Private registries authentication

The source for an install or upgrade can be an OCI image, and such images are sometimes hosted in a private repository. For that case Kairos implements the default basic authentication used by docker for private registries.

To install or upgrade from a container image in a registry that requires authentication, Kairos looks for registry credentials in the following files, in order:

  • ${XDG_CONFIG_HOME}/.docker/config.json
  • If set, the directory that the DOCKER_CONFIG environment variable points to, as per the docs.
  • ${XDG_RUNTIME_DIR}/containers/auth.json for podman

See the login docs for docker or the login docs for podman for more information.

You can also just generate that file yourself with the proper auth parameters like so:

{
	"auths": {
		"registry.example.com": {
			"auth": "a2Fpcm9zOmh1bnRlcjI="
		}
	}
}

The auths map has one entry per registry, and the auth field contains your username and password encoded as for HTTP ‘Basic’ Auth: the base64 encoding of username:password.

NOTE: This means that your credentials are stored in plaintext: base64 is an encoding, not encryption, so anyone who can read the file can recover them. Have a look at the docker docs for the credentials-store.
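
The following Python is an added example, not code from Kairos or Docker. It builds the auth value described above without the trailing newline that piping echo into base64 would add, checks an existing value for that mistake, and writes config.json so that only its owner can read it. The function names and the demo credentials are assumptions made for the illustration.

```python
import base64
import binascii
import json
import os

def encode_auth(username: str, password: str) -> str:
    """Return the auth field: base64 of 'username:password', no trailing newline."""
    return base64.b64encode(f"{username}:{password}".encode()).decode("ascii")

def audit_auth(value: str) -> list:
    """Return the problems found in an existing auth value (empty list = none found)."""
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return ["not valid base64 of UTF-8 text"]
    username, sep, password = decoded.partition(":")
    problems = []
    if not sep or not username:
        problems.append("expected 'username:password'")
    if password != password.rstrip("\r\n"):
        # Typical cause: `echo user:pass | base64` instead of printf or echo -n
        problems.append("password ends with a newline")
    return problems

def write_config(directory: str, registry: str, username: str, password: str) -> str:
    """Write config.json accessible to its owner only and return its path."""
    os.makedirs(directory, mode=0o700, exist_ok=True)
    path = os.path.join(directory, "config.json")
    config = {"auths": {registry: {"auth": encode_auth(username, password)}}}
    # O_EXCL refuses to reuse an existing file, so 0o600 applies from creation on
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(config, fh, indent=2)
    return path

if __name__ == "__main__":
    import tempfile
    # Constructed sample credentials, not real ones
    bad = base64.b64encode(b"demo:s3cret\n").decode()
    print(audit_auth(bad))
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, ".docker")
        path = write_config(target, "registry.example.com", "demo", "s3cret")
        with open(path) as fh:
            print(fh.read())
```

Restrictive file permissions only limit who can read the file; the credentials inside are still recoverable by anyone who can.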