[Containerapp] az containerapp create/up: --registry-server and --source use managed identity for image pull by default
#7972
Conversation
|
| rule | cmd_name | rule_message | suggest_message |
|---|---|---|---|
| containerapp up | cmd containerapp up added parameter registry_identity |
||
| containerapp up | cmd containerapp up added parameter system_assigned |
||
| containerapp up | cmd containerapp up added parameter user_assigned |
|
Hi @Greedygre, |
|
Containerapp |
microsoft-github-policy-service
bot
requested review from
yonzhan,
wangzelin007,
yanzhudd,
zhoxing-ms,
jsntcy,
ruslany,
sanchitmehta,
ebencarek,
JennyLawrance,
howang-ms,
vinisoto,
chinadragon0515,
vturecek,
torosent,
pagariyaalok,
Juliehzl and
jijohn14
CodeGen Tools Feedback CollectionThank you for using our CodeGen tool. We value your feedback, and we would like to know how we can improve our product. Please take a few minutes to fill our codegen survey |
|
Hi @Greedygre Release SuggestionsModule: containerapp
Notes
|
|
About |
| @@ -1247,9 +1256,13 @@ def _get_acr_from_image(cmd, app): | |||
| app.registry_server = app.image.split("/")[ | |||
| 0 | |||
| ] # TODO what if this conflicts with registry_server param? | |||
|
|
|||
| # If --registry-server is ACR, use system-assigned managed identity for image pull by default | |||
| if app.registry_identity is None and app.registry_user is None and app.registry_pass is None: | |||
There was a problem hiding this comment.
What if a public registry? Do we need system?
There was a problem hiding this comment.
This logic is for command az containerapp up, if the image is from ACR, it will always look up credential and add ACR to properties.configuration.registries.
For properties.configuration.registries, it require (username and password) or identity, otherwise it throw error from DP:
(ContainerAppRegistriesPasswordSecretRefNotFound) PasswordSecretRef '' defined for registry server 'acaxinyulogtest.azurecr.io' not found.
So we need system.
For az containerapp create, if it is a public registry, without argument --registry-server the CLI will not add registry to properties.configuration.registries, then it will treat as a public image.
|
The CI failed with following error, which is not relate to our containerapp extension. =========================== short test summary info ============================ |
Greedygre
force-pushed
the
xinyu/20240829_registry_server_default_system_assign
branch
from
680f092
to
c459d1e
Compare
github-actions
bot
added
the
release-version-block
|
It looks like some unrelated changes (about aks-preview) were merged into your branch? |
Greedygre
force-pushed
the
xinyu/20240829_registry_server_default_system_assign
branch
from
c459d1e
to
de7d0bf
Compare
Fixed. |
github-actions
bot
removed
the
release-version-block
Greedygre
changed the title
az containerapp create/up: --registry-server use managed identity for image pull by defaultaz containerapp create/up: --registry-server and --source use managed identity for image pull by default
| @@ -409,7 +409,10 @@ def __init__( | |||
| env_vars=None, | |||
| workload_profile_name=None, | |||
| ingress=None, | |||
| force_single_container_updates=None | |||
| force_single_container_updates=None, | |||
| registry_identity=None, | |||
There was a problem hiding this comment.
should this parameter be exposed?
There was a problem hiding this comment.
For az containerapp up, we expose new arguments --registry-identity, --system-assigned, --user-assigned
There was a problem hiding this comment.
I do not see --registry-identity added in params.py
There was a problem hiding this comment.
For --registry-identity, it is Inherited from azure-cli az containerapp:
| parsed = urlparse(app.image) | ||
| registry_name = (parsed.netloc if parsed.scheme else parsed.path).split(".")[0] | ||
| if app.registry_user is None or app.registry_pass is None: |
There was a problem hiding this comment.
what if only app.registry_user provided?
There was a problem hiding this comment.
It will be handled in create_containerapp or update_containerapp, we will look up creds for it, also I has test case cover it: test_containerapp_registry_acr_look_up_credentical
| @@ -849,6 +880,7 @@ def parent_construct_payload(self): | |||
| self.set_up_registry_identity() | |||
|
|
|||
| def construct_payload(self): | |||
| self.set_up_system_assigned_identity_as_default_if_using_acr() | |||
There was a problem hiding this comment.
why not put after parent_construct_payload()?
There was a problem hiding this comment.
The set_up_system_assigned_identity_as_default_if_using_acr will set --identity to system as default, it should be execute before parent_construct_payload()
| if self.get_argument_source(): | ||
| _get_registry_details_without_get_creds(self.cmd, app, self.get_argument_source()) | ||
| if self.get_argument_repo(): |
There was a problem hiding this comment.
what about both --source and --repo provided?
There was a problem hiding this comment.
We don't allowed input --source and --repo together:
When input --source --repo together, throw:
Cannot use --source and --repo together. Can either deploy from a local directory or a Github repo
For --repo, it will create github action with sourcecontrols, it use the ACR registry to create github action.
registry_username=app.registry_user,
The sourcecontrols doesn't support registry with registry identity. It only support registry username and password.
| system_sp = safe_get(self.containerapp_def, "identity", "principalId") | ||
|
|
||
| # create system service principalId | ||
| if system_sp is None and is_registry_msi_system(identity): |
There was a problem hiding this comment.
in this condition, only when customer specify system as identity, we will create the system principalId? should we also create in default scenario?
There was a problem hiding this comment.
Yes, we did.
For the default behavior, in the set_up_system_assigned_identity_as_default_if_using_acr, it will set identity to system, then in here it will create the system principalId too.
I have test to cover it: test_containerapp_registry_identity_system
| return | ||
| registry_exists = False | ||
| for r in registries_def: | ||
| if r['server'].lower() == self.get_argument_registry_server().lower(): |
There was a problem hiding this comment.
what if no 'server' in r?
There was a problem hiding this comment.
Is there such a scenario? Is it a legal scenario?
| if source: | ||
| _get_registry_details_without_get_creds(cmd, app, source) | ||
| if repo: |
There was a problem hiding this comment.
what if both source and repo provided?
There was a problem hiding this comment.
This is not allowed:
When input --source --repo together, throw:
Cannot use --source and --repo together. Can either deploy from a local directory or a Github repo
code in _validate_up_args
|
|
||
| force_single_container_updates = False | ||
| if source: | ||
| app.get_acr_creds = False |
There was a problem hiding this comment.
once source is provided, you will never try to get acr creds?
There was a problem hiding this comment.
with --source,
If customer not provider --registry-username, we will never try to get acr creds.
If customer provider --registry-username or --registry-password, we will try to get acr creds in the next stepscreate_containerapp or update_containerapp.
| self.cmd.cli_ctx, registry_name | ||
| ) | ||
| if self.get_acr_creds: | ||
| self.registry_user, self.registry_pass, _ = _get_acr_cred( |
| c.argument('user_assigned', nargs='+', help="Space-separated user identities to be assigned.") | ||
| c.argument('system_assigned', help="Boolean indicating whether to assign system-assigned identity.", action='store_true') |
There was a problem hiding this comment.
Could you refer to the guideline https://github.com/Azure/azure-cli/blob/dev/doc/managed_identity_command_guideline.md to design these managed identity related parameters?
There was a problem hiding this comment.
The new user_assigned and system_assigned parameters for the az containerapp up command are consistent with those for az containerapp create. We need to change them together, otherwise the user experience will be inconsistent.
This checklist is used to make sure that common guidelines for a pull request are followed.
Related command
--registry-serveruse managed identity for image pull by default--registry-identity,--system-assigned,--user-assignedGeneral Guidelines
azdev style <YOUR_EXT>locally? (pip install azdevrequired)python scripts/ci/test_index.py -qlocally? (pip install wheel==0.30.0required)For new extensions:
About Extension Publish
There is a pipeline to automatically build, upload and publish extension wheels.
Once your pull request is merged into main branch, a new pull request will be created to update
src/index.jsonautomatically.You only need to update the version information in file setup.py and historical information in file HISTORY.rst in your PR but do not modify
src/index.json.