From 87ecb2b136c9c04598d6700df752f2ae38145701 Mon Sep 17 00:00:00 2001
From: Clemens Hering <c.hering@hotmail.de>
Date: Sun, 1 Mar 2026 08:54:27 +0100
Subject: [PATCH] Fix Pull

---
 deploy/quadlet/README.md      |  5 +++++
 scripts/deploy-with-podman.sh | 21 +++++++++++++++++++--
 2 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/deploy/quadlet/README.md b/deploy/quadlet/README.md
index 45dfad2..9a8738e 100644
--- a/deploy/quadlet/README.md
+++ b/deploy/quadlet/README.md
@@ -72,6 +72,11 @@ Workflow template is included at:
 
 The deploy script builds with Podman, tags `localhost/kubeviz:prod`, and restarts `kubeviz.service`.
 The workflow uses `git` checkout (no Node runtime dependency). For private repos, set Gitea secret `CI_REPO_TOKEN`.
+For private base images (for example `dhi.io/golang:*`), ensure the runner user is logged in with Podman and has an auth file at either:
+- `$XDG_RUNTIME_DIR/containers/auth.json` or
+- `$HOME/.config/containers/auth.json`
+
+The deploy script forwards `REGISTRY_AUTH_FILE` to `sudo podman` automatically.
 
 Required sudo permissions for the Gitea runner user (example):
 
diff --git a/scripts/deploy-with-podman.sh b/scripts/deploy-with-podman.sh
index c4f361e..08990db 100755
--- a/scripts/deploy-with-podman.sh
+++ b/scripts/deploy-with-podman.sh
@@ -5,6 +5,23 @@ IMAGE_REPO="${IMAGE_REPO:-localhost/kubeviz}"
 IMAGE_TAG="${IMAGE_TAG:-prod}"
 SERVICE_NAME="${SERVICE_NAME:-kubeviz.service}"
 
+if [ -z "${REGISTRY_AUTH_FILE:-}" ]; then
+  if [ -n "${XDG_RUNTIME_DIR:-}" ] && [ -f "${XDG_RUNTIME_DIR}/containers/auth.json" ]; then
+    REGISTRY_AUTH_FILE="${XDG_RUNTIME_DIR}/containers/auth.json"
+  elif [ -f "${HOME}/.config/containers/auth.json" ]; then
+    REGISTRY_AUTH_FILE="${HOME}/.config/containers/auth.json"
+  fi
+fi
+
+SUDO_PODMAN=(sudo podman)
+if [ -n "${REGISTRY_AUTH_FILE:-}" ] && [ -f "${REGISTRY_AUTH_FILE}" ]; then
+  export REGISTRY_AUTH_FILE
+  SUDO_PODMAN=(sudo --preserve-env=REGISTRY_AUTH_FILE podman)
+  echo "Using registry auth file: ${REGISTRY_AUTH_FILE}"
+else
+  echo "Warning: no REGISTRY_AUTH_FILE found; private base image pulls may fail."
+fi
+
 if git rev-parse --short=12 HEAD >/dev/null 2>&1; then
   BUILD_ID="$(git rev-parse --short=12 HEAD)"
 else
@@ -15,10 +32,10 @@ SOURCE_IMAGE="${IMAGE_REPO}:ci-${BUILD_ID}"
 RELEASE_IMAGE="${IMAGE_REPO}:${IMAGE_TAG}"
 
 echo "Building ${SOURCE_IMAGE}"
-sudo podman build --pull=always -t "${SOURCE_IMAGE}" .
+"${SUDO_PODMAN[@]}" build --pull=always -t "${SOURCE_IMAGE}" .
 
 echo "Tagging ${RELEASE_IMAGE}"
-sudo podman tag "${SOURCE_IMAGE}" "${RELEASE_IMAGE}"
+"${SUDO_PODMAN[@]}" tag "${SOURCE_IMAGE}" "${RELEASE_IMAGE}"
 
 echo "Restarting ${SERVICE_NAME}"
 sudo systemctl restart "${SERVICE_NAME}"