herve4m.quay.quay_docker_token (1.2.0) — module

Manage tokens for accessing Quay Container Registry repositories

Added in version 0.0.11 of herve4m.quay

Authors: Herve Quatremain (@herve4m)

Install collection

Install with ansible-galaxy collection install herve4m.quay:==1.2.0


Add to requirements.yml

  collections:
    - name: herve4m.quay
      version: 1.2.0

Description

Create or delete tokens for client tools to access repositories.

For example, the C(docker), C(podman), and C(skopeo) command-line tools can use such tokens.

Kubernetes can also use those tokens, declared in Kubernetes secret objects, to pull images and deploy pods.

Using tokens is an alternative to using your user login and password.

The tokens you create are for the user account you are logged in with. You cannot create tokens for other users, even if you are logged in with a super user account.

Usage examples

- name: Ensure the token exists for my account
  herve4m.quay.quay_docker_token:
    name: token_for_pull
    state: present
    quay_host: https://quay.example.com
    quay_token: vgfH9zH5q6eV16Con7SvDQYSr0KPYQimMHVehZv7
  register: token_details
- name: Ensure the image is pulled
  containers.podman.podman_image:
    name: quay.example.com/production/smallimage:v1.0.0
    username: "{{ token_details['username'] }}"
    password: "{{ token_details['token_code'] }}"
- name: Ensure the token does not exist
  herve4m.quay.quay_docker_token:
    name: token_for_pull
    state: absent
    quay_host: https://quay.example.com
    quay_token: vgfH9zH5q6eV16Con7SvDQYSr0KPYQimMHVehZv7
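
The Kubernetes use mentioned in the description, as an added example that is not part of the module's own documentation: the I(dockerconfigjson_b64) return value is stored in an image pull secret, and C(no_log) keeps the token out of the task output. The C(vault_quay_token) variable, the C(production) namespace, and the C(quay-pull-secret) name are assumptions made for this example.

```yaml
# Added example, not from the module documentation.
# Assumptions: vault_quay_token (hypothetical Ansible Vault variable), the
# "production" namespace, and the "quay-pull-secret" Secret name.
- name: Create a Quay pull token and publish it as a Kubernetes pull secret
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Ensure the token exists for my account
      herve4m.quay.quay_docker_token:
        name: token_for_pull
        state: present
        quay_host: https://quay.example.com
        # Read the OAuth access token from a vaulted variable instead of
        # writing it in the playbook.
        quay_token: "{{ vault_quay_token }}"
      register: token_details
      # The result contains token_code, auth_b64 and dockerconfigjson_b64,
      # so keep it out of the task output and logs.
      no_log: true

    - name: Ensure the image pull secret exists
      kubernetes.core.k8s:
        state: present
        definition:
          apiVersion: v1
          kind: Secret
          metadata:
            name: quay-pull-secret
            namespace: production
          type: kubernetes.io/dockerconfigjson
          data:
            # Secret "data" values are Base64 strings; the module output is
            # already the Base64 encoding of the config.json content.
            .dockerconfigjson: "{{ token_details['dockerconfigjson_b64'] }}"
      # The task arguments contain the encoded token as well.
      no_log: true
```

Pods in that namespace can then reference the secret by name under C(imagePullSecrets).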

Inputs

    
name:
    description:
    - Name of the token to create or delete.
    required: true
    type: str

state:
    choices:
    - absent
    - present
    default: present
    description:
    - If C(absent), then the module deletes the token.
    - The module does not fail if the token does not exist, because the state is already
      as expected.
    - If C(present), then the module creates the token if it does not already exist.
    - If the token already exists, then the module returns its details.
    type: str

quay_host:
    default: http://127.0.0.1
    description:
    - URL for accessing the API. U(https://quay.example.com:8443) for example.
    - If you do not set the parameter, then the module uses the C(QUAY_HOST) environment
      variable.
    - If you do not set the environment variable either, then the module uses the U(http://127.0.0.1)
      URL.
    type: str

quay_token:
    description:
    - OAuth access token for authenticating against the API.
    - If you do not set the parameter, then the module tries the C(QUAY_TOKEN) environment
      variable.
    - Mutually exclusive with I(quay_username) and I(quay_password).
    type: str

quay_password:
    description:
    - The password to use for authenticating against the API.
    - If you do not set the parameter, then the module tries the C(QUAY_PASSWORD) environment
      variable.
    - If you set I(quay_password), then you also need to set I(quay_username).
    - Mutually exclusive with I(quay_token).
    type: str

quay_username:
    description:
    - The username to use for authenticating against the API.
    - If you do not set the parameter, then the module tries the C(QUAY_USERNAME) environment
      variable.
    - If you set I(quay_username), then you also need to set I(quay_password).
    - Mutually exclusive with I(quay_token).
    type: str

validate_certs:
    aliases:
    - verify_ssl
    default: true
    description:
    - Whether to validate SSL certificates when connecting to the API.
    - If C(no), then the module does not validate SSL certificates.
    - If you do not set the parameter, then the module tries the C(QUAY_VERIFY_SSL) environment
      variable (C(yes), C(1), and C(True) mean yes, and C(no), C(0), C(False), and no
      value mean no).
    type: bool

Outputs

auth_b64:
  description:
  - Base 64 encoding of the username and the token (C(I(username):I(token_code))).
  - Some client configuration files, such as the C(~/.docker/config.json) Docker configuration
    file, require that you provide the username and the token in that format.
  - You can decode the string by using the C(base64 --decode) command. See the C(base64)(1)
    man page.
  returned: always
  sample: JGFw...NzBK
  type: str
created:
  description: Token creation date and time.
  returned: always
  sample: Wed, 25 May 2022 12:46:41 -0000
  type: str
dockerconfigjson_b64:
  description:
  - Base 64 encoding of the C(~/.docker/config.json) configuration file.
  - The C(containers-auth.json)(5) man page describes the format of the file.
  returned: always
  sample: ewog...Cn0=
  type: str
expiration:
  description:
  - Expiration date and time of the token.
  - By default, tokens do not expire. In that case I(expiration) is C(null).
  - Your Quay administrator might have activated expiration by setting the C(APP_SPECIFIC_TOKEN_EXPIRATION)
    directive in the C(config.yaml) configuration file.
  returned: always
  sample: Fri, 29 Apr 2023 13:31:05 -0000
  type: str
last_accessed:
  description:
  - Last date and time the token was used.
  - If the token has not been used yet, then I(last_accessed) is C(null).
  returned: always
  sample: Wed, 25 May 2022 12:49:45 -0000
  type: str
name:
  description: Name of the application token.
  returned: always
  sample: my_push_token
  type: str
token_code:
  description: Token to use as the password.
  returned: always
  sample: OVKFT8YJBTQYG4Z30YHDOPJBU4M2VPMCQJ5IYW4BAQGZD8T5V70JORLJBJHFYVVFQ89K7
  type: str
username:
  description:
  - Username to use with client commands such as C(docker) or C(podman).
  - When you use a token with those commands, do not use your login name but use this
    username instead.
  - For Quay, that username is always C($app).
  - Because the C($) character is a special shell character, you might have to protect
    it with a backslash or by using single quotation marks.
  returned: always
  sample: $app
  type: str
uuid:
  description: Internal ID of the application token.
  returned: always
  sample: 31b32343-e974-4f8c-bd9c-db5a0406f211
  type: str