From 81fcdd1ce956889147aa3251d24ff7703ec98c81 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 1 May 2026 11:38:13 +0000 Subject: [PATCH 1/2] Initial plan From d6785f7e1ca96cdce55a3942dd2f980738b53d8e Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 1 May 2026 11:41:32 +0000 Subject: [PATCH 2/2] fix: relax managed identity check; remove IDENTITY_ENDPOINT requirement Agent-Logs-Url: https://github.com/privacyint/docker-headscale/sessions/74646d5a-272d-49c5-8fdf-e7d8b804503e Co-authored-by: EdGeraghty <20861699+EdGeraghty@users.noreply.github.com> --- scripts/container-entrypoint.sh | 24 +++++++++++++------- templates/azure-container-apps.template.yaml | 11 ++++++--- 2 files changed, 24 insertions(+), 11 deletions(-) diff --git a/scripts/container-entrypoint.sh b/scripts/container-entrypoint.sh index 41f0116..e7b3451 100755 --- a/scripts/container-entrypoint.sh +++ b/scripts/container-entrypoint.sh @@ -113,14 +113,22 @@ check_litestream_replica_url() { require_env_var "LITESTREAM_SECRET_ACCESS_KEY" ;; ABS://*) - # Azure Blob Storage requires at least one auth mechanism: - # 1. Account key - # 2. Service principal (client ID + tenant ID + client secret) - # 3. Managed identity (IDENTITY_ENDPOINT set by the Azure runtime) - env_var_is_populated "LITESTREAM_AZURE_ACCOUNT_KEY" \ - || { env_var_is_populated "AZURE_CLIENT_ID" && env_var_is_populated "AZURE_TENANT_ID" && env_var_is_populated "AZURE_CLIENT_SECRET"; } \ - || env_var_is_populated "IDENTITY_ENDPOINT" \ - || log_error "Azure Blob Storage ('abs://') requires at least one auth mechanism: 'LITESTREAM_AZURE_ACCOUNT_KEY', service-principal vars ('AZURE_CLIENT_ID', 'AZURE_TENANT_ID', 'AZURE_CLIENT_SECRET'), or managed identity ('IDENTITY_ENDPOINT')." + # Azure Blob Storage supports three auth mechanisms: + # 1. Account key — set LITESTREAM_AZURE_ACCOUNT_KEY + # 2. Service principal — set AZURE_CLIENT_ID + AZURE_TENANT_ID + AZURE_CLIENT_SECRET + # 3. Managed identity — no extra variables required; the Azure runtime provides credentials + if env_var_is_populated "AZURE_CLIENT_ID" \ + || env_var_is_populated "AZURE_TENANT_ID" \ + || env_var_is_populated "AZURE_CLIENT_SECRET"; then + # Partial service-principal credentials are always a misconfiguration. + env_var_is_populated "AZURE_CLIENT_ID" \ + || log_error "Service-principal auth for Azure Blob Storage requires 'AZURE_CLIENT_ID'." + env_var_is_populated "AZURE_TENANT_ID" \ + || log_error "Service-principal auth for Azure Blob Storage requires 'AZURE_TENANT_ID'." + env_var_is_populated "AZURE_CLIENT_SECRET" \ + || log_error "Service-principal auth for Azure Blob Storage requires 'AZURE_CLIENT_SECRET'." + fi + # If no explicit credentials are provided, managed identity is assumed. ;; *) log_error "Invalid 'LITESTREAM_REPLICA_URL'. Must start with 's3://', 'abs://', or be set to 'DISABLED_I_KNOW_WHAT_IM_DOING'." diff --git a/templates/azure-container-apps.template.yaml b/templates/azure-container-apps.template.yaml index e35d4b2..e2bf21c 100644 --- a/templates/azure-container-apps.template.yaml +++ b/templates/azure-container-apps.template.yaml @@ -12,9 +12,14 @@ properties: external: true targetPort: 8008 transport: auto - # For shared-key Azure Blob replication, add a secret here and add a - # corresponding `LITESTREAM_AZURE_ACCOUNT_KEY` env var below using `secretRef` - # instead of an inline value. + # For shared-key Azure Blob replication, add a secret entry here and reference it + # via a `secretRef` in the `LITESTREAM_AZURE_ACCOUNT_KEY` env var below. + # Example secret entry: + # - name: litestream-azure-account-key + # value: + # Then add this env var under the container's `env:` block: + # - name: LITESTREAM_AZURE_ACCOUNT_KEY + # secretRef: litestream-azure-account-key secrets: [] template: containers: