gpt4 book ai didi

azure - 如何配置我的二头肌脚本以允许容器应用程序使用跨订阅的托管身份从 ACR 中提取图像

转载 作者:行者123 更新时间:2023-12-02 08:14:27 27 4
gpt4 key购买 nike

我正在我的组织中试用 Bicep 和容器应用程序,我们已经在同一租户内但在不同的订阅中分离出了问题,如下所示:

  1. 开发
  2. 生产
  3. 管理

我希望能够使用 Bicep 脚本(每个订阅都有一个单独的脚本)部署每个订阅,并且最好仅使用托管身份以确保安全。

在管理订阅中,我们有一个 ACR,它有意禁用管理员帐户,因为我不想通过用户名/密码拉取。问题一,这可能吗?看来我们应该能够针对容器应用程序配置 AcrPull 角色,而不需要太多麻烦。

这个想法是,容器应用程序部署后,它就会从 Acr 中提取出来,并且可以主动使用。我不需要像 Azure DevOps 这样的中介来处理编排。

在二头肌中,我已经成功配置了工作区、容器环境,但是在部署我的实际应用程序时,我有点卡住了 - 它因一些我仍在深入研究的难以理解的错误消息而失败。我发现了很多使用管理员/密码方法的示例,但似乎缺乏替代方案的文档,这让我担心如果我追求的是不可行的东西。也许用户身份是我的解决方案?

我的二头肌脚本(同时针对管理员/密码进行测试)如下所示:

  name: containerAppName
location: location

identity: {
type: 'SystemAssigned'
}

properties: {
managedEnvironmentId: containerAppEnvId
configuration: {
secrets: [
{
name: 'container-registry-password'
value: containerRegistry.listCredentials().passwords[0].value
}
]
ingress: {
external: true
targetPort: targetPort
allowInsecure: false
traffic: [
{
latestRevision: true
weight: 100
}
]
}
registries: [
{
server: '${registryName}.azurecr.io'
username: containerRegistry.listCredentials().username
passwordSecretRef: 'container-registry-password'
}
]
}
template: {
revisionSuffix: 'firstrevision'
containers: [
{
name: containerAppName
image: containerImage
resources: {
cpu: json(cpuCore)
memory: '${memorySize}Gi'
}
}
]
scale: {
minReplicas: minReplicas
maxReplicas: maxReplicas
}
}
}
}

However this is following an admin/password approach. For using managed identity, firstly do I need to put a registry entry in there?

``` registries: [
{
server: '${registryName}.azurecr.io'
username: containerRegistry.listCredentials().username
passwordSecretRef: 'container-registry-password'
}
]

If so, the listCredentials().username obviously won't work with admin/password disabled. Secondly, what would I then need in the containers section

containers: [
{
name: containerAppName
image: containerImage ??
resources: {
cpu: json(cpuCore)
memory: '${memorySize}Gi'
}
}
]

As there appears to be no mention of the need for pointing at a repository, or indeed specifying anything other than a password/admin account. Is it that my requirement is impossible as the container app needs to be provisioned before managed identity can be applied to it? Is this a chicken vs egg problem?

最佳答案

您可以使用用户分配的身份:

  1. 创建用户分配的身份
  2. 向用户分配的身份授予权限
  3. 为容器应用分配身份
# container-registry-role-assignment.bicep
param registryName string
param roleId string
param principalId string

// Get a reference to the existing registry
resource registry 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' existing = {
name: registryName
}

// Create role assignment
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
name: guid(registry.id, roleId, principalId)
scope: registry
properties: {
roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleId)
principalId: principalId
principalType: 'ServicePrincipal'
}
}

然后从你的主目录:

param name string
param identityName string
param environmentName string
param containerImage string
param location string = resourceGroup().location

param containerRegistrySubscriptionId string = subscription().subscriptionId
param containerRegistryResourceGroupName string = resourceGroup().name
param containerRegistryName string

// Create identtiy
resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2022-01-31-preview' = {
name: identityName
location: location
}

// Assign AcrPull permission
module roleAssignment 'container-registry-role-assignment.bicep' = {
name: 'container-registry-role-assignment'
scope: resourceGroup(containerRegistrySubscriptionId, containerRegistryResourceGroupName)
params: {
roleId: '7f951dda-4ed3-4680-a7ca-43fe172d538d' // AcrPull
principalId: identity.properties.principalId
registryName: containerRegistryName
}
}

// Get a reference to the container app environment
resource managedEnvironment 'Microsoft.App/managedEnvironments@2022-03-01' existing = {
name: environmentName
}

// create the container app
resource containerapp 'Microsoft.App/containerApps@2022-03-01' = {
dependsOn:[
roleAssignment
]
name: name
...
identity: {
type: 'UserAssigned'
userAssignedIdentities: {
'${identity.id}': {}
}
}
properties: {
managedEnvironmentId: managedEnvironment.id
configuration: {
...
registries: [
{
server: '${containerRegistryName}.azurecr.io'
identity: identity.id
}
]
}
template: {
...
containers: [
{
name: name
image: '${containerRegistryName}.azurecr.io/${containerImage}'
...
}
]
}
}
}

关于azure - 如何配置我的二头肌脚本以允许容器应用程序使用跨订阅的托管身份从 ACR 中提取图像,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/74413085/

27 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com