Certificate configuration for authenticating to registry via API/service

[jwhonce]

Currently the Podman service does not provide a method to do certificate authenticate when doing pushes etc. As the first step to allowing this, I propose the environment variable CONTAINERS_CERT_PATH. Each colon separated element will be a directory in which certs may be provided. This additional work will allow https verified connections to the registry.

The headers X-Registry-Auth and X-Registry-Config will still provide the user authentication. Failure to access files in a directory or the directory itself will be silently ignored.

If there is enough demand, CLI arguments could be added in the future.

The environment variable will be manually added to the systemd unit file as needed. As examples:

• sudo systemctl edit podman.service

[Service]
Environment=CONTAINERS_CERT_PATH="/etc/containers/certs.d/"

• systemctl --user edit podman.service

[Service]
Environment=CONTAINERS_CERT_PATH="%h/.config/containers/certs.d:/etc/containers/certs.d/"

[rhatdan]

This sounds perfect to me. Should we have /etc/continers/certs.d as the default?