Add docs about additional-layer-store-auth-helper option

Signed-off-by: Kohei Tokunaga <[email protected]>
containers · May 22, 2024 · 55844d4 · 55844d4
1 parent b9a19fd
commit 55844d4
Showing 1 changed file with 27 additions and 0 deletions.
diff --git a/docs/containers-registries.conf.5.md b/docs/containers-registries.conf.5.md
@@ -19,6 +19,11 @@ Container engines will use the `$HOME/.config/containers/registries.conf` if it
 `credential-helpers`
 : An array of default credential helpers used as external credential stores.  Note that "containers-auth.json" is a reserved value to use auth files as specified in containers-auth.json(5).  The credential helpers are set to `["containers-auth.json"]` if none are specified.
 
+`additional-layer-store-auth-helper`
+: A string of helper name. This enables to pass registry credentials to
+  Additional Layer Store on every pulling of an image so that it can access
+  private registries. See the later section for more details.
+
 ### NAMESPACED `[[registry]]` SETTINGS
 
 The bulk of the configuration is represented as an array of `[[registry]]`
@@ -254,6 +259,28 @@ in order, and use the first one that exists.
 
 Note that a mirror is associated only with the current `[[registry]]` TOML table. If using the example above, pulling the image `registry.com/image:latest` will hence only reach out to `mirror.registry.com`, and the mirrors associated with `example.com/foo` will not be considered.
 
+### Enabling Additional Layer Store to access to private registries
+
+The `additional-layer-store-auth-helper` option enables to pass registry
+credentials to Additional Layer Store so that it can access private registries.
+
+Additional Layer Store needs to provide a helper binary. This helper binary is
+registered to `additional-layer-store-auth-helper` option. Every time pulling of
+an image happens, the specified helper binary is executed and receives registry
+credentials from stdin in the following format.
+
+```json
+{
+  "image-reference": {
+    "username": "username",
+    "password": "password",
+    "identityToken": "identityToken"
+  }
+}
+```
+
+Additional Layer Store can use this for accessing to the registry.
+
 ## VERSION 1 FORMAT - DEPRECATED
 VERSION 1 format is still supported but it does not support
 using registry mirrors, longest-prefix matches, or location rewriting.