Missing registry_credentials in digitalocean_app.service.image for registry_type = "GHCR" #1132

Closed
matthiasbruns opened this issue Mar 23, 2024 · 4 comments
Labels
do-api Depends on changes to the DigitalOcean API

Comments

@matthiasbruns

Is your feature request related to a problem? Please describe.

I am using GitHub packages to deploy to DigitalOcean App Platform. I want to switch from manual UI configuration to terraform but hit a roadblock.
Since our packages registry is private, I used to configure the deployment with "username:api_key" for the GitHub access.
There is no such option in the app provider.

Describe the solution you'd like

resource "digitalocean_app" "backend" {
  spec {
    name   = local.app_name

    service {
      //...

      image {
        registry             = "registry"
        registry_type        = "GHCR"
        repository           = "repository"
        tag                  = "main"
        registry_credentials = "username:password" // <-- add something like this
      }
    }
  }

  lifecycle {
    prevent_destroy = true
  }
}

Describe alternatives you've considered

My current solution is to deploy the app via terraform, let the build fail on DigitalOcean and configure the credentials in the UI afterwards. But when the Spec has to change due to a change in terraform, this will break and registry_credentials will be gone again.

Additional context

digitalocean_app

@andrewsomething andrewsomething added the do-api Depends on changes to the DigitalOcean API label Mar 25, 2024
@matthiasbruns
Author

Can I help somehow? I wasn't able to find anything about the credentials in the api docs for the DO api. Maybe I am blind, if there is something, can you point me to it? Implementing this should be easy then.

@andrewsomething
Member

Hi @matthiasbruns,

Sorry for the delayed response. It looks like registry_credentials is only currently documented here:

https://docs.digitalocean.com/products/app-platform/how-to/deploy-from-container-images/#deploy-container-using-the-apps-spec

I've reached out to the App Platform team to get it included in the App Spec and API reference docs.

I've also opened a PR (#1137) to help address this. Though registry_credentials unfortunately has the same drawback as other App Platform secret values when used with Terraform. From the link above:

The registry_credentials field requires you to initially submit your access credentials in clear text, but App Platform then encrypts and stores these values similar to secret environment variables. After submitting the spec, App Platform replaces the values in the spec with encrypted values. Once the values are encrypted, you can safely store the spec in the app’s repo.

So it requires manually changing the value in the Terraform configuration to the returned encrypted one or using a lifecycle block to ignore the changes as Terraform wants to reconcile state. E.g.

  lifecycle {
    ignore_changes = [
        spec.0.service.0.image["registry_credentials"]
    ]
  }
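
An added example, not part of the comment above and not the provider's own documentation: one way to keep the clear-text credential out of the committed configuration while using the lifecycle approach described in this thread. It assumes `registry_credentials` is accepted in the `image` block as requested in this issue; the variable name, app name and service name are constructed, and the `ignore_changes` path is written in index syntax on the assumption that `spec`, `service` and `image` are list blocks.

```hcl
# Added example. Assumes the image block accepts registry_credentials
# as requested in this issue; all names below are constructed.

variable "ghcr_credentials" {
  description = "GHCR access in the form username:token"
  type        = string
  sensitive   = true # redacted in plan/apply output, still written to state
}

resource "digitalocean_app" "backend" {
  spec {
    name = "backend"

    service {
      name = "api"

      image {
        registry_type = "GHCR"
        registry      = "registry"
        repository    = "repository"
        tag           = "main"

        # Weak form: a literal "username:token" here ends up in version control.
        # Hardened form: take the value from a sensitive variable supplied at
        # run time, for example through the TF_VAR_ghcr_credentials environment
        # variable set by the CI secret store.
        registry_credentials = var.ghcr_credentials
      }
    }
  }

  lifecycle {
    # App Platform returns an encrypted value in place of the submitted one.
    # Ignoring this attribute stops Terraform from trying to reconcile the
    # encrypted value back to the clear-text input on every plan.
    ignore_changes = [
      spec[0].service[0].image[0].registry_credentials,
    ]
  }
}
```

With `ignore_changes` in place, a rotated credential passed through the variable is not applied until the ignore entry is lifted for that run. Because the state file holds the attribute value, the state backend needs the same access controls as any other secret store.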

@andrewsomething
Member

Closed via #1137

@matthiasbruns
Author

Thank you for hinting me to the spec entry :)
