Bug 1929654 - Registry for Azure uses legacy V1 StorageAccount
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Image Registry
Version: 4.6
Hardware: All
OS: All
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.8.0
Assignee: Ricardo Maraschini
QA Contact: Wenjing Zheng
URL:
Whiteboard:
Depends On:
Blocks: 1984979
Reported: 2021-02-17 11:35 UTC by Mangirdas Judeikis
Modified: 2021-07-27 22:45 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Azure is recommending users to leverage Storage Accounts v2 instead of v1.
Consequence: Under certain security profiles administrators can force Azure to not accept Storage Accounts v1 creation. As registry depends on v1 storage accounts a cluster install would fail in such environments.
Fix: During cluster bootstrap the Operator now attempts to create and use V2 Storage Accounts. Clusters running on v1 will remain using V1.
Result: Installation succeeds and Image Registry now reports Available.
Clone Of:
Environment:
Last Closed: 2021-07-27 22:44:46 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github openshift cluster-image-registry-operator pull 665 0 None open Bug 1929654: Creating StorageAccount V2 instead of V1 2021-02-24 10:02:40 UTC
Red Hat Product Errata RHSA-2021:2438 0 None None None 2021-07-27 22:45:22 UTC

Description Mangirdas Judeikis 2021-02-17 11:35:03 UTC
Description of problem:

Currently the registry is using V1 StorageAccounts for Azure registry storage.
V1 is considered legacy and is being blocked by some customers with Azure Policy.

ARO started to notice failed cluster installs due to the existence of this policy.


Version-Release number of selected component (if applicable):

master


How reproducible:

1. Enable Azure policy to prevent v1 storage account usage
2. Install cluster
3. Fail


1. Code change required to start using V2 for new installs:

storage.AccountCreateParameters{
    // Request a general-purpose V2 account.
    Kind: storage.StorageV2,
    // ... remaining fields unchanged
}

2. Existing accounts need to be upgraded to v2 by the image registry operator
(https://docs.microsoft.com/en-us/azure/storage/common/storage-account-upgrade?tabs=azure-cli)

This will require backport to 4.6
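
An added example, not part of the bug report or the operator's code: a small Go check that reads a storage account listing in the JSON shape printed by `az storage account list -o json` and reports accounts still of the legacy V1 kind, which are the ones a deny policy like the one described above would reject. The account and resource group names are constructed sample data, and the `Account` type and `LegacyAccounts` function are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Account holds the fields of interest from `az storage account list -o json`.
type Account struct {
	Name          string `json:"name"`
	Kind          string `json:"kind"`
	ResourceGroup string `json:"resourceGroup"`
}

// sampleListing is constructed sample data, not output from a real subscription.
const sampleListing = `[
  {"name": "imageregistryexamplea", "kind": "Storage",   "resourceGroup": "example-cluster-rg"},
  {"name": "imageregistryexampleb", "kind": "StorageV2", "resourceGroup": "example-cluster-rg"},
  {"name": "bootdiagexample",       "kind": "storage",   "resourceGroup": "example-other-rg"}
]`

// LegacyAccounts returns the accounts whose kind is "Storage" (general-purpose
// V1). The comparison ignores case so a differently cased value is not missed.
func LegacyAccounts(listing []byte) ([]Account, error) {
	var all []Account
	if err := json.Unmarshal(listing, &all); err != nil {
		return nil, fmt.Errorf("parsing account listing: %w", err)
	}
	var legacy []Account
	for _, a := range all {
		if strings.EqualFold(a.Kind, "Storage") {
			legacy = append(legacy, a)
		}
	}
	return legacy, nil
}

func main() {
	legacy, err := LegacyAccounts([]byte(sampleListing))
	if err != nil {
		panic(err)
	}
	for _, a := range legacy {
		fmt.Printf("%s/%s is kind %s: upgrade to StorageV2\n", a.ResourceGroup, a.Name, a.Kind)
	}
}
```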

Comment 6 Wenjing Zheng 2021-03-15 10:06:43 UTC
Verified on 4.8.0-0.nightly-2021-03-14-134919:
QE can see image registry is using StorageV2 storage service account from Azure console.

Comment 10 errata-xmlrpc 2021-07-27 22:44:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438

