OpenShift Bugs: OCPBUGS-22651

Ccoctl create Azure Workload Identity resource does not work properly in eastus region because the storage account does not allow Public access.

      Doc text impacts a known issue that is documented with a workaround procedure. See https://github.com/openshift/openshift-docs/pull/67375 for edits needed.

      *Cause*: A recent change to the default security settings for new Azure storage accounts in the eastus region prohibits public access.
      *Consequence*: Installation of clusters that use Azure AD Workload Identity fails in the eastus region.
      *Fix*: The ccoctl tool now explicitly sets the storage account to allow public access.
      *Result*: Installation of clusters that use Azure AD Workload Identity succeeds in the eastus region.
    • Bug Fix

      This is a clone of issue OCPBUGS-22369. The following is the description of the original issue:

      Description of problem:

      Default security settings for new Azure Storage accounts have been updated. Using ccoctl to create Azure Workload Identity resources in region eastus does not work.
      
      I found several commonly used regions and did the test. The test results are as follows.
      
      List of regions not working properly: eastus
      
      $ az storage account list -g mihuangtt0947-rg-oidc --query "[].[name,allowBlobPublicAccess]" -o tsv
      mihuangtt0947rgoidc False
      
      
      List of regions working properly: westus, australiacentral, australiaeast, centralus, australiasoutheast, southindia…
      
      $ az storage account list -g mihuangdispri0929-rg-oidc --query "[].[name,allowBlobPublicAccess]" -o tsv
      mihuangdispri0929rgoidc	True

      Version-Release number of selected component (if applicable):

      4.14/4.15

      How reproducible:

      Always

      Steps to Reproduce:

      1. Run the ccoctl azure create-all command to create Azure workload identity resources in region eastus.
      
      [huangmingxia@fedora CCO-bugs]$ ./ccoctl azure create-all  --name 'mihuangp1' --region 'eastus' --subscription-id  {SUBSCRIPTION-ID} --tenant-id {TENANNT-ID} --credentials-requests-dir=./credrequests --dnszone-resource-group-name 'os4-common' --storage-account-name='mihuangp1oidc' --output-dir test
      

      Actual results:

      [huangmingxia@fedora CCO-bugs]$  ./ccoctl azure create-all  --name 'mihuangp1' --region 'eastus' --subscription-id  {SUBSCRIPTION-ID} --tenant-id {TENANNT-ID} --credentials-requests-dir=./credrequests --dnszone-resource-group-name 'os4-common' --storage-account-name='mihuangp1oidc' --output-dir test
      2023/10/25 11:14:36 Using existing RSA keypair found at test/serviceaccount-signer.private
      2023/10/25 11:14:36 Copying signing key for use by installer
      2023/10/25 11:14:36 No --oidc-resource-group-name provided, defaulting OIDC resource group name to mihuangp1-oidc
      2023/10/25 11:14:36 No --installation-resource-group-name provided, defaulting installation resource group name to mihuangp1
      2023/10/25 11:14:36 No --blob-container-name provided, defaulting blob container name to mihuangp1
      2023/10/25 11:14:39 Created resource group /subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourceGroups/mihuangp1-oidc
      2023/10/25 11:15:01 Created storage account /subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourceGroups/mihuangp1-oidc/providers/Microsoft.Storage/storageAccounts/mihuangp1oidc
      2023/10/25 11:15:03 failed to create blob container: PUT https://management.azure.com/subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourceGroups/mihuangp1-oidc/providers/Microsoft.Storage/storageAccounts/mihuangp1oidc/blobServices/default/containers/mihuangp1
      --------------------------------------------------------------------------------
      RESPONSE 409: 409 Conflict
      ERROR CODE: PublicAccessNotPermitted
      --------------------------------------------------------------------------------
      {
        "error": {
          "code": "PublicAccessNotPermitted",
          "message": "Public access is not permitted on this storage account.\nRequestId:415c51f1-c01e-0017-7ef1-06ec0c000000\nTime:2023-10-25T03:15:02.7928767Z"
        }
      }
      --------------------------------------------------------------------------------
      
      $ az storage account list -g mihuangtt0947-rg-oidc --query "[].[name,allowBlobPublicAccess]" -o tsv
      mihuangtt0947rgoidc False

      Expected results:

      Resources created successfully.
      
      $ az storage account list -g mihuangtt0947-rg-oidc --query "[].[name,allowBlobPublicAccess]" -o tsv
      mihuangtt0947rgoidc True

      Additional info:

      Google email: Important notice: Default security settings for new Azure Storage accounts will be updated
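The report checks a single flag, allowBlobPublicAccess, with `az storage account list ... -o tsv`, and the fix makes ccoctl set that flag explicitly on the OIDC storage account. The script below is an added example, not part of this bug report and not ccoctl's own code: it consumes the same TSV shape the report quotes, tells you before running `ccoctl azure create-all` whether the OIDC account is already in the state the fixed ccoctl produces, and, because public blob access is a setting you normally want to be rare, lists any other account in the listing that also allows it. The account and resource group names are constructed, and the `az storage account update` command it suggests is my own assumption about how to flip the flag by hand, not a quote from the docs PR.

```shell
#!/bin/sh
# Added example, not part of the bug report or of ccoctl. It audits the
# allowBlobPublicAccess flag that the report inspects with
#   az storage account list -g <rg> --query "[].[name,allowBlobPublicAccess]" -o tsv
# and reports, before "ccoctl azure create-all" runs, whether the OIDC storage
# account is in the state the fixed ccoctl now sets explicitly.

# Constructed sample of that TSV output (one "<name> <True|False>" pair per
# line) so the script runs offline; the account names are hypothetical.
SAMPLE_TSV=$(printf 'mihuangp1oidc\tFalse\notherdata01\tTrue\nbackupsacct\tFalse\n')

# Print the allowBlobPublicAccess value for one account, read from the TSV on
# stdin: "True", "False", or "missing" if the account is not in the listing.
public_access_state() {
    state=$(awk -v n="$1" '$1 == n { print $2; exit }')
    printf '%s\n' "${state:-missing}"
}

# Print, one per line, every account in the TSV on stdin that allows public
# blob access except the named OIDC account. The OIDC account is the one that
# legitimately needs anonymous reads (Azure AD fetches the discovery document
# and JWKS from it); any other account in this list is a finding to review.
unexpected_public_accounts() {
    awk -v oidc="$1" '$2 == "True" && $1 != oidc { print $1 }'
}

# Decide what to do about the OIDC account before ccoctl creates the blob
# container. Prints one of: ok, needs-update, missing.
oidc_precheck() {
    case "$(public_access_state "$1")" in
        True)    echo ok ;;
        False)   echo needs-update ;;
        missing) echo missing ;;
    esac
}

# Demonstration on the constructed sample (only when invoked with "demo").
if [ "${1:-}" = "demo" ]; then
    rg="mihuangp1-oidc"      # resource group name pattern from the report
    oidc="mihuangp1oidc"     # storage account name from the report
    printf 'OIDC account state: %s\n' "$(printf '%s\n' "$SAMPLE_TSV" | oidc_precheck "$oidc")"
    printf 'Other accounts allowing public access:\n'
    printf '%s\n' "$SAMPLE_TSV" | unexpected_public_accounts "$oidc"
    # With real az access, "needs-update" means the account still has the new
    # eastus default; this is one way to flip the flag by hand (an assumption,
    # not quoted from the docs PR) before re-running ccoctl:
    printf 'Suggested: az storage account update -g %s -n %s --allow-blob-public-access true\n' "$rg" "$oidc"
fi
```

To use it against a real subscription, replace SAMPLE_TSV with the output of the `az storage account list` command from the report and pipe it into `oidc_precheck` and `unexpected_public_accounts`; the two awk filters are deliberately separate so the first can gate an installer pipeline while the second feeds a periodic audit.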

              jstuever@redhat.com Jeremiah Stuever
              openshift-crt-jira-prow OpenShift Prow Bot
              Mingxia Huang Mingxia Huang
              Jeana Routh Jeana Routh