Bug 1929654

Summary: Registry for Azure uses legacy V1 StorageAccount
Product: OpenShift Container Platform
Reporter: Mangirdas Judeikis <mjudeiki>
Component: Image Registry
Assignee: Ricardo Maraschini <rmarasch>
Status: CLOSED ERRATA
QA Contact: Wenjing Zheng <wzheng>
Severity: high
Priority: high
Version: 4.6
CC: aos-bugs, bdettelb, scuppett
Keywords: ServiceDeliveryImpact
Target Release: 4.8.0
Hardware: All
OS: All
Doc Type: Bug Fix
Doc Text:
Cause: Azure is recommending users to leverage Storage Accounts v2 instead of v1.
Consequence: Under certain security profiles administrators can force Azure to not accept Storage Accounts v1 creation. As registry depends on v1 storage accounts a cluster install would fail in such environments.
Fix: During cluster bootstrap the Operator now attempts to create and use V2 Storage Accounts. Clusters running on v1 will remain using V1.
Result: Installation succeeds and Image Registry now reports Available.
Last Closed: 2021-07-27 22:44:46 UTC
Type: Bug
Bug Blocks: 1984979    

Description Mangirdas Judeikis 2021-02-17 11:35:03 UTC
Description of problem:

Currently the registry is using V1 StorageAccounts for Azure registry storage.
V1 is considered legacy and is being blocked by some customers with Azure Policy.

ARO started to notice failed cluster installs due to the existence of this policy.


Version-Release number of selected component (if applicable):

master


How reproducible:

1. Enable Azure policy to prevent v1 storage account usage
2. Install cluster
3. Fail


1. Code change required to start using V2 for new installs:

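storage.AccountCreateParameters{
   // Create new accounts as general-purpose v2 instead of legacy v1.
   Kind:     storage.StorageV2,
   // ... remaining fields unchanged
}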

2. Existing accounts need to be upgraded to v2 by image registry operator
(https://docs.microsoft.com/en-us/azure/storage/common/storage-account-upgrade?tabs=azure-cli) 

This will require backport to 4.6
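
Added example, not part of the original report and not the operator's code: since clusters already on V1 stay on V1, this Go sketch finds accounts still of the general-purpose v1 kind in an inventory export. It assumes JSON shaped like `az storage account list -o json` output (fields `name`, `kind`, `resourceGroup`); the sample inventory and account names are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Account holds the inventory fields this check needs (assumed JSON shape).
type Account struct {
	Name          string `json:"name"`
	Kind          string `json:"kind"`
	ResourceGroup string `json:"resourceGroup"`
}

// LegacyAccounts returns "resourceGroup/name" for every account whose kind is
// the general-purpose v1 kind "Storage", sorted for stable output.
func LegacyAccounts(inventory []byte) ([]string, error) {
	var accounts []Account
	if err := json.Unmarshal(inventory, &accounts); err != nil {
		return nil, fmt.Errorf("parsing inventory: %w", err)
	}
	var legacy []string
	for _, a := range accounts {
		// Azure reports general-purpose v1 as "Storage" and v2 as "StorageV2".
		if strings.EqualFold(a.Kind, "Storage") {
			legacy = append(legacy, a.ResourceGroup+"/"+a.Name)
		}
	}
	sort.Strings(legacy)
	return legacy, nil
}

// sampleInventory is constructed for this example; all names are placeholders.
const sampleInventory = `[
  {"name": "imageregistryexamplea", "kind": "Storage", "resourceGroup": "cluster-a-rg"},
  {"name": "imageregistryexampleb", "kind": "StorageV2", "resourceGroup": "cluster-b-rg"},
  {"name": "bootdiagexample", "kind": "BlobStorage", "resourceGroup": "cluster-b-rg"}
]`

func main() {
	legacy, err := LegacyAccounts([]byte(sampleInventory))
	if err != nil {
		panic(err)
	}
	for _, id := range legacy {
		fmt.Println("still general-purpose v1:", id)
	}
}
```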

Comment 6 Wenjing Zheng 2021-03-15 10:06:43 UTC
Verified on 4.8.0-0.nightly-2021-03-14-134919:
QE can see image registry is using StorageV2 storage service account from Azure console.

Comment 10 errata-xmlrpc 2021-07-27 22:44:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438