[Containerapp] az containerapp create/up: --registry-server and --source use managed identity for image pull by default #7972
| rule | cmd_name | rule_message | suggest_message |
|---|---|---|---|
| | containerapp up | cmd containerapp up added parameter registry_identity | |
| | containerapp up | cmd containerapp up added parameter system_assigned | |
| | containerapp up | cmd containerapp up added parameter user_assigned | |
@@ -1247,9 +1256,13 @@ def _get_acr_from_image(cmd, app): | |||
app.registry_server = app.image.split("/")[ | |||
0 | |||
] # TODO what if this conflicts with registry_server param? | |||
|
|||
# If --registry-server is ACR, use system-assigned managed identity for image pull by default | |||
if app.registry_identity is None and app.registry_user is None and app.registry_pass is None: |
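Review bot: the TODO on the `app.registry_server = app.image.split("/")[0]` assignment is still open in this hunk: the registry parsed from the image overwrites any `--registry-server` the user passed, and the new `registry_identity is None and registry_user is None and registry_pass is None` default is then applied to the parsed host. Compare the two values and raise a validation error (or at least warn) when they differ before falling through to the identity default.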
What if a public registry? Do we need system?
This logic is for the command `az containerapp up`: if the image is from ACR, it will always look up the credential and add ACR to `properties.configuration.registries`.
For `properties.configuration.registries`, it requires (username and password) or identity, otherwise it throws an error from DP:
(ContainerAppRegistriesPasswordSecretRefNotFound) PasswordSecretRef '' defined for registry server 'acaxinyulogtest.azurecr.io' not found.
So we need system.
For `az containerapp create`, if it is a public registry, without the argument `--registry-server` the CLI will not add the registry to `properties.configuration.registries`, then it will be treated as a public image.
The CI failed with the following error, which is not related to our containerapp extension.
=========================== short test summary info ============================
680f092 to c459d1e
It looks like some unrelated changes (about aks-preview) were merged into your branch?
c459d1e to de7d0bf
Fixed.
Title changed from "az containerapp create/up: --registry-server use managed identity for image pull by default" to "az containerapp create/up: --registry-server and --source use managed identity for image pull by default".
@@ -409,7 +409,10 @@ def __init__( | |||
env_vars=None, | |||
workload_profile_name=None, | |||
ingress=None, | |||
force_single_container_updates=None | |||
force_single_container_updates=None, | |||
registry_identity=None, |
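Review bot: `registry_identity=None` is added to the constructor signature here, but nothing in this hunk shows the matching argument registration or help text; make sure `params.py` registers `--registry-identity` for `containerapp up` in the same change, otherwise the keyword is reachable from code but never settable from the CLI.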
should this parameter be exposed?
For `az containerapp up`, we expose new arguments `--registry-identity`, `--system-assigned`, `--user-assigned`.
I do not see --registry-identity added in params.py
parsed = urlparse(app.image) | ||
registry_name = (parsed.netloc if parsed.scheme else parsed.path).split(".")[0] | ||
if app.registry_user is None or app.registry_pass is None: |
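Review bot: `if app.registry_user is None or app.registry_pass is None:` treats a half-specified credential pair (username without password, or the reverse) exactly like no credentials at all; if the branch fills both values from an ACR lookup, a username the user supplied is silently replaced. Consider rejecting exactly-one-of-the-two with a clear validation error, or at least logging which credentials will be used. Separately, `registry_name = (...).split(".")[0]` yields the whole reference for a bare image such as `nginx:latest`, so make sure this code only runs once the image is known to be an ACR reference.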
what if only app.registry_user provided?
It will be handled in `create_containerapp` or `update_containerapp`; we will look up creds for it. Also I have a test case covering it: `test_containerapp_registry_acr_look_up_credentical`
@@ -849,6 +880,7 @@ def parent_construct_payload(self): | |||
self.set_up_registry_identity() | |||
|
|||
def construct_payload(self): | |||
self.set_up_system_assigned_identity_as_default_if_using_acr() |
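Review bot: `construct_payload()` calls `set_up_system_assigned_identity_as_default_if_using_acr()` before `parent_construct_payload()`, which in turn runs `set_up_registry_identity()`; that ordering is load-bearing (the default has to be in place before the parent reads the identity argument) but nothing in the code says so. Add a one-line comment stating that the call must precede `parent_construct_payload()`, so a later refactor does not reorder it.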
why not put after parent_construct_payload()?
The `set_up_system_assigned_identity_as_default_if_using_acr` will set `--identity` to `system` as default; it should be executed before `parent_construct_payload()`.
if self.get_argument_source(): | ||
_get_registry_details_without_get_creds(self.cmd, app, self.get_argument_source()) | ||
if self.get_argument_repo(): |
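Review bot: the `if self.get_argument_source():` and `if self.get_argument_repo():` branches are evaluated independently, so nothing in this hunk stops both from running when both arguments are given; if mutual exclusion is enforced by an upstream validator, reference it in a comment here, otherwise use `elif` or raise.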
what about both --source and --repo provided?
We don't allow inputting --source and --repo together.
When --source and --repo are input together, it throws:
Cannot use --source and --repo together. Can either deploy from a local directory or a Github repo
For --repo, it will create a GitHub action with sourcecontrols; it uses the ACR registry to create the GitHub action.
registry_username=app.registry_user,
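Review bot: `registry_username=app.registry_user` is passed straight through on the `--repo` path; with the new identity default, `app.registry_user` may be `None` when the user relied on managed identity, so this path should either force the ACR credential lookup first or fail early with a message that sourcecontrols require a username and password.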
The sourcecontrols doesn't support a registry with a registry identity. It only supports registry username and password.
system_sp = safe_get(self.containerapp_def, "identity", "principalId") | ||
|
||
# create system service principalId | ||
if system_sp is None and is_registry_msi_system(identity): |
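Review bot: the guard `system_sp is None and is_registry_msi_system(identity)` only fires once `identity` already resolves to `system`, so the create-without-`--registry-identity` path depends on `set_up_system_assigned_identity_as_default_if_using_acr()` having run earlier; state that dependency in the `# create system service principalId` comment and keep a test for the default path, not only the explicit `--registry-identity system` one.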
In this condition, only when the customer specifies system as the identity will we create the system principalId? Should we also create it in the default scenario?
Yes, we did.
For the default behavior, in `set_up_system_assigned_identity_as_default_if_using_acr`, it will set identity to `system`; then here it will create the system principalId too.
I have a test to cover it: `test_containerapp_registry_identity_system`
return | ||
registry_exists = False | ||
for r in registries_def: | ||
if r['server'].lower() == self.get_argument_registry_server().lower(): |
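Review bot: `r['server'].lower()` raises `KeyError` for a registry entry without a `server` key and `AttributeError` if the value is `None`; the loop walks `registries_def` rather than data this code built itself, so use `safe_get(r, 'server')` (already used elsewhere in this diff) or `(r.get('server') or '').lower()` and skip the entry rather than crashing mid-update.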
what if no 'server' in r?
Is there such a scenario? Is it a legal scenario?
if source: | ||
_get_registry_details_without_get_creds(cmd, app, source) | ||
if repo: |
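Review bot: same shape as the class-based path: `if source:` and `if repo:` are independent here too, so the exclusivity of `--source` and `--repo` rests entirely on the argument validator; a short comment naming that validator next to these branches would save the next reader the question.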
what if both source and repo provided?
This is not allowed.
When --source and --repo are input together, it throws:
Cannot use --source and --repo together. Can either deploy from a local directory or a Github repo
(code in `_validate_up_args`)
|
||
force_single_container_updates = False | ||
if source: | ||
app.get_acr_creds = False |
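Review bot: `app.get_acr_creds = False` is set whenever `source` is truthy, regardless of whether `--registry-username` or `--registry-password` was also passed; if a later create/update step re-enables the lookup for that case, say so in a comment here, because as written the flag reads as "never fetch ACR credentials for --source builds".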
once source is provided, you will never try to get acr creds?
With --source:
If the customer does not provide --registry-username, we will never try to get ACR creds.
If the customer provides --registry-username or --registry-password, we will try to get ACR creds in the next steps, `create_containerapp` or `update_containerapp`.
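The defaulting rules the author lays out across these replies (an ACR image under `up` gets the system-assigned identity, a half-specified credential pair goes through the ACR lookup, `--repo` can only use username/password, and no registry means a public image), as an added example that is not code from the containerapp extension. `PullArgs`, `resolve_pull_auth` and the `.azurecr.io` suffix check are assumptions made for this illustration.

```python
"""Decision model for the image-pull auth defaults discussed in this thread.
Constructed illustration, not the containerapp extension's own code: it encodes
the rules the author describes in the replies above."""
from dataclasses import dataclass
from typing import Optional

ACR_SUFFIX = ".azurecr.io"  # assumption: ACR login servers end with this suffix


@dataclass
class PullArgs:
    image: str
    command: str = "create"                  # "create" or "up"
    registry_server: Optional[str] = None    # --registry-server
    registry_identity: Optional[str] = None  # --registry-identity ("system" or a resource id)
    registry_user: Optional[str] = None      # --registry-username
    registry_pass: Optional[str] = None      # --registry-password
    source: Optional[str] = None             # --source (local directory)
    repo: Optional[str] = None               # --repo (GitHub repository)


def is_acr(server: Optional[str]) -> bool:
    return bool(server) and server.lower().endswith(ACR_SUFFIX)


def resolve_pull_auth(a: PullArgs) -> str:
    """Return the pull-auth mode the CLI would configure for these arguments."""
    if a.source and a.repo:
        raise ValueError("Cannot use --source and --repo together. "
                         "Can either deploy from a local directory or a Github repo")
    server = a.registry_server
    if server is None and a.command == "up":  # `up` infers the registry from an ACR image
        host = a.image.split("/")[0]
        server = host if is_acr(host) else None
    if server is None:
        return "public"                       # nothing added to configuration.registries
    if a.registry_user is not None and a.registry_pass is not None:
        return "credentials"
    if a.registry_user is not None or a.registry_pass is not None or a.repo:
        # A half-specified pair, or the GitHub Actions path (sourcecontrols cannot
        # use an identity), is completed by looking the admin credentials up in ACR.
        if is_acr(server):
            return "lookup-credentials"
        raise ValueError(f"registry {server} is not ACR: pass both username and password")
    if a.registry_identity is not None:
        return f"identity:{a.registry_identity}"
    if is_acr(server):
        return "identity:system"              # the default this PR introduces
    raise ValueError(f"registry {server} needs --registry-identity or username/password")
```

The last `raise` mirrors the data-plane rejection quoted above for a registry entry that carries neither credentials nor an identity.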
self.cmd.cli_ctx, registry_name | ||
) | ||
if self.get_acr_creds: | ||
self.registry_user, self.registry_pass, _ = _get_acr_cred( |
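Review bot: the wrapping here (`self.cmd.cli_ctx, registry_name` on one line, `)` alone on the next, then `_get_acr_cred(` left open) reads like two formatters disagreeing; wrap both calls the same way so the diff stays reviewable. Also, `self.registry_user, self.registry_pass, _ = _get_acr_cred(` keeps the admin password on the instance, so make sure nothing that dumps `self` (debug logging, error messages) can print it.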
the format looks strange
c.argument('user_assigned', nargs='+', help="Space-separated user identities to be assigned.") | ||
c.argument('system_assigned', help="Boolean indicating whether to assign system-assigned identity.", action='store_true') |
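Review bot: the `user_assigned` help text says "Space-separated user identities" without saying what form they take (full resource ID vs. name), and `system_assigned` is a bare `store_true`; the azure-cli managed_identity_command_guideline.md covers exactly this pair, so either document the accepted format in the help string or record in the PR why `up` must mirror `create` instead.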
Could you refer to the guideline https://github.com/Azure/azure-cli/blob/dev/doc/managed_identity_command_guideline.md to design these managed identity related parameters?
The new user_assigned and system_assigned parameters for the az containerapp up command are consistent with those for az containerapp create. We need to change them together, otherwise the user experience will be inconsistent.
OK, sounds good
This checklist is used to make sure that common guidelines for a pull request are followed.

Related command
- --registry-server use managed identity for image pull by default
- --registry-identity, --system-assigned, --user-assigned

General Guidelines
- Have you run `azdev style <YOUR_EXT>` locally? (`pip install azdev` required)
- Have you run `python scripts/ci/test_index.py -q` locally? (`pip install wheel==0.30.0` required)

For new extensions:

About Extension Publish
There is a pipeline to automatically build, upload and publish extension wheels. Once your pull request is merged into main branch, a new pull request will be created to update `src/index.json` automatically. You only need to update the version information in file setup.py and historical information in file HISTORY.rst in your PR but do not modify `src/index.json`.