Merge pull request openshift#8736 from sadasu/CORS-3299

CORS-3299: Azure: Use Customer Managed Key to enable Storage Account Encryption

Author: openshift-merge-bot[bot]

go.mod

@@ -14,6 +14,7 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v3 v3.0.0-beta.2
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v4 v4.2.1
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns v1.2.0
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault v1.4.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi v1.2.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork v1.0.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v2 v2.2.1

go.sum

@@ -74,6 +74,8 @@ github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal v1.1.2 h1:mLY+pNL
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal v1.1.2/go.mod h1:FbdwsQ2EzwvXxOPcMFYO8ogEc9uMMIj3YkmCdXdAFmk=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v2 v2.0.0 h1:PTFGRSlMKCQelWwxUyYVEUqseBJVemLyqWJjvMyt0do=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v2 v2.0.0/go.mod h1:LRr2FzBTQlONPPa5HREE5+RjSCTXl7BwOvYOaWTqCaI=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault v1.4.0 h1:HlZMUZW8S4P9oob1nCHxCCKrytxyLc+24nUJGssoEto=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault v1.4.0/go.mod h1:StGsLbuJh06Bd8IBfnAlIFV3fLb+gkczONWf15hpX2E=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/managementgroups/armmanagementgroups v1.0.0 h1:pPvTJ1dY0sA35JOeFq6TsY2xj6Z85Yo23Pj4wCCvu4o=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/managementgroups/armmanagementgroups v1.0.0/go.mod h1:mLfWfj8v3jfWKsL9G4eoBoXVcsqcIUTapmdKy7uGOp0=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi v1.2.0 h1:z4YeiSXxnUI+PqB46Yj6MZA3nwb1CcJIkEMDrzUd8Cs=

pkg/infrastructure/azure/azure.go

@@ -307,7 +307,7 @@ func (p *Provider) InfraReady(ctx context.Context, in clusterapi.InfraReadyInput
 
 	imageLength := headResponse.ContentLength
 	if imageLength%512 != 0 {
-		return fmt.Errorf("image length is not alisnged on a 512 byte boundary")
+		return fmt.Errorf("image length is not aligned on a 512 byte boundary")
 	}
 
 	userTags := platform.UserTags
@@ -329,6 +329,7 @@ func (p *Provider) InfraReady(ctx context.Context, in clusterapi.InfraReadyInput
 		CloudName:          platform.CloudName,
 		Region:             platform.Region,
 		Tags:               tags,
+		CustomerManagedKey: platform.CustomerManagedKey,
 		TokenCredential:    tokenCredential,
 		CloudConfiguration: cloudConfiguration,
 	})
@@ -343,11 +344,16 @@ func (p *Provider) InfraReady(ctx context.Context, in clusterapi.InfraReadyInput
 	logrus.Debugf("StorageAccount.ID=%s", *storageAccount.ID)
 
 	// Create blob storage container
+	publicAccess := armstorage.PublicAccessContainer
+	if platform.CustomerManagedKey != nil {
+		publicAccess = armstorage.PublicAccessNone
+	}
 	createBlobContainerOutput, err := CreateBlobContainer(ctx, &CreateBlobContainerInput{
 		SubscriptionID:       subscriptionID,
 		ResourceGroupName:    resourceGroupName,
 		StorageAccountName:   storageAccountName,
 		ContainerName:        containerName,
+		PublicAccess:         to.Ptr(publicAccess),
 		StorageClientFactory: storageClientFactory,
 	})
 	if err != nil {
@@ -760,13 +766,17 @@ func (p Provider) Ignition(ctx context.Context, in clusterapi.IgnitionInput) ([]
 	ignitionContainerName := "ignition"
 	blobName := "bootstrap.ign"
 	blobURL := fmt.Sprintf("%s/%s/%s", p.StorageURL, ignitionContainerName, blobName)
-
+	publicAccess := armstorage.PublicAccessContainer
+	if in.InstallConfig.Config.Azure.CustomerManagedKey != nil {
+		publicAccess = armstorage.PublicAccessNone
+	}
 	// Create ignition blob storage container
 	createBlobContainerOutput, err := CreateBlobContainer(ctx, &CreateBlobContainerInput{
 		ContainerName:        ignitionContainerName,
 		SubscriptionID:       subscriptionID,
 		ResourceGroupName:    p.ResourceGroupName,
 		StorageAccountName:   p.StorageAccountName,
+		PublicAccess:         to.Ptr(publicAccess),
 		StorageClientFactory: p.StorageClientFactory,
 	})
 	if err != nil {
@@ -776,16 +786,41 @@ func (p Provider) Ignition(ctx context.Context, in clusterapi.IgnitionInput) ([]
 	blobIgnitionContainer := createBlobContainerOutput.BlobContainer
 	logrus.Debugf("BlobIgnitionContainer.ID=%s", *blobIgnitionContainer.ID)
 
-	sasURL, err := CreateBlockBlob(ctx, &CreateBlockBlobInput{
-		StorageURL:         p.StorageURL,
-		BlobURL:            blobURL,
-		StorageAccountName: p.StorageAccountName,
-		StorageAccountKeys: p.StorageAccountKeys,
-		CloudConfiguration: cloudConfiguration,
-		BootstrapIgnData:   bootstrapIgnData,
-	})
-	if err != nil {
-		return nil, err
+	sasURL := ""
+
+	if in.InstallConfig.Config.Azure.CustomerManagedKey == nil {
+		logrus.Debugf("Creating a Block Blob for ignition shim")
+		sasURL, err = CreateBlockBlob(ctx, &CreateBlockBlobInput{
+			StorageURL:         p.StorageURL,
+			BlobURL:            blobURL,
+			StorageAccountName: p.StorageAccountName,
+			StorageAccountKeys: p.StorageAccountKeys,
+			CloudConfiguration: cloudConfiguration,
+			BootstrapIgnData:   bootstrapIgnData,
+		})
+		if err != nil {
+			return nil, fmt.Errorf("failed to create BlockBlob for ignition shim: %w", err)
+		}
+	} else {
+		logrus.Debugf("Creating a Page Blob for ignition shim because Customer Managed Key is provided")
+		lengthBootstrapFile := int64(len(bootstrapIgnData))
+		if lengthBootstrapFile%512 != 0 {
+			lengthBootstrapFile = (((lengthBootstrapFile / 512) + 1) * 512)
+		}
+
+		sasURL, err = CreatePageBlob(ctx, &CreatePageBlobInput{
+			StorageURL:         p.StorageURL,
+			BlobURL:            blobURL,
+			ImageURL:           "",
+			StorageAccountName: p.StorageAccountName,
+			BootstrapIgnData:   bootstrapIgnData,
+			ImageLength:        lengthBootstrapFile,
+			StorageAccountKeys: p.StorageAccountKeys,
+			CloudConfiguration: cloudConfiguration,
+		})
+		if err != nil {
+			return nil, fmt.Errorf("failed to create PageBlob for ignition shim: %w", err)
+		}
 	}
 	ignShim, err := bootstrap.GenerateIgnitionShimWithCertBundleAndProxy(sasURL, in.InstallConfig.Config.AdditionalTrustBundle, in.InstallConfig.Config.Proxy)
 	if err != nil {