Issue type: Feature
Resolution: Unresolved
Priority: Major
Work type: BU Product Work
Progress: 67% To Do, 0% In Progress, 33% Done
Status: Backlog Refinement
Feature Overview (aka. Goal Summary)
Support ARO and customers who want to follow Microsoft Azure security recommendations by allowing the Azure storage account that hosts the object storage bucket for the integrated registry to be configured as "private" instead of the default public.
Goals (aka. expected user outcomes)
OpenShift installations, and ARO in particular, no longer trigger warnings in Azure Security Advisor by default about the public endpoint of the Azure storage account created by the integrated registry operator.
Requirements (aka. Acceptance Criteria):
Installer-driven configuration of the Integrated Registry operator to leverage a private storage account
Background
Several users noticed warnings in Azure Security Advisor reporting the potentially dangerous exposure of the storage endpoint used by the integrated registry, as configured by its operator. There is no real security threat here: although the endpoint is public, access to it is strictly locked down to a single set of credentials used only by the internal registry.
Still, customers need to be able to deploy clusters that, out of the box, do not violate Microsoft security recommendations.
This also aligns with OCPSTRAT-716, which introduces installer-level tunables that place the Ingress and API server on a private network. As part of this effort we will also introduce a corresponding installer tunable for the integrated registry.
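The Security Advisor warning described above comes down to three properties of the storage account: whether its public network access is enabled, what the network rule set's default action is, and whether a private endpoint connection exists. The following audit script is an added example for this ticket, not code from the feature, the registry operator or the installer. It assumes the camelCase field names that `az storage account show` prints (`publicNetworkAccess`, `networkRuleSet.defaultAction`, `privateEndpointConnections`); the sample records are constructed for the example and represent the default registry account, a firewall-only variant, and the private configuration this feature targets.

```python
"""Audit Azure storage account records for the public-endpoint exposure that
Azure Security Advisor flags. Added example; not part of the feature or OpenShift.

Input is the record shape produced by `az storage account show` / `list`
(assumed field names: publicNetworkAccess, networkRuleSet.defaultAction,
privateEndpointConnections). Feed real output with:
    az storage account list -o json | python audit_storage.py
"""
import json
import sys
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Finding:
    account: str
    severity: str  # "high", "medium" or "ok"
    reason: str


def audit_storage_account(acct: dict[str, Any]) -> Finding:
    """Classify one storage account record the way the advisor check would."""
    name = acct.get("name", "<unknown>")
    # Azure treats an unset publicNetworkAccess as Enabled.
    public_access = acct.get("publicNetworkAccess") or "Enabled"
    default_action = (acct.get("networkRuleSet") or {}).get("defaultAction", "Allow")
    has_private_endpoint = bool(acct.get("privateEndpointConnections"))

    if public_access == "Disabled":
        if has_private_endpoint:
            return Finding(name, "ok",
                           "public network access disabled; private endpoint present")
        return Finding(name, "medium",
                       "public network access disabled but no private endpoint: "
                       "the registry cannot reach the account without one")
    if default_action == "Deny":
        return Finding(name, "medium",
                       "public endpoint enabled but firewall default is Deny; "
                       "only allow-listed networks reach it")
    return Finding(name, "high",
                   "public endpoint reachable from any network; credentials are the "
                   "only control (this is what Security Advisor warns about)")


def audit(accounts: list[dict[str, Any]]) -> list[Finding]:
    return [audit_storage_account(a) for a in accounts]


# Constructed sample records (not real Azure output).
SAMPLE_ACCOUNTS: list[dict[str, Any]] = [
    {   # default registry account: public endpoint, firewall allows all
        "name": "imageregistrysample1",
        "publicNetworkAccess": "Enabled",
        "networkRuleSet": {"defaultAction": "Allow"},
        "privateEndpointConnections": [],
    },
    {   # firewall-only hardening: still a public endpoint, so still flagged
        "name": "imageregistrysample2",
        "publicNetworkAccess": "Enabled",
        "networkRuleSet": {"defaultAction": "Deny"},
        "privateEndpointConnections": [],
    },
    {   # private configuration this feature targets
        "name": "imageregistrysample3",
        "publicNetworkAccess": "Disabled",
        "networkRuleSet": {"defaultAction": "Deny"},
        "privateEndpointConnections": [{"id": "/placeholder/privateEndpointConnections/pe1"}],
    },
]


if __name__ == "__main__":
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_ACCOUNTS
    for f in audit(data if isinstance(data, list) else [data]):
        print(f"{f.severity:6} {f.account}: {f.reason}")
```

Run it without input to see the three sample classifications; pipe `az storage account list -o json` into it to audit a real subscription. The "medium" branch for a disabled public endpoint with no private endpoint is deliberate: it is the state a cluster lands in if the account is locked down without the registry being given a private path to it.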
Documentation Considerations
We need installer documentation describing how to trigger the creation of a private endpoint for the storage account used by the OpenShift integrated registry.
Interoperability Considerations
ARO should transition to configure the installer to create a private endpoint for the OpenShift integrated registry's storage account.
Is related to:
- RFE-6450 OpenShift Azure installation PCI-DSS/BAFIN compliance enhancement public_network_access_enabled=false (Accepted)
- OCPSTRAT-716 Mixed public/private exposure for OpenShift API and OpenShift Ingress on Azure (Closed)
- OCPSTRAT-996 Allow internal registry operator to configure a private storage endpoint on Azure (Closed)