使用 KeyVault (Terraform) 从 ACR 中提取图像时出现 Azure App Service 错误
Azure App Service Error while pulling image from ACR using KeyVault (Terraform)
我正在尝试将图像从 ACR 拉到 Azure 应用服务。我已将 ACR 的凭据存储在 Key Vault 中。我在应用服务 Terraform 配置中使用 Key Vault 生成的端点。我的 TF 脚本看起来像这样
module "my-ui-service-temp" {
source = "app-service-noconn"
location = "${local.location}"
name = "webapp-temp"
resource_group_name = "${module.create-resource-group.name}"
app_service_plan_id = "${module.create-app-service-plan.id}"
app_service_plan_name = "${module.create-app-service-plan.name}"
namespace = "${local.namespace}-temp"
dotnetframework_version = "v4.0"
java_version = "1.8"
process_32bitworker = "true"
websockets_enabled = "true"
remote_debugging_enabled = "true"
local_mysql_enabled = "true"
php_version = "5.5"
remote_debugging_version = "VS2017"
tls_version = "1.2"
linuxfx_version = "DOCKER|myregistry.azurecr.io/my-webapp:latest"
//cors_allowed_origins = "*"
//ip_address_restriction = "10.198.54.79"
#ip_address_restriction = "198.203.177.177"
default_documents = [ "Default.htm", "Default.html", "Default.asp", "index.htm", "index.html", "iisstart.htm", "default.aspx", "index.php", "hostingstart.html"]
http2_enabled = "false"
scm_type = "none"
subnet_mask = "255.255.255.255"
app_settings {
"DOCKER_REGISTRY_SERVER_URL" = "myregistry.azurecr.io"
"DOCKER_REGISTRY_SERVER_USERNAME" = "https://myapp-kv-az.vault.azure.net/secrets/my-secret-kv-az/redacted"
"DOCKER_REGISTRY_SERVER_PASSWORD" = "https://myapp-kv-az.vault.azure.net/secrets/my-pass-az-pass/redacted"
}
}
这是我遇到的错误
2019-06-17 16:06:20.651 ERROR - Pulling docker image
registry.azurecr.io/myApp-webapp:latest failed: 2019-06-17
16:06:20.651 INFO - Pulling image from Docker hub:
registry.azurecr.io/myApp-webapp:latest 2019-06-17 16:06:20.676 ERROR
- DockerApiException: Docker API responded with status code=InternalServerError, response={"message":"Get
https://registry.azurecr.io/v2/myApp-webapp/manifests/latest:
unauthorized: authentication required"}
2019-06-17 16:06:20.687 ERROR - Image pull failed: Verify docker image
configuration and credentials (if using private repository)
如果我在没有 KeyVault 的情况下直接传递我的 ACR 凭据,我能够毫无问题地提取映像并构建它。我假设它与 Key Vault 访问策略有关。
但是,错误消息说 - Docker API 响应状态代码=InternalServerError,响应={"message":"Get https://registry.azurecr.io/v2/myApp-webapp/manifests/latest: unauthorized: authentication required"},这让我很困扰!
我正在通过密钥保管库传递身份验证详细信息,但应用服务无法进行身份验证。
如果您想使用对密钥保管库的引用,您可以使用 official way 来实现。所以它看起来像这样:
app_settings {
"DOCKER_REGISTRY_SERVER_URL" = "myregistry.azurecr.io"
"DOCKER_REGISTRY_SERVER_USERNAME" = "@Microsoft.KeyVault(SecretUri="https://myapp-kv-az.vault.azure.net/secrets/my-secret-kv-az/redacted)"
"DOCKER_REGISTRY_SERVER_PASSWORD" = "@Microsoft.KeyVault(SecretUri=https://myapp-kv-az.vault.azure.net/secrets/my-pass-az-pass/redacted)"
}
已修复。而不是传递 @Microsoft.keyvault(SecretUri="")。
我用过
data "azurerm_key_vault_secret" "myacrServer" {
name = "myApp-acr-server-az"
vault_uri = "myApp-kv-az-acr.vault.azure.net"
}
然后在 Web 应用程序服务的 app_settings 中,我传递了该数据秘密值。
app_settings {
"DOCKER_REGISTRY_SERVER_USERNAME" = "${data.azurerm_key_vault_secret.myacrusname.value}"
}
我正在尝试将图像从 ACR 拉到 Azure 应用服务。我已将 ACR 的凭据存储在 Key Vault 中。我在应用服务 Terraform 配置中使用 Key Vault 生成的端点。我的 TF 脚本看起来像这样
module "my-ui-service-temp" {
source = "app-service-noconn"
location = "${local.location}"
name = "webapp-temp"
resource_group_name = "${module.create-resource-group.name}"
app_service_plan_id = "${module.create-app-service-plan.id}"
app_service_plan_name = "${module.create-app-service-plan.name}"
namespace = "${local.namespace}-temp"
dotnetframework_version = "v4.0"
java_version = "1.8"
process_32bitworker = "true"
websockets_enabled = "true"
remote_debugging_enabled = "true"
local_mysql_enabled = "true"
php_version = "5.5"
remote_debugging_version = "VS2017"
tls_version = "1.2"
linuxfx_version = "DOCKER|myregistry.azurecr.io/my-webapp:latest"
//cors_allowed_origins = "*"
//ip_address_restriction = "10.198.54.79"
#ip_address_restriction = "198.203.177.177"
default_documents = [ "Default.htm", "Default.html", "Default.asp", "index.htm", "index.html", "iisstart.htm", "default.aspx", "index.php", "hostingstart.html"]
http2_enabled = "false"
scm_type = "none"
subnet_mask = "255.255.255.255"
app_settings {
"DOCKER_REGISTRY_SERVER_URL" = "myregistry.azurecr.io"
"DOCKER_REGISTRY_SERVER_USERNAME" = "https://myapp-kv-az.vault.azure.net/secrets/my-secret-kv-az/redacted"
"DOCKER_REGISTRY_SERVER_PASSWORD" = "https://myapp-kv-az.vault.azure.net/secrets/my-pass-az-pass/redacted"
}
}
这是我遇到的错误
2019-06-17 16:06:20.651 ERROR - Pulling docker image registry.azurecr.io/myApp-webapp:latest failed: 2019-06-17 16:06:20.651 INFO - Pulling image from Docker hub: registry.azurecr.io/myApp-webapp:latest 2019-06-17 16:06:20.676 ERROR - DockerApiException: Docker API responded with status code=InternalServerError, response={"message":"Get https://registry.azurecr.io/v2/myApp-webapp/manifests/latest: unauthorized: authentication required"}
2019-06-17 16:06:20.687 ERROR - Image pull failed: Verify docker image configuration and credentials (if using private repository)
如果我在没有 KeyVault 的情况下直接传递我的 ACR 凭据,我能够毫无问题地提取映像并构建它。我假设它与 Key Vault 访问策略有关。
但是,错误消息说 - Docker API 响应状态代码=InternalServerError,响应={"message":"Get https://registry.azurecr.io/v2/myApp-webapp/manifests/latest: unauthorized: authentication required"},这让我很困扰!
我正在通过密钥保管库传递身份验证详细信息,但应用服务无法进行身份验证。
如果您想使用对密钥保管库的引用,您可以使用 official way 来实现。所以它看起来像这样:
app_settings {
"DOCKER_REGISTRY_SERVER_URL" = "myregistry.azurecr.io"
"DOCKER_REGISTRY_SERVER_USERNAME" = "@Microsoft.KeyVault(SecretUri="https://myapp-kv-az.vault.azure.net/secrets/my-secret-kv-az/redacted)"
"DOCKER_REGISTRY_SERVER_PASSWORD" = "@Microsoft.KeyVault(SecretUri=https://myapp-kv-az.vault.azure.net/secrets/my-pass-az-pass/redacted)"
}
已修复。而不是传递 @Microsoft.keyvault(SecretUri="")。
我用过
data "azurerm_key_vault_secret" "myacrServer" {
name = "myApp-acr-server-az"
vault_uri = "myApp-kv-az-acr.vault.azure.net"
}
然后在 Web 应用程序服务的 app_settings 中,我传递了该数据秘密值。
app_settings {
"DOCKER_REGISTRY_SERVER_USERNAME" = "${data.azurerm_key_vault_secret.myacrusname.value}"
}