Bug 1958376

Summary: [IPI on Azure] unable to install IPI PRIVATE OpenShift cluster in Azure due to organization policies
Product: OpenShift Container Platform
Reporter: Etienne Simard <esimard>
Component: Image Registry
Assignee: Oleg Bulatov <obulatov>
Status: CLOSED ERRATA
QA Contact: XiuJuan Wang <xiuwang>
Severity: medium
Priority: high
Version: 4.7
CC: aos-bugs, oarribas, obulatov, pawankum, wewang, xiuwang
Target Release: 4.9.0
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Last Closed: 2021-10-18 17:31:03 UTC
Type: Bug
Bug Depends On: 1943175

Description Etienne Simard 2021-05-07 18:43:27 UTC
Description of problem:

(copy of https://bugzilla.redhat.com/show_bug.cgi?id=1943175)

Version:
4.7.2, also 4.6.something

Platform:
azure

Please specify:
* IPI

What happened?
Customer reports unable to install IPI PRIVATE OpenShift cluster in Azure. This previously worked, but when certain policies were applied to the customer's Azure account, it stopped working.

The installer breaks on:

Error creating Azure Storage Account "clusterpjacy": 
    - {"name":"[Preview]: Storage account public access should be disallowed"
    - "policyDefinition":{"name":"Azure Storage should have the minimal TLS version of 1.2...

What did you expect to happen?
Installer completes successfully.



Actual results:

Security policies prohibit the storage account created by the image registry.


Currently, the image registry creates a Storage Account without setting these newer AccountProperties:

- AllowBlobPublicAccess
- MinimumTLSVersion 


Expected results:

No policy triggered and successful installation and operation of OpenShift when deploying on Azure.


Additional info:

Azure provides new storage account properties that are required to be set in order to pass customers' policies in Azure:

- AllowBlobPublicAccess set to false
- MinimumTLSVersion 'TLS12'

The work has been done for the Installer managed storage account in the linked Bugzilla.
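A defender-side check for the two properties the report names, added here as an example and not the image registry operator's own code: it audits the JSON that `az storage account list -o json` produces (a constructed sample is embedded) and treats an unset property as a finding, since the policies quoted above fire on any value other than the required one, which is exactly the "never set" state the registry left the account in.

```python
"""Audit Azure storage accounts for AllowBlobPublicAccess / MinimumTLSVersion."""
import json

# Policy-compliant values from the bug report. ARM/CLI spell 'TLS12' as 'TLS1_2'.
REQUIRED_MIN_TLS = "TLS1_2"
TLS_ORDER = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2}


def check_account(account):
    """Return the policy findings for one account (empty list = compliant).

    Keys follow the `az storage account list` JSON shape, where an ARM
    property that was never set is reported as null. Null is a finding
    because the policies check "not equal to the required value".
    """
    findings = []
    public = account.get("allowBlobPublicAccess")
    if public is not False:
        findings.append("allowBlobPublicAccess is %r, must be false" % (public,))
    tls = account.get("minimumTlsVersion")
    if tls is None or TLS_ORDER.get(tls, -1) < TLS_ORDER[REQUIRED_MIN_TLS]:
        findings.append("minimumTlsVersion is %r, must be %s" % (tls, REQUIRED_MIN_TLS))
    return findings


def audit(accounts_json):
    """Map each non-compliant account name to its list of findings."""
    report = {}
    for acct in json.loads(accounts_json):
        findings = check_account(acct)
        if findings:
            report[acct["name"]] = findings
    return report


# Constructed sample standing in for `az storage account list -o json`.
# "clusterpjacy" is the account from the installer error above, shown in the
# unset state the registry created it in; the other two names are made up.
SAMPLE = json.dumps([
    {"name": "clusterpjacy", "allowBlobPublicAccess": None, "minimumTlsVersion": None},
    {"name": "imageregistryok", "allowBlobPublicAccess": False, "minimumTlsVersion": "TLS1_2"},
    {"name": "legacyaccount", "allowBlobPublicAccess": True, "minimumTlsVersion": "TLS1_0"},
])

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "->", "; ".join(findings))
```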

Comment 1 pawankum 2021-07-01 08:49:14 UTC
Hello Etienne,

Do we have any further update on this if AllowBlobPublicAccess can be set to false?



Regards
Pawan Kumar

Comment 3 Oleg Bulatov 2021-07-02 16:40:17 UTC
No progress on this BZ this sprint due to higher severity bugs.

Comment 4 Oleg Bulatov 2021-07-24 20:36:43 UTC
PRs are awaiting review.

Comment 5 XiuJuan Wang 2021-07-30 10:23:26 UTC
Launched a cluster from the PR.
After the installation succeeded, I checked the storage account created by the image registry in the Azure web console. It has blob public access disabled and MinimumTLSVersion set to 1.2.

imageregistrywxjaz7flkqs
Blob public access: Disabled
Minimum TLS version: Version 1.2

Comment 7 XiuJuan Wang 2021-08-04 07:25:28 UTC
In comment #5, I had verified this bug.

Comment 11 errata-xmlrpc 2021-10-18 17:31:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759

Comment 12 Oleg Bulatov 2021-10-26 20:46:57 UTC
*** Bug 2016615 has been marked as a duplicate of this bug. ***

Comment 13 pawankum 2022-02-17 14:27:38 UTC
Hello All,

I can see this bug has been closed with an errata on version 4.9. But I still get the same issue in version 4.9. Can you please update?

I attached the new case on this.



Regards,
Pawan Kumar