microsoft / azure-container-apps

Roadmap and issues for Azure Container Apps
MIT License

Managed Certificates #607

Open SophCarp opened 1 year ago

SophCarp commented 1 year ago

ETA: Public Preview by end of March 2023

13excite commented 9 months ago

Certificate name of custom domains is generated automatically in the format $domain_name-$resource_group_name[:8]-$datetime. And it's with resource_group_name[:8] that problems arise. If the slice of 8 characters from the resource group ends in -, then the code doesn't check this and as a result it generates a double dash in the name, and the resource name looks like this: test.example-prod-ds--231211091022

Even according to the Microsoft guidelines, the resource name should be in the format my-super-resource-name: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming

Also, many TF providers have checks for the correctness of the name, for example azurerm https://github.com/hashicorp/terraform-provider-azurerm/blob/main/internal/services/batch/validate/certificate_name.go#L13
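To make the edge case concrete, here is an added example (not code from Azure Container Apps; the generation rule is taken from the description above, and trimming the trailing dash is an assumed fix, not the service's): it builds the name from the 8-character resource-group slice, shows the double dash, and checks a name against the single-dash form the linked guideline expects.

```shell
# Added example, not the service's code. Rule as described in the thread:
#   $domain_name-$resource_group_name[:8]-$datetime

# Generator as described: uses the first 8 characters of the resource group as-is.
aca_cert_name_buggy() {
    domain=$1; rg=$2; datetime=$3
    slice=$(printf '%.8s' "$rg")
    printf '%s-%s-%s\n' "$domain" "$slice" "$datetime"
}

# Assumed fix: strip any trailing '-' from the slice so the joined name never
# contains "--"; if nothing is left of the slice, omit that segment entirely.
aca_cert_name_fixed() {
    domain=$1; rg=$2; datetime=$3
    slice=$(printf '%.8s' "$rg")
    while [ "${slice%-}" != "$slice" ]; do slice=${slice%-}; done
    if [ -n "$slice" ]; then
        printf '%s-%s-%s\n' "$domain" "$slice" "$datetime"
    else
        printf '%s-%s\n' "$domain" "$datetime"
    fi
}

# Validator in the spirit of the naming guideline: reject names that start or
# end with '-' or contain consecutive dashes. Returns 0 when the name is fine.
check_resource_name() {
    case "$1" in
        -*|*-|*--*) return 1 ;;
    esac
    return 0
}

# Demo with a constructed resource group ("prod-ds-eu") whose first 8 characters
# end in '-', which is exactly the case reported above.
main() {
    buggy=$(aca_cert_name_buggy test.example prod-ds-eu 231211091022)
    fixed=$(aca_cert_name_fixed test.example prod-ds-eu 231211091022)
    if check_resource_name "$buggy"; then echo "ok:       $buggy"; else echo "rejected: $buggy"; fi
    if check_resource_name "$fixed"; then echo "ok:       $fixed"; else echo "rejected: $fixed"; fi
}
main
```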

dbeattie71 commented 6 months ago

With Pulumi, I've provisioned afd domains and used a managed certificate, it works great. ACA needs that :)

mcx808 commented 6 months ago

@linxcat - there is a resolution here which is that the functionality is provided by an extension:

https://github.com/MicrosoftDocs/azure-docs/issues/116721

I think the baffling documentation is still an issue though.

hoxton-webmaster commented 5 months ago

Since there is no way to easily set up a managedCertificate using Bicep, has anyone found a way of preventing the deletion of a manually added custom domain when redeploying the container app with a new image version? This would also help when your hosted zone is not managed in Azure.

@kobeyy did you find the solution for this?

kobeyy commented 5 months ago

@hoxton-webmaster I managed to find a workaround by using the Azure CLI to first look up the id of the managed certificate and fill it in using a shell script. Since it was this difficult and hacky to get it working, I decided to not use this Azure service as it is premature in my opinion. We halted our roll out to production because of this.

I've added the complete script below as a text file.

...

# Workaround to prevent deletion of the custom domain binding by Bicep on a redeploy.
# RESOURCE_GROUP, SCRIPT_DIR and PARAMETER_FILE are set in the elided part of the script.

# Look up the first managed environment in the resource group and return one
# JMESPath field of its first managed certificate (empty output if there is none).
get_custom_domain_field() {
    local field="$1"
    local subscription_id managedEnvironments firstContainerAppEnv
    subscription_id=$(az account show --query 'id' -o tsv)
    managedEnvironments="/subscriptions/$subscription_id/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.App/managedEnvironments/"
    firstContainerAppEnv=$(az resource show --ids "$managedEnvironments" --query 'value[0].id' -o tsv)
    # No environment yet: return nothing so the caller skips the parameter
    [ -n "$firstContainerAppEnv" ] || return 0
    az resource show --ids "$firstContainerAppEnv/managedCertificates/" --query "$field" -o tsv
}
get_custom_domain_id() {
    get_custom_domain_field 'value[0].id'
}
get_custom_domain_name() {
    get_custom_domain_field 'value[0].properties.subjectName'
}

# Function to deploy template
deploy_template() {
    local template_file="$SCRIPT_DIR/$1"
    echo "Deploying template: $template_file"

    # Build the argument list as an array rather than a string passed to eval,
    # so values containing spaces or quotes can neither break nor inject into
    # the command line. Everything appended below follows --parameters.
    local -a azure_args=(deployment group create
        --template-file "$template_file"
        --resource-group "$RESOURCE_GROUP"
        --parameters "@$PARAMETER_FILE")

    # Workaround to prevent deletion of the custom domain binding by Bicep on a redeploy
    # Inject the manually created custom domain binding into the deployment
    local customDomainCertId customDomainCertName
    customDomainCertId=$(get_custom_domain_id)
    if [ -n "$customDomainCertId" ]; then
        azure_args+=("customDomainCertificateId=$customDomainCertId")
    fi

    customDomainCertName=$(get_custom_domain_name)
    if [ -n "$customDomainCertName" ]; then
        azure_args+=("customDomainName=$customDomainCertName")
    fi

    # Conditionally add parameters
    if [ -n "$CONTAINER_REGISTRY_USER" ]; then
        azure_args+=("containerRegistryUsername=$CONTAINER_REGISTRY_USER")
    fi
    if [ -n "$PHP_CONTAINER_IMAGE" ]; then
        azure_args+=("phpContainerImage=$PHP_CONTAINER_IMAGE")
    fi
    if [ -n "$NGINX_CONTAINER_IMAGE" ]; then
        azure_args+=("nginxContainerImage=$NGINX_CONTAINER_IMAGE")
    fi
    if [ -n "$IMAGE_TAG" ]; then
        azure_args+=("imageTag=$IMAGE_TAG")
    fi

    # Log the command before the registry password is appended, so the secret
    # never lands in the build output
    echo "Executing command: az ${azure_args[*]}"
    if [ -n "$CONTAINER_REGISTRY_PASSWORD" ]; then
        azure_args+=("containerRegistryPassword=$CONTAINER_REGISTRY_PASSWORD")
    fi
    az "${azure_args[@]}"
}

deploy_template "deploy.bicep"

full script

ExplorerSunil commented 1 month ago

Is it possible to create a wildcard subdomain certificate using Container Apps? I couldn't get it working. I'm using the Azure portal to create certificates.