Skip to content

adding a read-only ContainerApps secret repository #11202

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: dev
Choose a base branch
from
Open

adding a read-only ContainerApps secret repository #11202

wants to merge 7 commits into from
+330 −3

Conversation

brettsam
Copy link
Member

@brettsam brettsam commented Jul 22, 2025
edited
Loading

fixes #11166

Container Apps currently uses blob storage for it's secrets, which are not manageable easily. We're transitioning secrets to be managed via Container Apps itself. In this case, the secrets will be in a drive in the container the same way as our K8S secrets are.

The main difference here is that these are read-only. We have no mechanism for auto-generating these in Container Apps, so they need to be created separately.

Pull request checklist

IMPORTANT: Currently, changes must be backported to the in-proc branch to be included in Core Tools and non-Flex deployments.

  • Backporting to the in-proc branch is not required
    • Otherwise: Link to backporting PR
  • My changes do not require documentation changes
    • Otherwise: Documentation issue linked to PR
  • My changes should not be added to the release notes for the next release
    • Otherwise: I've added my notes to release_notes.md
  • My changes do not need to be backported to a previous version
    • Otherwise: Backport tracked by issue/PR #issue_or_pr
  • My changes do not require diagnostic events changes
    • Otherwise: I have added/updated all related diagnostic events and their documentation (Documentation issue linked to PR)
  • I have added all required tests (Unit tests, E2E tests)

@brettsam brettsam requested a review from a team as a code owner July 22, 2025 20:28
@fabiocav fabiocav requested a review from Copilot July 22, 2025 23:22
Copilot
Copilot AI reviewed Jul 22, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This pull request adds support for Container Apps secrets by implementing a read-only secrets repository that reads secrets from mounted files in the container filesystem, transitioning from blob storage to Container Apps native secret management.

  • Introduces ContainerAppsSecretsRepository as a new read-only secrets repository implementation
  • Modifies SecretManager to handle nullable master keys for scenarios where secrets don't exist
  • Updates the secret manager provider to support the new "containerapps" secret storage type

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File Description
ContainerAppsSecretsRepository.cs New read-only repository implementation that reads secrets from /run/secrets/functions-keys directory
DefaultSecretManagerProvider.cs Adds support for "containerapps" secret storage type and instantiation of the new repository
SecretManager.cs Updates to handle nullable master keys and removes unused import
ContainerAppsSecretsRepositoryTests.cs Comprehensive test suite covering secret reading, empty scenarios, and SecretManager integration

src/WebJobs.Script.WebHost/Security/KeyManagement/SecretManager.cs
Comment on lines 141 to +142
// before caching any secrets, validate them
string masterKeyValue = hostSecrets.MasterKey.Value;
string masterKeyValue = hostSecrets.MasterKey?.Value;
Copy link
Preview

Copilot AI Jul 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The change to make masterKeyValue nullable without updating the ValidateHostSecrets method call could cause issues. The ValidateHostSecrets method may not be designed to handle null masterKeyValue parameter.

Copilot uses AI. Check for mistakes.

mathewc
mathewc reviewed Jul 23, 2025
View reviewed changes
src/WebJobs.Script.WebHost/Security/KeyManagement/ContainerAppsSecretsRepository.cs
}
}

// Always return a HostSecrets object, even if empty. This will prevent the SecretManager from thinking
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So who is responsible for ensuring that require keys like the master key are present? What happens if the key isn't present but /admin APIs are called by control plane?

@brettsam brettsam force-pushed the brettsam/env-secrets branch 2 times, most recently from 3dd38cf to 3bf0a43 Compare July 29, 2025 15:08
@brettsam brettsam force-pushed the brettsam/env-secrets branch from 3bf0a43 to bba7bad Compare August 11, 2025 15:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mathewc mathewc mathewc left review comments

Copilot code review Copilot Copilot left review comments

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Aspire: Add read-only secret repository for ACA
2 participants
@brettsam @mathewc