Enhance Azure implementation and update documentation #87
Pull request overview
Adds Azure Container Apps deployment support and tooling to render provider deployment templates, alongside documentation updates for Azure/Fly.io and Azure Blob authentication options.
Changes:
- Added an Azure Container Apps deployment guide (`docs/backends/azure-container-apps.md`).
- Introduced a `Makefile` to render deployment configs from templates (`fly.toml`, `azure-container-apps.yaml`).
- Updated docs/config notes for Fly.io and Azure Blob authentication behaviour.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| templates/secrets.template.env | Documents Azure Blob auth options (account key / managed identity / service principal). |
| scripts/container-entrypoint.sh | Relaxes Azure Blob replica URL validation to allow non-account-key auth flows. |
| docs/backends/fly-io.md | Switches Fly.io guide to use make render-fly-config. |
| docs/backends/azure-container-apps.md | New end-to-end Azure Container Apps deployment guide. |
| README.md | References Azure/Fly deployment guides and the new make rendering targets. |
| Makefile | Adds rendering targets and env var checks for template rendering. |
This directory is gitignored so I missed it
Pull request overview
This PR adds first-class Azure Container Apps deployment support (templates + documentation) and introduces a Makefile-based workflow for rendering provider deployment templates, while also clarifying Azure Blob authentication options for Litestream.
Changes:
- Added an Azure Container Apps deployment guide and a reusable YAML template for deploying with persistent storage and optional Litestream replication.
- Introduced a `Makefile` to render `fly.toml` and `azure-container-apps.yaml` from templates with basic environment validation.
- Updated Fly.io documentation and clarified Litestream Azure authentication options (account key vs managed identity/service principal).
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| templates/secrets.template.env | Documents additional Azure Blob auth options (managed identity / service principal) for Litestream. |
| templates/fly.template.toml | Renames MagicDNS base-domain env var in the Fly template. |
| templates/azure-container-apps.template.yaml | Adds a Container Apps YAML template including identity, ingress, env vars, and Azure Files mount. |
| scripts/container-entrypoint.sh | Relaxes validation for abs:// Litestream replication to allow non-account-key Azure auth methods. |
| docs/backends/fly-io.md | Switches Fly template rendering instructions to make render-fly-config. |
| docs/backends/azure-container-apps.md | Adds a comprehensive Azure Container Apps deployment guide, including optional Litestream backup. |
| README.md | Links to the new Azure guide and documents new make targets. |
| Makefile | Adds render-fly-config / render-azure-container-apps and an envsubst availability check. |
Comments suppressed due to low confidence (1)
templates/fly.template.toml:20
`internal_port` is set to `8080`, but in this image Headscale listens on `127.0.0.1:8080` and Caddy listens on `:8008` (when `CADDY_FRONTEND=DISABLE_HTTPS`, as set above). Fly will forward traffic to `internal_port`, so `8080` will not be reachable externally and deployments will fail. Update the template to forward to `8008` (or change the container to listen on `0.0.0.0:8080`, but that would bypass Caddy and the admin GUI handling).

```toml
[[services]]
internal_port = 8080
protocol = "tcp"
```
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@EdGeraghty I've opened a new pull request, #88, to work on those changes. Once the pull request is ready, I'll request review from you.
…ream URL Agent-Logs-Url: https://github.com/privacyint/docker-headscale/sessions/4b3e8248-4d6f-421d-a6c4-e5c103558d01 Co-authored-by: EdGeraghty <20861699+EdGeraghty@users.noreply.github.com>
Agent-Logs-Url: https://github.com/privacyint/docker-headscale/sessions/4b3e8248-4d6f-421d-a6c4-e5c103558d01 Co-authored-by: EdGeraghty <20861699+EdGeraghty@users.noreply.github.com>
@EdGeraghty I've opened a new pull request, #89, to work on those changes. Once the pull request is ready, I'll request review from you.
…tion

The guide previously exported the storage account key into the shell environment in three places (Step 2, Step 6 blob creation, Step 6 Option A). Exported variables are visible via `env`, crash dumps, and shell-history tooling, all of which are undesirable for a high-value secret. All three occurrences are now rewritten to use inline command substitution directly on the `az` argument, so the key value is never placed in a named shell variable at all.

Agent-Logs-Url: https://github.com/privacyint/docker-headscale/sessions/4e335591-6a37-479b-a7a5-b099b3ac96b0
Co-authored-by: EdGeraghty <20861699+EdGeraghty@users.noreply.github.com>
docs(azure): replace exported STORAGE_ACCOUNT_KEY with inline command substitution
…/azure Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Before, they just needed to exist in the environment
Pull request overview
This PR adds Azure Container Apps as a first-class deployment option, alongside tooling and documentation updates to make rendering provider templates and configuring Azure Blob authentication easier.
Changes:
- Added an Azure Container Apps deployment guide and a corresponding YAML template.
- Introduced a `Makefile` to render `fly.toml` and `azure-container-apps.yaml` from templates (via `envsubst`), and updated Fly.io docs to use it.
- Extended Litestream Azure Blob auth documentation and added entrypoint validation for multiple Azure auth mechanisms.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| Makefile | Adds make targets to render provider deployment configs via envsubst. |
| README.md | References new Azure docs and documents the new make render targets. |
| docs/backends/azure-container-apps.md | New end-to-end Azure Container Apps deployment guide, incl. storage, domains, and Litestream auth options. |
| templates/azure-container-apps.template.yaml | New Azure Container Apps YAML template rendered by make render-azure-container-apps. |
| docs/backends/fly-io.md | Switches template rendering guidance from raw envsubst to make render-fly-config. |
| templates/fly.template.toml | Renames the DNS base-domain env var to HEADSCALE_DNS_BASE_DOMAIN. |
| templates/secrets.template.env | Documents Azure Blob auth options (account key, managed identity, service principal). |
| scripts/variables-check.sh | Tightens env-var validation by distinguishing “defined” vs “populated”. |
| scripts/container-entrypoint.sh | Adds Azure Blob auth validation for abs:// Litestream replica URLs. |
@copilot apply changes based on the comments in this thread. Because of branch restrictions, do all your work in a sub-pr

@EdGeraghty I've opened a new pull request, #91, to work on those changes. Once the pull request is ready, I'll request review from you.
Agent-Logs-Url: https://github.com/privacyint/docker-headscale/sessions/74646d5a-272d-49c5-8fdf-e7d8b804503e Co-authored-by: EdGeraghty <20861699+EdGeraghty@users.noreply.github.com>
Remove IDENTITY_ENDPOINT requirement for managed identity Azure Blob auth
Pull request overview
Adds first-class Azure Container Apps deployment support and aligns deployment tooling/docs across Azure and Fly.io, including clearer Litestream authentication options for Azure Blob Storage.
Changes:
- Added an Azure Container Apps deployment guide and a reusable `azure-container-apps.yaml` template.
- Introduced a `Makefile` to render provider deployment templates (`fly.toml`, `azure-container-apps.yaml`) with basic env var validation.
- Updated entrypoint/env-var validation to treat empty values as missing and documented/partially validated additional Azure Blob auth methods.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| templates/secrets.template.env | Documents Azure Blob auth options (account key, managed identity, service principal). |
| templates/fly.template.toml | Renames the Headscale DNS env var in the Fly template. |
| templates/azure-container-apps.template.yaml | Adds a parameterised Azure Container Apps YAML template including identity, ingress, and Azure Files mount. |
| scripts/variables-check.sh | Adds env_var_is_populated and changes “required”/default logic to treat empty strings as unset. |
| scripts/container-entrypoint.sh | Updates Litestream abs:// validation to allow keyless auth paths (managed identity / service principal). |
| docs/backends/fly-io.md | Updates Fly instructions to use make render-fly-config and documents make/envsubst requirement. |
| docs/backends/azure-container-apps.md | New end-to-end Azure Container Apps deployment guide (storage, domains/HTTPS, Litestream options). |
| README.md | References new Azure guide and documents the new make render targets. |
| Makefile | Adds help, render-fly-config, and render-azure-container-apps targets using envsubst. |
Comments suppressed due to low confidence (1)
scripts/variables-check.sh:50
`check_env_var_or_set_default` now treats an empty string the same as “unset” (because it uses `env_var_is_populated`), but the function comment still says “Check environment variable is set, or default”. Please update the comment to reflect the new behaviour so callers know that intentionally setting an empty value will be overridden by the default.

```sh
########################################
# Check environment variable is set, or default (and optionally validate with regex - now you have two problems)
# Arguments:
# $1 - Variable name
# $2 - Default value
# $3 - Validation regex pattern (optional)
```
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@EdGeraghty I've opened a new pull request, #92, to work on those changes. Once the pull request is ready, I'll request review from you.
…principal, or managed identity signal Agent-Logs-Url: https://github.com/privacyint/docker-headscale/sessions/b2256f84-bda2-4e8e-8c0f-0caa36d534bc Co-authored-by: EdGeraghty <20861699+EdGeraghty@users.noreply.github.com>
Agent-Logs-Url: https://github.com/privacyint/docker-headscale/sessions/b2256f84-bda2-4e8e-8c0f-0caa36d534bc Co-authored-by: EdGeraghty <20861699+EdGeraghty@users.noreply.github.com>
fix: fail-fast Azure abs:// auth validation in container entrypoint
Pull request overview
This PR adds Azure Container Apps as a first-class deployment backend for docker-headscale, alongside improvements to deployment tooling and clearer guidance for Litestream’s Azure Blob Storage authentication options.
Changes:
- Added an Azure Container Apps deployment guide and an accompanying Container Apps YAML template.
- Introduced a `Makefile` with targets to render provider deployment configs (`fly.toml`, `azure-container-apps.yaml`) via `envsubst`.
- Improved Azure Blob auth validation in the container entrypoint (account key, service principal, or managed identity).
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| templates/secrets.template.env | Documents Azure Blob auth options (account key, managed identity, service principal). |
| templates/fly.template.toml | Updates env var name and Fly internal port to match the container’s listening port. |
| templates/azure-container-apps.template.yaml | Adds a reusable Azure Container Apps YAML template for deployment. |
| scripts/variables-check.sh | Adds “populated” env var checks and makes require_env_var enforce non-empty values. |
| scripts/container-entrypoint.sh | Validates Azure Blob auth for abs:// Litestream replica URLs across supported mechanisms. |
| docs/backends/fly-io.md | Switches to using make render-fly-config and documents required local tooling. |
| docs/backends/azure-container-apps.md | Adds a comprehensive Azure Container Apps deployment guide (incl. storage, domains, Litestream). |
| README.md | References the new Azure guide and documents available render targets. |
| Makefile | Adds render targets and envsubst checks for deployment template generation. |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
This pull request introduces first-class support for Azure Container Apps as a deployment target, improves deployment template rendering and documentation, and enhances environment variable validation for Azure Blob Storage authentication. The major changes include a new Makefile with template rendering targets, new and updated documentation for Azure and Fly.io deployments, and improved environment variable checks in shell scripts.
Deployment Automation and Templates:
- `Makefile` with targets to render `fly.toml` and `azure-container-apps.yaml` from their respective templates, ensuring required environment variables are set and `envsubst` is available. (Makefile)
- `templates/azure-container-apps.template.yaml` for reusable Azure deployment configuration, supporting persistent storage and environment variable substitution.

Documentation Updates:
- `docs/backends/azure-container-apps.md`, covering prerequisites, resource creation, deployment steps, persistent storage, custom domains, HTTPS, and Litestream backup options.
- `README.md` to reference the new Makefile targets and Azure deployment guide, and added links to backend-specific instructions. [1] [2] [3]

Environment Variable Handling and Validation:
- `scripts/variables-check.sh`, adding `env_var_is_populated` and updating checks to ensure variables are both defined and non-empty. [1] [2] [3]
- `scripts/container-entrypoint.sh` to support account key, service principal, and managed identity authentication, with detailed error messages and validation.

Configuration Consistency:
- `templates/fly.template.toml` to use `HEADSCALE_DNS_BASE_DOMAIN` (fixing a typo) and set the internal port to `8008` for consistency with Azure deployment.

These changes make multi-provider deployment easier, provide clear Azure deployment documentation, and ensure robust environment validation for cloud storage integration.
Closes #43
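
The two checks discussed in this pull request (defined versus populated, and failing fast when an `abs://` replica URL has no usable auth method), written out as an added example that is not the repository's code. `LITESTREAM_AZURE_ACCOUNT_KEY` and the `AZURE_*` names are assumed to be the variables in use, and `EXAMPLE_USE_MANAGED_IDENTITY` is a hypothetical stand-in for the managed identity signal.

```shell
#!/bin/sh
# Added illustration; not the repository's scripts. Env var names below are assumptions.

# Accept only plain identifiers so the eval below cannot run injected text.
valid_name() {
    case "$1" in
        '' | [!A-Za-z_]* | *[!A-Za-z0-9_]*) return 1 ;;
    esac
}

# "Defined": the variable exists, even if its value is the empty string.
env_var_is_defined() {
    valid_name "$1" || return 2
    eval "[ \"\${$1+x}\" = x ]"
}

# "Populated": the variable exists and its value is non-empty.
env_var_is_populated() {
    valid_name "$1" || return 2
    eval "[ -n \"\${$1:-}\" ]"
}

# Print the auth mode for a replica URL, or fail before any replication starts.
azure_blob_auth_mode() {
    case "$1" in
        abs://*) ;;
        *) echo "not-azure"; return 0 ;;
    esac
    if env_var_is_populated LITESTREAM_AZURE_ACCOUNT_KEY; then
        echo "account-key"; return 0
    fi
    sp_set=0
    for name in AZURE_TENANT_ID AZURE_CLIENT_ID AZURE_CLIENT_SECRET; do
        if env_var_is_populated "$name"; then sp_set=$((sp_set + 1)); fi
    done
    if [ "$sp_set" -eq 3 ]; then
        echo "service-principal"; return 0
    fi
    if [ "$sp_set" -gt 0 ]; then
        echo "error: service principal needs tenant, client id and secret" >&2
        return 1
    fi
    # Hypothetical opt-in flag standing in for the managed identity signal.
    if [ "${EXAMPLE_USE_MANAGED_IDENTITY:-}" = "true" ]; then
        echo "managed-identity"; return 0
    fi
    echo "error: abs:// replica URL set but no Azure auth method is populated" >&2
    return 1
}
```

Error messages name the missing variables only and never echo a secret's value; an empty account key is treated as absent rather than as a credential.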