Skip to content

New-AzContainerAppVolumeObject does not appear to support "Secrets" #27777

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
simoncroak opened this issue May 15, 2025 · 1 comment
Open

New-AzContainerAppVolumeObject does not appear to support "Secrets" #27777

simoncroak opened this issue May 15, 2025 · 1 comment
Labels
bug This issue requires a change to an existing behavior in the product in order to be resolved. ContainerApp Microsoft.App customer-reported Service Attention This issue is responsible by Azure service team.

Comments

@simoncroak
Copy link

Description

When creating a new container app or updating an existing container app, mounting a secret as a volume does not appear to work as expected. Using the "New-AzContainerAppVolumeObject" command using the -Secret parameter

The created volume is of type "Ephemeral" and not "Secret"

Issue script & Debug output

Given the following powershell:

$rgName = {{{ Hidden }}}
$location = "westcentralus"
$cae = {{{ Hidden }}}

$secretRef = New-AzContainerAppSecretObject -Name "registration" -Value "registration-value"

$configurationObject = New-AzContainerAppConfigurationObject -Secret $secretRef

$secretVolumeItem = New-AzContainerAppSecretVolumeItemObject -SecretRef "registration"
$volume = New-AzContainerAppVolumeObject -Name "registation-vol" -Secret $secretVolumeItem
$volumeMount = New-AzContainerAppVolumeMountObject -MountPath "/usr/local/share/mulesoft/flex-gateway/conf.d" -VolumeName "registation-vol"
  
$probe = New-AzContainerAppProbeObject -Type "Liveness" -HttpGetPath "/health" -HttpGetPort 8080 -InitialDelaySecond 3 -PeriodSecond 3 -HttpGetHttpHeader $probeHttpGetHttpHeader

$containerDefinition = New-AzContainerAppTemplateObject -Image "registry.hub.docker.com/mulesoft/flex-gateway:1.9.1" -Name "test" -Probe $probe -VolumeMount $volumeMount

$EnvId = (Get-AzContainerAppManagedEnv -ResourceGroupName $rgName -Name $cae).Id

New-AzContainerApp -Name "test" -Location $location -EnvironmentId $EnvId -TemplateContainer $containerDefinition -ResourceGroupName $rgName -TemplateVolume $volume -Configuration $configurationObject


This results in the following container app configuration:


Configuration                        : {
                                         "secrets": [
                                           {
                                             "name": "registration"
                                           }
                                         ],
                                         "activeRevisionsMode": "Single",
                                         "maxInactiveRevisions": 100
                                       }
CustomDomainVerificationId           : 420231918D0418A4CE35B887A57347E7EEADF0DA85445258BCE0D70DF7C6B304
EnvironmentId                        : {{{hidden}}}
EventStreamEndpoint                  : {{{hidden}}}
ExtendedLocationName                 : 
ExtendedLocationType                 : 
Id                                   : {{{hidden}}}
IdentityPrincipalId                  : 
IdentityTenantId                     : 
IdentityType                         : None
IdentityUserAssignedIdentity         : {
                                       }
LatestReadyRevisionName              : test--066t5bw
LatestRevisionFqdn                   : 
LatestRevisionName                   : test--066t5bw
Location                             : West Central US
ManagedBy                            : 
ManagedEnvironmentId                 : {{{hidden}}}
Name                                 : test
OutboundIPAddress                    : 
ProvisioningState                    : Succeeded
ResourceGroupName                    : {{{hidden}}}
ScaleMaxReplica                      : 10
ScaleMinReplica                      : 
ScaleRule                            : 
SystemDataCreatedAt                  : 5/15/2025 9:17:09 PM
SystemDataCreatedBy                  : {{{hidden}}}
SystemDataCreatedByType              : User
SystemDataLastModifiedAt             : 5/15/2025 9:17:09 PM
SystemDataLastModifiedBy             : {{{hidden}}}
SystemDataLastModifiedByType         : User
Tag                                  : {
                                       }
TemplateContainer                    : {{
                                         "resources": {
                                           "cpu": 0.5,
                                           "memory": "1Gi",
                                           "ephemeralStorage": "2Gi"
                                         },
                                         "image": "registry.hub.docker.com/mulesoft/flex-gateway:1.9.1",
                                         "name": "test",
                                         "volumeMounts": [
                                           {
                                             "volumeName": "registation-vol",
                                             "mountPath": "/usr/local/share/mulesoft/flex-gateway/conf.d"
                                           }
                                         ],
                                         "probes": [
                                           {
                                             "httpGet": {
                                               "path": "/health",
                                               "port": 8080
                                             },
                                             "initialDelaySeconds": 3,
                                             "periodSeconds": 3,
                                             "type": "Liveness"
                                           }
                                         ]
                                       }}
TemplateInitContainer                : 
TemplateRevisionSuffix               : 
TemplateServiceBind                  : 
TemplateTerminationGracePeriodSecond : 
TemplateVolume                       : {{
                                         "name": "registation-vol",
                                         "storageType": "EmptyDir"
                                       }}
Type                                 : Microsoft.App/containerApps
WorkloadProfileName                  : Consumption

Environment data

Name                           Value
----                           -----
PSVersion                      7.5.0
PSEdition                      Core
GitCommitId                    7.5.0
OS                             Microsoft Windows 10.0.26100
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     4.0.2                 Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault…}
Script     2.0.1                 Az.App                              {Disable-AzContainerAppRevision, Enable-AzContainerAppRevision, Get-AzContainerApp, Get-AzContainerAppAuthConfig…}

Error output

In this case there is no error, a container app is created (or updated) just with a ephemeral volume mount not a secret mount
@simoncroak simoncroak added bug This issue requires a change to an existing behavior in the product in order to be resolved. needs-triage This is a new issue that needs to be triaged to the appropriate team. labels May 15, 2025
@microsoft-github-policy-service microsoft-github-policy-service bot added customer-reported needs-triage This is a new issue that needs to be triaged to the appropriate team. and removed needs-triage This is a new issue that needs to be triaged to the appropriate team. labels May 15, 2025
@isra-fel isra-fel added Service Attention This issue is responsible by Azure service team. ContainerApp Microsoft.App and removed needs-triage This is a new issue that needs to be triaged to the appropriate team. labels May 16, 2025
@microsoft-github-policy-service Microsoft GitHub Policy Service
Copy link
Contributor

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @howang-ms, @Greedygre.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug This issue requires a change to an existing behavior in the product in order to be resolved. ContainerApp Microsoft.App customer-reported Service Attention This issue is responsible by Azure service team.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@isra-fel @simoncroak