-
Notifications
You must be signed in to change notification settings - Fork 1.6k
Support --token-store, --sas-url-secret, --sas-url-secret-name, --yes for container app auth #6660
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from 3 commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -8,6 +8,10 @@ | |
|
|
||
| from ._client_factory import handle_raw_exception | ||
| from .base_resource import BaseResource | ||
| from ._constants import BLOB_STORAGE_TOKEN_STORE_SECRET_SETTING_NAME | ||
| from ._utils import safe_set | ||
| from knack.prompting import prompt_y_n | ||
| from azure.cli.core.azclierror import ArgumentUsageError | ||
|
|
||
|
|
||
| class ContainerAppAuthDecorator(BaseResource): | ||
|
|
@@ -116,3 +120,40 @@ def get_argument_excluded_paths(self): | |
| class ContainerAppPreviewAuthDecorator(ContainerAppAuthDecorator): | ||
| def construct_payload(self): | ||
| super().construct_payload() | ||
| self.set_up_token_store() | ||
|
|
||
| def set_up_token_store(self): | ||
| if self.get_argument_token_store() is None: | ||
| return | ||
|
|
||
| if self.get_argument_token_store() is False: | ||
| safe_set(self.existing_auth, "login", "tokenStore", "enabled", value=False) | ||
| return | ||
|
|
||
| safe_set(self.existing_auth, "login", "tokenStore", "enabled", value=True) | ||
|
|
||
| if self.get_argument_sas_url_secret() is None and self.get_argument_sas_url_secret_name() is None: | ||
| raise ArgumentUsageError('Usage Error: only blob storage token store is supported. --sas-url-secret and --sas-url-secret-name should provide exactly one when token store is enabled') | ||
| if self.get_argument_sas_url_secret() is not None and self.get_argument_sas_url_secret_name() is not None: | ||
| raise ArgumentUsageError('Usage Error: --sas-url-secret and --sas-url-secret-name cannot both be set') | ||
| if self.get_argument_sas_url_secret() is not None and not self.get_argument_yes(): | ||
| msg = 'Configuring --sas-url-secret will add a secret to the containerapp. Are you sure you want to continue?' | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. is it required to add prompt?
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. if yes parameter is not passed, there is prompt to let user confirm it.
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. It's the same behavior as others. For example: az containerapp microsoft update xxx |
||
| if not prompt_y_n(msg, default="n"): | ||
| raise ArgumentUsageError('Usage Error: --sas-url-secret cannot be used without agreeing to add secret to the containerapp.') | ||
|
|
||
| sas_url_setting_name = BLOB_STORAGE_TOKEN_STORE_SECRET_SETTING_NAME | ||
| if self.get_argument_sas_url_secret_name() is not None: | ||
| sas_url_setting_name = self.get_argument_sas_url_secret_name() | ||
| safe_set(self.existing_auth, "login", "tokenStore", "azureBlobStorage", "sasUrlSettingName", value=sas_url_setting_name) | ||
|
|
||
| def get_argument_token_store(self): | ||
| return self.get_param("token_store") | ||
|
|
||
| def get_argument_sas_url_secret(self): | ||
| return self.get_param("sas_url_secret") | ||
|
|
||
| def get_argument_sas_url_secret_name(self): | ||
| return self.get_param("sas_url_secret_name") | ||
|
|
||
| def get_argument_yes(self): | ||
| return self.get_param("yes") | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -115,7 +115,8 @@ | |
| NAME_INVALID, NAME_ALREADY_EXISTS, ACR_IMAGE_SUFFIX, HELLO_WORLD_IMAGE, LOG_TYPE_SYSTEM, LOG_TYPE_CONSOLE, | ||
| MANAGED_CERTIFICATE_RT, PRIVATE_CERTIFICATE_RT, PENDING_STATUS, SUCCEEDED_STATUS, DEV_POSTGRES_IMAGE, DEV_POSTGRES_SERVICE_TYPE, | ||
| DEV_POSTGRES_CONTAINER_NAME, DEV_REDIS_IMAGE, DEV_REDIS_SERVICE_TYPE, DEV_REDIS_CONTAINER_NAME, DEV_KAFKA_CONTAINER_NAME, | ||
| DEV_KAFKA_IMAGE, DEV_KAFKA_SERVICE_TYPE, DEV_MARIADB_CONTAINER_NAME, DEV_MARIADB_IMAGE, DEV_MARIADB_SERVICE_TYPE, DEV_SERVICE_LIST, CONTAINER_APPS_SDK_MODELS) | ||
| DEV_KAFKA_IMAGE, DEV_KAFKA_SERVICE_TYPE, DEV_MARIADB_CONTAINER_NAME, DEV_MARIADB_IMAGE, DEV_MARIADB_SERVICE_TYPE, DEV_SERVICE_LIST, | ||
| CONTAINER_APPS_SDK_MODELS, BLOB_STORAGE_TOKEN_STORE_SECRET_SETTING_NAME) | ||
|
|
||
| logger = get_logger(__name__) | ||
|
|
||
|
|
@@ -5036,7 +5037,9 @@ def update_auth_config(cmd, resource_group_name, name, set_string=None, enabled= | |
| runtime_version=None, config_file_path=None, unauthenticated_client_action=None, | ||
| redirect_provider=None, require_https=None, | ||
| proxy_convention=None, proxy_custom_host_header=None, | ||
| proxy_custom_proto_header=None, excluded_paths=None): | ||
| proxy_custom_proto_header=None, excluded_paths=None, | ||
| token_store=None, sas_url_secret=None, sas_url_secret_name=None, | ||
| yes=False): | ||
| raw_parameters = locals() | ||
| containerapp_auth_decorator = ContainerAppPreviewAuthDecorator( | ||
| cmd=cmd, | ||
|
|
@@ -5046,6 +5049,8 @@ def update_auth_config(cmd, resource_group_name, name, set_string=None, enabled= | |
| ) | ||
|
|
||
| containerapp_auth_decorator.construct_payload() | ||
| if containerapp_auth_decorator.get_argument_token_store() and containerapp_auth_decorator.get_argument_sas_url_secret() is not None: | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. why not add it in construct_payload()?
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. set_secrets func is defined in this file, to avoid dependency loop, so place the logic here
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @Juliehzl |
||
| set_secrets(cmd, name, resource_group_name, secrets=[f"{BLOB_STORAGE_TOKEN_STORE_SECRET_SETTING_NAME}={containerapp_auth_decorator.get_argument_sas_url_secret()}"], no_wait=True, disable_max_length=True) | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. combine the method to depcorator to avoid duplicate usage when moving to GA and refine the logic to be same with facbook/microsoft... commands
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Will do it in next PR. |
||
| return containerapp_auth_decorator.create_or_update() | ||
|
|
||
|
|
||
|
|
||
Uh oh!
There was an error while loading. Please reload this page.