How to pull images from Azure Container Registry when using K3s? - azure

In production we use Azure Container Registry and AKS. For development, we have K3s on our dev server (on-prem). Is it possible for K3s to pull images from a private registry such as Azure Container Registry?

The short answer is yes. Even though Azure Container Registry is a private registry, if you have a username and password with the right permissions, you can pull images from it with that username and password. You can take a look at the steps in Azure Container Registry authentication with service principals.
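As an added example (not part of the original answer), the script below builds the two artifacts that let K3s present service-principal credentials to a private ACR: the node-wide /etc/rancher/k3s/registries.yaml that K3s feeds to containerd, and a namespaced kubernetes.io/dockerconfigjson Secret for imagePullSecrets. The registry name myregistry.azurecr.io, the app id and the secret are placeholders; the script only writes files and never calls Azure. The az command in the comment is the documented way to create a pull-only service principal (role AcrPull), which is the least privilege the pull needs.

```shell
#!/bin/sh
# Added example, not from the original answer. Generates the two artifacts that
# let K3s pull from a private ACR with a service principal. Registry name,
# app id and secret are placeholders, not real credentials.
#
# The service principal would be created beforehand with the Azure CLI, e.g.
#   az ad sp create-for-rbac --name k3s-pull --role acrpull --scopes <ACR resource id>
# AcrPull is enough for pulling; avoid the registry admin user or Contributor.
set -eu

# 1) /etc/rancher/k3s/registries.yaml: containerd-level credentials, read by
#    K3s at start (restart the k3s service after writing it). Node-wide, so
#    every pod on the node can pull without an imagePullSecret.
make_registries_yaml() {
  registry=$1; user=$2; pass=$3
  cat <<EOF
configs:
  "${registry}":
    auth:
      username: ${user}
      password: ${pass}
EOF
}

# 2) A kubernetes.io/dockerconfigjson Secret, equivalent to what
#    `kubectl create secret docker-registry` builds, for pods that reference it
#    in imagePullSecrets. Scoped to one namespace instead of the whole node.
#    (Placeholder credentials only; a password containing '"' or '\' would need
#    JSON escaping, which kubectl handles for you.)
make_pull_secret() {
  name=$1; registry=$2; user=$3; pass=$4
  auth=$(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n')
  dockercfg=$(printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$registry" "$user" "$pass" "$auth")
  encoded=$(printf '%s' "$dockercfg" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: ${encoded}
EOF
}

# Usage when run directly: sh acr-k3s.sh <registry> <sp app id> <sp secret>
if [ "$#" -eq 3 ]; then
  make_registries_yaml "$1" "$2" "$3" > registries.yaml
  make_pull_secret acr-pull "$1" "$2" "$3" > acr-pull-secret.yaml
  echo "wrote registries.yaml and acr-pull-secret.yaml"
fi
```

Copy registries.yaml to /etc/rancher/k3s/ on each node and restart k3s, or apply the Secret with kubectl and add `imagePullSecrets: [{name: acr-pull}]` to the pod spec; the Secret route keeps the credential out of the node filesystem and limits it to one namespace.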

Related

Getting error while connect connected registry in Azure Container Registry

I tried to synchronize container images on-premises by using Connected Registry in Azure Container Registry.
I followed the ACR documentation to create the setup (https://learn.microsoft.com/en-us/azure/container-registry/quickstart-deploy-connected-registry-iot-edge-cli).
I am getting an error while deploying the modules.
[Screenshots: Troubleshoot - Container Log; ACR Token Details; ACR Scope Details]
I am getting an insufficient scope error, but I gave ReadWrite permission for all the repositories. Is there any other way to solve this issue?
Please check that you have given the content/read and content/write scopes for the required registry for repository push, which I hope you have already done if the repo is present.
If the permissions are configured properly, please check whether the admin user is enabled.
The scopes may also refer to the actual role permission to operate.
For Azure Container Registry, you may log in in two ways.
One is using the command az acr login -n azureacrServer -u username -p password. Then you have the owner permission after logging in.
The other is to log in with a service principal using the command docker login azureacrServer -u servicePrincipalId -p sppassword. In this way, you only have the permissions of the service principal after logging in.
Please check Registry authentication options and container registry repository-scoped permissions.
References:
Quickstart - Create connected registry using the portal - Azure Container Registry | Microsoft Docs
Pull images from a connected registry - Azure Container Registry | Microsoft Docs

passing azure container registry credential while creating azure webapp for multi container

I am creating an Azure web app (multi-container app) using the CLI. My Docker images are in Azure Container Registry (ACR). How do I pass my registry credentials to it, or pass some flag so that it recognises that the images need to be pulled from ACR?
Here is my command, running from my Linux machine (logged in with az login):
az webapp create --resource-group RishiCTS --plan rishi-kpi --name rishi-models --multicontainer-config-type compose --multicontainer-config-file docker-compose-models.yml
Update: In the Azure portal I can pass docker-compose and select the image source as ACR, but this starts only the first service from docker-compose.
You just need to set the image in the YAML like this:
image: myregistry.azurecr.io/image:tag
Then the Web App will pull the image from your Container Registry. You can take a look at the example for multiple containers. Then you need to add the credentials of the ACR with these environment variables:
DOCKER_REGISTRY_SERVER_USERNAME - The username for the ACR server.
DOCKER_REGISTRY_SERVER_URL - The full URL to the ACR server (for example, https://my-server.azurecr.io).
DOCKER_REGISTRY_SERVER_PASSWORD - The password for the ACR server.
More details here.
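The whole procedure from that answer as one script, added here as an example and not taken from the original post: a compose file whose images are fully qualified with the registry host, the web app creation, and the three DOCKER_REGISTRY_SERVER_* app settings supplied from a service principal that holds AcrPull. Resource group, plan, app name, registry and credentials are placeholders; with DRY_RUN=1 (the default) the az commands are printed instead of executed, so the script runs without an Azure login.

```shell
#!/bin/sh
# Added example, not from the original answer: deploy a two-service compose
# file to a Linux Web App and give the app the ACR credentials it needs.
# Resource group, plan, app name, registry and the service principal are
# placeholders. With DRY_RUN=1 (the default) the az commands are only printed.
set -eu

RG=${RG:-my-rg}; PLAN=${PLAN:-my-plan}; APP=${APP:-my-models}
REGISTRY=${REGISTRY:-myregistry.azurecr.io}
ACR_USER=${ACR_USER:-00000000-0000-0000-0000-000000000000}  # SP app id with AcrPull
ACR_PASS=${ACR_PASS:-placeholder-secret}                      # SP secret, not the admin password

run() { if [ "${DRY_RUN:-1}" = 1 ]; then printf 'would run: %s\n' "$*"; else "$@"; fi; }

# Every image must be fully qualified with the registry host; a bare
# "image: api:1.0" would be resolved against Docker Hub and fail to pull.
write_compose() {
  cat <<EOF
version: '3.3'
services:
  api:
    image: ${REGISTRY}/api:1.0
    ports:
      - "8000:8000"
  worker:
    image: ${REGISTRY}/worker:1.0
EOF
}

deploy() {
  write_compose > docker-compose-models.yml
  run az webapp create --resource-group "$RG" --plan "$PLAN" --name "$APP" \
    --multicontainer-config-type compose \
    --multicontainer-config-file docker-compose-models.yml
  # The three DOCKER_REGISTRY_SERVER_* values are app settings; the URL needs
  # the https:// scheme. Both services in the compose file use them.
  run az webapp config appsettings set --resource-group "$RG" --name "$APP" \
    --settings "DOCKER_REGISTRY_SERVER_URL=https://${REGISTRY}" \
               "DOCKER_REGISTRY_SERVER_USERNAME=${ACR_USER}" \
               "DOCKER_REGISTRY_SERVER_PASSWORD=${ACR_PASS}"
  run az webapp restart --resource-group "$RG" --name "$APP"
}

# Usage: DRY_RUN=0 RG=... APP=... ACR_PASS=... sh deploy-webapp.sh deploy
if [ "${1:-}" = deploy ]; then deploy; fi
```

Setting the app settings after creation is what lets the second and later services pull: the portal path that picks "ACR" as the image source only applies to the first service of the compose file, as the question observed.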

Azure CLI Login within Docker Container

I have successfully created a Docker image that runs inside a Docker container. The container successfully executes the image (a .NET app), but the image crashes shortly after startup because it encounters an error with Azure services. The reason is that the Docker container is attempting to access Azure services to fetch an authorization token (to fetch secrets from a key vault) and does not have the authority to do so.
I should note that it is possible to run the app locally outside of a container via the Azure CLI after using az login to verify my credentials. Then, when the app is started via the Azure CLI, it is 'allowed' to access Azure services to get auth tokens and consequently fetch data from my key vault.
I would like to know if there is a way to run an az login script with credentials inside a Docker container before the .NET app image executes, so that I can start the application from within the Azure CLI (inside the container) after my credentials have been verified. I have looked through the documentation and have not seen a way to configure something like this.
To use the Azure CLI and log in inside the container, you need to install the Azure CLI inside the container, then log in in a non-interactive mode. I would recommend a service principal. You can take a look at the command:
az login --service-principal -u <app-url> -p <password-or-cert> --tenant <tenant>
For more details, see Create an Azure service principal with Azure CLI. After logging in, you can start your application as needed.
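One way to wire that login into a container, added here as an example and not taken from the original answer: an entrypoint script that takes the service-principal credentials from environment variables passed at run time, refuses to start if any is missing (so `az login` never falls back to an interactive prompt and hangs), runs the documented non-interactive login, and then execs the app. The variable names AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET are this example's choice; they are also the names Azure.Identity's EnvironmentCredential reads, so a .NET app using DefaultAzureCredential could consume them directly without the CLI in the image at all.

```shell
#!/bin/sh
# Added example, not from the original answer: a container entrypoint that
# logs the Azure CLI in with a service principal before starting the app.
# The credentials arrive as environment variables at run time (docker run -e
# or an orchestrator secret); never bake them into the image with ENV or ARG.
# The variable names are this example's convention, not a CLI requirement.
set -eu

# Refuse to start without all three values instead of letting `az login`
# prompt interactively, which would hang a non-interactive container.
require_env() {
  missing=0
  for v in AZURE_TENANT_ID AZURE_CLIENT_ID AZURE_CLIENT_SECRET; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "entrypoint: $v is not set" >&2
      missing=1
    fi
  done
  return $missing
}

# The documented non-interactive login form. -p also accepts a path to a
# certificate instead of a client secret.
az_login() {
  az login --service-principal \
    -u "$AZURE_CLIENT_ID" -p "$AZURE_CLIENT_SECRET" --tenant "$AZURE_TENANT_ID" \
    --output none
}

main() {
  require_env
  az_login
  # Replace the shell with the application so signals reach it directly.
  exec "$@"
}

# Dockerfile usage: ENTRYPOINT ["/entrypoint.sh"] and CMD ["dotnet", "App.dll"]
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it with `docker run -e AZURE_TENANT_ID=... -e AZURE_CLIENT_ID=... -e AZURE_CLIENT_SECRET=... image`; the secret then lives only in the container's process environment, not in an image layer that anyone with registry access can read.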
Here are 2 options which don't require the Azure CLI in the container, from Azure Managed Identity from within a docker container running locally:
inject an access token into the container using an ENV variable
use the device authentication flow to obtain an access token
I read these answers a while ago. I was looking for a similar solution but using a service principal. I found that Docker can run Kubernetes and there is AAD-Pod-Identity (https://github.com/Azure/aad-pod-identity) which can do the work for me, but it doesn't work for Docker Kubernetes. I forked their Go repository and made modifications to the mic component. Now it works for Docker Kubernetes; I am not sure whether the Azure team has plans to get these modifications on board or not.
You can get detailed instructions on how to get things running here: https://github.com/Wallsmedia/aad-pod-identity
The Azure CLI would not work for Docker, because you have to set up the Azure CLI and log in and then run your application.

Azure DevOps: Add Azure Container Registry in Build Pipeline from different account

I want to use an Azure Container Registry of a different account in a build pipeline in Azure DevOps.
When I try to add a Docker Registry service connection and select Azure Container Registry, it only lets me choose between the subscriptions of the current account.
When I try to add the Azure Resource Manager of the subscription of a different account, which contains the Azure Container Registry, in the service connections, it says it cannot find any Azure Container Registry.
So how do I accomplish this?
I have the same situation in which the Azure Container Registry (ACR) is in a different Azure AD from the Azure DevOps build pipelines.
I'll outline the steps I used:
Create an app registration in the Azure AD where the ACR exists.
Give it a name like myregistry-app
Go to the myregistry-app Certificates and secrets page and create a new secret. Copy the value, as you cannot retrieve it later.
Also copy the myregistry-app application id. You can find it on the overview screen.
Now go to the ACR Access Control (IAM) screen for your container registry.
Add a role assignment and assign the myregistry-app identity the Contributor role.
Back in your build pipeline create a Docker task and click on the New button under the Container Registry section.
In the popup dialog Add a Docker Registry service connection choose the Others radio button.
Put in the URL to your ACR which you can find on the container registry overview page.
Use the application id for myregistry-app as the Docker ID.
Use the myregistry-app secret for the password.
This is currently working for me. There may be a better way.

Azure container registry + MSI (in service fabric) - is it possible?

Here's the setup:
Azure Container Registry
Service Fabric
VMSS with SystemAssigned identity (aka "Managed Service Identity" aka MSI)
VMSS identity given "Reader" role access to the Azure Container Registry
ApplicationManifest.xml
ServiceManifest.xml referencing a container in the registry
Cool.
Except service fabric can't launch instances of the app because it can't pull the container from the registry. When I RDP into a VM and pull, it tells me "authentication required"
I understand that I can add <RepositoryCredentials …> into my ApplicationManifest.xml. With my password. To the container admin account. Which seems "bad", even if encrypted. Definitely less convenient than having MSI working.
Working locally, MSI works fine after a couple little az acr commands.
Can it all be wrapped up somehow in the ApplicationManifest/ServiceManifest.xml files, so that MSI is honored when pulling from Azure Container Registry?
