Added "az acr" commands #859
Conversation
|
Hi @djyou, I'm your friendly neighborhood Azure Pull Request Bot (You can call me AZPRBOT). Thanks for your contribution!
TTYL, AZPRBOT; |
|
/cc @sajayantony @sivagms #ByDesign |
| from . import models | ||
|
|
||
|
|
||
| class ContainerRegistryConfiguration(Configuration): |
There was a problem hiding this comment.
ontainerRegistryConfiguratio [](start = 7, length = 28)
Is this not part of the compute SDK? #Resolved
There was a problem hiding this comment.
Azure container registry is a different service from compute or ACS. ACS is one consumer of the registry and container registry can be used without Azure VMs or websites. We have deployed from this registry into other cloud providers and local network machines, and we regularly use it as part of our development process via the CI containers. #Resolved
|
/cc @mayurid #ByDesign |
|
@djyou : Do you guys have a Swagger spec and generated SDKS? #Resolved |
|
Yes, we do have a swagger spec and the generated SDK is under /src/command_modules/azure-cli-acr/azure/cli/command_modules/acr/containerregistry/, which will eventually go to SDK for Python repo, but for now we haven't separated it from the CLI. #Resolved |
| ''' | ||
| if len(registry_name) < 5 or len(registry_name) > 60: | ||
| logger.error('The registry name must be between 5 and 60 characters.') | ||
| raise SystemExit(1) |
There was a problem hiding this comment.
Instead of logging to error and then raising SystemExit, raise CLIError.
i.e. raise CLIError('The registry name must be between 5 and 60 characters.')
For an example, see https://github.com/Azure/azure-cli/blob/master/src/command_modules/azure-cli-network/azure/cli/command_modules/network/_validators.py#L69 #Resolved
| help='Key of storage account.' | ||
| ) | ||
|
|
||
| register_cli_argument('acr', 'registry_name', arg_type=registry_name_type) |
There was a problem hiding this comment.
registry_name_type [](start = 55, length = 18)
You can delete the "CliArgumentType" definition since you aren't reusing it and simply put the parameters inline. This line would become:
register_cli_argument('acr', 'registry_name', options_list=('--name', '-n'), help='Name of container registry', validator=validate_registry_name)This will apply to storage account name/key as well (any place you don't need to reuse a base definition). #Resolved
|
LGTM |
|
/cc @DavidObando |
tjprescott
changed the title
|
/cc @JasonRShaver |
|
|
||
| def registry_not_found(registry_name): | ||
| raise CLIError( | ||
| 'ERROR: Registry {} cannot be found in the current subscription.'\ |
There was a problem hiding this comment.
We don't put 'ERROR:' before CLIErrors because they are logged to logging.error() anyway.
Otherwise, if colored logging is disabled or we are logging to a file, you'll see "ERROR: ERROR: Registry not found"
| ) | ||
| ) | ||
|
|
||
| if not result.name_available: #pylint: disable=E1101 |
There was a problem hiding this comment.
We use the pylint error names instead of codes so it's clear when reading the code what is being disabled. So this would be # pylint: disable=no-member
|
|
||
| def validate_role(namespace): | ||
| if namespace.role and not namespace.role.lower() in ALLOWED_ROLES: | ||
| raise CLIError('The role {} is not allowed. Allowed roles (Owner, Contributor, Reader).'\ |
There was a problem hiding this comment.
Suggest instead of hard-coding the string '(Owner, Contributor, Reader)', could do ', '.join(ALLOWED_ROLES)
| ] | ||
|
|
||
| DEPENDENCIES = [ | ||
| 'azure==2.0.0rc6', |
There was a problem hiding this comment.
Do you depend on the SDK, if so, you should use the specific components you need e.g. azure-mgmt-* instead.
Looks like that's why the build is failing with Keyvault errors as you're including an incompatible version of keyvault.
There was a problem hiding this comment.
LGTM @tjprescott should also take a look since he provided feedback on the earlier iterations.
There was a problem hiding this comment.
A few random comments, but the biggest issue is that it looks like the changes we discussed after last week's meeting have not been made (regarding new/existing storage account and taking out the ability to create a SP as part of the registry create command).
| az acr create: Create a container registry. | ||
|
|
||
| Arguments | ||
| --location -l [Required]: Location. |
There was a problem hiding this comment.
During the meeting we talked about location being optional and inheriting from the resource group if not provided.
There was a problem hiding this comment.
We are only supporting one location currently (but will increase) and it is very unlikely that the location for the resource group would be the one that we support. I would keep it as required for now.
| --app-id : The app id of an existing service principal. If provided, no | ||
| --new-sp or -p should be specified. | ||
| --enable-admin : Enable admin user. | ||
| --new-sp : Create a new service principal. If provided, no --app-id should |
There was a problem hiding this comment.
During the meeting we talked about removing this entirely and displaying the commands to create the service principal in the examples section.
There was a problem hiding this comment.
The create_for_rbac PR is still pending, we will remove the code when it is merged.
| --new-sp : Create a new service principal. If provided, no --app-id should | ||
| be specified. Optional: Use -p to specify a password. | ||
| --password -p : Password used to log into a container registry. | ||
| --role -r : Name of role. Allowed roles: owner, contributor, reader. |
There was a problem hiding this comment.
I believe this is another parameter that we discussed removing since the SP creation wouldn't be part of the registry create command.
There was a problem hiding this comment.
Will be removed once create_for_rbac PR is merged.
| --password -p : Password used to log into a container registry. | ||
| --role -r : Name of role. Allowed roles: owner, contributor, reader. | ||
| Default: reader. | ||
| --storage-account-name -s : Name of new or existing storage account. If not provided, a |
There was a problem hiding this comment.
This isn't consistent with what we discussed during the meeting. We talked about either creating a new SA (if omitted) or treating it as an exiting SA if provided and throwing an error if the SA didn't actually exist in the subscription.
There was a problem hiding this comment.
Description issue, will fix. The code is doing the right thing.
| az acr create -n myRegistry -g myResourceGroup -l southus | ||
| Create a container registry with an existing storage account | ||
| az acr create -n myRegistry -g myResourceGroup -l southus -s myStorageAccount | ||
| Create a container registry with a new service principal |
There was a problem hiding this comment.
We discussed breaking this scenario into the three CLI commands (SP create for RBAC, role assignment create, registry create)
There was a problem hiding this comment.
Will be removed once create_for_rbac PR is merged.
|
|
||
| register_cli_argument('acr', 'role', | ||
| options_list=('--role', '-r'), | ||
| help='Name of role. Allowed roles: {}'.format(', '.join(ALLOWED_ROLES)), |
There was a problem hiding this comment.
Assuming --role remains a valid parameter, you should use **enum_choice_list(ALLOWED_ROLES) as this will make your choice list case insensitive. While it will work with a list of strings, even better would be to use the autorest generated enum object, if one exists. It will be less maintenance burden for you.
| return resource_id[resource_id.index(resource_group_keyword) + len(resource_group_keyword): | ||
| resource_id.index('/providers/')] | ||
|
|
||
| def create_service_principal(registry_name, password=None): |
There was a problem hiding this comment.
During the meeting we discussed omitting this implementation and making use of the existing commands to create a service principal.
| client = get_arm_service_client() | ||
| resource_group_name = namespace.resource_group_name | ||
|
|
||
| if not client.resource_groups.check_existence(resource_group_name): |
There was a problem hiding this comment.
Nowhere in the CLI do we make checking for resource_group existence part of client-side validation. You're welcome to of course, but it would be additional maintenance burden for you. Most services return a pretty clear error if the specified resource group doesn't exist.
There was a problem hiding this comment.
The code has a step to validate template deployment for a resource group. It will also return false if the resource group doesn't exist, so we can't differentiate between the resource group doesn't exist and the deployment is invalid. Can we keep it here and if it turns out to be a burden, we will remove it. #ByDesign
| 'The resource group {} does not exist in the current subscription.'\ | ||
| .format(resource_group_name)) | ||
|
|
||
| def validate_password(namespace): |
There was a problem hiding this comment.
For security reasons, I would recommend allowing the user to omit password from the command line and submit it interactively like we do for az login. @johanste do you agree?
There was a problem hiding this comment.
We will be removing this password here for SP. The only case the user needs to provide a password is in repository command group and when the user has to use an SP to list repositories (since we cannot retrieve SP password from anywhere). I tend to think that this is OK, at least for now, since if the user does docker login using the same credential, the username/password will also be stored by the OS. Even for az login, the user can also do az login -u myUsername -p myPassword. If this is a general concern, we definitely want to have a work item and track this. @sajayantony
| if namespace.password and not namespace.new_sp: | ||
| raise CLIError('--password has to be used with --new-sp.') | ||
|
|
||
| def validate_role(namespace): |
There was a problem hiding this comment.
This is not necessary and will never be executed. Because allowed roles is in a choice list, the fact that the supplied value is not in the list will be caught earlier by argparse and thus it will never reach here.
djyou
force-pushed
the
master
branch
4 times, most recently
from
c511d86
to
9e071be
Compare
|
@tjprescott I believe we have addressed these issues as much as we can. Thanks for your feedback! |
|
@tjprescott if there is anything blocking this from merging, please let us know. |
1. Added commands to manage Azure container registries (create/delete/show/list/update). 2. Integrated repository list and show-tags commands to manage repositories. 3. Added storage command group to manage storage account for container registries. 4. Added credential command group to manage admin user credentials. 5. Added mgmt_acr SDK for Python.
This change is