Bug 2054120

Summary: [Backport to 4.9.z] [GSS][RFE] Restrict Noobaa from creating public endpoints for Azure Private Cluster
Product: [Red Hat Storage] Red Hat OpenShift Data Foundation
Component: Multi-Cloud Object Gateway
Status: CLOSED DEFERRED
Severity: unspecified
Priority: unspecified
Version: 4.6
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Reporter: Nimrod Becker <nbecker>
Assignee: Nimrod Becker <nbecker>
QA Contact: Elad <ebenahar>
CC: assingh, cedric.girard, etamir, hnallurv, mmuench, ocs-bugs, odf-bz-bot
Keywords: FutureFeature
Doc Type: If docs needed, set a value
Last Closed: 2022-10-19 07:49:15 UTC

Description Nimrod Becker 2022-02-14 08:33:27 UTC
This bug was initially created as a copy of Bug #1954708

I am copying this bug because: 



Description of problem (please be as detailed as possible and provide log
snippets):
OCS installation creates Public IPs even with OCP installed as a Private cluster on Azure.

NAME                       TYPE           CLUSTER-IP       EXTERNAL-IP                                                              PORT(S)                                                    AGE
noobaa-mgmt                LoadBalancer   172.30.94.221    <External address>   80:31096/TCP,443:32117/TCP,8445:31852/TCP,8446:30608/TCP   179m
s3                         LoadBalancer   172.30.147.102   <External address>  80:31111/TCP,443:31831/TCP,8444:32682/TCP                  179m

Version of all relevant components (if applicable):
OCS 4.x

Does this issue impact your ability to continue to work with the product
(please explain in detail what is the user impact)?
The OCP doc points out that no public resources will be created with the install.
https://docs.openshift.com/container-platform/4.6/installing/installing_azure/installing-azure-private.html#private-clusters-about-azure_installing-azure-private
OCP does adhere to it, but OCS creates Public resources for Noobaa.

Is there any workaround available to the best of your knowledge?
-> Use an Azure internal loadbalancer
https://access.redhat.com/solutions/4824111
-> Changing the svc type from LoadBalancer to ClusterIP, but this may affect Noobaa working.
-> Restriction by Azure network ACLs to prevent the public IPs from being reachable.

Rate from 1 - 5 the complexity of the scenario you performed that caused this
bug (1 - very simple, 5 - very complex)?
3

Is this issue reproducible?
Yes.

Can this issue reproduce from the UI?
Yes.

If this is a regression, please provide more details to justify this:
No. Seems to be the same behaviour as in older releases.

Steps to Reproduce:
1. Install OCP in Private mode on Azure Platform.
https://docs.openshift.com/container-platform/4.6/installing/installing_azure/installing-azure-private.html
2. Install OCS on it.
3. Check the s3 and noobaa-mgmt endpoints.
# oc get svc -n openshift-storage


Actual results:
The creation of the Public IPs was unexpected and unwanted in internal clusters.

Expected results:
Restrict Noobaa from creating any Public resources for Private clusters.

Additional info:
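
An added example, not part of the original report or of the NooBaa/ODF code: a check over `oc get svc -n openshift-storage -o json` output that flags LoadBalancer services lacking the Azure internal load balancer annotation or carrying a non-RFC1918 ingress address. The sample JSON, its addresses and the function name `find_exposed_services` are constructed for illustration.

```python
import ipaddress
import json

# Kubernetes Azure cloud-provider annotation that requests an internal load balancer.
INTERNAL_ANNOTATION = "service.beta.kubernetes.io/azure-load-balancer-internal"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample shaped like `oc get svc -n openshift-storage -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "noobaa-mgmt", "annotations": {}},
   "spec": {"type": "LoadBalancer"},
   "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.10"}]}}},
  {"metadata": {"name": "s3",
                "annotations": {"service.beta.kubernetes.io/azure-load-balancer-internal": "true"}},
   "spec": {"type": "LoadBalancer"},
   "status": {"loadBalancer": {"ingress": [{"ip": "10.0.32.7"}]}}},
  {"metadata": {"name": "clusterip-example"},
   "spec": {"type": "ClusterIP"},
   "status": {"loadBalancer": {}}}
]}
""")

def find_exposed_services(svc_list):
    """Return {name: [reasons]} for LoadBalancer services that may be public."""
    findings = {}
    for svc in svc_list.get("items", []):
        if svc.get("spec", {}).get("type") != "LoadBalancer":
            continue  # ClusterIP/NodePort services get no cloud load balancer
        reasons = []
        annotations = svc.get("metadata", {}).get("annotations") or {}
        if annotations.get(INTERNAL_ANNOTATION, "").lower() != "true":
            reasons.append("missing internal load balancer annotation")
        ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []
        for entry in ingress:
            ip = entry.get("ip")
            if ip and not any(ipaddress.ip_address(ip) in net for net in RFC1918):
                reasons.append(f"non-RFC1918 ingress address {ip}")
        if reasons:
            findings[svc["metadata"]["name"]] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in find_exposed_services(SAMPLE).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On a live cluster, replace `SAMPLE` with the parsed JSON from the `oc` command above.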