ARO-4373 Enable Web Endpoint for the OIDC Storage Account

docs/feature-flags.md

@@ -45,4 +45,6 @@ feature flags defined in pkg/env/env.go.  At the time of writing these include:
 * EnableOCMEndpoints: Register the OCM endpoints in the frontend. Otherwise the
   endpoints are not available at all.
 
-* EnablePublicOIDCBlobAccess: Allow the Public access to the OIDC blob in case the environment needs a decoupling from an AFD endpoint. Production will always use AFD endpoint so no public access for the production.
+* RequireOIDCStorageWebEndpoint: Since Azure Front Door is only present for INT and PROD, there is a need to determine the web endpoint of the OIDC Storage Account after its creation.
+Format of web endpoint(It uses Azure DNS Zone endpoint):- **https://[storage-account].z[00-99].web.storage.azure.net** .
+Used in development only.

docs/prepare-a-shared-rp-development-environment.md

@@ -400,7 +400,7 @@ az ad app credential reset \
    PARENT_DOMAIN_RESOURCEGROUP='$PARENT_DOMAIN_RESOURCEGROUP'
    export DOMAIN_NAME="\$LOCATION.\$PARENT_DOMAIN_NAME"
    export AZURE_ENVIRONMENT='AzurePublicCloud'
-   export STORAGE_ACCOUNT_DOMAIN="${RESOURCEGROUP//-}.blob.core.windows.net"
+   export OIDC_STORAGE_ACCOUNT_NAME="${RESOURCEGROUP//-}oic"
    EOF
    ```
 

hack/devtools/deploy-shared-env.sh

@@ -57,7 +57,9 @@ deploy_oic_dev() {
         --template-file pkg/deploy/assets/rp-oic.json \
         --parameters \
             "rpServicePrincipalId=$(az ad sp list --filter "appId eq '$AZURE_RP_CLIENT_ID'" --query '[].id' -o tsv)" \
-            "storageAccountDomain=$(echo $STORAGE_ACCOUNT_DOMAIN)" >/dev/null
+            "oidcStorageAccountName=$(echo $OIDC_STORAGE_ACCOUNT_NAME)" >/dev/null
+    echo "########## Enabling Static Website for OIDC storage account in RG $RESOURCEGROUP ##########"
+    az storage blob service-properties update --static-website true --account-name ${OIDC_STORAGE_ACCOUNT_NAME} --auth-mode login >/dev/null
 }
 
 deploy_aks_dev() {
@@ -90,7 +92,9 @@ deploy_oic_for_dedicated_rp() {
         --template-file pkg/deploy/assets/rp-oic.json \
         --parameters \
             "rpServicePrincipalId=$(az identity show -g $RESOURCEGROUP -n aro-rp-$LOCATION | jq -r '.["principalId"]')" \
-            "storageAccountDomain=$(yq '.rps[].configuration.storageAccountDomain' dev-config.yaml)"
+            "oidcStorageAccountName=$(yq '.rps[].configuration.oidcStorageAccountName' dev-config.yaml)" >/dev/null
+    echo "########## Enabling Static Website for OIDC storage account in RG $RESOURCEGROUP ##########"
+    az storage blob service-properties update --static-website true --account-name ${yq '.rps[].configuration.oidcStorageAccountName' dev-config.yaml} --auth-mode login >/dev/null
 }
 
 deploy_env_dev_override() {

pkg/cluster/delete.go

@@ -12,6 +12,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob"
 	mgmtnetwork "github.com/Azure/azure-sdk-for-go/services/network/mgmt/2020-08-01/network"
 	mgmtfeatures "github.com/Azure/azure-sdk-for-go/services/resources/mgmt/2019-07-01/features"
 	"github.com/Azure/go-autorest/autorest"
@@ -25,6 +26,7 @@ import (
 	"github.com/Azure/ARO-RP/pkg/util/azureclient"
 	"github.com/Azure/ARO-RP/pkg/util/azureerrors"
 	"github.com/Azure/ARO-RP/pkg/util/dns"
+	"github.com/Azure/ARO-RP/pkg/util/oidcbuilder"
 	"github.com/Azure/ARO-RP/pkg/util/rbac"
 	"github.com/Azure/ARO-RP/pkg/util/stringutils"
 )
@@ -443,7 +445,12 @@ func (m *manager) Delete(ctx context.Context) error {
 
 	if m.doc.OpenShiftCluster.Properties.ServicePrincipalProfile == nil && m.doc.OpenShiftCluster.Properties.PlatformWorkloadIdentityProfile != nil {
 		m.log.Printf("deleting OIDC configuration")
-		err = m.rpBlob.DeleteBlobContainer(ctx, m.env.ResourceGroup(), m.env.OIDCStorageAccountName(), env.OIDCBlobContainerPrefix+m.doc.ID)
+		blobContainerURL := oidcbuilder.GenerateBlobURL(m.env)
+		azBlobClient, err := m.rpBlob.GetAZBlobClient(blobContainerURL, &azblob.ClientOptions{})
+		if err != nil {
+			return err
+		}
+		err = oidcbuilder.DeleteOidcFolder(ctx, env.OIDCBlobDirectoryPrefix+m.doc.ID, azBlobClient)
 		if err != nil {
 			return err
 		}

pkg/cluster/deploybaseresources.go

@@ -12,7 +12,6 @@ import (
 	"strings"
 	"time"
 
-	azstorage "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage"
 	"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob"
 	mgmtnetwork "github.com/Azure/azure-sdk-for-go/services/network/mgmt/2020-08-01/network"
 	mgmtfeatures "github.com/Azure/azure-sdk-for-go/services/resources/mgmt/2019-07-01/features"
@@ -44,29 +43,30 @@ func (m *manager) createOIDC(ctx context.Context) error {
 		return nil
 	}
 
-	blobContainerName := env.OIDCBlobContainerPrefix + m.doc.ID
-
-	publicAccess := azstorage.PublicAccessNone
-	// Public access on OIDC Container needed for development environments because of no AFD availability
-	if m.env.FeatureIsSet(env.FeatureEnablePublicOIDCBlobAccess) {
-		publicAccess = azstorage.PublicAccessBlob
-	}
-	err := m.rpBlob.CreateBlobContainer(ctx, m.env.ResourceGroup(), m.env.OIDCStorageAccountName(), blobContainerName, publicAccess)
-	if err != nil {
-		return err
+	// OIDC Storage Web Endpoint need to be determined for Development environments
+	var oidcEndpoint string
+	if m.env.FeatureIsSet(env.FeatureRequireOIDCStorageWebEndpoint) {
+		properties, err := m.rpBlob.GetContainerProperties(ctx, m.env.ResourceGroup(), m.env.OIDCStorageAccountName(), oidcbuilder.WebContainer)
+		if err != nil {
+			return err
+		}
+		oidcEndpoint = *properties.Properties.PrimaryEndpoints.Web
+	} else {
+		// For Production Azure Front Door Endpoint will be the OIDC Endpoint
+		oidcEndpoint = m.env.OIDCEndpoint()
 	}
 
-	oidcBuilder, err := oidcbuilder.NewOIDCBuilder(m.env.Environment().StorageEndpointSuffix, m.env.OIDCEndpoint(), m.env.OIDCStorageAccountName(), blobContainerName)
+	oidcBuilder, err := oidcbuilder.NewOIDCBuilder(m.env, oidcEndpoint, env.OIDCBlobDirectoryPrefix+m.doc.ID)
 	if err != nil {
 		return err
 	}
 
-	azBlobClient, err := m.rpBlob.GetAZBlobClient(oidcBuilder.GetBlobContainerURL(), &azblob.ClientOptions{})
+	azBlobClient, err := m.rpBlob.GetAZBlobClient(oidcBuilder.GetBlobURL(), &azblob.ClientOptions{})
 	if err != nil {
 		return err
 	}
 
-	err = oidcBuilder.EnsureOIDCDocs(ctx, blobContainerName, azBlobClient)
+	err = oidcBuilder.EnsureOIDCDocs(ctx, azBlobClient)
 	if err != nil {
 		return err
 	}

pkg/cluster/deploybaseresources_test.go

@@ -1407,10 +1407,20 @@ func TestCreateOIDC(t *testing.T) {
 	resourceGroupName := "fakeResourceGroup"
 	oidcStorageAccountName := "eastusoic"
 	afdEndpoint := "fake.oic.aro.test.net"
-	storageEndpointForDev := oidcStorageAccountName + ".blob." + azureclient.PublicCloud.StorageEndpointSuffix
+	storageWebEndpointForDev := oidcStorageAccountName + ".web." + azureclient.PublicCloud.StorageEndpointSuffix
 	resourceID := "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/resourceGroup/providers/Microsoft.RedHatOpenShift/openShiftClusters/resourceName"
-	prodOIDCIssuer := fmt.Sprintf("https://%s/%s%s", afdEndpoint, env.OIDCBlobContainerPrefix, clusterID)
-	devOIDCIssuer := fmt.Sprintf("https://%s/%s%s", storageEndpointForDev, env.OIDCBlobContainerPrefix, clusterID)
+	blobURL := fmt.Sprintf("https://%s.blob.%s/%s", oidcStorageAccountName, azureclient.PublicCloud.StorageEndpointSuffix, oidcbuilder.WebContainer)
+	prodOIDCIssuer := fmt.Sprintf("https://%s/%s%s", afdEndpoint, env.OIDCBlobDirectoryPrefix, clusterID)
+	devOIDCIssuer := fmt.Sprintf("https://%s/%s%s", storageWebEndpointForDev, env.OIDCBlobDirectoryPrefix, clusterID)
+	containerProperties := azstorage.AccountsClientGetPropertiesResponse{
+		Account: azstorage.Account{
+			Properties: &azstorage.AccountProperties{
+				PrimaryEndpoints: &azstorage.Endpoints{
+					Web: to.StringPtr(storageWebEndpointForDev),
+				},
+			},
+		},
+	}
 
 	for _, tt := range []struct {
 		name                              string
@@ -1470,15 +1480,13 @@ func TestCreateOIDC(t *testing.T) {
 				},
 			},
 			mocks: func(blob *mock_azblob.MockManager, menv *mock_env.MockInterface, azblobClient *mock_azblob.MockAZBlobClient) {
-				menv.EXPECT().OIDCStorageAccountName().AnyTimes().Return(oidcStorageAccountName)
-				menv.EXPECT().FeatureIsSet(env.FeatureEnablePublicOIDCBlobAccess).Return(false)
-				menv.EXPECT().ResourceGroup().Return(resourceGroupName)
-				menv.EXPECT().Environment().Return(&azureclient.PublicCloud)
+				menv.EXPECT().FeatureIsSet(env.FeatureRequireOIDCStorageWebEndpoint).Return(false)
 				menv.EXPECT().OIDCEndpoint().Return(afdEndpoint)
-				blob.EXPECT().CreateBlobContainer(gomock.Any(), resourceGroupName, oidcStorageAccountName, gomock.Any(), azstorage.PublicAccessNone).Return(nil)
-				azblobClient.EXPECT().UploadBuffer(gomock.Any(), "", oidcbuilder.DiscoveryDocumentKey, gomock.Any()).Return(nil)
-				azblobClient.EXPECT().UploadBuffer(gomock.Any(), "", oidcbuilder.JWKSKey, gomock.Any()).Return(nil)
-				blob.EXPECT().GetAZBlobClient(gomock.Any(), &azblob.ClientOptions{}).Return(azblobClient, nil)
+				menv.EXPECT().OIDCStorageAccountName().Return(oidcStorageAccountName)
+				menv.EXPECT().Environment().Return(&azureclient.PublicCloud)
+				blob.EXPECT().GetAZBlobClient(blobURL, &azblob.ClientOptions{}).Return(azblobClient, nil)
+				azblobClient.EXPECT().UploadBuffer(gomock.Any(), "", oidcbuilder.DocumentKey(env.OIDCBlobDirectoryPrefix+clusterID, oidcbuilder.DiscoveryDocumentKey), gomock.Any()).Return(nil)
+				azblobClient.EXPECT().UploadBuffer(gomock.Any(), "", oidcbuilder.DocumentKey(env.OIDCBlobDirectoryPrefix+clusterID, oidcbuilder.JWKSKey), gomock.Any()).Return(nil)
 			},
 			wantedOIDCIssuer:                  pointerutils.ToPtr(api.OIDCIssuer(prodOIDCIssuer)),
 			wantBoundServiceAccountSigningKey: true,
@@ -1498,21 +1506,20 @@ func TestCreateOIDC(t *testing.T) {
 				},
 			},
 			mocks: func(blob *mock_azblob.MockManager, menv *mock_env.MockInterface, azblobClient *mock_azblob.MockAZBlobClient) {
-				menv.EXPECT().OIDCStorageAccountName().AnyTimes().Return(oidcStorageAccountName)
-				menv.EXPECT().FeatureIsSet(env.FeatureEnablePublicOIDCBlobAccess).Return(true)
+				menv.EXPECT().FeatureIsSet(env.FeatureRequireOIDCStorageWebEndpoint).Return(true)
 				menv.EXPECT().ResourceGroup().Return(resourceGroupName)
+				menv.EXPECT().OIDCStorageAccountName().AnyTimes().Return(oidcStorageAccountName)
+				blob.EXPECT().GetContainerProperties(gomock.Any(), resourceGroupName, oidcStorageAccountName, oidcbuilder.WebContainer).Return(containerProperties, nil)
 				menv.EXPECT().Environment().Return(&azureclient.PublicCloud)
-				menv.EXPECT().OIDCEndpoint().Return(storageEndpointForDev)
-				blob.EXPECT().CreateBlobContainer(gomock.Any(), resourceGroupName, oidcStorageAccountName, gomock.Any(), azstorage.PublicAccessBlob).Return(nil)
-				azblobClient.EXPECT().UploadBuffer(gomock.Any(), "", oidcbuilder.DiscoveryDocumentKey, gomock.Any()).Return(nil)
-				azblobClient.EXPECT().UploadBuffer(gomock.Any(), "", oidcbuilder.JWKSKey, gomock.Any()).Return(nil)
-				blob.EXPECT().GetAZBlobClient(gomock.Any(), &azblob.ClientOptions{}).Return(azblobClient, nil)
+				blob.EXPECT().GetAZBlobClient(blobURL, &azblob.ClientOptions{}).Return(azblobClient, nil)
+				azblobClient.EXPECT().UploadBuffer(gomock.Any(), "", oidcbuilder.DocumentKey(env.OIDCBlobDirectoryPrefix+clusterID, oidcbuilder.DiscoveryDocumentKey), gomock.Any()).Return(nil)
+				azblobClient.EXPECT().UploadBuffer(gomock.Any(), "", oidcbuilder.DocumentKey(env.OIDCBlobDirectoryPrefix+clusterID, oidcbuilder.JWKSKey), gomock.Any()).Return(nil)
 			},
 			wantedOIDCIssuer:                  pointerutils.ToPtr(api.OIDCIssuer(devOIDCIssuer)),
 			wantBoundServiceAccountSigningKey: true,
 		},
 		{
-			name: "Fail - Create Blob Container throws error",
+			name: "Fail - Get Container Properties throws error",
 			oc: &api.OpenShiftClusterDocument{
 				Key: strings.ToLower(resourceID),
 				ID:  clusterID,
@@ -1526,10 +1533,10 @@ func TestCreateOIDC(t *testing.T) {
 				},
 			},
 			mocks: func(blob *mock_azblob.MockManager, menv *mock_env.MockInterface, azblob *mock_azblob.MockAZBlobClient) {
-				menv.EXPECT().OIDCStorageAccountName().AnyTimes().Return(oidcStorageAccountName)
-				menv.EXPECT().FeatureIsSet(env.FeatureEnablePublicOIDCBlobAccess).Return(false)
+				menv.EXPECT().FeatureIsSet(env.FeatureRequireOIDCStorageWebEndpoint).Return(true)
 				menv.EXPECT().ResourceGroup().Return(resourceGroupName)
-				blob.EXPECT().CreateBlobContainer(gomock.Any(), resourceGroupName, oidcStorageAccountName, gomock.Any(), azstorage.PublicAccessNone).Return(errors.New("generic error"))
+				menv.EXPECT().OIDCStorageAccountName().AnyTimes().Return(oidcStorageAccountName)
+				blob.EXPECT().GetContainerProperties(gomock.Any(), resourceGroupName, oidcStorageAccountName, oidcbuilder.WebContainer).Return(containerProperties, errors.New("generic error"))
 			},
 			wantBoundServiceAccountSigningKey: false,
 			wantErr:                           "generic error",
@@ -1549,13 +1556,11 @@ func TestCreateOIDC(t *testing.T) {
 				},
 			},
 			mocks: func(blob *mock_azblob.MockManager, menv *mock_env.MockInterface, azblobClient *mock_azblob.MockAZBlobClient) {
-				menv.EXPECT().OIDCStorageAccountName().AnyTimes().Return(oidcStorageAccountName)
-				menv.EXPECT().FeatureIsSet(env.FeatureEnablePublicOIDCBlobAccess).Return(false)
-				menv.EXPECT().ResourceGroup().Return(resourceGroupName)
-				menv.EXPECT().Environment().Return(&azureclient.PublicCloud)
+				menv.EXPECT().FeatureIsSet(env.FeatureRequireOIDCStorageWebEndpoint).Return(false)
 				menv.EXPECT().OIDCEndpoint().Return(afdEndpoint)
-				blob.EXPECT().CreateBlobContainer(gomock.Any(), resourceGroupName, oidcStorageAccountName, gomock.Any(), azstorage.PublicAccessNone).Return(nil)
-				blob.EXPECT().GetAZBlobClient(gomock.Any(), &azblob.ClientOptions{}).Return(azblobClient, errors.New("generic error"))
+				menv.EXPECT().OIDCStorageAccountName().Return(oidcStorageAccountName)
+				menv.EXPECT().Environment().Return(&azureclient.PublicCloud)
+				blob.EXPECT().GetAZBlobClient(blobURL, &azblob.ClientOptions{}).Return(azblobClient, errors.New("generic error"))
 			},
 			wantBoundServiceAccountSigningKey: false,
 			wantErr:                           "generic error",
@@ -1575,15 +1580,12 @@ func TestCreateOIDC(t *testing.T) {
 				},
 			},
 			mocks: func(blob *mock_azblob.MockManager, menv *mock_env.MockInterface, azblobClient *mock_azblob.MockAZBlobClient) {
-				menv.EXPECT().OIDCStorageAccountName().AnyTimes().Return(oidcStorageAccountName)
-				menv.EXPECT().FeatureIsSet(env.FeatureEnablePublicOIDCBlobAccess).Return(false)
-				menv.EXPECT().ResourceGroup().Return(resourceGroupName)
-				menv.EXPECT().Environment().Return(&azureclient.PublicCloud)
+				menv.EXPECT().FeatureIsSet(env.FeatureRequireOIDCStorageWebEndpoint).Return(false)
 				menv.EXPECT().OIDCEndpoint().Return(afdEndpoint)
-				blob.EXPECT().CreateBlobContainer(gomock.Any(), resourceGroupName, oidcStorageAccountName, gomock.Any(), azstorage.PublicAccessNone).Return(nil)
-				azblobClient.EXPECT().UploadBuffer(gomock.Any(), "", oidcbuilder.DiscoveryDocumentKey, gomock.Any()).Return(nil)
-				azblobClient.EXPECT().UploadBuffer(gomock.Any(), "", oidcbuilder.JWKSKey, gomock.Any()).Return(errors.New("generic error"))
-				blob.EXPECT().GetAZBlobClient(gomock.Any(), &azblob.ClientOptions{}).Return(azblobClient, nil)
+				menv.EXPECT().OIDCStorageAccountName().Return(oidcStorageAccountName)
+				menv.EXPECT().Environment().Return(&azureclient.PublicCloud)
+				blob.EXPECT().GetAZBlobClient(blobURL, &azblob.ClientOptions{}).Return(azblobClient, nil)
+				azblobClient.EXPECT().UploadBuffer(gomock.Any(), "", oidcbuilder.DocumentKey(env.OIDCBlobDirectoryPrefix+clusterID, oidcbuilder.DiscoveryDocumentKey), gomock.Any()).Return(errors.New("generic error"))
 			},
 			wantBoundServiceAccountSigningKey: false,
 			wantErr:                           "generic error",

pkg/deploy/assets/rp-oic.json

@@ -2,10 +2,10 @@
     "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
     "contentVersion": "1.0.0.0",
     "parameters": {
-        "rpServicePrincipalId": {
+        "oidcStorageAccountName": {
             "type": "string"
         },
-        "storageAccountDomain": {
+        "rpServicePrincipalId": {
             "type": "string"
         }
     },
@@ -26,22 +26,22 @@
                 "Az.Sec.AnonymousBlobAccessEnforcement::Skip": "PublicRelease"
             },
             "location": "[resourceGroup().location]",
-            "name": "[concat(take(substring(parameters('storageAccountDomain'), 0, indexOf(parameters('storageAccountDomain'), '.')), 21), 'oic')]",
+            "name": "[parameters('oidcStorageAccountName')]",
             "type": "Microsoft.Storage/storageAccounts",
             "apiVersion": "2021-09-01"
         },
         {
-            "name": "[concat(concat(take(substring(parameters('storageAccountDomain'), 0, indexOf(parameters('storageAccountDomain'), '.')), 21), 'oic'), '/Microsoft.Authorization/', guid(resourceId('Microsoft.Storage/storageAccounts', concat(take(substring(parameters('storageAccountDomain'), 0, indexOf(parameters('storageAccountDomain'), '.')), 21), 'oic'))))]",
+            "name": "[concat(parameters('oidcStorageAccountName'), '/Microsoft.Authorization/', guid(resourceId('Microsoft.Storage/storageAccounts', parameters('oidcStorageAccountName'))))]",
             "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
             "properties": {
-                "scope": "[resourceId('Microsoft.Storage/storageAccounts', concat(take(substring(parameters('storageAccountDomain'), 0, indexOf(parameters('storageAccountDomain'), '.')), 21), 'oic'))]",
+                "scope": "[resourceId('Microsoft.Storage/storageAccounts', parameters('oidcStorageAccountName'))]",
                 "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
                 "principalId": "[parameters('rpServicePrincipalId')]",
                 "principalType": "ServicePrincipal"
             },
             "apiVersion": "2018-09-01-preview",
             "dependsOn": [
-                "[resourceId('Microsoft.Storage/storageAccounts', concat(take(substring(parameters('storageAccountDomain'), 0, indexOf(parameters('storageAccountDomain'), '.')), 21), 'oic'))]"
+                "[resourceId('Microsoft.Storage/storageAccounts', parameters('oidcStorageAccountName'))]"
             ]
         }
     ]

pkg/deploy/config.go

@@ -97,6 +97,7 @@ type Configuration struct {
 	SubscriptionResourceGroupLocation  *string                `json:"subscriptionResourceGroupLocation,omitempty" value:"required"`
 	VMSize                             *string                `json:"vmSize,omitempty" value:"required"`
 	VMSSCleanupEnabled                 *bool                  `json:"vmssCleanupEnabled,omitempty"`
+	OIDCStorageAccountName             *string                `json:"oidcStorageAccountName,omitempty" value:"required"`
 
 	// TODO: Replace with Live Service Configuration in KeyVault
 	InstallViaHive           *string `json:"clustersInstallViaHive,omitempty"`

pkg/deploy/devconfig.go

@@ -87,6 +87,12 @@ func DevConfig(_env env.Core) (*Config, error) {
 		keyvaultPrefix = keyvaultPrefix[:20]
 	}
 
+	oidcStorageAccountName := os.Getenv("USER") + _env.Location()
+	if len(oidcStorageAccountName) >= 21 {
+		oidcStorageAccountName = oidcStorageAccountName[:21]
+	}
+	oidcStorageAccountName = oidcStorageAccountName + "oic"
+
 	return &Config{
 		RPs: []RPConfig{
 			{
@@ -101,6 +107,7 @@ func DevConfig(_env env.Core) (*Config, error) {
 					KeyvaultDNSSuffix:           &_env.Environment().KeyVaultDNSSuffix,
 					KeyvaultPrefix:              &keyvaultPrefix,
 					StorageAccountDomain:        to.StringPtr(os.Getenv("USER") + "aro" + _env.Location() + ".blob." + _env.Environment().StorageEndpointSuffix),
+					OIDCStorageAccountName:      to.StringPtr(oidcStorageAccountName),
 				},
 			},
 		},
@@ -175,7 +182,7 @@ func DevConfig(_env env.Core) (*Config, error) {
 				"RequireD2sV3Workers",
 				"DisableReadinessDelay",
 				"EnableOCMEndpoints",
-				"EnablePublicOIDCBlobAccess",
+				"RequireOIDCStorageWebEndpoint",
 			},
 			// TODO update this to support FF
 			RPImagePrefix:                     to.StringPtr(os.Getenv("USER") + "aro.azurecr.io/aro"),