Uploaded image for project: 'OpenShift Image Registry'
  1. OpenShift Image Registry
  2. IR-302

Phase 1&2: Support Azure storage accounts with public network access disabled

XMLWordPrintable

    • Icon: Epic Epic
    • Resolution: Done
    • Icon: Critical Critical
    • openshift-4.15
    • None
    • None
    • None
    • Private Azure storage account
    • False
    • None
    • False
    • Not Selected
    • To Do
    • OCPSTRAT-996 - Allow internal registry operator to configure a private storage endpoint on Azure
    • OCPSTRAT-996 Allow internal registry operator to configure a private storage endpoint on Azure
    • 100
    • 100% 100%

      Epic Goal

      • Enable customers to create an OpenShift IPI deployment on Azure that does not violate Microsoft Azure Security recommendations

      Why is this important?

      • In the current implementation the OpenShift internal registry operator creates a storage account for the backing image blob store of the registry that has a public endpoint
      • the public endpoint is considered insecure by Azure's Security advisor and prevents customers from completing security-relevant certifications
      • while manual remediation is possible it is not acceptable for customers who want to leverage OpenShift IPI capabilities to deploy many clusters as automated and with as little post-install infrastructure customisation as possible

      Scenarios

      1. The openshift-installer allows the user to specify VNet and Subnet names to be used for a private endpoint of the storage account, this setting requires the user to specify that they want to create private storage account instead of a public one
      2. If the user configured to creation of a private storage account, the integrated registry operators uses the user-specified VNet and Subnet names as input and creates a private storage account in Azure using a private endpoint with the supplied VNet and Subnet
      3. The current implementation of creating a storage account with a public endpoint remains the default if nothing else is configured

      Acceptance Criteria

      • A user can enable the creation of a private storage account in Azure for the internal registry via the openshift installer
      • A user must supply a VNet and Subnet name if they opted into private storage accounts
      • The internal registry creates an Azure storage account with a private endpoint if the user opted into private storage accounts using the supplied VNet and Subnet names
      • Private storage accounts are not the default
      • CI - MUST be running successfully with tests automated
      • Release Technical Enablement - Provide necessary release enablement details and documents.

      Dependencies (internal and external)

      1. Installer allows to specify VNet and Subnet names for a private storage account on Azure

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

            fmissi Flavian Missi
            obulatov@redhat.com Oleg Bulatov
            Wen Wang Wen Wang
            Votes:
            2 Vote for this issue
            Watchers:
            12 Start watching this issue

              Created:
              Updated:
              Resolved: