pkg/storage/azure: support private storage accounts

* abstract azure private endpoint creation
* allow private endpoint configuration via operator config
* add e2e coverage for private storage account life cycle

Author: flavianmissi

pkg/storage/azure/azure.go

@@ -35,6 +35,7 @@ import (
 	regopclient "github.com/openshift/cluster-image-registry-operator/pkg/client"
 	"github.com/openshift/cluster-image-registry-operator/pkg/defaults"
 	"github.com/openshift/cluster-image-registry-operator/pkg/envvar"
+	"github.com/openshift/cluster-image-registry-operator/pkg/storage/azure/azureclient"
 	"github.com/openshift/cluster-image-registry-operator/pkg/storage/util"
 )
 
@@ -173,6 +174,10 @@ func (d *driver) createStorageAccount(storageAccountsClient storage.AccountsClie
 	klog.Infof("attempt to create azure storage account %s (resourceGroup=%q, location=%q)...", accountName, resourceGroupName, location)
 
 	kind := storage.StorageV2
+	// NOTE: looks like this legacy version of the storage library does not support
+	// disabling public network access at all... either we update the storage
+	// account after creation using the new sdk, or we use the new sdk to create it
+	// outside of azure stack hub, and the old sdk for azure stack hub.
 	params := &storage.AccountPropertiesCreateParameters{
 		EnableHTTPSTrafficOnly: to.BoolPtr(true),
 		AllowBlobPublicAccess:  to.BoolPtr(false),
@@ -540,10 +545,89 @@ func (d *driver) StorageChanged(cr *imageregistryv1.Config) bool {
 	return !reflect.DeepEqual(cr.Status.Storage.Azure, cr.Spec.Storage.Azure)
 }
 
+func (d *driver) assurePrivateAccount(cfg *Azure, infra *configv1.Infrastructure, tagset map[string]*string, accountName string) (string, error) {
+	if d.Config.NetworkAccess == nil || d.Config.NetworkAccess.Type == imageregistryv1.AzureNetworkAccessTypeExternal {
+		// user did not request private storage account setup - skip.
+		return "", nil
+	}
+	if d.Config.NetworkAccess.Internal.VNetName == "" || d.Config.NetworkAccess.Internal.SubnetName == "" {
+		return "", fmt.Errorf("both vnetName and subnetName are required to setup a private storage account")
+	}
+
+	var privateEndpointName string
+	if d.Config.NetworkAccess.Internal != nil && d.Config.NetworkAccess.Internal.PrivateEndpointName != "" {
+		privateEndpointName = d.Config.NetworkAccess.Internal.PrivateEndpointName
+	} else {
+		privateEndpointName = generateAccountName(infra.Status.InfrastructureName)
+	}
+
+	environment, err := getEnvironmentByName(d.Config.CloudName)
+	if err != nil {
+		return "", err
+	}
+
+	azclient, err := azureclient.New(&azureclient.Options{
+		Environment:        environment,
+		TenantID:           cfg.TenantID,
+		ClientID:           cfg.ClientID,
+		ClientSecret:       cfg.ClientSecret,
+		FederatedTokenFile: cfg.FederatedTokenFile,
+		SubscriptionID:     cfg.SubscriptionID,
+		ResourceGroupName:  cfg.ResourceGroup,
+		TagSet:             tagset,
+	})
+	if err != nil {
+		return "", err
+	}
+
+	// the last step in this function is to disable public network for the
+	// storage account - if we already did that, then none of the steps
+	// below need to be executed.
+	if azclient.IsStorageAccountPrivate(d.Context, accountName) {
+		return privateEndpointName, nil
+	}
+
+	klog.V(3).Infof("configuring private endpoint %q for storage account...", privateEndpointName)
+	pe, err := azclient.CreatePrivateEndpoint(
+		d.Context,
+		&azureclient.PrivateEndpointCreateOptions{
+			Location:            cfg.Region,
+			VNetName:            d.Config.NetworkAccess.Internal.VNetName,
+			SubnetName:          d.Config.NetworkAccess.Internal.SubnetName,
+			PrivateEndpointName: privateEndpointName,
+			StorageAccountName:  accountName,
+		},
+	)
+	if err != nil {
+		return "", err
+	}
+	klog.V(3).Info("private endpoint configured")
+
+	klog.V(3).Info("configuring private DNS...")
+	if err := azclient.ConfigurePrivateDNS(
+		d.Context, pe, d.Config.NetworkAccess.Internal.VNetName, accountName,
+	); err != nil {
+		return privateEndpointName, err
+	}
+	klog.V(3).Info("private DNS configured")
+
+	klog.V(3).Infof("disabling public network access for storage account %q...", accountName)
+	if err := azclient.UpdateStorageAccountNetworkAccess(d.Context, accountName, false); err != nil {
+		return privateEndpointName, err
+	}
+
+	klog.Infof(
+		"storage account %q is now served by private endpoint %q. public network access is disabled",
+		accountName, privateEndpointName,
+	)
+
+	return privateEndpointName, nil
+}
+
 // assureStorageAccount makes sure there is a storage account in place and apply any provided tags.
 // If no storage account name is provided it attempts to generate one. Returns the account name
 // (either the one provided or the one generated), if the account was created or was already there and an error.
-func (d *driver) assureStorageAccount(cfg *Azure, infra *configv1.Infrastructure) (string, bool, error) {
+func (d *driver) assureStorageAccount(cfg *Azure, infra *configv1.Infrastructure, tagset map[string]*string) (string, bool, error) {
 	environment, err := getEnvironmentByName(d.Config.CloudName)
 	if err != nil {
 		return "", false, err
@@ -571,26 +655,6 @@ func (d *driver) assureStorageAccount(cfg *Azure, infra *configv1.Infrastructure
 		return "", false, fmt.Errorf("create storage account failed, name not available")
 	}
 
-	// Tag the storage account with the openshiftClusterID
-	// along with any user defined tags from the cluster configuration
-	klog.V(2).Info("setting azure storage account tags")
-
-	tagset := map[string]*string{
-		fmt.Sprintf("kubernetes.io_cluster.%s", infra.Status.InfrastructureName): to.StringPtr("owned"),
-	}
-
-	// at this stage we are not keeping user tags in sync. as per enhancement proposal
-	// we only set user provided tags when we created the bucket.
-	hasAzureStatus := infra.Status.PlatformStatus != nil && infra.Status.PlatformStatus.Azure != nil && infra.Status.PlatformStatus.Azure.ResourceTags != nil
-	if hasAzureStatus {
-		klog.V(5).Infof("user has provided %d tags", len(infra.Status.PlatformStatus.Azure.ResourceTags))
-		for _, tag := range infra.Status.PlatformStatus.Azure.ResourceTags {
-			klog.V(5).Infof("user has provided storage account tag: %s: %s", tag.Key, tag.Value)
-			tagset[tag.Key] = to.StringPtr(tag.Value)
-		}
-	}
-	klog.V(5).Infof("tagging storage account with tags: %+v", tagset)
-
 	// regardless if the storage account name was provided by the user or we generated it,
 	// if it is available, we do attempt to create it.
 	var storageAccountCreated bool
@@ -743,7 +807,26 @@ func (d *driver) CreateStorage(cr *imageregistryv1.Config) error {
 		}
 	}
 
-	storageAccountName, storageAccountCreated, err := d.assureStorageAccount(cfg, infra)
+	// Tag the storage account with the openshiftClusterID
+	// along with any user defined tags from the cluster configuration
+	klog.V(2).Info("setting azure storage account tags")
+	tagset := map[string]*string{
+		fmt.Sprintf("kubernetes.io_cluster.%s", infra.Status.InfrastructureName): to.StringPtr("owned"),
+	}
+
+	// at this stage we are not keeping user tags in sync. as per enhancement proposal
+	// we only set user provided tags when we created the bucket.
+	hasAzureStatus := infra.Status.PlatformStatus != nil && infra.Status.PlatformStatus.Azure != nil && infra.Status.PlatformStatus.Azure.ResourceTags != nil
+	if hasAzureStatus {
+		klog.V(5).Infof("user has provided %d tags", len(infra.Status.PlatformStatus.Azure.ResourceTags))
+		for _, tag := range infra.Status.PlatformStatus.Azure.ResourceTags {
+			klog.V(5).Infof("user has provided storage account tag: %s: %s", tag.Key, tag.Value)
+			tagset[tag.Key] = to.StringPtr(tag.Value)
+		}
+	}
+	klog.V(5).Infof("tagging storage account with tags: %+v", tagset)
+
+	storageAccountName, storageAccountCreated, err := d.assureStorageAccount(cfg, infra, tagset)
 	if err != nil {
 		util.UpdateCondition(
 			cr,
@@ -769,6 +852,26 @@ func (d *driver) CreateStorage(cr *imageregistryv1.Config) error {
 	}
 	d.Config.Container = containerName
 
+	privateEndpointName, err := d.assurePrivateAccount(cfg, infra, tagset, storageAccountName)
+	if err != nil {
+		util.UpdateCondition(
+			cr,
+			defaults.StorageExists,
+			operatorapiv1.ConditionUnknown,
+			storageExistsReasonAzureError,
+			fmt.Sprintf("Unable to process private endpoint: %s", err),
+		)
+		return err
+	}
+	if privateEndpointName != "" {
+		// in most cases, a call to d.assurePrivateAccount will not result
+		// in the creation of a private endpoint. this will only happen
+		// when users explicitly request so by setting
+		// VNetName and SubnetName
+		// in the registry config. only then we set the private endpoint name.
+		d.Config.NetworkAccess.Internal.PrivateEndpointName = privateEndpointName
+	}
+
 	// We only set the storage management if it is not already set.
 	if cr.Spec.Storage.ManagementState == "" {
 		if storageAccountCreated || containerCreated {
@@ -821,6 +924,56 @@ func (d *driver) RemoveStorage(cr *imageregistryv1.Config) (retry bool, err erro
 		return false, err
 	}
 
+	if d.Config.NetworkAccess != nil && d.Config.NetworkAccess.Internal != nil && d.Config.NetworkAccess.Internal.PrivateEndpointName != "" {
+		azclient, err := azureclient.New(&azureclient.Options{
+			Environment:        environment,
+			TenantID:           cfg.TenantID,
+			ClientID:           cfg.ClientID,
+			ClientSecret:       cfg.ClientSecret,
+			FederatedTokenFile: cfg.FederatedTokenFile,
+			SubscriptionID:     cfg.SubscriptionID,
+			ResourceGroupName:  cfg.ResourceGroup,
+		})
+		if err != nil {
+			util.UpdateCondition(
+				cr,
+				defaults.StorageExists,
+				operatorapiv1.ConditionUnknown,
+				storageExistsReasonAzureError,
+				fmt.Sprintf("Unable to get azure client: %s", err),
+			)
+			return false, err
+		}
+		if err := azclient.DestroyPrivateDNS(
+			d.Context,
+			d.Config.NetworkAccess.Internal.PrivateEndpointName,
+			d.Config.NetworkAccess.Internal.VNetName,
+			d.Config.AccountName,
+		); err != nil {
+			util.UpdateCondition(
+				cr,
+				defaults.StorageExists,
+				operatorapiv1.ConditionUnknown,
+				storageExistsReasonAzureError,
+				fmt.Sprintf("Unable to destroy private dns: %q", err),
+			)
+			return false, err
+		}
+		if err := azclient.DeletePrivateEndpoint(
+			d.Context, d.Config.NetworkAccess.Internal.PrivateEndpointName,
+		); err != nil {
+			util.UpdateCondition(
+				cr,
+				defaults.StorageExists,
+				operatorapiv1.ConditionUnknown,
+				storageExistsReasonAzureError,
+				fmt.Sprintf("Unable to delete private endpoint: %q", err),
+			)
+			return false, err
+		}
+		d.Config.NetworkAccess = nil
+	}
+
 	if d.Config.Container != "" {
 		key, err := d.getAccountPrimaryKey(storageAccountsClient, cfg.ResourceGroup, d.Config.AccountName)
 		if _, ok := err.(*errDoesNotExist); ok {

pkg/storage/azure/azure_test.go

@@ -16,6 +16,7 @@ import (
 	"github.com/Azure/azure-pipeline-go/pipeline"
 	"github.com/Azure/go-autorest/autorest"
 	"github.com/Azure/go-autorest/autorest/mocks"
+	"github.com/Azure/go-autorest/autorest/to"
 	"github.com/google/go-cmp/cmp"
 
 	configlisters "github.com/openshift/client-go/config/listers/config/v1"
@@ -484,16 +485,16 @@ func TestUserProvidedTags(t *testing.T) {
 	for _, tt := range []struct {
 		name         string
 		userTags     []configv1.AzureResourceTag
-		expectedTags map[string]string
+		expectedTags map[string]*string
 		infraName    string
 		responseBody string
 	}{
 		{
 			name:      "no-user-tags",
 			infraName: "some-infra",
 			// only default tags
-			expectedTags: map[string]string{
-				"kubernetes.io_cluster.some-infra": "owned",
+			expectedTags: map[string]*string{
+				"kubernetes.io_cluster.some-infra": to.StringPtr("owned"),
 			},
 			responseBody: `{"nameAvailable":true}`,
 		},
@@ -511,10 +512,10 @@ func TestUserProvidedTags(t *testing.T) {
 				},
 			},
 			// default tags and user tags
-			expectedTags: map[string]string{
-				"kubernetes.io_cluster.test-infra": "owned",
-				"tag1":                             "value1",
-				"tag2":                             "value2",
+			expectedTags: map[string]*string{
+				"kubernetes.io_cluster.test-infra": to.StringPtr("owned"),
+				"tag1":                             to.StringPtr("value1"),
+				"tag2":                             to.StringPtr("value2"),
 			},
 			responseBody: `{"nameAvailable":true}`,
 		},
@@ -547,6 +548,7 @@ func TestUserProvidedTags(t *testing.T) {
 						},
 					},
 				},
+				tt.expectedTags,
 			)
 			if err != nil {
 				t.Errorf("unexpected error %q", err)
@@ -572,9 +574,9 @@ func TestUserProvidedTags(t *testing.T) {
 							t.Fatal("unable to type assert tags field")
 						}
 						// convert into correct type
-						receivedTags := make(map[string]string)
+						receivedTags := make(map[string]*string)
 						for k, v := range tags {
-							receivedTags[k] = fmt.Sprintf("%+v", v)
+							receivedTags[k] = to.StringPtr(fmt.Sprintf("%+v", v))
 						}
 
 						// compare the tags
@@ -683,6 +685,7 @@ func Test_assureStorageAccount(t *testing.T) {
 					ResourceGroup:  "resource_group",
 				},
 				&configv1.Infrastructure{},
+				map[string]*string{},
 			)
 
 			if err != nil {