search

CompositionalIT / farmer

Repeatable Azure deployments with ARM templates - made easy!
https://compositionalit.github.io/farmer
MIT License
527 stars 157 forks source link

Can't supply container registry credentials to Container App. #921

Open isaacabraham opened 2 years ago

isaacabraham commented 2 years ago

Something is up with the Container App / Container Registry integration. I could swear that this worked a month or so ago, but I tried creating a new container app service today. This is the offending line:

containerApp {
    reference_registry_credentials [ Arm.ContainerRegistry.registries.resourceId mySuperRegistry.Name ]
}

where mySuperRegistry is an Azure container registry that already exists.

When I try an deploy the container app, I get the following validation error:

{'code': 'ContainerAppInvalidPropertyValue', 'message': "Property 'secrets.name' has an invalid value '[listCredentials(resourceId('Microsoft.ContainerRegistry/registries', 'mySuperRegistry'), '2019-05-01').username]'. A value must consist of lower case alphanumeric characters, '-'
 or '.', and must start and end with an alphanumeric character."}
)

Here's an extract of the raw ARM template:

          "registries": [
            {
              "passwordSecretRef": "[listCredentials(resourceId('Microsoft.ContainerRegistry/registries', 'mySuperRegistry'), '2019-05-01').username]",
              "server": "[reference(resourceId('Microsoft.ContainerRegistry/registries', 'mySuperRegistry'), '2019-05-01').loginServer]",
              "username": "[listCredentials(resourceId('Microsoft.ContainerRegistry/registries', 'mySuperRegistry'), '2019-05-01').username]"
            }
          ],
          "secrets": [
            {
              "name": "[listCredentials(resourceId('Microsoft.ContainerRegistry/registries', 'mySuperRegistry'), '2019-05-01').username]",
              "value": "[listCredentials(resourceId('Microsoft.ContainerRegistry/registries', 'mySuperRegistry'), '2019-05-01').passwords[0].value]"
            }
          ]

It's almost as though ARM hasn't seen that secrets.name is an expression, and has instead tried to parse the expression as a raw string.

@ninjarobot Have you any idea about this - or if this ever used to work? @anthonychu has anything changed in the way that secret names are handled in terms of ARM template support - maybe something has changed since the namespace move?

anthonychu commented 2 years ago

Sounds like it’s the same as this https://github.com/microsoft/azure-container-apps/issues/153

isaacabraham commented 2 years ago

Ok, at least I'm not imagining things! Thanks

et1975 commented 2 years ago

Just hit this as well, this line does not pass the template validation, which I think is a different issue - ARM doesn't seem to be evaluating the name expression, treating it as a constant instead.

isaacabraham commented 2 years ago

@et1975 that's exactly the same issue :-)

et1975 commented 2 years ago

I was referring to the linked ARM/biceps issue, which is specifically about naming of the registry. The PR I have opened fixed both issues.

isaacabraham commented 2 years ago

I see! I think it's the same underlying issue - ARM isn't evaluating expressions in the template in certain fields.

The fix you've put in is of course a really nice workaround, by not using an ARM expression at all.

martinbryant commented 1 year ago

@isaacabraham - looking to close this one if the fix solved the issue?