22 changes: 22 additions & 0 deletions infrastructure/modules/container-app-job/README.md
Expand Up @@ -70,3 +70,25 @@ module "job" {
fetch_secrets_from_app_key_vault = true
}
```

## Generic private registry authentication

The module can authenticate to any private container registry by providing the registry server URL, username and a Key Vault secret URI containing the password. The module will create a container registry credential in the container app referencing the Key Vault secret for secure authentication.

Example:
```hcl
module "container-app-job" {

source = "../../../dtos-devops-templates/infrastructure/modules/container-app-job"

name = "ca-workload-name-${var.environment}"
resource_group_name = var.resource_group_name
location = var.location
container_app_environment_id = module.container-app-environment.id

container_registry_server = "ghcr.io"
container_registry_username = "github-username"
container_registry_secret_uri = module.app-key-vault.secrets["ghcr-token"].versionless_id

}
```
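Review bot: the wording at the top of this section does not match the variable it documents: it says "registry server URL", while `container_registry_server` is described in variables.tf and tfdocs.md as a hostname and the example passes the bare `ghcr.io`. Say "registry hostname" here, and add one sentence stating that `container_registry_server`, `container_registry_username` and `container_registry_secret_uri` must all be set together, because the module only checks the secret URI before emitting the `registry` block. Using `versionless_id` in the example is the right call: the app resolves the latest secret version, so rotating the token in Key Vault needs no Terraform change.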
14 changes: 7 additions & 7 deletions infrastructure/modules/container-app-job/main.tf
Expand Up @@ -40,22 +40,22 @@ resource "azurerm_container_app_job" "this" {
}

dynamic "secret" {
for_each = var.ghcr_pat_secret_uri != null ? [1] : []
for_each = var.container_registry_secret_uri != null ? [1] : []

content {
name = "ghcr-token"
key_vault_secret_id = var.ghcr_pat_secret_uri
name = "password"
key_vault_secret_id = var.container_registry_secret_uri
identity = module.container_app_identity.id
}
}

dynamic "registry" {
for_each = var.ghcr_pat_secret_uri != null ? [1] : []
for_each = var.container_registry_secret_uri != null ? [1] : []

content {
server = "ghcr.io"
username = var.ghcr_username
password_secret_name = "ghcr-token"
server = var.container_registry_server
username = var.container_registry_username
password_secret_name = "password"
}
}

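Review bot: the `for_each` guards on both `dynamic "secret"` and `dynamic "registry"` still test only `var.container_registry_secret_uri != null`, but the `registry` block now also emits `server = var.container_registry_server` and `username = var.container_registry_username`, both of which default to `null`. A caller who sets the secret URI and forgets the other two gets a registry block with a null server, which the provider rejects only at plan/apply time with an unhelpful error. Gate both blocks on all three inputs, for example `for_each = alltrue([for v in [var.container_registry_server, var.container_registry_username, var.container_registry_secret_uri] : v != null]) ? [1] : []` (or a local computed once), and/or add `validation` blocks in variables.tf so the failure surfaces with a clear message.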
24 changes: 24 additions & 0 deletions infrastructure/modules/container-app-job/tfdocs.md
Expand Up @@ -88,6 +88,30 @@ Type: `list(string)`

Default: `null`

### <a name="input_container_registry_secret_uri"></a> [container\_registry\_secret\_uri](#input\_container\_registry\_secret\_uri)

Description: Key Vault secret URI containing the registry password or token

Type: `string`

Default: `null`

### <a name="input_container_registry_server"></a> [container\_registry\_server](#input\_container\_registry\_server)

Description: Container registry hostname (for example ghcr.io)

Type: `string`

Default: `null`

### <a name="input_container_registry_username"></a> [container\_registry\_username](#input\_container\_registry\_username)

Description: Username used to authenticate to the container registry

Type: `string`

Default: `null`

### <a name="input_cron_expression"></a> [cron\_expression](#input\_cron\_expression)

Description: Cron formatted repeating schedule of a Cron Job eg. '0 5 * * *'. Optional.
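Review bot: this hunk is pure additions (24 additions, 0 deletions) even though variables.tf removes `ghcr_username` and `ghcr_pat_secret_uri`, so tfdocs.md almost certainly still carries the entries for those two inputs further down and now documents arguments the module no longer accepts. Regenerate the file with terraform-docs rather than hand-editing it, so the removed inputs drop out as well.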
18 changes: 12 additions & 6 deletions infrastructure/modules/container-app-job/variables.tf
Expand Up @@ -161,16 +161,22 @@ variable "time_window" {
default = 30
}

variable "ghcr_username" {
variable "container_registry_server" {
type = string
description = ""
default = null
description = "Container registry hostname (for example ghcr.io)"
default = null
}

variable "container_registry_username" {
type = string
description = "Username used to authenticate to the container registry"
default = null
}

variable "ghcr_pat_secret_uri" {
variable "container_registry_secret_uri" {
type = string
description = "URI of the GitHub Container Registry Personal Access Token stored in Key Vault. This is used to authenticate to GHCR if var.docker_image is hosted there. The secret must be in the format 'username:token'."
default = null
description = "Key Vault secret URI containing the registry password or token"
default = null
}

locals {
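Review bot: renaming `ghcr_username` to `container_registry_username` and `ghcr_pat_secret_uri` to `container_registry_secret_uri` with no deprecation path is a breaking change for every caller of this module; existing configurations fail with an unsupported-argument error on their next plan. Either keep the old variables for one release with a description marking them deprecated and map them onto the new ones in `locals`, or call the break out in the README with a migration note. The new description also drops the old statement that the secret must be in `'username:token'` format and now says it holds the password or token; whichever is correct, existing users need to be told whether the secret they already hold in Key Vault must be rewritten, because a `username:token` string would now be sent verbatim as the password and the registry login would fail.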
23 changes: 23 additions & 0 deletions infrastructure/modules/container-app/README.md
Expand Up @@ -153,3 +153,26 @@ We will allow using the previously pinned "4.34.0" or newer, as defined in the c
New version definition is `version = ">= 4.34.0"`

More on the provider version constraints in terraform modules can be found [here](https://developer.hashicorp.com/terraform/language/modules/develop/providers#provider-version-constraints-in-modules).


## Generic private registry authentication

The module can authenticate to any private container registry by providing the registry server URL, username and a Key Vault secret URI containing the password. The module will create a container registry credential in the container app referencing the Key Vault secret for secure authentication.

Example:
```hcl
module "container-app" {

source = "../../../dtos-devops-templates/infrastructure/modules/container-app"

name = "ca-workload-name-${var.environment}"
resource_group_name = var.resource_group_name
location = var.location
container_app_environment_id = module.container-app-environment.id

container_registry_server = "ghcr.io"
container_registry_username = "github-username"
container_registry_secret_uri = module.app-key-vault.secrets["ghcr-token"].versionless_id

}
```
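Review bot: this section is a verbatim copy of the one added to the container-app-job README, including the "registry server URL" wording that conflicts with the hostname description of `container_registry_server`, and it lands after two consecutive blank lines (the one already in the file plus the added one), which markdown linters flag. Drop one blank line, say "hostname", and, since this module previously exposed `ghcr_username` / `ghcr_pat_secret_uri`, add a short note telling existing callers how to move to the three new inputs.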
14 changes: 7 additions & 7 deletions infrastructure/modules/container-app/main.tf
Expand Up @@ -62,22 +62,22 @@ resource "azurerm_container_app" "main" {
}

dynamic "secret" {
for_each = var.ghcr_pat_secret_uri != null ? [1] : []
for_each = var.container_registry_secret_uri != null ? [1] : []

content {
name = "ghcr-token"
key_vault_secret_id = var.ghcr_pat_secret_uri
name = "password"
key_vault_secret_id = var.container_registry_secret_uri
identity = module.container_app_identity.id
}
}

dynamic "registry" {
for_each = var.ghcr_pat_secret_uri != null ? [1] : []
for_each = var.container_registry_secret_uri != null ? [1] : []

content {
server = "ghcr.io"
username = var.ghcr_username
password_secret_name = "ghcr-token"
server = var.container_registry_server
username = var.container_registry_username
password_secret_name = "password"
}
}

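Review bot: the secret is renamed from `ghcr-token` to the generic `password` in both the `secret` block and `password_secret_name`. Secret names in an `azurerm_container_app` share one namespace, so if this module, like container-app-job (whose README in this PR shows `fetch_secrets_from_app_key_vault = true`), also mounts Key Vault secrets into the app, a Key Vault secret named `password` would collide with the registry credential. A name that says what it is, such as `registry-password`, avoids the clash and reads better in the portal and in logs. The `for_each` guards here have the same gap as in container-app-job/main.tf: they test only `container_registry_secret_uri`, so a null `container_registry_server` or `container_registry_username` still yields an invalid `registry` block.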
24 changes: 24 additions & 0 deletions infrastructure/modules/container-app/tfdocs.md
Expand Up @@ -96,6 +96,30 @@ Type: `list(string)`

Default: `[]`

### <a name="input_container_registry_secret_uri"></a> [container\_registry\_secret\_uri](#input\_container\_registry\_secret\_uri)

Description: Key Vault secret URI containing the registry password or token

Type: `string`

Default: `null`

### <a name="input_container_registry_server"></a> [container\_registry\_server](#input\_container\_registry\_server)

Description: Container registry hostname (for example ghcr.io)

Type: `string`

Default: `null`

### <a name="input_container_registry_username"></a> [container\_registry\_username](#input\_container\_registry\_username)

Description: Username used to authenticate to the container registry

Type: `string`

Default: `null`

### <a name="input_enable_alerting"></a> [enable\_alerting](#input\_enable\_alerting)

Description: Whether monitoring and alerting is enabled for the PostgreSQL Flexible Server.
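Review bot: same issue as the container-app-job tfdocs.md hunk: 24 additions and 0 deletions while variables.tf removes `ghcr_username` and `ghcr_pat_secret_uri`, so the generated docs still list inputs that no longer exist. Regenerate with terraform-docs. The `enable_alerting` description visible in the trailing context ("...enabled for the PostgreSQL Flexible Server.") also looks copy-pasted from another module and is worth fixing at the source while the file is being regenerated.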
18 changes: 12 additions & 6 deletions infrastructure/modules/container-app/variables.tf
Expand Up @@ -202,16 +202,22 @@ variable "probe_path" {
default = null
}

variable "ghcr_username" {
variable "container_registry_server" {
type = string
description = ""
default = null
description = "Container registry hostname (for example ghcr.io)"
default = null
}

variable "container_registry_username" {
type = string
description = "Username used to authenticate to the container registry"
default = null
}

variable "ghcr_pat_secret_uri" {
variable "container_registry_secret_uri" {
type = string
description = "URI of the GitHub Container Registry Personal Access Token stored in Key Vault. This is used to authenticate to GHCR if var.docker_image is hosted there. The secret must be in the format 'username:token'."
default = null
description = "Key Vault secret URI containing the registry password or token"
default = null
}

locals {
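Review bot: `container_registry_server` has no `validation` block even though main.tf passes it straight through as `server`, and the description's own example (`ghcr.io`) implies a bare hostname. Something like `validation { condition = var.container_registry_server == null || can(regex("^[A-Za-z0-9.-]+(:[0-9]+)?$", var.container_registry_server)) error_message = "container_registry_server must be a hostname, optionally with a port, without scheme or path." }` catches `https://ghcr.io` or a trailing path at plan time instead of at runtime when the image pull fails. The breaking-rename and secret-format concerns raised on container-app-job/variables.tf apply to this module as well.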