Bug 1929654 - Registry for Azure uses legacy V1 StorageAccount
Summary: Registry for Azure uses legacy V1 StorageAccount
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Image Registry
Version: 4.6
Hardware: All
OS: All
high
high
Target Milestone: ---
: 4.8.0
Assignee: Ricardo Maraschini
QA Contact: Wenjing Zheng
URL:
Whiteboard:
Depends On:
Blocks: 1984979
TreeView+ depends on / blocked
 
Reported: 2021-02-17 11:35 UTC by Mangirdas Judeikis
Modified: 2021-07-27 22:45 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Azure is recommending users to leverage Storage Accounts v2 instead of v1. Consequence: Under certain security profiles administrators can force Azure to not accept Storage Accounts v1 creation. As registry depends on v1 storage accounts a cluster install would fail in such environments. Fix: During cluster bootstrap the Operator now attempts to create and use V2 Storage Accounts. Clusters running on v1 will remain using V1. Result: Installation succeeds and Image Registry now reports Available.
Clone Of:
Environment:
Last Closed: 2021-07-27 22:44:46 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift cluster-image-registry-operator pull 665 0 None open Bug 1929654: Creating StorageAccount V2 instead of V1 2021-02-24 10:02:40 UTC
Red Hat Product Errata RHSA-2021:2438 0 None None None 2021-07-27 22:45:22 UTC

Description Mangirdas Judeikis 2021-02-17 11:35:03 UTC
Description of problem:

Currently registry is using V1 StorageAccounts for Azure registry storage.
V1 is considered legacy and is being blocked by some customers with azure policy.

ARO started to notice failed clusters installs due to existence of this policy. 


Version-Release number of selected component (if applicable):

master


How reproducible:

1. Enable Azure policy to prevent v1 storage account usage
2. Install cluster
3. Fail


1. Code change required to start using V2 for new installs:

storage.AccountCreateParameters{
   Kind:     storage.StorageV2,

2. Existing accounts needs to be upgraded to v2 by image registry operator 
(https://docs.microsoft.com/en-us/azure/storage/common/storage-account-upgrade?tabs=azure-cli) 

This will require backport to 4.6

Comment 6 Wenjing Zheng 2021-03-15 10:06:43 UTC
Verified on 4.8.0-0.nightly-2021-03-14-134919:
QE can see image registry is using StorageV2 storage service account from Azure console.

Comment 10 errata-xmlrpc 2021-07-27 22:44:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438


Note You need to log in before you can comment on or make changes to this bug.