Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-22651

Ccoctl create Azure Workload Identity resource does not work properly in eastus region because the storage account does not allow Public access.

XMLWordPrintable

    • No
    • Rejected
    • False
    • Hide

      None

      Show
      None
    • Hide
      Doc text impacts a known issue that is documented with a workaround procedure. See https://github.com/openshift/openshift-docs/pull/67375 for edits needed.

      *Cause*: A recent change to the default security settings for new Azure storage accounts in the eastus region to prohibit public access.
      *Consequence*: Installation of clusters that use Azure AD Workload Identity will fail in the eastus region.
      *Fix*: ccoctl tool sets explicitly the storage accounts to allow public access.
      *Result*: Installation of clusters that use Azure AD Workload Identity will succeed in the eastus region.
      Show
      Doc text impacts a known issue that is documented with a workaround procedure. See https://github.com/openshift/openshift-docs/pull/67375 for edits needed. *Cause*: A recent change to the default security settings for new Azure storage accounts in the eastus region to prohibit public access. *Consequence*: Installation of clusters that use Azure AD Workload Identity will fail in the eastus region. *Fix*: ccoctl tool sets explicitly the storage accounts to allow public access. *Result*: Installation of clusters that use Azure AD Workload Identity will succeed in the eastus region.
    • Bug Fix

      This is a clone of issue OCPBUGS-22369. The following is the description of the original issue:

      Description of problem:

      Default security settings for new Azure Storage accounts be updated. Using ccoctl to create Azure Workload Identity resources in region eastus is not work.

I found several commonly used regions and did the test. The test results are as follows.

List of regions not working properly: eastus

$ az storage account list -g mihuangtt0947-rg-oidc --query "[].[name,allowBlobPublicAccess]" -o tsv
mihuangtt0947rgoidc False


 List of regions working properly: westus, australiacentral, australiaeast, centralus, australiasoutheast, southindia…

$ az storage account list -g mihuangdispri0929-rg-oidc --query "[].[name,allowBlobPublicAccess]" -o tsv
mihuangdispri0929rgoidc	True

      Version-Release number of selected component (if applicable):

      4.14/4.15

      How reproducible:

      Always

      Steps to Reproduce:

      1.Running ccoctl azure create-all command to create azure workload identity resources in region eastus.

[huangmingxia@fedora CCO-bugs]$ ./ccoctl azure create-all  --name 'mihuangp1' --region 'eastus' --subscription-id  {SUBSCRIPTION-ID} --tenant-id {TENANNT-ID} --credentials-requests-dir=./credrequests --dnszone-resource-group-name 'os4-common' --storage-account-name='mihuangp1oidc' --output-dir test

      Actual results:

      [huangmingxia@fedora CCO-bugs]$  ./ccoctl azure create-all  --name 'mihuangp1' --region 'eastus' --subscription-id  {SUBSCRIPTION-ID} --tenant-id {TENANNT-ID} --credentials-requests-dir=./credrequests --dnszone-resource-group-name 'os4-common' --storage-account-name='mihuangp1oidc' --output-dir test
2023/10/25 11:14:36 Using existing RSA keypair found at test/serviceaccount-signer.private
2023/10/25 11:14:36 Copying signing key for use by installer
2023/10/25 11:14:36 No --oidc-resource-group-name provided, defaulting OIDC resource group name to mihuangp1-oidc
2023/10/25 11:14:36 No --installation-resource-group-name provided, defaulting installation resource group name to mihuangp1
2023/10/25 11:14:36 No --blob-container-name provided, defaulting blob container name to mihuangp1
2023/10/25 11:14:39 Created resource group /subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourceGroups/mihuangp1-oidc
2023/10/25 11:15:01 Created storage account /subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourceGroups/mihuangp1-oidc/providers/Microsoft.Storage/storageAccounts/mihuangp1oidc
2023/10/25 11:15:03 failed to create blob container: PUT https://management.azure.com/subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourceGroups/mihuangp1-oidc/providers/Microsoft.Storage/storageAccounts/mihuangp1oidc/blobServices/default/containers/mihuangp1--------------------------------------------------------------------------------RESPONSE 409: 409 ConflictERROR CODE: PublicAccessNotPermitted--------------------------------------------------------------------------------{  "error": {    "code": "PublicAccessNotPermitted",    "message": "Public access is not permitted on this storage account.\nRequestId:415c51f1-c01e-0017-7ef1-06ec0c000000\nTime:
2023-10-25T03:15:02.7928767Z"  }}--------------------------------------------------------------------------------

$ az storage account list -g mihuangtt0947-rg-oidc --query "[].[name,allowBlobPublicAccess]" -o tsvmihuangtt0947rgoidc False

      Expected results:

      Resources created successfully.

$ az storage account list -g mihuangtt0947-rg-oidc --query "[].[name,allowBlobPublicAccess]" -o tsv
mihuangtt0947rgoidc True

      Additional info:

      Google email: Important notice: Default security settings for new Azure Storage accounts will be updated

            jstuever@redhat.com Jeremiah Stuever
            openshift-crt-jira-prow OpenShift Prow Bot
            Mingxia Huang Mingxia Huang
            Jeana Routh Jeana Routh
            Votes:
            0 Vote for this issue
            Watchers:
            8 Start watching this issue

              Created:
              Updated:
              Resolved: