Skip to content

fix: fail-fast Azure abs:// auth validation in container entrypoint#92

Merged
EdGeraghty merged 3 commits into
azure-deploy-docsfrom
copilot/sub-pr-87
May 1, 2026
Merged

fix: fail-fast Azure abs:// auth validation in container entrypoint#92
EdGeraghty merged 3 commits into
azure-deploy-docsfrom
copilot/sub-pr-87

Conversation

Copy link
Copy Markdown

Copilot AI commented May 1, 2026
edited
Loading

The abs:// branch in check_litestream_replica_url only caught partial service-principal credentials but never failed when no auth mechanism was configured — a misconfigured deployment would pass entrypoint validation and crash when Litestream started.

Changes

  • Explicit three-path enforcement in the ABS://*) case — restructured from a single partial-SP guard into an if/elif/else chain:

    Path Signal Behaviour
    Account key LITESTREAM_AZURE_ACCOUNT_KEY set pass
    Service principal any AZURE_CLIENT_* var set all three required; missing vars still emit named errors
    Managed identity IDENTITY_ENDPOINT or MSI_ENDPOINT present pass (covers Container Apps, App Service, legacy runtimes)
    None emit actionable hints + log_error to terminate

  • Readable error output — the no-auth case emits log_warn hint lines enumerating all three options before the terminal log_error, instead of a single unwieldy message.

# With no credentials configured, output is now:
WARN: Azure Blob Storage ('abs://') requires one of:
WARN:   1. Account key:       set 'LITESTREAM_AZURE_ACCOUNT_KEY'
WARN:   2. Service principal: set 'AZURE_CLIENT_ID', 'AZURE_TENANT_ID', and 'AZURE_CLIENT_SECRET'
WARN:   3. Managed identity:  enable managed identity on the hosting platform
WARN:                         ('IDENTITY_ENDPOINT' or 'MSI_ENDPOINT' must be set by the Azure runtime)
ERROR: No Azure authentication mechanism configured for 'abs://' replica URL.

Copilot AI mentioned this pull request May 1, 2026
Merged
Copilot AI and others added 2 commits May 1, 2026 11:58
@EdGeraghty
fix: fail-fast Azure abs:// auth — require account key, full service …
53c27ec 
…principal, or managed identity signal

Agent-Logs-Url: https://github.com/privacyint/docker-headscale/sessions/b2256f84-bda2-4e8e-8c0f-0caa36d534bc

Co-authored-by: EdGeraghty <20861699+EdGeraghty@users.noreply.github.com>
@EdGeraghty
refactor: split long abs:// auth error into readable warn+error lines
52b8c25 
Agent-Logs-Url: https://github.com/privacyint/docker-headscale/sessions/b2256f84-bda2-4e8e-8c0f-0caa36d534bc

Co-authored-by: EdGeraghty <20861699+EdGeraghty@users.noreply.github.com>
Copilot AI changed the title [WIP] [WIP] Address feedback on Azure implementation and documentation updates fix: fail-fast Azure abs:// auth validation in container entrypoint May 1, 2026
Copilot AI requested a review from EdGeraghty May 1, 2026 12:00
@EdGeraghty EdGeraghty marked this pull request as ready for review May 1, 2026 12:00
@EdGeraghty EdGeraghty merged commit 520b785 into azure-deploy-docs May 1, 2026
3 checks passed
@EdGeraghty EdGeraghty deleted the copilot/sub-pr-87 branch May 1, 2026 12:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@EdGeraghty EdGeraghty EdGeraghty approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@EdGeraghty EdGeraghty

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@EdGeraghty