Add unsafe.containers (#11233)

* Add unsafe.containers

* lint

* Move unsafe field under main container config

* fixups

* fixup

Author: emily-shen

.changeset/few-candies-melt.md

@@ -0,0 +1,6 @@
+---
+"@cloudflare/workers-utils": minor
+"wrangler": minor
+---
+
+Add `containers.unsafe` to allow internal users to use additional container features

packages/workers-utils/src/config/environment.ts

@@ -252,6 +252,12 @@ export type ContainerApp = {
 	 * @default 0
 	 */
 	rollout_active_grace_period?: number;
+
+	/**
+	 * Directly passed to the API without wrangler-side validation or transformation.
+	 * @hidden
+	 */
+	unsafe?: Record<string, unknown>;
 };
 
 /**
@@ -1078,7 +1084,6 @@ export interface EnvironmentNonInheritable {
 		metadata?: {
 			[key: string]: unknown;
 		};
-
 		/**
 		 * Used for internal capnp uploads for the Workers runtime
 		 */

packages/workers-utils/src/config/validation.ts

@@ -2901,6 +2901,21 @@ function validateContainerApp(
 				);
 			}
 
+			// unsafe.containers
+			if ("unsafe" in containerAppOptional) {
+				if (
+					(containerAppOptional.unsafe &&
+						typeof containerAppOptional.unsafe !== "object") ||
+					Array.isArray(containerAppOptional.unsafe)
+				) {
+					diagnostics.errors.push(
+						`The field "containers.unsafe" should be an object but got ${JSON.stringify(
+							typeof containerAppOptional.unsafe
+						)}.`
+					);
+				}
+			}
+
 			validateAdditionalProperties(
 				diagnostics,
 				field,
@@ -2922,6 +2937,7 @@ function validateContainerApp(
 					"rollout_kind",
 					"durable_objects",
 					"rollout_active_grace_period",
+					"unsafe",
 				]
 			);
 			if ("configuration" in containerAppOptional) {

packages/wrangler/src/__tests__/config/configuration.test.ts

@@ -4796,6 +4796,35 @@ describe("normalizeAndValidateConfig()", () => {
 			});
 		});
 
+		it("should accept unsafe fields under containers", () => {
+			const { diagnostics } = normalizeAndValidateConfig(
+				{
+					containers: [
+						{
+							name: "test-container",
+							class_name: "TestContainer",
+							image: "registry.cloudflare.com/test:image",
+							unsafe: {
+								custom_field: "value",
+							},
+						},
+					],
+				} as unknown as RawConfig,
+				undefined,
+				undefined,
+				{ env: undefined }
+			);
+
+			expect(diagnostics.renderWarnings()).toMatchInlineSnapshot(`
+				"Processing wrangler configuration:
+				"
+			`);
+			expect(diagnostics.renderErrors()).toMatchInlineSnapshot(`
+				"Processing wrangler configuration:
+				"
+			`);
+		});
+
 		describe("[placement]", () => {
 			it(`should error if placement hint is set with placement mode "off"`, () => {
 				const { diagnostics } = normalizeAndValidateConfig(

packages/wrangler/src/__tests__/containers/deploy.test.ts

@@ -1858,6 +1858,127 @@ describe("wrangler deploy with containers dry run", () => {
 	});
 });
 
+describe("containers.unsafe configuration", () => {
+	runInTempDir();
+	const std = mockConsoleMethods();
+	mockAccountId();
+	mockApiToken();
+
+	beforeEach(() => {
+		setupCommonMocks();
+		fs.writeFileSync(
+			"index.js",
+			`export class ExampleDurableObject {}; export default{};`
+		);
+	});
+
+	it("should merge containers.unsafe config into create request", async () => {
+		mockGetVersion("Galaxy-Class");
+		writeWranglerConfig({
+			...DEFAULT_DURABLE_OBJECTS,
+			containers: [
+				{
+					...DEFAULT_CONTAINER_FROM_REGISTRY,
+					unsafe: {
+						custom_field: "custom_value",
+						nested: { field: "nested_value" },
+						configuration: { network: "nested_value" },
+					},
+				},
+			],
+		});
+
+		mockGetApplications([]);
+
+		mockCreateApplication({
+			name: "my-container",
+			max_instances: 10,
+			custom_field: "custom_value",
+			nested: { field: "nested_value" },
+			configuration: {
+				// @ts-expect-error - testing with custom unsafe fields
+				network: "nested_value",
+				image: "registry.cloudflare.com/some-account-id/hello:world",
+			},
+		});
+
+		await runWrangler("deploy index.js");
+
+		expect(std.err).toMatchInlineSnapshot(`""`);
+	});
+
+	it("should merge containers.unsafe config into modify request", async () => {
+		mockGetVersion("Galaxy-Class");
+		writeWranglerConfig({
+			...DEFAULT_DURABLE_OBJECTS,
+			containers: [
+				{
+					...DEFAULT_CONTAINER_FROM_REGISTRY,
+					max_instances: 20,
+					rollout_step_percentage: 10,
+					unsafe: {
+						unsafe_field: "unsafe_value",
+						configuration: { network: "unsafe_network_value" },
+					},
+				},
+			],
+		});
+
+		mockGetApplications([
+			{
+				id: "abc",
+				name: "my-container",
+				instances: 0,
+				max_instances: 10,
+				created_at: new Date().toString(),
+				version: 1,
+				account_id: "1",
+				scheduling_policy: SchedulingPolicy.DEFAULT,
+				configuration: {
+					image: "registry.cloudflare.com/some-account-id/my-container:old",
+					disk: {
+						size: "2GB",
+						size_mb: 2000,
+					},
+					vcpu: 0.0625,
+					memory: "256MB",
+					memory_mib: 256,
+				},
+				constraints: {
+					tier: 1,
+				},
+				durable_objects: {
+					namespace_id: "1",
+				},
+			},
+		]);
+
+		mockModifyApplication({
+			max_instances: 20,
+			// @ts-expect-error - testing unsafe.containers with custom fields
+			unsafe_field: "unsafe_value",
+			configuration: {
+				image: "registry.cloudflare.com/some-account-id/hello:world",
+			},
+		});
+
+		mockCreateApplicationRollout({
+			description: "Progressive update",
+			strategy: "rolling",
+			kind: "full_auto",
+			step_percentage: 10,
+			target_configuration: {
+				image: "registry.cloudflare.com/some-account-id/hello:world",
+				network: "unsafe_network_value",
+			},
+		});
+
+		await runWrangler("deploy index.js");
+
+		expect(std.err).toMatchInlineSnapshot(`""`);
+	});
+});
+
 // Docker mock factory
 function createDockerMockChain(
 	containerName: string,

packages/wrangler/src/containers/deploy.ts

@@ -45,6 +45,9 @@ import type {
 } from "@cloudflare/containers-shared";
 import type { Config, ContainerApp } from "@cloudflare/workers-utils";
 
+/**
+ * Source overwrites target
+ */
 function mergeDeep<T>(target: T, source: Partial<T>): T {
 	if (typeof target !== "object" || target === null) {
 		return source as T;
@@ -238,12 +241,16 @@ export async function apply(
 
 	// let's always convert normalised container config -> CreateApplicationRequest
 	// since CreateApplicationRequest is a superset of ModifyApplicationRequestBody
-	const appConfig = containerConfigToCreateRequest(
-		accountId,
-		containerConfig,
-		imageRef,
-		args.durable_object_namespace_id,
-		prevApp
+	const appConfig = mergeIfUnsafe(
+		config,
+		containerConfigToCreateRequest(
+			accountId,
+			containerConfig,
+			imageRef,
+			args.durable_object_namespace_id,
+			prevApp
+		),
+		containerConfig.name
 	);
 
 	if (prevApp !== undefined && prevApp !== null) {
@@ -272,7 +279,12 @@ export async function apply(
 			)
 		);
 
-		const modifyReq = createApplicationToModifyApplication(appConfig);
+		// this will have removed the unsafe fields, so we need to add them back in after
+		const modifyReq = mergeIfUnsafe(
+			config,
+			createApplicationToModifyApplication(appConfig),
+			appConfig.name
+		);
 		/** only used for diffing */
 		const nowContainer = mergeDeep(
 			normalisedPrevApp,
@@ -340,6 +352,7 @@ export async function apply(
 			.forEach((el) => log(`  ${el}`));
 		newline();
 		// add to the actions array to create the app later
+
 		await doAction({
 			action: "create",
 			application: appConfig,
@@ -349,6 +362,27 @@ export async function apply(
 	endSection("Applied changes");
 }
 
+/**
+ * If there is an unsafe container config that matches this container by class_name,
+ * merge the unsafe config into the Create/Modify request.
+ */
+function mergeIfUnsafe<
+	T extends CreateApplicationRequest | ModifyApplicationRequestBody,
+>(fullConfig: Config, containerConfig: T, name: string) {
+	const unsafeContainerConfig = fullConfig.containers?.find((original) => {
+		return original.name === name && original.unsafe !== undefined;
+	});
+
+	if (unsafeContainerConfig) {
+		return mergeDeep<T>(
+			containerConfig,
+			unsafeContainerConfig.unsafe as Partial<T>
+		);
+	} else {
+		return containerConfig;
+	}
+}
+
 export function formatError(err: ApiError): string {
 	try {
 		const maybeError = JSON.parse(err.body.error);