Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Container App Update Fails from null secrets #259

Closed
2 tasks
lastcoolnameleft opened this issue Jun 8, 2022 · 11 comments
Closed
2 tasks

Container App Update Fails from null secrets #259

lastcoolnameleft opened this issue Jun 8, 2022 · 11 comments
Labels
bug Something isn't working investigating currently looking into the issue

Comments

@lastcoolnameleft
Copy link

Please provide us with the following information:

This issue is a: (mark with an x)

  • [ X ] bug report -> please search issues before submitting
  • documentation issue or request
  • regression (a behavior that used to work and stopped in a new release)

Issue description

There appears to be an issue where a Container Registry secret was created from a previous Container App, but is null and it prevents other Container Apps from being modified.

Steps to reproduce

Create a Container App and specify registry credentials.
Create another container app and don't specify registry credentials.
Try to update the 2nd container app YAML and it fails with secrets being null.

az containerapp create \
  --name $ACA_WEB_NAME \
  --resource-group $RESOURCE_GROUP \
  --image $ACA_WEB_IMAGE \
  --environment $ACA_ENV_NAME \
  --target-port 3334 \
  --ingress 'external' \
  --registry-server $REGISTRY_SERVER \
  --registry-username $REGISTRY_USERNAME \
  --registry-password $REGISTRY_PASSWORD \
  --cpu 0.5 --memory 1.0Gi \
  --min-replicas 1 
             

➜  ACA_NAME=helloworld

➜  az containerapp create \
  --name $ACA_NAME \
  --resource-group $RESOURCE_GROUP \
  --environment $ACA_ENV_NAME \
  --image mcr.microsoft.com/azuredocs/containerapps-helloworld:latest \
  --target-port 80 \
  --ingress 'external' \
  --query properties.configuration.ingress.fqdn
Command group 'containerapp' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
- Running ..
Container app created. Access your app at https://helloworld.livelycliff-917e6386.eastus.azurecontainerapps.io/

"helloworld.livelycliff-917e6386.eastus.azurecontainerapps.io"

➜  az containerapp show -n $ACA_WEB_NAME -g $RESOURCE_GROUP -o yaml > helloworld.yaml

WARNING: Command group 'containerapp' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus

## NOTE.  No changes to helloworld.yaml have been made.  But in the file, there is a refernce to a secret that I don't think should be there from a previous Container App.  
"spaghettidetective" is a Container App I created beforehand.

properties:
  configuration:
    registries:
    - passwordSecretRef: spaghettidetectiveazurecrio-spaghettidetective
      server: spaghettidetective.azurecr.io
      username: spaghettidetective
    secrets:
    - name: spaghettidetectiveazurecrio-spaghettidetective

➜  az containerapp update -n $ACA_WEB_NAME -g $RESOURCE_GROUP --yaml helloworld.yaml
Command group 'containerapp' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Invalid Request: Container app secret(s) with name(s) 'spaghettidetectiveazurecrio-spaghettidetective' cannot have a value of null.

Expected behavior

I expect to be able to update an un-modified configuration without error. Ultimately, I'd like to be able to modify the YAML to add a mount, but this prevents me from getting that far.

Actual behavior

Updating the Container App YAML fails, even if it's unmodified. I believe it's due to a Contaienr Registry secret from a previous Container App.

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context

Ex. Did this issue occur in the CLI or the Portal?

@ghost ghost added the Needs: triage 🔍 Pending a first pass to read, tag, and assign label Jun 8, 2022
@lastcoolnameleft
Copy link
Author

After playing with it some more, it appears that the same issue occurs when updating a Container App which uses a Private Registry

ACR_NAME=spaghettidetective
REGISTRY_SERVER=${ACR_NAME}.azurecr.io
REGISTRY_USERNAME=$(az acr credential show -n $ACR_NAME --query username -o tsv)
REGISTRY_PASSWORD=$(az acr credential show -n $ACR_NAME --query "passwords[0].value" -o tsv)
ACA_WEB_NAME=web
ACA_WEB_IMAGE=spaghettidetective.azurecr.io/obico-server-web:4

az containerapp create \
  --name $ACA_WEB_NAME \
  --resource-group $RESOURCE_GROUP \
  --image $ACA_WEB_IMAGE \
  --environment $ACA_ENV_NAME \
  --target-port 3334 \
  --ingress 'external' \
  --registry-server $REGISTRY_SERVER \
  --registry-username $REGISTRY_USERNAME \
  --registry-password $REGISTRY_PASSWORD \
  --cpu 0.5 --memory 1.0Gi \
  --min-replicas 1
az containerapp show -n $ACA_WEB_NAME -g $RESOURCE_GROUP -o yaml > web_app.yaml
# Don't change the yaml
az containerapp update -n $ACA_WEB_NAME -g $RESOURCE_GROUP --yaml web_app.yaml

Command group 'containerapp' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Invalid Request: Container app secret(s) with name(s) 'spaghettidetectiveazurecrio-spaghettidetective' cannot have a value of null.

@dariagrigoriu dariagrigoriu added investigating currently looking into the issue Needs: Author Feedback and removed Needs: triage 🔍 Pending a first pass to read, tag, and assign labels Jun 13, 2022
@dariagrigoriu
Copy link
Collaborator

This issue should be addressed by end of June.

@ghost
Copy link

ghost commented Jun 18, 2022

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment.

@evklein
Copy link

evklein commented Jul 7, 2022

Did this get closed out? I am getting this in the exact same circumstances.

@georgeOsdDev
Copy link

Same issue here.
az containerapp show not contains secret value but only secret name, so we could not reuse exported yaml if container app use secret for below scenario.

https://docs.microsoft.com/en-us/azure/container-apps/storage-mounts?pivots=aca-cli#azure-files

@georgeOsdDev
Copy link

@torosent torosent added bug Something isn't working and removed Needs: Author Feedback labels Jul 8, 2022
@StrawnSC
Copy link

Hey all, sorry about this. The problem here is that the update command uses a GET followed by a PUT to perform the update. Since the GET API doesn't return secrets, the update fails. We currently have a PR in review to change the CLI to use the PATCH API to perform updates with az containerapp update. This change should go out with the next version of the CLI extension

@torosent
Copy link
Member

ref #299 (comment)

@ioaccept
Copy link

Hello I have the same problem. Does anyone have an idea for a workaround? When can I expect the next version?

@ranjeetkpGit
Copy link

Can not use Azure Container Registry with 'az containerapp update'
Hi ,

I am not able to use Azure Container Registry with 'az containerapp update' command in following way

  • If Admin enabled in Azure Container Registry - Throws Unauthorized error

  • If Admin not enabled in Azure Container Registry - Throws Unauthorized error

Is there any way to use Azure container Registry with 'az containerapp update' command?

@kendallroden
Copy link
Contributor

Hi @ranjeetkpGit please create a new issue if you are experiencing this problem as it is unrelated to the initial report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working investigating currently looking into the issue
Projects
None yet
Development

No branches or pull requests

9 participants