"az containerapp create" missing `--registry-server` parameter
guice opened this issue · 4 comments
I'm trying to deploy an application, and I keep getting an error:
(InvalidParameterValueInContainerTemplate) The following field(s) are either invalid or missing. Field 'template.containers.appName-fe.image' is invalid with details: 'Invalid value: "[acr].azurecr.io/full-name-fe:aca-deploy": GET https:?scope=repository%3Afull-name-fe%3Apull&service=[acr].azurecr.io: UNAUTHORIZED: authentication required, visit https://aka.ms/acr/authorization for more information.';.
The command used is:
```bash
az containerapp create \
  -n appName-fe \
  -i [acr].azurecr.io/full-name-fe:aca-deploy \
  --environment appName-dev \
  --ingress external \
  --target-port 3000
```
The login used is successful:
```bash
CA_GH_ACTION_ACR_ACCESS_TOKEN=$(az acr login --name [acrName] --output json --expose-token | jq -r '.accessToken')
echo "CA_GH_ACTION_ACR_ACCESS_TOKEN=${CA_GH_ACTION_ACR_ACCESS_TOKEN}" >> $GITHUB_ENV
docker login [acr].azurecr.io -u 00000000-0000-0000-0000-000000000000 -p $CA_GH_ACTION_ACR_ACCESS_TOKEN
CA_GH_ACTION_REGISTRY_URL=[acr].azurecr.io
echo "CA_GH_ACTION_REGISTRY_URL=${CA_GH_ACTION_REGISTRY_URL}" >> $GITHUB_ENV
```
```
WARNING: You can perform manual login using the provided access token below, for example: 'docker login loginServer -u 00000000-0000-0000-0000-000000000000 -p accessToken'
WARNING! Using -*** the CLI is insecure. Use --password-stdin.
Login Succeeded
```
I have validated locally there is a missing parameter:
```
➜ full-name-fe git:(aca-deploy) ✗ az containerapp create \
  -g appName-dev \
  -n appName-fe \
  -i [acr].azurecr.io/full-name-fe:aca-deploy \
  --environment appName-api-dev \
  --ingress external \
  --target-port 3000
(InvalidParameterValueInContainerTemplate) The following field(s) are either invalid or missing. Field 'template.containers.appName-fe.image' is invalid with details: 'Invalid value: "[acr].azurecr.io/full-name-fe:aca-deploy": GET https:?scope=repository%3Afull-name-fe%3Apull&service=[acr].azurecr.io: UNAUTHORIZED: authentication required, visit https://aka.ms/acr/authorization for more information.';.
➜ full-name-fe git:(aca-deploy) ✗ az containerapp create \
  -g appName-dev \
  -n appName-fe \
  -i [acr].azurecr.io/full-name-fe:aca-deploy \
  --environment appName-api-dev \
  --ingress external \
  --target-port 3000 \
  --registry-server [acr].azurecr.io
No credential was provided to access Azure Container Registry. Trying to look up credentials...
Adding registry password as a secret with name "ecrazurecrio-ecrname"
/ Running ..^C
➜ full-name-fe git:(aca-deploy) ✗
```
All I did was add `--registry-server [acr].azurecr.io` to the CLI command.
I can't find anywhere to get this action to also add this parameter. `acrName` and `registryUrl` cannot be used together. Is there some `registryServer` variable not documented?
The Azure setup is two resource groups; I'll use RG-A and RG-B.
- RG-A contains the [acrName] registry
- RG-B is the deployment target resource group
- The action parameters use `resourceGroup: RG-B`.
- GitHub login is done via federated credentials, and logs in successfully in a previous step in the same job workflow.
Action Definition:
```yaml
- name: ACA Deploy
  uses: azure/container-apps-deploy-action@v1
  with:
    acrName: [acrName]
    # registryUrl: ${{ vars.REGISTRY_LOGIN_SERVER }}
    imageToDeploy: [..] # [acr].azurecr.io/full-name-fe:aca-deploy from cli above
    resourceGroup: [..] # "RG-B" mentioned above
    containerAppName: appName-fe
    environmentVariables: # {junk stuff I'm leaving out}
    targetPort: 3000
    containerAppEnvironment: appName-dev
```
Related: Azure/azure-cli-extensions#5238
After talking to one of the ACA PMs, I learned that I needed to specify the --registry-server argument.
For those that run across this, I found a hack that so totally worked. It's a good thing there's no input validation - code injection FTW.
```yaml
- name: ACA Deploy
  uses: azure/container-apps-deploy-action@v1
  with:
    # [... snip ..]
    targetPort: 3000 --registry-server ${{ vars.REGISTRY_LOGIN_SERVER }}
    # [... snip ..]
```
Command that was run within the pipeline:
```bash
az containerapp up \
  -g [rg-b] \
  -n [appName] \
  -i ecrName.azurecr.io/[repo]:aca-deploy \
  --target-port 3000 --registry-server [ecrName].azurecr.io \
  \
  --env-vars NEXTAUTH_URL=*** \
```
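The workaround above succeeds because the `targetPort` value reaches the `az containerapp` command line without validation, so a space inside it starts a new argument. An added example, not the action's own code, of checking such inputs and passing each one as a single argument; the function names are hypothetical and `example.azurecr.io` is a constructed value:

```shell
#!/bin/sh
# Added example: validate workflow inputs before they become CLI arguments.

# Accept only a decimal TCP port in 1..65535. Spaces, dashes and extra
# flags all fail the digits-only check.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Accept only a bare host name (letters, digits, dots, hyphens) that does
# not start with '-', so it can never be parsed as an option.
valid_registry_host() {
  case "$1" in
    ''|-*|*[!A-Za-z0-9.-]*) return 1 ;;
  esac
  return 0
}

# Build the argument vector for `az`, one argument per output line.
# Each input stays a single quoted argument; invalid input aborts the build.
build_create_args() {
  name=$1 image=$2 port=$3 registry=$4
  valid_port "$port" || { echo "rejected targetPort: $port" >&2; return 1; }
  set -- containerapp create -n "$name" -i "$image" --target-port "$port"
  if [ -n "$registry" ]; then
    valid_registry_host "$registry" ||
      { echo "rejected registry server: $registry" >&2; return 1; }
    set -- "$@" --registry-server "$registry"
  fi
  printf '%s\n' "$@"
}

# Constructed inputs: a plain port, then the value used in the workaround.
for p in "3000" "3000 --registry-server example.azurecr.io"; do
  if build_create_args appName-fe example.azurecr.io/full-name-fe:tag "$p" "" \
      >/dev/null 2>&1
  then echo "accepted: $p"
  else echo "rejected: $p"
  fi
done
```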
@guice Hey Philip, thanks for filing this issue (along with the very fun workaround 😄)
The action currently sets the `--registry-server` argument (along with `--registry-username` and `--registry-password`) based on two different sets of inputs provided:
- ACR provided: `acrName`, `acrUsername` and `acrPassword`
- General registry provided: `registryUrl`, `registryUsername` and `registryPassword`

If you're providing `acrName` when calling this action, then you can also provide the `acrUsername` and `acrPassword` inputs to ensure that the `--registry-*` arguments are provided to the `create` or `up` command call made under-the-hood.
Is this a sufficient solution, or are you trying to avoid providing secret values for the `acrUsername` and `acrPassword` inputs with this action? Just want to ensure I understand your scenario.
> or are you trying to avoid providing secret values for the acrUsername and acrPassword inputs with this action

This. I'm logging in using OIDC via federated credentials. I'm avoiding using username / password combinations.

> If you're providing acrName when calling this action, then you can also provide the acrUsername and acrPassword inputs

How about allowing `registryUrl` with `acrName` and use it on `--registry-server` if provided? I don't know exactly all the combinations here. So, take my suggestion with a grain of salt. I do see, currently, you do not allow the combination of the two. Allowing registryUrl and acrName would remove the need for the tertiary acrName and acrUsername and acrPassword checks.