Summary
When bootc upgrade encounters a registry authentication failure (401/403), the error message doesn't help the operator diagnose the problem. The current output is something like:
ERROR Upgrading: creating container image deployment: ...unauthorized...
This doesn't mention:
- Which registry returned the auth failure
- That /etc/ostree/auth.json is the credential source for bootc upgrades (not the standard podman auth path)
- Whether the token is expired, malformed, or missing
Use case
We run nightly bootc upgrade on CentOS Stream 10 hosts pulling from a private GitLab registry. When a deploy token expires, the error gives no indication that auth is the problem or where to look. The /etc/ostree/auth.json path is particularly non-obvious since it differs from podman's credential store.
Proposed improvement
When the pull path receives a 401 or 403 from a registry, wrap the error with additional context, for example:
Registry authentication failed for {registry}.
Credentials are read from /etc/ostree/auth.json. Verify the file exists
and contains valid credentials for this registry.
This would save significant debug time for anyone using private registries with bootc.
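A local pre-check an operator could run when the upgrade fails with "unauthorized", separating the missing and malformed cases the issue lists. This is an added example, not part of the original issue and not bootc code. It assumes /etc/ostree/auth.json uses the containers-auth.json layout (an "auths" map whose entries carry a base64 "auth" of user:secret) and checks only that field; the function names and the sample registry are hypothetical.

```python
import base64
import json

AUTH_PATH = "/etc/ostree/auth.json"  # credential source named in the issue


def candidate_keys(image):
    """Keys to try, most specific first: host/ns/repo, host/ns, host."""
    repo = image.split("@")[0]                      # drop any digest
    if ":" in repo.rsplit("/", 1)[-1]:              # drop a tag, keep host:port
        repo = repo.rsplit(":", 1)[0]
    parts = repo.split("/")
    return ["/".join(parts[:i]) for i in range(len(parts), 0, -1)]


def diagnose_auth(image, auth_text):
    """Return local findings; auth_text is the file's content, None if absent."""
    if auth_text is None:
        return [f"{AUTH_PATH} is missing"]
    try:
        doc = json.loads(auth_text)
    except json.JSONDecodeError as exc:
        return [f"{AUTH_PATH} is not valid JSON: {exc.msg}"]
    auths = doc.get("auths") if isinstance(doc, dict) else None
    if not isinstance(auths, dict):
        return [f'{AUTH_PATH} has no "auths" object']
    key = next((k for k in candidate_keys(image) if k in auths), None)
    if key is None:
        return [f"no entry matches {image}; present: {sorted(auths)}"]
    entry = auths[key]
    auth = entry.get("auth") if isinstance(entry, dict) else None
    if not isinstance(auth, str) or not auth:
        return [f'entry "{key}" has no "auth" value']
    try:
        user, sep, secret = base64.b64decode(auth, validate=True).decode().partition(":")
    except ValueError:  # bad base64 or bytes that are not UTF-8 text
        return [f'"auth" for "{key}" is not base64 text']
    if not (sep and user and secret):
        return [f'"auth" for "{key}" does not decode to user:secret']
    return []  # well-formed locally; the registry is rejecting the credential itself


if __name__ == "__main__":
    # Constructed sample: hypothetical registry and a dummy deploy token.
    sample = json.dumps({"auths": {"registry.example.test/group": {
        "auth": base64.b64encode(b"deploy-user:dummy-token").decode()}}})
    print(diagnose_auth("registry.example.test/group/app:latest", sample))
    print(diagnose_auth("registry.example.test/group/app:latest", None))
```

An empty result means the file is well-formed for that image, so a 401 or 403 then has to be resolved on the registry side, for example by checking whether the deploy token has expired. The decoded secret is never printed or returned.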