This article will show you how to add a private Azure Container Registry (ACR) instance to Coder.
Step 1: Set up authentication for Coder
Coder supports the following methods for authenticating with ACR:
- Static credentials that the
docker login
command can consume - Alpha: Azure Active Directory (AAD) Pod Identity
Option A: Provision static credentials for Coder
ACR provides several options for using static credentials, including:
- Registry Administrator Account (not enabled by default)
- AAD Service Principal (SP)
- Individual AAD Identity
- Repository-scoped Access Token
Depending on your ACR SKU, some of the above features may not be available to you. Additionally, depending on the method you use, you may need to regenerate the static credentials used by Coder from time to time.
Please consult the Azure Container Registry Documentation for more details.
Once you've chosen the option for using static credentials, make a note of your username and password and proceed to step 2 of this guide.
Option B: Use an Azure Active Directory (AAD) Pod Identity
This is currently an alpha feature. To use this feature, enable the feature flag under
Manage > Admin > Infrastructure > Azure Container Registry authentication
.
AAD Pod Identity allows you to assign an AAD identity to pods in your Azure Kubernetes (AKS) cluster. You can assign Coder an AAD identity with pull access to an ACR instance so that Coder can access the registry without needing to provide static credentials.
-
Create your Azure role assignments and install AAD Pod Identity on your clusters.
Consult the AAD Pod Identity Documentation for additional support on configuring this feature.
-
Once you have configured an Azure Identity Binding, ensure that you label the
coderd
deployment pods with the correctaadpodidbinding
label.For example, if you name the Azure Identity
coder-identity
, then the pods in yourcoderd
deployment should all have the labelaadpodidbinding: coder-identity
. -
Verify that the Azure Identity binding is set up correctly. First, run:
kubectl run -it --rm --image=mcr.microsoft.com/azure-cli:latest --labels=aadpodidbinding=coder-identity aadpodidtest -- bash
Then, run the following command, replacing the variables
$SUBSCRIPTION_ID
,$RESOURCE_GROUP
, and$IDENTITY_NAME
where appropriate:bash-5.1# az login --identity -u /subscriptions/$SUBSCRIPTION_ID/resourcegroups/$RESOURCE_GROUP/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$IDENTITY_NAME # Expected output: [ { "environmentName": "AzureCloud", "homeTenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "isDefault": true, "managedByTenants": [], "name": "Microsoft Azure Sponsorship", "state": "Enabled", "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "user": { "assignedIdentityInfo": "MSIResource-/subscriptions/$SUBSCRIPTION_ID/resourcegroups/$RESOURCE_GROUP/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$IDENTITY_NAME", "name": "userAssignedIdentity", "type": "servicePrincipal" } } ]
If you see output similar to the above, then you have successfully configured AAD Pod Identity!
Troubleshooting
You can manually check that Coder is able to acquire a token from the Azure
Instance Metadata Service (IMDS) by running the following (be sure to replace
the variable $CLIENTID
with the ID of the user-assigned entity you are using):
kubectl -n coder exec -it deployment/coderd -- curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&client_id=$CLIENTID&resource=https%3A%2F%2Fmanagement.azure.com' -H 'Metadata:true'
If you receive an error similar to the following, try restarting coderd
by
running the command kubectl rollout restart deployment coderd
: the coderd
pod:
{"error":"invalid_request","error_description":"Identity not found"}
If you run into further issues, please check the official troubleshooting documentation for AAD Pod Identity.
-
Next, set the
aadpodidbinding
label in your Helmvalues.yaml
:extraLabels: aadpodidbinding: coder-identity
-
You will then need to upgrade the Helm deployment:
helm upgrade coder coder/coder --values values.yaml
-
Finally, enable the feature flag under
Manage > Admin > Infrastructure > Azure Registry Authentication
if you haven't already.
Step 2: Add your Azure Container Registry to Coder
You can add your private ACR instance at the same time that you add your images. To import an image:
-
In Coder, go to Images and click on Import Image in the upper-right.
-
In the dialog that opens, you'll be prompted to pick a registry. However, to add a registry, click Add a new registry located immediately below the registry selector.
-
Provide a registry name and the registry.
-
Depending on how you are authenticating:
-
If you are using Static Credentials, then set the registry kind to Generic Registry and provide the username and password as normal.
-
If you are using AAD Pod Identity, set Registry Kind to Microsoft Azure Container Registry. You do not have to provide a username or password if you are using AAD Pod Identity.
-
-
Continue with the process of adding your image.
-
When done, click Import.