Azure Container Registry plugin for Backstage
The Azure Container Registry (ACR) plugin displays information about your container images available in the Azure Container Registry.
For administrators
Installing and configuring the ACR plugin
-
Run the following command to install the ACR plugin:
yarn workspace app add @janus-idp/backstage-plugin-acr -
Set the proxy to the desired ACR server in the
app-config.yamlfile as follows:# app-config.yaml
proxy:
endpoints:
'/acr/api':
target: 'https://mycontainerregistry.azurecr.io/acr/v1/'
credentials: require
changeOrigin: true
headers:
# If you use Bearer Token for authorization, please replace the 'Basic' with 'Bearer' in the following line.
Authorization: 'Basic ${ACR_AUTH_TOKEN}'
# Change to "false" in case of using self hosted artifactory instance with a self-signed certificate
secure: true[!NOTE] The value inside each route is either a simple URL string, or an object on the format accepted by http-proxy-middleware. Additionally, it has an optional
credentialskey which can have the following values:require: Callers must provide Backstage user or service credentials with each request. The credentials are not forwarded to the proxy target. This is the default.forward: Callers must provide Backstage user or service credentials with each request, and those credentials are forwarded to the proxy target.dangerously-allow-unauthenticated: No Backstage credentials are required to access this proxy target. The target can still apply its own credentials checks, but the proxy will not help block non-Backstage-blessed callers. If you also add allowedHeaders: ['Authorization'] to an endpoint configuration, then the Backstage token (if provided) WILL be forwarded.
Note that if you have
backend.auth.dangerouslyDisableDefaultAuthPolicyset to true, the credentials value does not apply; the proxy will behave as if all endpoints were set to dangerously-allow-unauthenticated. -
Set the authorization using one of the following options:
-
Basic authorization:
- Navigate to the ACR portal and go to the Access Keys tab.
- Retrieve the username and password of the Admin user and use the Basic Auth Header Generator tool or run
echo printf '<username>:<password>' | base64in a terminal to convert the credentials into a basic token. - Set the generated token as
ACR_AUTH_TOKENin environment variables.
-
OAuth2: - Generate bearer access token using the process described in Authenticate with an Azure Container Registry.
-
One method is to generate a bearer token using your basic authorization token, i.e.
curl --location 'https://<yourregistry>.azurecr.io/oauth2/token?scope=repository%3A*%3A*&service=<yourregistry>.azurecr.io' \
--header 'Authorization: Basic <basic_token>' -
Set the generated token as
ACR_AUTH_TOKENin environment variables. Make sure to replace theBasicin theapp-config.yamlwithBearer
-
-
-
Enable an additional tab on the entity view page using the
packages/app/src/components/catalog/EntityPage.tsxfile as follows:packages/app/src/components/catalog/EntityPage.tsximport { AcrPage, isAcrAvailable } from '@janus-idp/backstage-plugin-acr';
const serviceEntityPage = (
<EntityLayout>
// ...
<EntityLayout.Route
if={e => Boolean(isAcrAvailable(e))}
path="/acr"
title="ACR"
>
<AcrPage />
</EntityLayout.Route>
</EntityLayout>
); -
Annotate your entity using the following annotations:
metadata:
annotations:
'azure-container-registry/repository-name': `<REPOSITORY-NAME>',
For users
Using the ACR plugin in Backstage
ACR is a front-end plugin that enables you to view information about the container images from your Azure Container Registry in Backstage.
Prerequisites
- Your Backstage application is installed and running.
- You have installed the ACR plugin. For installation instructions, see Installing and configuring the ACR plugin.
Procedure
-
Open your Backstage application and select a component from the Catalog page.
-
Go to the ACR tab.
The ACR tab in the Backstage UI contains a list of container images and related information, such as TAG, CREATED, LAST MODIFIED, and MANIFEST.