Azure / container-apps-deploy-pipelines-task

Azure Pipelines Task (Release Candidate) for building and deploying Azure Container Apps
MIT License

[BLOCKING] Can't specify --registry-identity parameter #44

Open julioct opened 1 month ago

julioct commented 1 month ago

When creating a container app, you can use the --registry-identity parameter to avoid using a username/password combination when ACA needs to authenticate with ACR to pull the image to deploy.

As a side benefit, this also sets the User-assigned managed identity that the container app will use, which is key to let the container app access several other Azure resources without the need for connection strings or any sort of API keys.

However, I can't find a way to specify the --registry-identity parameter with the AzureContainerAppsRC task.

As a workaround, I tried injecting the missing parameter into the ingress parameter, which is very hacky:

  - job: Deploy

    variables:
      acrName: '[MYACR]'
      registryIdentity: '/subscriptions/[SUBSCRIPTIONID]/resourcegroups/[RESOURCE GROUP]/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mi-sfa5ktnjiw4d4'

    steps:
    - task: AzureContainerAppsRC@1
      displayName: 'Deploy to ACA'
      inputs:
        azureSubscription: 'Azure Sponsorship'
        imageToDeploy: '$(acrName).azurecr.io/catalog-service:$(Build.BuildNumber)'
        containerAppName: 'catalog-service'
        resourceGroup: 'rg-gamestore02'
        ingress: 'internal --registry-server $(acrName).azurecr.io --registry-identity $(registryIdentity)'
        acrName: '$(acrName)'

But this only works during initial app creation, not for subsequent updates, where the task fails due to it trying to update the ingress.

The command executed by the task:

az containerapp create -n catalog-service -g [RESOURCE GROUP] -i [MYACR].azurecr.io/catalog-service:1.0.33 --environment cae-sfa5ktnjiw4d4 --ingress internal --registry-server [MYACR].azurecr.io --registry-identity /subscriptions/[SUBSCRIPTIONID]/resourcegroups/[RESOURCE GROUP]/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mi-sfa5ktnjiw4d4 --target-port 8080

Can we either add support for the --registry-identity argument or just add an extraArguments argument where I can add any other desired arguments?

Also, notice that when specifying --registry-identity you also need to specify --registry-server, or it won't work.

julioct commented 1 month ago

Update: the --user-assigned parameter is also needed for this to work properly.

Here's the command I ended up using via the Azure CLI task:

- task: AzureCLI@2
  displayName: 'Deploy to ACA'
  inputs:
    azureSubscription: 'Azure Sponsorship'
    scriptType: 'pscore'
    scriptLocation: 'inlineScript'
    inlineScript: |
      # PowerShell: backticks continue the command onto the next line.
      # --registry-identity and --user-assigned both point at the same
      # user-assigned managed identity; both are required for the pull to work.
      az containerapp create `
      -n catalog-service `
      -g $(resourceGroup) `
      -i $(acrName).azurecr.io/catalog-service:$(Build.BuildNumber) `
      --environment $(containerAppEnv) `
      --ingress internal `
      --target-port 8080 `
      --registry-server $(acrName).azurecr.io `
      --registry-identity $(registryIdentity) `
      --user-assigned $(registryIdentity)
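As an added check that is not part of this task or the issue author's code, the Python function below audits `az containerapp show -o json` output for the two conditions this thread arrives at: each ACR entry must be bound to an identity rather than a username/password secret, and that identity must actually be assigned to the app (the --user-assigned step from the update). It assumes the JSON shape of the Microsoft.App/containerApps resource; the samples are constructed and the IDs are placeholders.

```python
import json

# Constructed samples in the shape of `az containerapp show -o json` (assumption:
# the Microsoft.App/containerApps ARM schema). IDs are placeholders, not real.
MI_ID = ("/subscriptions/[SUBSCRIPTIONID]/resourcegroups/[RESOURCE GROUP]/providers"
         "/Microsoft.ManagedIdentity/userAssignedIdentities/mi-sfa5ktnjiw4d4")

def _app(identity, registries):
    return json.dumps({"name": "catalog-service", "identity": identity,
                       "properties": {"configuration": {"registries": registries}}})

# Both flags present: identity-bound registry and identity assigned to the app.
SAMPLE_OK = _app({"type": "UserAssigned", "userAssignedIdentities": {MI_ID: {}}},
                 [{"server": "[MYACR].azurecr.io", "identity": MI_ID}])
# --registry-identity given but --user-assigned forgotten (the thread's update).
SAMPLE_UNASSIGNED = _app({"type": "None"},
                         [{"server": "[MYACR].azurecr.io", "identity": MI_ID}])
# Legacy admin-credential pull via a secret reference.
SAMPLE_PASSWORD = _app({"type": "None"},
                       [{"server": "[MYACR].azurecr.io", "username": "[MYACR]",
                         "passwordSecretRef": "acr-password"}])


def audit_registry_auth(show_output: str) -> list[str]:
    """Return findings for every registry that does not pull via an identity
    actually assigned to the app; an empty list means the config is clean."""
    app = json.loads(show_output)
    identity = app.get("identity") or {}
    id_type = identity.get("type", "None").lower()
    # Resource IDs are case-insensitive in Azure, so normalise before comparing.
    assigned = {k.lower() for k in (identity.get("userAssignedIdentities") or {})}
    findings = []
    for reg in app["properties"]["configuration"].get("registries") or []:
        server = reg.get("server", "<unknown>")
        ident = (reg.get("identity") or "").lower()
        if reg.get("username") or reg.get("passwordSecretRef"):
            findings.append(f"{server}: pulls with username/password secret, not an identity")
        if not ident:
            findings.append(f"{server}: no --registry-identity set")
        elif ident == "system":
            if "systemassigned" not in id_type:
                findings.append(f"{server}: uses system identity but app has none enabled")
        elif ident not in assigned:
            findings.append(f"{server}: identity {ident} is not assigned to the app "
                            "(--user-assigned missing)")
    return findings
```

Feed it the real `az containerapp show` output after a deployment to confirm the task (or the CLI workaround) left no password secret behind and attached the identity.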