farmer icon indicating copy to clipboard operation
farmer copied to clipboard
verified publisher icon CompositionalIT

Can't supply container registry credentials to Container App.

Open isaacabraham opened this issue 3 years ago • 7 comments

Something is up with the Container App / Container Registry integration. I could swear that this worked a month or so ago, but I tried creating a new container app service today. This is the offending line:

containerApp {
    reference_registry_credentials [ Arm.ContainerRegistry.registries.resourceId mySuperRegistry.Name ]
}

where mySuperRegistry is an Azure container registry that already exists.

When I try an deploy the container app, I get the following validation error:

{'code': 'ContainerAppInvalidPropertyValue', 'message': "Property 'secrets.name' has an invalid value '[listCredentials(resourceId('Microsoft.ContainerRegistry/registries', 'mySuperRegistry'), '2019-05-01').username]'. A value must consist of lower case alphanumeric characters, '-'
 or '.', and must start and end with an alphanumeric character."}
)

Here's an extract of the raw ARM template:

          "registries": [
            {
              "passwordSecretRef": "[listCredentials(resourceId('Microsoft.ContainerRegistry/registries', 'mySuperRegistry'), '2019-05-01').username]",
              "server": "[reference(resourceId('Microsoft.ContainerRegistry/registries', 'mySuperRegistry'), '2019-05-01').loginServer]",
              "username": "[listCredentials(resourceId('Microsoft.ContainerRegistry/registries', 'mySuperRegistry'), '2019-05-01').username]"
            }
          ],
          "secrets": [
            {
              "name": "[listCredentials(resourceId('Microsoft.ContainerRegistry/registries', 'mySuperRegistry'), '2019-05-01').username]",
              "value": "[listCredentials(resourceId('Microsoft.ContainerRegistry/registries', 'mySuperRegistry'), '2019-05-01').passwords[0].value]"
            }
          ]

It's almost as though ARM hasn't seen that secrets.name is an expression, and has instead tried to parse the expression as a raw string.

@ninjarobot Have you any idea about this - or if this ever used to work? @anthonychu has anything changed in the way that secret names are handled in terms of ARM template support - maybe something has changed since the namespace move?

isaacabraham avatar Apr 29 '22 21:04 isaacabraham

Sounds like it’s the same as this https://github.com/microsoft/azure-container-apps/issues/153

anthonychu avatar Apr 30 '22 06:04 anthonychu

Ok, at least I'm not imagining things! Thanks

isaacabraham avatar Apr 30 '22 12:04 isaacabraham

Just hit this as well, this line does not pass the template validation, which I think is a different issue - ARM doesn't seem to be evaluating the name expression, treating it as a constant instead.

et1975 avatar May 03 '22 16:05 et1975

@et1975 that's exactly the same issue :-)

isaacabraham avatar May 04 '22 15:05 isaacabraham

I was referring to the linked ARM/biceps issue, which is specifically about naming of the registry. The PR I have opened fixed both issues.

et1975 avatar May 04 '22 15:05 et1975

I see! I think it's the same underlying issue - ARM isn't evaluating expressions in the template in certain fields.

The fix you've put in is of course a really nice workaround, by not using an ARM expression at all.

isaacabraham avatar May 05 '22 21:05 isaacabraham

@isaacabraham - looking to close this one if the fix solved the issue?

martinbryant avatar Sep 01 '23 10:09 martinbryant