openstack/ironic
Code Issues Proposed changes

docs: trivial: clarify pull secrets for OCI image access

Browse Source 
Also, fix the json in the example config.json document.

Change-Id: I0c0ad427afdeba6740e1c4ef812f1c7552b32a00
Signed-off-by: Julia Kreger <juliaashleykreger@gmail.com>
This commit is contained in:
Julia Kreger
2025-08-28 06:26:07 -07:00
parent bc443a71b4
commit 9803975d7d
1 changed files with 15 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
doc/source/admin/oci-container-registry.rst
View File

@@ -106,7 +106,10 @@ As such, there are three available paths for providing configuration:
utilized to retrieve an image artifact, but is not intended for pulling
other artifacts like kernels or ramdisks used as part of a deployment
process. As with all other ``instance_info`` field values, this value
is deleted once the node has been unprovisioned.
is deleted once the node has been unprovisioned. The way this field is
used, is by supplying the pre-shared secret token value. This is the same
value which you would normally have in your Docker ``config.json`` file
``auth`` field for the top level domain your accessing.
* A node ``driver_info`` value of ``image_pull_secret``. This setting is
similar to the ``instance_info`` setting, but may be utilized by an
administrator of a baremetal node to define the specific registry
@@ -128,10 +131,10 @@ example.
{
"auths": {
"quay.io": {
"auth": "<secret_here>",
"auth": "<pull_secret_here>"
},
"private-registry.tld": {
"auth": "<secret_here>",
"auth": "<pull_secret_here>"
}
}
}
@@ -142,6 +145,15 @@ example.
due Ironic's secret value santiization, which prevents sensitive
values from being visible, and are instead returned as '******'.
.. NOTE::
If you need to extract the pull secret from a config.json file,
you may want to explore using the ``jq`` command with a syntax
along the lines of `jq '.auths."domain.tld".auth' config.json`
which will return the quoted string you can then populate. Other
command line oriented ways exist for users to retrieve such a value
once a login has completed to a container platform, meaning you can
use that same token value if desired.
Available URL Formats
---------------------