I'm trying to set up my first Azure Container Apps cloud deployment.
As multiple containers are involved, I want to utilize the sub command az containerapp compose create referencing our private docker registry (command line parameters --registry-username, --registry-password).
It seems that the registry password will be stored in a secret; the automatic secret creation fails due to naming conventions:
$ az containerapp compose create --environment my-containers --resource-group my-rg --registry-server dockerregistry.acme.com --registry-username [email protected] --registry-password <my-pw> --compose-file-path ./compose.yaml
Adding registry password as a secret with name "[email protected]"
(ContainerAppInvalidPropertyValue) Property 'secrets.name' has an invalid value '[email protected]'. A value must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character.
...
Now I tried to set up a secret up front, to reference it in the command, as the documentation states:
--registry-password
The password to log in to container registry. If stored as a secret, value must start with 'secretref:' followed by the secret name.
But now I'm facing a chicken-and-egg problem: To create a containerapp secret, I have to reference an existing containerapp:
az containerapp secret set --resource-group my-rg --name docker-registry --secrets [email protected] password=<my-pw>
The containerapp 'docker-registry' does not exist
I'm most probably mixing up secret types (a secret visible inside a container is systematically different from a secret that is used to connect to a registry with the purpose of spinning up the container), but the documentation is rather thin here.
Can someone help me out here?
Thanks a lot in advance for any hint.
Update:
Finally I managed to resolve this with Terraform, where I could manage the secret in combination with container creation and at the same time specify the secret's name explicitly; this - however - does not use the original az sub command "compose"; it seems to me that this path is not yet well finished; e.g. there's no support for tearing down a compose infrastructure :(.
Azure itself does seem to promote "managed identities" instead, but I'm not sure whether that works for non-Azure registries.
Following GitHub issues, it seems that direct configurative access from container apps to key vault secrets is still on their todo-list, while it should be out as a preview soon:
https://github.com/microsoft/azure-container-apps/issues/608
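The naming rule quoted in the error message above, as an added shell example (not part of the original post and not code from the az CLI): it checks a candidate secret name against that rule and derives a conforming name from a registry username. The function names and the sample usernames are constructed, and only the rule stated in the quoted error is checked.

```shell
#!/bin/sh
# Added example. Rule taken from the quoted error: lower case alphanumeric
# characters, '-' or '.', starting and ending with an alphanumeric character.
# Function names are hypothetical; sample usernames are constructed.

# Exit status 0 if $1 satisfies the rule, 1 otherwise.
# The body runs in a subshell so the LC_ALL change stays local to the check.
is_valid_secret_name() (
    LC_ALL=C
    case $1 in
        ''|*[!a-z0-9.-]*) exit 1 ;;        # empty, or a disallowed character
        [!a-z0-9]*|*[!a-z0-9]) exit 1 ;;   # first or last char not alphanumeric
    esac
    exit 0
)

# Derive a conforming name from an arbitrary registry username: lower-case it,
# map each disallowed character to '-', collapse runs of '-', then strip
# leading and trailing characters that are not alphanumeric.
secret_name_from_username() {
    name=$(printf '%s' "$1" \
        | LC_ALL=C tr '[:upper:]' '[:lower:]' \
        | LC_ALL=C sed -e 's/[^a-z0-9.-]/-/g' -e 's/--*/-/g' \
                       -e 's/^[^a-z0-9]*//' -e 's/[^a-z0-9]*$//')
    # A username with no usable characters cannot be mapped: fail loudly
    # instead of returning an empty or still-invalid name.
    if ! is_valid_secret_name "$name"; then
        printf 'cannot derive a secret name from: %s\n' "$1" >&2
        return 1
    fi
    printf '%s\n' "$name"
}

# Constructed sample usernames, including an e-mail style one with '@'.
for u in 'Deploy.Bot@Example.COM' '_svc__user_'; do
    printf '%s -> %s\n' "$u" "$(secret_name_from_username "$u")"
done
```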
I followed the steps below to create an Azure Container App.
I created an Azure Key Vault and stored the password in the Key Vault using the following commands.
Store the Container Registry secret in Key Vault using the command below.
Output:
Once I ran the above commands, the Azure Container App was created successfully in the portal.