Handle podman logout not logging out when logged in via different tool (#137)

plugins/modules/podman_logout.py

@@ -19,6 +19,10 @@ description:
     `authfile` flag. The default path used is
     `${XDG_RUNTIME_DIR}/containers/auth.json`.
     All the cached credentials can be removed by setting the `all` flag.
+    Warning - podman will use credentials in `${HOME}/.docker/config.json`
+    to authenticate in case they are not found in the default `authfile`.
+    However, the logout command will only removed credentials in the
+    `authfile` specified.
 requirements:
   - "Podman installed on host"
 options:
@@ -38,7 +42,20 @@ options:
     type: path
   all:
     description:
-      - Remove the cached credentials for all registries in the auth file
+      - Remove the cached credentials for all registries in the auth file.
+    type: bool
+  ignore_docker_credentials:
+    description:
+      - Credentials created using other tools such as `docker login` are not
+        removed unless the corresponding `authfile` is explicitly specified.
+        Since podman also uses existing credentials in these files by default
+        (for docker e.g. `${HOME}/.docker/config.json`), module execution will
+        fail if a docker login exists for the registry specified in any
+        `authfile` is used by podman. This can be ignored by setting
+        `ignore_docker_credentials` to `yes` - the credentials will be kept and
+        `changed` will be false.
+        This option cannot be used together with `all` since in this case
+        podman will not check for existing `authfiles` created by other tools.
     type: bool
   executable:
     description:
@@ -71,7 +88,7 @@ import json  # noqa: F402
 from ansible.module_utils.basic import AnsibleModule
 
 
-def logout(module, executable, registry, authfile, all_registries):
+def logout(module, executable, registry, authfile, all_registries, ignore_docker_credentials):
     command = [executable, 'logout']
     changed = False
     if authfile:
@@ -89,6 +106,13 @@ def logout(module, executable, registry, authfile, all_registries):
         # Mind: This also applied if --all flag is used, while in this case
         # there is no check whether one has been logged into any registry
         changed = True
+    if 'Existing credentials were established via' in out:
+        # The command will return successfully but not log out the user if the
+        # credentials were initially created using docker. Catch this behaviour:
+        if not ignore_docker_credentials:
+            module.fail_json(msg="Unable to log out of %s: %s" % (registry, out))
+        else:
+            changed = False
     return changed, out, err
 
 
@@ -99,19 +123,23 @@ def main():
             registry=dict(type='str'),
             authfile=dict(type='path'),
             all=dict(type='bool'),
+            ignore_docker_credentials=dict(type='bool'),
         ),
         supports_check_mode=True,
         mutually_exclusive=(
             ['registry', 'all'],
+            ['ignore_docker_credentials', 'all'],
         ),
     )
 
     registry = module.params['registry']
     authfile = module.params['authfile']
     all_registries = module.params['all']
+    ignore_docker_credentials = module.params['ignore_docker_credentials']
     executable = module.get_bin_path(module.params['executable'], required=True)
 
-    changed, out, err = logout(module, executable, registry, authfile, all_registries)
+    changed, out, err = logout(module, executable, registry, authfile,
+                               all_registries, ignore_docker_credentials)
 
     results = {
         "changed": changed,