[confcom]: Radius support #9915
Open
micromaomao wants to merge 18 commits into
❌ Azure CLI Extensions Breaking Change Test
Contributor
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds Radius template support to the confcom Azure CLI extension, enabling policy container definition extraction from Radius Bicep templates and inserting generated policies back into templates.
Changes:
- Introduces `confcom containers from_radius` and `confcom radius policy_insert` preview commands.
- Adds Radius sample templates + golden expected outputs and new unit/command-level tests.
- Adds ARM template parsing helpers and bumps package version/history to 2.1.0.
Reviewed changes
Copilot reviewed 29 out of 29 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| src/confcom/setup.py | Bumps extension version to 2.1.0. |
| src/confcom/HISTORY.rst | Documents new Radius-related commands. |
| src/confcom/samples/radius/** | Adds sample Radius Bicep inputs and golden policy container outputs. |
| src/confcom/azext_confcom/lib/templates.py | Adds template parsing + parameter/variable evaluation helpers. |
| src/confcom/azext_confcom/command/containers_from_radius.py | Implements container extraction/mapping from Radius templates. |
| src/confcom/azext_confcom/command/radius_policy_insert.py | Implements policy insertion into Radius templates. |
| src/confcom/azext_confcom/custom.py | Wires new commands into extension entrypoints. |
| src/confcom/azext_confcom/commands.py | Registers new CLI command groups/commands. |
| src/confcom/azext_confcom/_params.py | Adds CLI arguments for the new commands. |
| src/confcom/azext_confcom/_help.py | Adds help text and examples for the new commands. |
| src/confcom/azext_confcom/tests/latest/** | Adds unit + golden-file tests for Radius support. |
| linter_exclusions.yml | Exempts new positionals from lint rules. |
Comments suppressed due to low confidence (1)
src/confcom/azext_confcom/command/containers_from_radius.py:1
- The function docstring states 'Ephemeral volumes (kind=="ephemeral") are writable by default' and the samples use `kind: 'ephemeral'`/`'persistent'`, but the implementation only treats `kind == "emptyDir"` as ephemeral and routes everything else to `azureFileVolume` (read-only by default unless `permission`/`rbac == write`). This will incorrectly map `ephemeral` volumes as persistent/RO. Either (mandatory) update the mapper to accept the Applications.Core schema values (`ephemeral`/`persistent`) and map them appropriately, or (alternative) update the docstring + samples to use the canonical kinds (`emptyDir`/`persistentVolume`) consistently.
# --------------------------------------------------------------------------------------------
Member
Author
/azp run
Commenter does not have sufficient privileges for PR 9915 in repo Azure/azure-cli-extensions
Collaborator
/azp run
Azure Pipelines successfully started running 2 pipeline(s).
Member
Author
@yonzhan fixed lints, can you run again? If all good pls merge, thanks!
Collaborator
/azp run
Azure Pipelines successfully started running 2 pipeline(s).
…_policy_insert)

- `az confcom containers_from_radius`: Extract container definitions from Radius bicep templates for policy generation
- `az confcom radius_policy_insert`: Insert generated policy into Radius templates' ccePolicy annotation

Supports the full Applications.Core/containers spec:
- container.image (required)
- container.env (value + secretRef)
- container.command/args/workingDir
- container.volumes
- container.livenessProbe/readinessProbe (exec probes)
- connections (CONNECTIONS_* env injection)
- runtimes.kubernetes.pod.containers (sidecars)

- command/containers_from_radius.py: Main extraction logic
- command/radius_policy_insert.py: Policy insertion into templates
- lib/deployments.py: ARM/bicep template parsing helper
- tests/latest/test_confcom_radius.py: Golden sample tests + edge cases
- samples/radius/: Demo and sidecar test samples with placeholder goldens

Golden files are placeholder TODOs - run tests in devcontainer to generate actual outputs, then commit. Tests will skip until goldens are populated.
- Fix volume unit test
- Fix samples
- Delete working-dir sample as there is no way to override working dir on ACI.
- Mark samples that use radius demo :latest image tag with TODO
We should also consider removing the "platform" argument of this command and `containers from_image` altogether (or really, make the platform argument actually the image platform, then detect if aci/vn2 is passed in, and if yes, translate it to a new "runtime" (name TBD) argument). Also, after platform_rules feature, aci or vn2 won't matter anymore (or at least not here - they will only matter in the final `az confcom acipolicygen --with-containers` call, but that's only if no infra fragments).
Fix the following (likely newly introduced) lints:

```
ERROR: ************* Module azext_confcom._params
src/confcom/azext_confcom/_params.py:54:17: W4904: Using deprecated class FileType of module argparse (deprecated-class)
src/confcom/azext_confcom/_params.py:73:17: W4904: Using deprecated class FileType of module argparse (deprecated-class)
src/confcom/azext_confcom/_params.py:558:17: W4904: Using deprecated class FileType of module argparse (deprecated-class)
************* Module azext_confcom.container
src/confcom/azext_confcom/container.py:577:4: W0102: Dangerous default value dict() (builtins.dict) as argument (dangerous-default-value)
```

Touches some non-related code, but I think the changes are good.

Assisted-by: GitHub Copilot:claude-opus-4.7 copilot-review
Signed-off-by: Tingmao Wang <m@maowtm.org>
Assisted-by: GitHub Copilot:claude-opus-4.7 copilot-review
Signed-off-by: Tingmao Wang <m@maowtm.org>
Member
Author
@yonzhan Fixed tests, can you rerun? If all good pls merge, thanks!
Collaborator
/azp run
Azure Pipelines successfully started running 2 pipeline(s).
eac418d to 9c2d0b5
Member
Author
/azp run
Commenter does not have sufficient privileges for PR 9915 in repo Azure/azure-cli-extensions
Member
Author
@yonzhan
Collaborator
/azp run
Azure Pipelines successfully started running 2 pipeline(s).
Comment on lines +76 to 82
| if not os.path.isfile(signed_fragment): | ||
| eprint(f"Signed fragment file not found: {signed_fragment}") | ||
| oras_attach( | ||
| signed_fragment=signed_fragment, | ||
| signed_fragment_path=signed_fragment, | ||
| manifest_tag=manifest_tag, | ||
| platform=platform, | ||
| ) |
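Review bot: The missing-file branch at the top of this hunk only calls `eprint(...)` and has no `return` or `raise` of its own, so whether `oras_attach(...)` is skipped for a nonexistent `signed_fragment` depends entirely on `eprint` terminating the process, which these lines do not show. Make the control flow explicit (a `return` after the error, or the call placed under `else:`) so a later change to `eprint` cannot turn this into an attach of a path that was just reported missing. As rendered, the call also passes both `signed_fragment=signed_fragment` and `signed_fragment_path=signed_fragment`; if both are meant to remain, one keyword looks redundant and deserves a comment.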
Comment on lines +446 to +449
| with open(template, 'r') as f: | ||
| content = re.sub(r'^extension\s+\S+.*$', '', f.read(), flags=re.MULTILINE) | ||
| with open(temp_template_path, 'w') as out: | ||
| out.write(content) |
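Review bot: Both `open()` calls here rely on the locale's default encoding, and the `re.sub` silently deletes every line that begins with `extension`, including one that happens to sit inside a multi-line string. Pass `encoding='utf-8'` to both calls, add a comment saying why `extension` declarations are stripped, and consider logging each removed line, because the copy written to `temp_template_path` no longer matches the file the user supplied.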
Comment on lines +194 to +207
| kind = mount_info.get("kind") | ||
| # The API reference uses "permission"; the human-readable docs use "rbac". | ||
| access = mount_info.get("permission") or mount_info.get("rbac") | ||
|
|
||
| # TODO: these constants are defined in src/confcom/azext_confcom/data/internal_config.json | ||
| if kind == "emptyDir": | ||
| read_only = access == "read" | ||
| source = "sandbox:///tmp/atlas/emptydir/.+" | ||
| elif kind == "secret": | ||
| read_only = access != "write" | ||
| source = "sandbox:///tmp/atlas/secretsVolume/.+" | ||
| else: | ||
| read_only = access != "write" | ||
| source = "sandbox:///tmp/atlas/azureFileVolume/.+" |
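Review bot: The final `else:` sends every `kind` other than `emptyDir` and `secret`, including `None` and any misspelled or future value, to the `azureFileVolume` source. For input to a policy generator, an unrecognised kind should be rejected with an error naming the volume rather than mapped to a default: match the persistent kind explicitly and raise in the fallback. The defaults also differ by branch (`emptyDir` is writable unless `access == "read"`, the others are read-only unless `access == "write"`), which deserves a one-line comment, and `mount_info.get("permission") or mount_info.get("rbac")` lets an empty `permission` fall through to `rbac`, so state whether that precedence is intended.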
Comment on lines +15 to +18
| _CCE_POLICY_PATTERN = re.compile( | ||
| r'["\']?ccePolicy["\']?\s*:\s*["\'][^"\']*["\']', | ||
| re.IGNORECASE, | ||
| ) |
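Review bot: The value part `["\'][^"\']*["\']` does not require the closing quote to match the opening one and stops at the first quote of either kind, so a value containing the other quote character is matched only partially, and against a `'''` multi-line string it matches just the first two quotes. Capture the opening quote and close with a backreference, for example `(["\'])(?:(?!\1).)*\1`, or document that the value is expected to contain no quote characters. `re.IGNORECASE` also makes a key such as `ccepolicy` match, and nothing ties the match to a particular property location, so note whether a hit inside a comment or an unrelated property is acceptable for whatever consumes this pattern.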
Author: Dominic Ayre dominicayre@microsoft.com
Co-authored-by: Tingmao Wang tingmaowang@microsoft.com
Test: