How do I supply a secret to az containerapps compose


I'm trying to set up my first Azure Container Apps cloud deployment.

As multiple containers are involved, I want to utilize the subcommand

    az containerapp compose create

referencing our private docker registry (command line parameters --registry-username, --registry-password).

It seems that the registry password will be stored in a secret; the automatic secret creation fails due to naming conventions:

    $ az containerapp compose create --environment my-containers --resource-group my-rg --registry-server dockerregistry.acme.com --registry-username [email protected] --registry-password <my-pw> --compose-file-path ./compose.yaml
    Adding registry password as a secret with name "[email protected]"
    (ContainerAppInvalidPropertyValue) Property 'secrets.name' has an invalid value '[email protected]'. A value must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character.
    ...

Now I tried to set up a secret up front, to reference it in the command, as the documentation states:

--registry-password
The password to log in to container registry. If stored as a secret, value must start with 'secretref:' followed by the secret name.

(https://learn.microsoft.com/en-us/cli/azure/containerapp/compose?view=azure-cli-latest#az-containerapp-compose-create).

But now I'm facing a chicken-and-egg problem: to create a containerapp secret, I have to reference an existing containerapp:

    az containerapp secret set --resource-group my-rg --name docker-registry --secrets [email protected] password=<my-pw>
    The containerapp 'docker-registry' does not exist

cf. https://learn.microsoft.com/en-us/cli/azure/containerapp/secret?view=azure-cli-latest#az-containerapp-secret-set

I'm most probably mixing up secret types (a secret visible inside a container is systematically different from a secret that is used to connect to a registry with the purpose of spinning up the container), but the documentation is rather thin here.

Can someone help me out here?

Thanks a lot in advance for any hint.

Update:

Finally I managed to resolve this with Terraform, where I could manage the secret in combination with container creation and at the same time specify the secret's name explicitly. This, however, does not use the original az subcommand "compose"; it seems to me that this path is not yet well finished, e.g. there's no support for tearing down a compose infrastructure :(.

Azure itself does seem to promote "managed identities" instead, but I'm not sure whether that works for non-Azure registries.

Following the GitHub issues, it seems that direct configuration access from Container Apps to Key Vault secrets is still on their to-do list, but should be out as a preview soon:

https://github.com/microsoft/azure-container-apps/issues/608
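
The naming rule quoted in the error message in the question can be checked before a deployment is attempted. The following is an added example, not part of the original post or of the Azure CLI; the function names and sample usernames are constructed, and it implements only the rule as quoted in that error (any other limit the service may apply is not covered).

```shell
#!/bin/sh
# Added example: validate Container Apps secret names against the rule quoted
# in the ContainerAppInvalidPropertyValue error, and derive a compliant name.
# Function names and sample usernames are constructed for illustration.
LC_ALL=C; export LC_ALL   # make [a-z] mean ASCII lower case only

# Succeeds only for lower-case alphanumerics, '-' or '.', with an
# alphanumeric first and last character.
is_valid_secret_name() {
    case $1 in
        '' | *[!a-z0-9.-]*) return 1 ;;      # empty, or a forbidden character
        [!a-z0-9]* | *[!a-z0-9]) return 1 ;; # bad first or last character
    esac
    return 0
}

# Prints a compliant name derived from $1; fails if nothing usable remains.
to_secret_name() {
    candidate=$(printf '%s\n' "$1" \
        | tr 'A-Z' 'a-z' \
        | sed -e 's/[^a-z0-9.-]/-/g' -e 's/^[^a-z0-9]*//' -e 's/[^a-z0-9]*$//')
    is_valid_secret_name "$candidate" || return 1
    printf '%s\n' "$candidate"
}

# Constructed sample registry usernames.
for user in 'registryuser' 'ci-bot@example.com' 'Deploy_Bot' '-svc.' '@@@'; do
    if is_valid_secret_name "$user"; then
        printf '%-20s valid as a secret name\n' "$user"
    elif fixed=$(to_secret_name "$user"); then
        printf '%-20s invalid, could use: %s\n' "$user" "$fixed"
    else
        printf '%-20s invalid, no usable characters\n' "$user"
    fi
done
```

A derived name like this only helps where the secret name can be set explicitly, as in the Terraform approach described in the update.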


There is 1 best solution below


I have followed the steps below to create an Azure Container App.

I have created an Azure Key Vault and stored the password in the Key Vault using the following commands.

  1. Store the container registry secret in Key Vault using the command below.

        az keyvault secret set --vault-name kamalikeyvault --name registry-password --value "upIWaixxxxxxxxxxxJ/UD/BeqJOHxceYlg8i+ACRAf7Lvc"

  2. Create a container app using the commands below.

        # Read the secret from Key Vault (the CLI returns JSON)
        $s = az keyvault secret show --name "registry-password" --vault-name "venkatvaulttest"
        $r = $s | ConvertFrom-Json
        $result = $r.value
        # Echoes the secret value to the console
        $result
        # Pass the secret value as the registry password
        az containerapp compose create --environment "venkatcontainerregistry" --resource-group "vnkat-RG" --registry-server venkatcontainerregistry.azurecr.io --registry-username "venkatcontainerregistry" --registry-password $result --compose-file-path /home/dasari/docker-compose.yaml



Once I ran the above commands, the Azure Container App was created successfully in the portal.
