How-To: Pull Bicep Recipes from private OCI container registry.

Learn how to setup your Radius environment to use Bicep Recipe templates published to a private OCI container registry.

Prerequisites

Before you get started, you’ll need to make sure you have the following tools and resources:

Step 1: Obtain private OCI container registry authentication credentials

Radius supports three authentication methods for accessing private container registries:

Basic Authentication: This method uses a username and password for authentication and is applicable to all OCI complaint registries. Obtain the username and password details used to login to private registry.
Azure Workload Identity: This federated identity-based authentication is used for connecting to Azure Container Registry (ACR). Here is the guide to setup Azure Workload Identity for Radius. Obtain clientId and tenant ID used during the setup.
AWS IRSA: This federated identity-based authentication is used for accessing Amazon Elastic Container Registry (ECR). Here is the guide to setup the AWS IRSA for Radius. Obtain roleARN from the role created during the setup.

Step 2: Define a secret store resource

Create a Radius Secret Store to securely store and manage the secrets information required for authenticating with a private registry. Define the namespace for the cluster that will contain your Kubernetes Secret with the resource property and specify the type of secret e.g. basicAuthentication, azureWorkloadIdeneity, awsIRSA.

While this example shows a Radius-managed secret store where Radius creates the underlying secrets infrastructure, you can also bring your own existing secrets. Refer to the secrets documentation for more information.

Secret store example for secret type awsIRSA:

resource registrySecrets 'Applications.Core/secretStores@2023-10-01-preview' = {
  name: 'registry-secrets'
  properties: {
    resource: 'registry-secrets/ecr'
    type: 'awsIRSA'
    data: {
      roleARN: {
        value: 'arn:aws:iam::<account-id>:role/test-role'
      }
    }
  }
}

Step 3: Configure authentication for private bicep registries and add a Bicep recipe

recipeConfig allows you to configure how Recipes should be setup and run. One available option is to specify the registry secrets for pulling Bicep Recipes from private registries. For more information refer to the Radius Environment schema page.

In your env.bicep file add an Environment resource that includes a recipeConfig which leverages the previously defined secret store for private OCI registry authentication.

resource env 'Applications.Core/environments@2023-10-01-preview' = {
  name: 'my-env'
  properties: {
    compute: {
      kind: 'kubernetes'
      namespace: 'my-namespace'
    }
    recipeConfig: {
      bicep:{
        authentication:{
          //  The hostname of your container registry, such as 'docker.io' or '<registry-name>.azurecr.io'
          '<account-id>.dkr.ecr.<region>.amazonaws.com':{
            secret: registrySecrets.id
          }
        }
      }
    }
    recipes: {
      'Applications.Messaging/rabbitMQQueues': {
        default: {
          templateKind: 'bicep'
          templatePath: '<account-id>.dkr.ecr.<region>.amazonaws.com/test-private-ecr:2.0'
        }
      }
    }
  }
}

Step 5: Deploy your Radius Environment

Deploy your new Radius Environment:

rad deploy ./env.bicep

Your Radius Environment is now ready to utilize your Radius Recipes stored inside your private registry. For more information on Radius Recipes visit the Recipes overview page.

Cleanup

You can delete a Radius Environment by running the following command:

rad env delete my-env

Feedback

Was this page helpful?

Glad to hear it! Please feel free to star our repo and join our Discord server to stay up to date with the project.

Sorry to hear that. If you would like to also contribute a suggestion visit and tell us how we can improve.