tests: Add cstor-dist registry infrastructure to bootc_testlib.nu

Add reusable functions for running cstor-dist, a tool that serves
images from containers-storage via an authenticated OCI registry
endpoint. This enables testing authenticated logically bound images.

The following functions are exported:
- start_cstor_dist: Starts cstor-dist container with basic auth
- get_cstor_auth: Returns registry address and base64-encoded credentials
- setup_insecure_registry: Configures registries.conf.d for non-TLS access
- setup_system_auth: Sets up /run/ostree/auth.json with credentials

Also update test-logically-bound-switch.nu to:
- Import get_cstor_auth from bootc_testlib.nu
- Add --with-auth flag to build_image for baking auth.json into images
- Fix verify_images to check if image name is IN the Names array
  (not exact match) to support images with multiple tags

Assisted-by: Claude Code (claude-opus-4-5@20251101)
Signed-off-by: ckyrouac <ckyrouac@redhat.com>

Author: ckyrouac

tmt/tests/booted/bootc_testlib.nu

@@ -23,3 +23,88 @@ export def have_hostexports [] {
 export def parse_cmdline []  {
     open /proc/cmdline | str trim | split row " "
 }
+
+# cstor-dist configuration for authenticated registry testing
+# cstor-dist serves images from containers-storage via an authenticated OCI registry endpoint
+# https://github.com/ckyrouac/cstor-dist
+const CSTOR_DIST_IMAGE = "ghcr.io/ckyrouac/cstor-dist:latest"
+const CSTOR_DIST_USER = "testuser"
+const CSTOR_DIST_PASS = "testpass"
+const CSTOR_DIST_PORT = 8000
+
+# The registry address for cstor-dist
+export const CSTOR_DIST_REGISTRY = $"localhost:($CSTOR_DIST_PORT)"
+
+# Start cstor-dist with basic auth on localhost
+# Fails if cstor-dist cannot be started
+export def start_cstor_dist [] {
+    print "Starting cstor-dist with basic auth..."
+
+    # Pull test images that cstor-dist will serve
+    print "Pulling test images for cstor-dist to serve..."
+    podman pull docker.io/library/alpine:latest
+    podman pull docker.io/library/busybox:latest
+
+    # Run cstor-dist container with auth enabled
+    # Mount the local containers storage so cstor-dist can serve images from it
+    let storage_path = if ("/var/lib/containers/storage" | path exists) {
+        "/var/lib/containers/storage"
+    } else {
+        $"($env.HOME)/.local/share/containers/storage"
+    }
+
+    (podman run --privileged --rm -d --name cstor-dist-auth
+        -p $"($CSTOR_DIST_PORT):8000"
+        -v $"($storage_path):/var/lib/containers/storage"
+        $CSTOR_DIST_IMAGE --username $CSTOR_DIST_USER --password $CSTOR_DIST_PASS)
+
+    # Wait for cstor-dist to be ready by testing HTTP connection
+    # Loop for up to 20 seconds
+    print "Waiting for cstor-dist to be ready..."
+    let auth_header = $"($CSTOR_DIST_USER):($CSTOR_DIST_PASS)" | encode base64
+    mut ready = false
+    for i in 1..20 {
+        let result = do { curl -sf -H $"Authorization: Basic ($auth_header)" $"http://($CSTOR_DIST_REGISTRY)/v2/" } | complete
+        if $result.exit_code == 0 {
+            $ready = true
+            break
+        }
+        print $"Attempt ($i)/20: cstor-dist not ready yet..."
+        sleep 1sec
+    }
+
+    if not $ready {
+        # Show container logs for debugging
+        print "cstor-dist failed to start. Container logs:"
+        podman logs cstor-dist-auth
+        error make { msg: "cstor-dist failed to become ready within 20 seconds" }
+    }
+
+    print $"cstor-dist running on ($CSTOR_DIST_REGISTRY)"
+}
+
+# Get cstor-dist auth config
+export def get_cstor_auth [] {
+    # Base64 encode the credentials for auth.json
+    let auth_b64 = $"($CSTOR_DIST_USER):($CSTOR_DIST_PASS)" | encode base64
+    {
+        registry: $CSTOR_DIST_REGISTRY,
+        auth_b64: $auth_b64
+    }
+}
+
+# Configure insecure registry for cstor-dist (no TLS)
+export def setup_insecure_registry [] {
+    mkdir /etc/containers/registries.conf.d
+    (echo $"[[registry]]\nlocation=\"($CSTOR_DIST_REGISTRY)\"\ninsecure=true"
+        | save -f /etc/containers/registries.conf.d/99-cstor-dist.conf)
+}
+
+# Set up auth.json on the running system with cstor-dist credentials
+export def setup_system_auth [] {
+    mkdir /run/ostree
+    let cstor = get_cstor_auth
+    print $"Setting up system auth for cstor-dist at ($cstor.registry)"
+    let auth_json = $'{"auths": {"($cstor.registry)": {"auth": "($cstor.auth_b64)"}}}'
+    echo $auth_json | save -f /run/ostree/auth.json
+}

tmt/tests/booted/test-logically-bound-switch.nu

@@ -15,24 +15,21 @@
 
 use std assert
 use tap.nu
+use bootc_testlib.nu [get_cstor_auth]
 
 # This code runs on *each* boot.
 bootc status
 let st = bootc status --json | from json
 let booted = $st.status.booted.image
 
-# The tests here aren't fetching from a registry which requires auth by default,
-# but we can replicate the failure in https://github.com/bootc-dev/bootc/pull/1852
-# by just injecting any auth file.
-echo '{}' | save -f /run/ostree/auth.json
-
 def initial_setup [] {
     bootc image copy-to-storage
     podman images
     podman image inspect localhost/bootc | from json
 }
 
-def build_image [name images containers] {
+# Build an image with optional auth.json baked in
+def build_image [name images containers --with-auth] {
     let td = mktemp -d
     cd $td
     mkdir usr/share/containers/systemd
@@ -59,6 +56,16 @@ RUN echo sanity check > /usr/share/bound-image-sanity-check.txt
         }
     }
 
+    # Optionally bake auth.json into the image
+    if $with_auth {
+        let cstor = get_cstor_auth
+        print "Baking auth.json into the image"
+        mkdir etc/ostree
+        let auth_json = $'{"auths": {"($cstor.registry)": {"auth": "($cstor.auth_b64)"}}}'
+        echo $auth_json | save etc/ostree/auth.json
+        echo "COPY etc/ /etc/\n" | save Dockerfile --append
+    }
+
     # Build it
     podman build -t $name .
     # Just sanity check it
@@ -74,12 +81,13 @@ def verify_images [images containers] {
     let image_names = podman --storage-opt=additionalimagestore=/usr/lib/bootc/storage images --format json | from json | select -i Names
 
     for $image in $bound_images {
-        let found = $image_names | where Names == [$image.image]
+        # Check if the expected image name is IN the Names array (not exact match)
+        let found = $image_names | where { |row| $image.image in $row.Names }
         assert (($found | length) > 0) $"($image.image) not found"
     }
 
     for $container in $bound_containers {
-        let found = $image_names | where Names == [$container.image]
+        let found = $image_names | where { |row| $container.image in $row.Names }
         assert (($found | length) > 0) $"($container.image) not found"
     }
 }
@@ -89,14 +97,14 @@ def first_boot [] {
 
     initial_setup
 
-    # build a bootc image that includes bound images
+    # Build a bootc image that includes bound images
     let images = [
         { "bound": true, "image": "registry.access.redhat.com/ubi9/ubi-minimal:9.4", "name": "ubi-minimal" },
         { "bound": false, "image": "quay.io/centos-bootc/centos-bootc:stream9", "name": "centos-bootc" }
     ]
 
     let containers = [{
-        "bound": true, "image": "docker.io/library/alpine:latest", "name": "alpine" 
+        "bound": true, "image": "docker.io/library/alpine:latest", "name": "alpine"
     }]
 
     let image_name = "localhost/bootc-bound"
@@ -111,18 +119,18 @@ def second_boot [] {
     assert equal $booted.image.transport containers-storage
     assert equal $booted.image.image localhost/bootc-bound
 
-    # verify images are still there after boot
+    # Verify images are still there after boot
     let images = [
         { "bound": true, "image": "registry.access.redhat.com/ubi9/ubi-minimal:9.4", "name": "ubi-minimal" },
         { "bound": false, "image": "quay.io/centos-bootc/centos-bootc:stream9", "name": "centos-bootc" }
     ]
 
     let containers = [{
-        "bound": true, "image": "docker.io/library/alpine:latest", "name": "alpine" 
+        "bound": true, "image": "docker.io/library/alpine:latest", "name": "alpine"
     }]
     verify_images $images $containers
 
-    # build a new bootc image with an additional bound image
+    # Build a new bootc image with an additional bound image
     print "bootc upgrade with another bound image"
     let image_name = "localhost/bootc-bound"
     let more_images = $images | append [{ "bound": true, "image": "registry.access.redhat.com/ubi9/ubi-minimal:9.3", "name": "ubi-minimal-9-3" }]
@@ -144,7 +152,7 @@ def third_boot [] {
     ]
 
     let containers = [{
-        "bound": true, "image": "docker.io/library/alpine:latest", "name": "alpine" 
+        "bound": true, "image": "docker.io/library/alpine:latest", "name": "alpine"
     }]
 
     verify_images $images $containers