Skip to content

Refactor recipe settings resources to match the feature spec and support Radius.Security/secrets#12303

Open
sylvainsf wants to merge 7 commits into
mainfrom
sylvainsf/fix-12122-security-secrets-recipe-configs
Open

Refactor recipe settings resources to match the feature spec and support Radius.Security/secrets#12303
sylvainsf wants to merge 7 commits into
mainfrom
sylvainsf/fix-12122-security-secrets-recipe-configs

Conversation

@sylvainsf

Copy link
Copy Markdown
Contributor

Supersedes #12181 (moved off the personal fork to an upstream sylvainsf/* branch; history unchanged, rebased on main).

Description

Fixes #12122. Radius.Core/bicepConfigs and Radius.Core/terraformConfigs rejected Radius.Security/secrets for registry/module credentials, accepting only Applications.Core/secretStores. Fixing that surfaced two deeper problems — a naming divergence from the feature spec and a secret-kind coupling in the Bicep auth path — which this PR also corrects.

1. Support Radius.Security/secrets in the recipe secret loader (the bug)

The recipe secret loader was hardcoded to the Applications.Core/secretStores ListSecrets API and never dispatched on the referenced resource type. It now parses the secret resource ID and routes accordingly:

  • Applications.Core/secretStores keeps the existing ListSecrets path, behavior-identical.
  • Radius.Security/secrets is read by locating the backing Kubernetes Secret its recipe materializes (via status.outputResources) and reading the values directly. This is required because a provisioned Radius.Security/secrets has its sensitive data redacted from the database once provisioning succeeds, so the plaintext only lives in the backing Kubernetes Secret.

The Kubernetes client provider is threaded into the loader at both wiring sites (dynamic-rp and the recipe controller config).

2. Refactor: rename ConfigsSettings to match the spec

These resource types were introduced (in #11780) as Radius.Core/terraformConfigs / bicepConfigs based on the earlier branch work by Yetkin/Vishwa, but the authoritative feature spec authored by @zachcasper (terraform-bicep-settings) names them Radius.Core/terraformSettings / bicepSettings. The naming divergence originated here, not in the spec, and the types are not yet referenced on the docs site — so this renames them to match the spec before they ship more widely:

  • TypeSpec models/segments and the environment terraformSettings / bicepSettings properties.
  • Datamodel types, converters, conversions, the frontend validator package, setup routing, the built-in provider manifests, and the embedded OpenAPI metadata mapping.
  • Regenerated clients, fakes, swagger, and bicep-types.

The legacy recipeConfig transport types (datamodel.BicepConfigProperties, datamodel.TerraformConfigProperties) and the Applications.Core/environments path are intentionally untouched — these are new-environment-only resources.

3. Refactor: select Bicep registry auth from the settings resource, not the secret kind

Per the spec, the secret kind is optional and the Bicep auth method comes from the bicepSettings resource. Previously the Bicep driver chose the registry auth client from the secret's kind, so a kind-less Radius.Security/secrets carrying only username/password failed with "invalid type". The bicepSettings.authenticationMethod is now threaded through and used to select the auth client (BasicAuth, AzureWI, AwsIrsa). The Applications.Core/secretStores path leaves the method empty and continues to use the secret store's own type.

Type of change

Contributor checklist

  • Existing and new functional tests, unit tests, integration tests, and end-to-end tests pass locally where runnable (functional test requires a cluster — runs in dynamicrp-noncloud CI).
  • Code generated from TypeSpec is regenerated (make generate).
  • Design documents updated (the spec lives in radius-project/design-notes; this PR aligns the implementation to it).

Tests

  • Unit tests for the type-dispatching loader and the Radius.Security/secrets backing-secret reader.
  • Test_TerraformSettings_SecuritySecret_Credentials — a functional test that provisions a Radius.Security/secrets resource and references it from a terraformSettings resource for private registry credentials, exercising the new loader end-to-end.

Fixes #12122

sylvainsf and others added 3 commits July 1, 2026 17:49
…adius.Security/secrets

This change addresses issue #12122, where Radius.Core/bicepConfigs and
Radius.Core/terraformConfigs rejected Radius.Security/secrets for registry and
module credentials, accepting only Applications.Core/secretStores. While fixing
that, the work revealed two deeper problems, which this change also corrects.

Support Radius.Security/secrets in the recipe secret loader

The recipe secret loader was hardcoded to the Applications.Core/secretStores
ListSecrets API and never dispatched on the referenced resource type. It now
parses the secret resource ID and routes to the correct reader:

- Applications.Core/secretStores keeps the existing ListSecrets path unchanged.
- Radius.Security/secrets is read by locating the backing Kubernetes Secret the
  resource's recipe materializes (via status.outputResources) and reading its
  values directly. This is required because a provisioned Radius.Security/secrets
  has its sensitive data redacted from the database once provisioning succeeds,
  so the plaintext only exists in the backing Kubernetes Secret.

The Kubernetes client provider is threaded into the loader at both wiring sites
(dynamic-rp and the recipe controller config). The Applications.Core path is left
behavior-identical.

Rename Configs -> Settings to match the feature spec

The resource types were introduced as Radius.Core/terraformConfigs and
Radius.Core/bicepConfigs, but the authoritative feature spec authored by
@zachcasper (terraform-bicep-settings) names them Radius.Core/terraformSettings
and Radius.Core/bicepSettings. The naming divergence originated in this repo, not
the spec, and the resource types are not yet referenced on the docs site, so this
renames them to match the spec before they ship more widely:

- TypeSpec models, segments, and the environment properties terraformSettings and
  bicepSettings.
- Datamodel types, converters, conversions, the frontend validator package, setup
  routing, the built-in provider manifests, and the embedded OpenAPI metadata
  mapping.
- Regenerated clients, fakes, swagger, and bicep-types.

The legacy recipeConfig transport types (datamodel.BicepConfigProperties,
datamodel.TerraformConfigProperties) and the Applications.Core/environments path
are intentionally left unchanged; these are new-environment-only resources.

Select Bicep registry auth from the settings resource, not the secret kind

Per the feature spec, the secret kind property is optional and the Bicep
authentication method comes from the bicepSettings resource. Previously the Bicep
driver chose the registry auth client from the secret's kind, so a kind-less
Radius.Security/secrets carrying only username and password failed with
"invalid type". The bicepSettings authenticationMethod is now threaded through and
used to select the auth client (BasicAuth, AzureWI, AwsIrsa), so a kind-less
Radius.Security/secrets works for BasicAuth. The Applications.Core/secretStores
path, which leaves the method empty, continues to use the secret store's own type.

Tests

- Unit tests for the type-dispatching loader and the Radius.Security/secrets
  backing-secret reader.
- A functional test (Test_TerraformSettings_SecuritySecret_Credentials) that
  provisions a Radius.Security/secrets resource and references it from a
  terraformSettings resource for private registry credentials, exercising the new
  loader end-to-end.

Fixes #12122

Signed-off-by: Sylvain Niles <[email protected]>
Co-authored-by: Copilot Autofix powered by AI <[email protected]>
Signed-off-by: Sylvain Niles <[email protected]>
…path

Rewrite the security-secrets unit test to exercise loadSecuritySecret
end to end (kind extraction, backing-secret lookup, key filtering, and
error paths) via a fake generic-resources transport plus a fake
clientset, rather than only exercising the fake clientset and
ParseResource directly. Addresses PR review feedback and raises
security_secrets.go coverage.

Signed-off-by: Sylvain Niles <[email protected]>
Copilot AI review requested due to automatic review settings July 2, 2026 01:20
@sylvainsf sylvainsf requested review from a team as code owners July 2, 2026 01:20
@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR aligns the implementation of Terraform/Bicep recipe configuration resources with the feature spec by renaming Radius.Core/*ConfigsRadius.Core/*Settings, and fixes #12122 by extending the recipe secret loader to support Radius.Security/secrets (via reading the backing Kubernetes Secret). It also updates the Bicep registry auth selection path to be driven by the settings resource’ authenticationMethod rather than the referenced secret’s kind.

Changes:

  • Rename TypeSpec/models/clients/handlers/manifests from terraformConfigs/bicepConfigs to terraformSettings/bicepSettings, and update environment properties accordingly.
  • Extend configloader.SecretsLoader to dispatch between Applications.Core/secretStores and Radius.Security/secrets, reading the latter from the backing Kubernetes Secret.
  • Thread bicepSettings.authenticationMethod through to registry auth client selection (instead of coupling to secret kind), and add/adjust unit + functional tests.

Contributor doc impact (advisory):

  • docs/architecture/terraform-bicep-config.md and docs/architecture/README.md still reference terraformConfigs/bicepConfigs and likely need an update to terraformSettings/bicepSettings.

Reviewed changes

Copilot reviewed 46 out of 55 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
typespec/Radius.Core/terraformSettings.tsp Renames Terraform config resource/model to terraformSettings and updates secret reference docs to include Radius.Security/secrets.
typespec/Radius.Core/main.tsp Switches imports from *Configs to *Settings.
typespec/Radius.Core/environments.tsp Renames environment properties to terraformSettings / bicepSettings.
typespec/Radius.Core/bicepSettings.tsp Renames Bicep config resource/model to bicepSettings and updates secret reference docs to include Radius.Security/secrets.
test/functional-portable/dynamicrp/noncloud/resources/testdata/tfbicep-combined-test.bicep Updates resource types and environment property names to *Settings.
test/functional-portable/dynamicrp/noncloud/resources/testdata/terraformsettings-securitysecret-test.bicep Adds new functional test template for Radius.Security/secretsterraformSettings credentials path.
test/functional-portable/dynamicrp/noncloud/resources/testdata/terraformsettings-redis-test.bicep Updates template to use terraformSettings and new recipe definition fields.
test/functional-portable/dynamicrp/noncloud/resources/testdata/bicepsettings-test.bicep Updates template to use bicepSettings and new environment property name.
test/functional-portable/dynamicrp/noncloud/resources/terraformsettings_bicepsettings_test.go Renames/extends functional tests for *Settings, adds regression test for #12122.
pkg/ucp/initializer/service_test.go Updates Radius.Core RP summary expectations for new resource names.
pkg/ucp/initializer/radius_core_openapi.go Updates embedded OpenAPI type mapping keys/definitions to *Settings.
pkg/rp/util/registry.go Overrides SecretData.Type based on bicepSettings.authenticationMethod to select the correct registry auth client.
pkg/rp/util/config.go Renames helper fetchers to FetchTerraformSettings / FetchBicepSettings and updates generated clients used.
pkg/recipes/controllerconfig/config.go Threads Kubernetes provider into the secrets loader wiring.
pkg/recipes/configloader/security_secrets.go Implements Radius.Security/secrets backing-Kubernetes-Secret reader.
pkg/recipes/configloader/security_secrets_test.go Adds unit tests for backing secret resolution + Radius.Security/secrets secret loading.
pkg/recipes/configloader/secrets.go Adds type-dispatching secret loader supporting both secretStores and security secrets + new ctor signature.
pkg/recipes/configloader/environment.go Updates v20250801 environment config resolution for terraformSettings/bicepSettings and threads auth method.
pkg/recipes/configloader/environment_v20250801_bridge_test.go Updates bridge tests for new resource names/clients and auth method threading.
pkg/dynamicrp/options.go Updates dynamic-rp wiring to pass Kubernetes provider into secrets loader.
pkg/corerp/setup/setup.go Registers terraformSettings / bicepSettings resources and updates controller wiring.
pkg/corerp/setup/setup_test.go Updates handler/operation expectations for new routes/types.
pkg/corerp/setup/operations.go Renames operations to *Settings/* and updates display metadata.
pkg/corerp/frontend/controller/environments/v20250801preview/validateconfigref_test.go Updates validateConfigRef tests for new config ref properties/types.
pkg/corerp/frontend/controller/environments/v20250801preview/createorupdateenvironment.go Updates config ref validation for terraformSettings / bicepSettings.
pkg/corerp/frontend/controller/environments/v20250801preview/createorupdateenvironment_test.go Updates recipe pack validation test data to use new resource type in wrong-type test.
pkg/corerp/frontend/controller/bicepsettings/validator.go Renames validator package and updates types to BicepSettings; enforces conditional required fields.
pkg/corerp/frontend/controller/bicepsettings/validator_test.go Updates validator tests to BicepSettings.
pkg/corerp/datamodel/terraformsettings.go Renames Terraform config datamodel to TerraformSettings and updates secret reference docs.
pkg/corerp/datamodel/recipe_types.go Extends registry secret config to include AuthenticationMethod.
pkg/corerp/datamodel/environment_v20250801preview.go Renames environment datamodel properties to terraformSettings/bicepSettings.
pkg/corerp/datamodel/converter/terraformsettings_converter.go Renames converters to TerraformSettings* and updates versioned models.
pkg/corerp/datamodel/converter/bicepsettings_converter.go Renames converters to BicepSettings* and updates versioned models.
pkg/corerp/datamodel/bicepsettings.go Renames Bicep config datamodel to BicepSettings and updates secret reference docs.
pkg/corerp/api/v20250801preview/zz_generated_terraformsettings_client.go Regenerates Terraform settings client/routes/types for terraformSettings.
pkg/corerp/api/v20250801preview/zz_generated_responses.go Regenerates response types for *Settings clients/resources.
pkg/corerp/api/v20250801preview/zz_generated_options.go Regenerates options types for *Settings clients.
pkg/corerp/api/v20250801preview/zz_generated_models.go Regenerates models for *Settings resources and environment property names.
pkg/corerp/api/v20250801preview/zz_generated_client_factory.go Regenerates client factory methods for *Settings.
pkg/corerp/api/v20250801preview/zz_generated_bicepsettings_client.go Adds new generated Bicep settings client for bicepSettings.
pkg/corerp/api/v20250801preview/zz_generated_bicepconfigs_client.go Removes old generated Bicep configs client.
pkg/corerp/api/v20250801preview/terraformsettings_conversion.go Updates versioned ↔ datamodel conversions for Terraform settings.
pkg/corerp/api/v20250801preview/terraformsettings_conversion_test.go Updates conversion tests for Terraform settings rename.
pkg/corerp/api/v20250801preview/fake/zz_generated_terraformsettings_server.go Updates fake server/transport to TerraformSettings*.
pkg/corerp/api/v20250801preview/fake/zz_generated_server_factory.go Updates fake server factory wiring for *Settings clients.
pkg/corerp/api/v20250801preview/fake/zz_generated_bicepsettings_server.go Updates fake server/transport to BicepSettings*.
pkg/corerp/api/v20250801preview/environment_conversion.go Updates environment conversion for renamed config ref properties.
pkg/corerp/api/v20250801preview/bicepsettings_conversion.go Updates versioned ↔ datamodel conversions for Bicep settings.
pkg/corerp/api/v20250801preview/bicepsettings_conversion_test.go Updates conversion tests for Bicep settings rename.
hack/bicep-types-radius/generated/radius/radius.core/2025-08-01-preview/types.json Updates generated Bicep types to *Settings and updated docs.
hack/bicep-types-radius/generated/index.json Updates Bicep types index keys to *Settings.
deploy/manifest/built-in-providers/self-hosted/radius_core.yaml Updates built-in provider type names to terraformSettings/bicepSettings.
deploy/manifest/built-in-providers/dev/radius_core.yaml Updates built-in provider type names to terraformSettings/bicepSettings.
Files not reviewed (7)
  • pkg/corerp/api/v20250801preview/fake/zz_generated_server_factory.go: Generated file
  • pkg/corerp/api/v20250801preview/zz_generated_bicepsettings_client.go: Generated file
  • pkg/corerp/api/v20250801preview/zz_generated_client_factory.go: Generated file
  • pkg/corerp/api/v20250801preview/zz_generated_models.go: Generated file
  • pkg/corerp/api/v20250801preview/zz_generated_models_serde.go: Generated file
  • pkg/corerp/api/v20250801preview/zz_generated_options.go: Generated file
  • pkg/corerp/api/v20250801preview/zz_generated_responses.go: Generated file
Comments suppressed due to low confidence (6)

test/functional-portable/dynamicrp/noncloud/resources/testdata/bicepsettings-test.bicep:26

  • The secret store and namespace names in this template still use the old bicepconfig-* naming (secret name + properties.resource path), but the updated functional test expects bicepsettings-*. As-is, the test will fail because it looks for bicepsettings-test-secret in namespace bicepsettings-test-ns while the template creates bicepconfig-test-secret in bicepconfig-test-ns.
    test/functional-portable/dynamicrp/noncloud/resources/testdata/bicepsettings-test.bicep:45
  • The environment block still uses the old bicepconfig-* naming for the environment name and Kubernetes namespace. The test pre-creates bicepsettings-test-ns and validates an environment named bicepsettings-test-env, so this mismatch will break the functional test.
    test/functional-portable/dynamicrp/noncloud/resources/terraformsettings_bicepsettings_test.go:34
  • Typo in comment: terraformSettingss should be terraformSettings.
    test/functional-portable/dynamicrp/noncloud/resources/terraformsettings_bicepsettings_test.go:95
  • Typo in comment: bicepSettingss should be bicepSettings.
    test/functional-portable/dynamicrp/noncloud/resources/terraformsettings_bicepsettings_test.go:153
  • Typos in this comment block: terraformSettingss should be terraformSettings.
    test/functional-portable/dynamicrp/noncloud/resources/terraformsettings_bicepsettings_test.go:234
  • Typos in this comment block: terraformSettingss/bicepSettingss should be terraformSettings/bicepSettings.

Comment thread pkg/recipes/configloader/security_secrets.go
@codecov

codecov Bot commented Jul 2, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 60.91954% with 68 lines in your changes missing coverage. Please review.
✅ Project coverage is 53.02%. Comparing base (bf1015c) to head (3af57ac).
⚠️ Report is 7 commits behind head on main.

Files with missing lines Patch % Lines
pkg/recipes/configloader/secrets.go 33.33% 12 Missing ⚠️
pkg/recipes/configloader/security_secrets.go 85.07% 5 Missing and 5 partials ⚠️
...erp/api/v20250801preview/environment_conversion.go 0.00% 4 Missing and 4 partials ⚠️
pkg/rp/util/registry.go 46.66% 7 Missing and 1 partial ⚠️
pkg/rp/util/config.go 0.00% 6 Missing ⚠️
...erp/datamodel/converter/bicepsettings_converter.go 0.00% 5 Missing ⚠️
...datamodel/converter/terraformsettings_converter.go 0.00% 5 Missing ⚠️
...ents/v20250801preview/createorupdateenvironment.go 0.00% 2 Missing and 2 partials ⚠️
pkg/recipes/configloader/environment.go 73.33% 3 Missing and 1 partial ⚠️
pkg/corerp/datamodel/bicepsettings.go 0.00% 2 Missing ⚠️
... and 3 more
Additional details and impacted files
@@            Coverage Diff             @@
##             main   #12303      +/-   ##
==========================================
+ Coverage   52.97%   53.02%   +0.04%     
==========================================
  Files         754      755       +1     
  Lines       48686    48782      +96     
==========================================
+ Hits        25791    25866      +75     
- Misses      20469    20480      +11     
- Partials     2426     2436      +10     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown

Unit Tests

    2 files  ± 0    452 suites  ±0   7m 37s ⏱️ +8s
5 675 tests +19  5 673 ✅ +19  2 💤 ±0  0 ❌ ±0 
6 872 runs  +19  6 870 ✅ +19  2 💤 ±0  0 ❌ ±0 

Results for commit 3af57ac. ± Comparison against base commit bf1015c.

This pull request removes 33 and adds 52 tests. Note that renamed tests count towards both.
github.com/radius-project/radius/pkg/corerp/api/v20250801preview ‑ TestBicepConfig_ConvertFrom_TwoEntriesAreDistinct
github.com/radius-project/radius/pkg/corerp/api/v20250801preview ‑ TestBicepConfig_ConvertFrom_Wrong_Type
github.com/radius-project/radius/pkg/corerp/api/v20250801preview ‑ TestBicepConfig_ConvertTo_AwsIrsa
github.com/radius-project/radius/pkg/corerp/api/v20250801preview ‑ TestBicepConfig_ConvertTo_AzureWI
github.com/radius-project/radius/pkg/corerp/api/v20250801preview ‑ TestBicepConfig_ConvertTo_BasicAuth
github.com/radius-project/radius/pkg/corerp/api/v20250801preview ‑ TestBicepConfig_ConvertTo_EmptyRegistryAuthentications
github.com/radius-project/radius/pkg/corerp/api/v20250801preview ‑ TestBicepConfig_ConvertTo_NilEntrySkipped
github.com/radius-project/radius/pkg/corerp/api/v20250801preview ‑ TestBicepConfig_RoundTrip_Identity
github.com/radius-project/radius/pkg/corerp/api/v20250801preview ‑ TestTerraformConfig_ConvertFrom_Wrong_Type
github.com/radius-project/radius/pkg/corerp/api/v20250801preview ‑ TestTerraformConfig_ConvertTo_Both
…
github.com/radius-project/radius/pkg/components/database/apiserverstore ‑ Test_APIServer_Client/save_can_update_repeatedly_with_matching_etag
github.com/radius-project/radius/pkg/components/database/inmemory ‑ Test_InMemoryClient/save_can_update_repeatedly_with_matching_etag
github.com/radius-project/radius/pkg/corerp/api/v20250801preview ‑ TestBicepSettings_ConvertFrom_TwoEntriesAreDistinct
github.com/radius-project/radius/pkg/corerp/api/v20250801preview ‑ TestBicepSettings_ConvertFrom_Wrong_Type
github.com/radius-project/radius/pkg/corerp/api/v20250801preview ‑ TestBicepSettings_ConvertTo_AwsIrsa
github.com/radius-project/radius/pkg/corerp/api/v20250801preview ‑ TestBicepSettings_ConvertTo_AzureWI
github.com/radius-project/radius/pkg/corerp/api/v20250801preview ‑ TestBicepSettings_ConvertTo_BasicAuth
github.com/radius-project/radius/pkg/corerp/api/v20250801preview ‑ TestBicepSettings_ConvertTo_EmptyRegistryAuthentications
github.com/radius-project/radius/pkg/corerp/api/v20250801preview ‑ TestBicepSettings_ConvertTo_NilEntrySkipped
github.com/radius-project/radius/pkg/corerp/api/v20250801preview ‑ TestBicepSettings_RoundTrip_Identity
…

♻️ This comment has been updated with latest results.

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown

Functional Tests - dynamicrp-noncloud

67 tests  +3   67 ✅ +3   19m 1s ⏱️ +54s
 1 suites ±0    0 💤 ±0 
 1 files   ±0    0 ❌ ±0 

Results for commit 3af57ac. ± Comparison against base commit bf1015c.

This pull request removes 9 and adds 12 tests. Note that renamed tests count towards both.
github.com/radius-project/radius/test/functional-portable/dynamicrp/noncloud/resources ‑ Test_BicepConfig_CRUD
github.com/radius-project/radius/test/functional-portable/dynamicrp/noncloud/resources ‑ Test_BicepConfig_CRUD/deploy_testdata/bicepconfig-test.bicep
github.com/radius-project/radius/test/functional-portable/dynamicrp/noncloud/resources ‑ Test_BicepConfig_CRUD/execute_function_in_test_step
github.com/radius-project/radius/test/functional-portable/dynamicrp/noncloud/resources ‑ Test_TerraformConfig_BicepConfig_Combined
github.com/radius-project/radius/test/functional-portable/dynamicrp/noncloud/resources ‑ Test_TerraformConfig_BicepConfig_Combined/deploy_testdata/tfbicep-combined-test.bicep
github.com/radius-project/radius/test/functional-portable/dynamicrp/noncloud/resources ‑ Test_TerraformConfig_BicepConfig_Combined/execute_function_in_test_step
github.com/radius-project/radius/test/functional-portable/dynamicrp/noncloud/resources ‑ Test_TerraformConfig_Redis
github.com/radius-project/radius/test/functional-portable/dynamicrp/noncloud/resources ‑ Test_TerraformConfig_Redis/deploy_testdata/terraformconfig-redis-test.bicep
github.com/radius-project/radius/test/functional-portable/dynamicrp/noncloud/resources ‑ Test_TerraformConfig_Redis/execute_function_in_test_step
github.com/radius-project/radius/test/functional-portable/dynamicrp/noncloud/resources ‑ Test_BicepSettings_CRUD
github.com/radius-project/radius/test/functional-portable/dynamicrp/noncloud/resources ‑ Test_BicepSettings_CRUD/deploy_testdata/bicepsettings-test.bicep
github.com/radius-project/radius/test/functional-portable/dynamicrp/noncloud/resources ‑ Test_BicepSettings_CRUD/execute_function_in_test_step
github.com/radius-project/radius/test/functional-portable/dynamicrp/noncloud/resources ‑ Test_TerraformSettings_BicepSettings_Combined
github.com/radius-project/radius/test/functional-portable/dynamicrp/noncloud/resources ‑ Test_TerraformSettings_BicepSettings_Combined/deploy_testdata/tfbicep-combined-test.bicep
github.com/radius-project/radius/test/functional-portable/dynamicrp/noncloud/resources ‑ Test_TerraformSettings_BicepSettings_Combined/execute_function_in_test_step
github.com/radius-project/radius/test/functional-portable/dynamicrp/noncloud/resources ‑ Test_TerraformSettings_Redis
github.com/radius-project/radius/test/functional-portable/dynamicrp/noncloud/resources ‑ Test_TerraformSettings_Redis/deploy_testdata/terraformsettings-redis-test.bicep
github.com/radius-project/radius/test/functional-portable/dynamicrp/noncloud/resources ‑ Test_TerraformSettings_Redis/execute_function_in_test_step
github.com/radius-project/radius/test/functional-portable/dynamicrp/noncloud/resources ‑ Test_TerraformSettings_SecuritySecret_Credentials
…

♻️ This comment has been updated with latest results.

sylvainsf added 4 commits July 2, 2026 10:18
… rename docs to *Settings

- security_secrets.go: skip Kubernetes Secret output resources with an empty
  namespace so findKubernetesSecretOutputResource keeps searching instead of
  issuing a GET against an empty namespace; add unit coverage.
- terraformsettings-securitysecret-test.bicep: use the current recipePacks
  fields (kind/source) instead of the legacy recipeKind/recipeLocation.
- bicepsettings-test.bicep: rename the secret store, namespace, and environment
  from bicepconfig-* to bicepsettings-* to match the functional test.
- terraformsettings_bicepsettings_test.go: fix terraformSettingss/bicepSettingss
  comment typos.
- docs/architecture: rename terraform-bicep-config.md to
  terraform-bicep-settings.md and update all resource-type/model references and
  examples from *Configs to *Settings (the shipped names), keeping the legacy
  shared TerraformConfigProperties transport type and Applications.Core
  references intact; update the README and extensibility links.

Signed-off-by: Sylvain Niles <[email protected]>
…OpenAPI spec

The ARM-RPC namespace builder derives a resource's route parameter by trimming
a trailing "s" from the type name (e.g. environments -> environmentName). For
terraformSettings/bicepSettings that yields terraformSettingName/bicepSettingName,
but the TypeSpec-generated OpenAPI spec keeps the plural stem
(terraformSettingsName/bicepSettingsName). API validation matches the chi route
pattern against the spec path via case-insensitive string equality, so the
mismatched parameter name made every PUT/PATCH/GET on these resources fail with
"HttpRequestPayloadAPISpecValidationFailed: failed to parse route: undefined
route path".

Set ResourceParamName explicitly for both resources so the registered route
matches the spec path. This unblocks the dynamicrp-noncloud functional tests
(Test_TerraformSettings_Redis, Test_BicepSettings_CRUD,
Test_TerraformSettings_BicepSettings_Combined, and the security-secret path).

Signed-off-by: Sylvain Niles <[email protected]>
…g it

Radius.Core environments require their Kubernetes namespace to already exist.
RPTest.CreateInitialResources only auto-creates the namespace named after the
test (ct.Name), so NewPreviewEnvPreSetup worked only for callers that happened
to reuse that same name as the preview namespace. Test_TerraformSettings_
SecuritySecret_Credentials uses a distinct preview namespace (tfsec-secrets-ns)
that nothing created, so preview env creation failed with
"Namespace 'tfsec-secrets-ns' does not exist in the Kubernetes cluster".

Ensure the preview environment's namespace exists (via the deployment-target
Kubernetes client, matching CreateInitialResources) before the env create CLI
call. EnsureNamespace is idempotent, so existing callers whose namespace is
already created are unaffected.

Signed-off-by: Sylvain Niles <[email protected]>
The recipe secret loader read Radius.Security/secrets through the shared
GenericResourcesClient, which is generated against api-version
2023-10-01-preview. Radius.Security/secrets only supports 2025-08-01-preview, so
the GET was rejected with:

  BadRequest: api version "2023-10-01-preview" is not supported for resource type
  "Radius.Security/secrets" by location "global"

which surfaced to recipe deployment as LoadSecretsFailed and failed
Test_TerraformSettings_SecuritySecret_Credentials.

Override the client's API version per request via a shallow copy of the ARM
client options (ClientOptions.APIVersion). The arm pipeline applies this as the
api-version query parameter, replacing the generated default, without mutating
the shared options.

Signed-off-by: Sylvain Niles <[email protected]>
@radius-functional-tests

radius-functional-tests Bot commented Jul 3, 2026

Copy link
Copy Markdown

Radius functional test overview

🔍 Go to test action run

Click here to see the test run details
Name Value
Repository radius-project/radius
Commit ref 3af57ac
Unique ID func4973328723
Image tag pr-func4973328723
  • Dapr: 1.14.4
  • Azure KeyVault CSI driver: 1.4.2
  • Azure Workload identity webhook: 1.3.0
  • Bicep recipe location ghcr.io/radius-project/dev/test/testrecipes/test-bicep-recipes/<name>:pr-func4973328723
  • Terraform recipe location http://tf-module-server.radius-test-tf-module-server.svc.cluster.local/<name>.zip (in cluster)
  • applications-rp test image location: ghcr.io/radius-project/dev/applications-rp:pr-func4973328723
  • dynamic-rp test image location: ghcr.io/radius-project/dev/dynamic-rp:pr-func4973328723
  • controller test image location: ghcr.io/radius-project/dev/controller:pr-func4973328723
  • ucp test image location: ghcr.io/radius-project/dev/ucpd:pr-func4973328723
  • deployment-engine test image location: ghcr.io/radius-project/deployment-engine:latest

Test Status

⌛ Building Radius and pushing container images for functional tests...
✅ Container images build succeeded
⌛ Publishing Bicep Recipes for functional tests...
✅ Recipe publishing succeeded
⌛ Starting corerp-cloud functional tests...
⌛ Starting ucp-cloud functional tests...
✅ ucp-cloud functional tests succeeded
✅ corerp-cloud functional tests succeeded

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

bicepConfigs / terraformConfigs reject Radius.Security/secrets for registry secrets; only Applications.Core/secretStores accepted

2 participants