ARO-4373 update mgmtstorage sdk to 2019-06-01 for disabling allowShar…

…edKeyAccess
Azure · Jun 21, 2024 · fc80e4d · fc80e4d
1 parent 67ba8c2
commit fc80e4d
Show file tree

Hide file tree

Showing 46 changed files with 4,297 additions and 1,042 deletions.
diff --git a/pkg/cluster/deploybaseresources_additional.go b/pkg/cluster/deploybaseresources_additional.go
@@ -9,7 +9,7 @@ import (
 
 	mgmtnetwork "github.com/Azure/azure-sdk-for-go/services/network/mgmt/2020-08-01/network"
 	mgmtauthorization "github.com/Azure/azure-sdk-for-go/services/preview/authorization/mgmt/2018-09-01-preview/authorization"
-	mgmtstorage "github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2019-06-01/storage"
+	mgmtstorage "github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2021-09-01/storage"
 	"github.com/Azure/go-autorest/autorest/to"
 
 	"github.com/Azure/ARO-RP/pkg/api"
@@ -88,19 +88,19 @@ func (m *manager) storageAccount(name, region string, ocpSubnets []string, encry
 	virtualNetworkRules := []mgmtstorage.VirtualNetworkRule{
 		{
 			VirtualNetworkResourceID: to.StringPtr("/subscriptions/" + m.env.SubscriptionID() + "/resourceGroups/" + m.env.ResourceGroup() + "/providers/Microsoft.Network/virtualNetworks/rp-pe-vnet-001/subnets/rp-pe-subnet"),
-			Action:                   mgmtstorage.Allow,
+			Action:                   mgmtstorage.ActionAllow,
 		},
 		{
 			VirtualNetworkResourceID: to.StringPtr("/subscriptions/" + m.env.SubscriptionID() + "/resourceGroups/" + m.env.ResourceGroup() + "/providers/Microsoft.Network/virtualNetworks/rp-vnet/subnets/rp-subnet"),
-			Action:                   mgmtstorage.Allow,
+			Action:                   mgmtstorage.ActionAllow,
 		},
 	}
 
 	// add OCP subnets which have Microsoft.Storage service endpoint enabled
 	for _, subnet := range ocpSubnets {
 		virtualNetworkRules = append(virtualNetworkRules, mgmtstorage.VirtualNetworkRule{
 			VirtualNetworkResourceID: to.StringPtr(subnet),
-			Action:                   mgmtstorage.Allow,
+			Action:                   mgmtstorage.ActionAllow,
 		})
 	}
 
@@ -110,7 +110,7 @@ func (m *manager) storageAccount(name, region string, ocpSubnets []string, encry
 	if m.installViaHive && strings.Index(name, "cluster") == 0 {
 		virtualNetworkRules = append(virtualNetworkRules, mgmtstorage.VirtualNetworkRule{
 			VirtualNetworkResourceID: to.StringPtr(fmt.Sprintf("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/virtualNetworks/aks-net/subnets/PodSubnet-%03d", m.env.SubscriptionID(), m.env.ResourceGroup(), hiveShard)),
-			Action:                   mgmtstorage.Allow,
+			Action:                   mgmtstorage.ActionAllow,
 		})
 	}
 
@@ -120,21 +120,21 @@ func (m *manager) storageAccount(name, region string, ocpSubnets []string, encry
 	if !m.env.IsLocalDevelopmentMode() {
 		virtualNetworkRules = append(virtualNetworkRules, mgmtstorage.VirtualNetworkRule{
 			VirtualNetworkResourceID: to.StringPtr("/subscriptions/" + m.env.SubscriptionID() + "/resourceGroups/" + m.env.GatewayResourceGroup() + "/providers/Microsoft.Network/virtualNetworks/gateway-vnet/subnets/gateway-subnet"),
-			Action:                   mgmtstorage.Allow,
+			Action:                   mgmtstorage.ActionAllow,
 		})
 	}
 
 	sa := &mgmtstorage.Account{
-		Kind: mgmtstorage.StorageV2,
+		Kind: mgmtstorage.KindStorageV2,
 		Sku: &mgmtstorage.Sku{
 			Name: "Standard_LRS",
 		},
 		AccountProperties: &mgmtstorage.AccountProperties{
 			AllowBlobPublicAccess:  to.BoolPtr(false),
 			EnableHTTPSTrafficOnly: to.BoolPtr(true),
-			MinimumTLSVersion:      mgmtstorage.TLS12,
+			MinimumTLSVersion:      mgmtstorage.MinimumTLSVersionTLS12,
 			NetworkRuleSet: &mgmtstorage.NetworkRuleSet{
-				Bypass:              mgmtstorage.AzureServices,
+				Bypass:              mgmtstorage.BypassAzureServices,
 				VirtualNetworkRules: &virtualNetworkRules,
 				DefaultAction:       "Deny",
 			},

diff --git a/pkg/cluster/graph/manager.go b/pkg/cluster/graph/manager.go
@@ -9,7 +9,7 @@ import (
 	"io"
 	"strings"
 
-	mgmtstorage "github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2019-06-01/storage"
+	mgmtstorage "github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2021-09-01/storage"
 	"github.com/sirupsen/logrus"
 
 	"github.com/Azure/ARO-RP/pkg/env"

diff --git a/pkg/cluster/removebootstrap.go b/pkg/cluster/removebootstrap.go
@@ -6,7 +6,7 @@ package cluster
 import (
 	"context"
 
-	mgmtstorage "github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2019-06-01/storage"
+	mgmtstorage "github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2021-09-01/storage"
 	azstorage "github.com/Azure/azure-sdk-for-go/storage"
 
 	"github.com/Azure/ARO-RP/pkg/util/stringutils"

diff --git a/pkg/deploy/assets/rp-oic.json b/pkg/deploy/assets/rp-oic.json
@@ -18,16 +18,17 @@
             "properties": {
                 "accessTier": "Hot",
                 "supportsHttpsTrafficOnly": true,
-                "allowBlobPublicAccess": true,
-                "minimumTlsVersion": "TLS1_2"
+                "allowBlobPublicAccess": false,
+                "minimumTlsVersion": "TLS1_2",
+                "allowSharedKeyAccess": false
             },
             "tags": {
                 "Az.Sec.AnonymousBlobAccessEnforcement::Skip": "PublicRelease"
             },
             "location": "[resourceGroup().location]",
             "name": "[concat(take(substring(parameters('storageAccountDomain'), 0, indexOf(parameters('storageAccountDomain'), '.')), 21), 'oic')]",
             "type": "Microsoft.Storage/storageAccounts",
-            "apiVersion": "2019-06-01"
+            "apiVersion": "2021-09-01"
         },
         {
             "name": "[concat(concat(take(substring(parameters('storageAccountDomain'), 0, indexOf(parameters('storageAccountDomain'), '.')), 21), 'oic'), '/Microsoft.Authorization/', guid(resourceId('Microsoft.Storage/storageAccounts', concat(take(substring(parameters('storageAccountDomain'), 0, indexOf(parameters('storageAccountDomain'), '.')), 21), 'oic'))))]",

diff --git a/pkg/deploy/assets/rp-production-global.json b/pkg/deploy/assets/rp-production-global.json
@@ -110,7 +110,7 @@
             "location": "[resourceGroup().location]",
             "name": "[parameters('rpVersionStorageAccountName')]",
             "type": "Microsoft.Storage/storageAccounts",
-            "apiVersion": "2019-06-01"
+            "apiVersion": "2021-09-01"
         },
         {
             "properties": {
@@ -119,7 +119,7 @@
             },
             "name": "[concat(parameters('rpVersionStorageAccountName'), '/default/rpversion')]",
             "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
-            "apiVersion": "2019-06-01",
+            "apiVersion": "2021-09-01",
             "dependsOn": [
                 "[resourceId('Microsoft.Storage/storageAccounts', parameters('rpVersionStorageAccountName'))]"
             ]
@@ -131,7 +131,7 @@
             },
             "name": "[concat(parameters('rpVersionStorageAccountName'), '/default/ocpversions')]",
             "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
-            "apiVersion": "2019-06-01",
+            "apiVersion": "2021-09-01",
             "dependsOn": [
                 "[resourceId('Microsoft.Storage/storageAccounts', parameters('rpVersionStorageAccountName'))]"
             ]

diff --git a/pkg/deploy/generator/resources.go b/pkg/deploy/generator/resources.go
@@ -8,7 +8,7 @@ import (
 	mgmtkeyvault "github.com/Azure/azure-sdk-for-go/services/keyvault/mgmt/2019-09-01/keyvault"
 	mgmtnetwork "github.com/Azure/azure-sdk-for-go/services/network/mgmt/2020-08-01/network"
 	mgmtinsights "github.com/Azure/azure-sdk-for-go/services/preview/monitor/mgmt/2018-03-01/insights"
-	mgmtstorage "github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2019-06-01/storage"
+	mgmtstorage "github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2021-09-01/storage"
 	"github.com/Azure/go-autorest/autorest/to"
 
 	"github.com/Azure/ARO-RP/pkg/util/arm"

diff --git a/pkg/deploy/generator/resources_oic.go b/pkg/deploy/generator/resources_oic.go
@@ -6,7 +6,7 @@ package generator
 import (
 	"fmt"
 
-	mgmtstorage "github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2019-06-01/storage"
+	mgmtstorage "github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2021-09-01/storage"
 	"github.com/Azure/go-autorest/autorest/to"
 
 	"github.com/Azure/ARO-RP/pkg/util/arm"
@@ -23,15 +23,17 @@ var (
 
 func (g *generator) oicStorageAccount() *arm.Resource {
 	storageAccount := &mgmtstorage.Account{
-		Kind: mgmtstorage.StorageV2,
+		Kind: mgmtstorage.KindStorageV2,
 		Sku: &mgmtstorage.Sku{
 			Name: "Standard_LRS",
 		},
 		AccountProperties: &mgmtstorage.AccountProperties{
-			AllowBlobPublicAccess:  to.BoolPtr(true),
+			AllowBlobPublicAccess:  to.BoolPtr(false),
 			EnableHTTPSTrafficOnly: to.BoolPtr(true),
-			MinimumTLSVersion:      mgmtstorage.TLS12,
-			AccessTier:             mgmtstorage.Hot,
+			MinimumTLSVersion:      mgmtstorage.MinimumTLSVersionTLS12,
+			AccessTier:             mgmtstorage.AccessTierHot,
+			AllowSharedKeyAccess:   to.BoolPtr(false),
+			// Production has Public Network Access Disabled as OIDC Storage Account will be accessed via Azure Front Door
 		},
 		Name:     to.StringPtr(fmt.Sprintf("[%s]", storageAccountName)),
 		Location: to.StringPtr("[resourceGroup().location]"),

diff --git a/pkg/deploy/generator/resources_rp.go b/pkg/deploy/generator/resources_rp.go
@@ -16,7 +16,7 @@ import (
 	mgmtauthorization "github.com/Azure/azure-sdk-for-go/services/preview/authorization/mgmt/2018-09-01-preview/authorization"
 	mgmtcontainerregistry "github.com/Azure/azure-sdk-for-go/services/preview/containerregistry/mgmt/2020-11-01-preview/containerregistry"
 	mgmtinsights "github.com/Azure/azure-sdk-for-go/services/preview/monitor/mgmt/2018-03-01/insights"
-	mgmtstorage "github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2019-06-01/storage"
+	mgmtstorage "github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2021-09-01/storage"
 	"github.com/Azure/go-autorest/autorest/to"
 
 	"github.com/Azure/ARO-RP/pkg/env"

diff --git a/pkg/deploy/saveversion.go b/pkg/deploy/saveversion.go
@@ -9,7 +9,7 @@ import (
 	"net/url"
 	"time"
 
-	mgmtstorage "github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2019-06-01/storage"
+	mgmtstorage "github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2021-09-01/storage"
 	azstorage "github.com/Azure/azure-sdk-for-go/storage"
 	"github.com/Azure/go-autorest/autorest/date"
 )
@@ -20,10 +20,10 @@ func (d *deployer) SaveVersion(ctx context.Context) error {
 	t := time.Now().UTC().Truncate(time.Second)
 	res, err := d.globalaccounts.ListAccountSAS(
 		ctx, *d.config.Configuration.GlobalResourceGroupName, *d.config.Configuration.RPVersionStorageAccountName, mgmtstorage.AccountSasParameters{
-			Services:               mgmtstorage.B,
+			Services:               mgmtstorage.ServicesB,
 			ResourceTypes:          mgmtstorage.SignedResourceTypesO,
 			Permissions:            "cw", // create and write
-			Protocols:              mgmtstorage.HTTPS,
+			Protocols:              mgmtstorage.HTTPProtocolHTTPS,
 			SharedAccessStartTime:  &date.Time{Time: t},
 			SharedAccessExpiryTime: &date.Time{Time: t.Add(24 * time.Hour)},
 		})

diff --git a/pkg/frontend/adminactions/vmserialconsole.go b/pkg/frontend/adminactions/vmserialconsole.go
@@ -13,7 +13,7 @@ import (
 	"time"
 
 	mgmtcompute "github.com/Azure/azure-sdk-for-go/services/compute/mgmt/2020-06-01/compute"
-	mgmtstorage "github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2019-06-01/storage"
+	mgmtstorage "github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2021-09-01/storage"
 	azstorage "github.com/Azure/azure-sdk-for-go/storage"
 	"github.com/Azure/go-autorest/autorest/date"
 	"github.com/sirupsen/logrus"
@@ -46,10 +46,10 @@ func (a *azureActions) VMSerialConsole(ctx context.Context, w http.ResponseWrite
 	t := time.Now().UTC().Truncate(time.Second)
 	res, err := a.storageAccounts.ListAccountSAS(
 		ctx, clusterRGName, "cluster"+a.oc.Properties.StorageSuffix, mgmtstorage.AccountSasParameters{
-			Services:               mgmtstorage.B,
+			Services:               mgmtstorage.ServicesB,
 			ResourceTypes:          mgmtstorage.SignedResourceTypesO,
-			Permissions:            mgmtstorage.R,
-			Protocols:              mgmtstorage.HTTPS,
+			Permissions:            mgmtstorage.PermissionsR,
+			Protocols:              mgmtstorage.HTTPProtocolHTTPS,
 			SharedAccessStartTime:  &date.Time{Time: t},
 			SharedAccessExpiryTime: &date.Time{Time: t.Add(24 * time.Hour)},
 		})

diff --git a/pkg/operator/controllers/storageaccounts/storageaccounts.go b/pkg/operator/controllers/storageaccounts/storageaccounts.go
@@ -8,7 +8,7 @@ import (
 	"fmt"
 	"strings"
 
-	mgmtstorage "github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2019-06-01/storage"
+	mgmtstorage "github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2021-09-01/storage"
 	"github.com/Azure/go-autorest/autorest/to"
 	imageregistryv1 "github.com/openshift/api/imageregistry/v1"
 	"k8s.io/apimachinery/pkg/types"
@@ -102,7 +102,7 @@ func (r *reconcileManager) reconcileAccounts(ctx context.Context) error {
 			if !found {
 				*account.AccountProperties.NetworkRuleSet.VirtualNetworkRules = append(*account.AccountProperties.NetworkRuleSet.VirtualNetworkRules, mgmtstorage.VirtualNetworkRule{
 					VirtualNetworkResourceID: to.StringPtr(subnet),
-					Action:                   mgmtstorage.Allow,
+					Action:                   mgmtstorage.ActionAllow,
 				})
 				changed = true
 			}

diff --git a/pkg/operator/controllers/storageaccounts/storageaccounts_test.go b/pkg/operator/controllers/storageaccounts/storageaccounts_test.go
@@ -10,7 +10,7 @@ import (
 	"testing"
 
 	mgmtnetwork "github.com/Azure/azure-sdk-for-go/services/network/mgmt/2020-08-01/network"
-	mgmtstorage "github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2019-06-01/storage"
+	mgmtstorage "github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2021-09-01/storage"
 	"github.com/Azure/go-autorest/autorest"
 	"github.com/Azure/go-autorest/autorest/to"
 	"github.com/golang/mock/gomock"
@@ -74,7 +74,7 @@ func getValidAccount(virtualNetworkResourceIDs []string) *mgmtstorage.Account {
 	for _, rule := range virtualNetworkResourceIDs {
 		*account.AccountProperties.NetworkRuleSet.VirtualNetworkRules = append(*account.AccountProperties.NetworkRuleSet.VirtualNetworkRules, mgmtstorage.VirtualNetworkRule{
 			VirtualNetworkResourceID: to.StringPtr(rule),
-			Action:                   mgmtstorage.Allow,
+			Action:                   mgmtstorage.ActionAllow,
 		})
 	}
 	return account

diff --git a/pkg/util/azureclient/apiversions.go b/pkg/util/azureclient/apiversions.go
@@ -27,7 +27,7 @@ var apiVersions = map[string]string{
 	"microsoft.network":                        "2020-08-01",
 	"microsoft.network/dnszones":               "2018-05-01",
 	"microsoft.network/privatednszones":        "2018-09-01",
-	"microsoft.storage":                        "2019-06-01",
+	"microsoft.storage":                        "2021-09-01",
 }
 
 // APIVersion gets the APIVersion from a full resource type

diff --git a/pkg/util/azureclient/mgmt/storage/accounts.go b/pkg/util/azureclient/mgmt/storage/accounts.go
@@ -6,7 +6,7 @@ package storage
 import (
 	"context"
 
-	mgmtstorage "github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2019-06-01/storage"
+	mgmtstorage "github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2021-09-01/storage"
 	"github.com/Azure/go-autorest/autorest"
 
 	"github.com/Azure/ARO-RP/pkg/util/azureclient"

diff --git a/pkg/util/mocks/azureclient/mgmt/storage/storage.go b/pkg/util/mocks/azureclient/mgmt/storage/storage.go
diff --git a/pkg/util/mocks/storage/storage.go b/pkg/util/mocks/storage/storage.go
diff --git a/pkg/util/storage/manager.go b/pkg/util/storage/manager.go
@@ -9,7 +9,7 @@ import (
 	"net/url"
 	"time"
 
-	mgmtstorage "github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2019-06-01/storage"
+	mgmtstorage "github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2021-09-01/storage"
 	azstorage "github.com/Azure/azure-sdk-for-go/storage"
 	"github.com/Azure/go-autorest/autorest"
 	"github.com/Azure/go-autorest/autorest/date"
@@ -62,10 +62,10 @@ func getCorrectErrWhenTooManyRequests(err error) error {
 func (m *manager) BlobService(ctx context.Context, resourceGroup, account string, p mgmtstorage.Permissions, r mgmtstorage.SignedResourceTypes) (*azstorage.BlobStorageClient, error) {
 	t := time.Now().UTC().Truncate(time.Second)
 	res, err := m.storageAccounts.ListAccountSAS(ctx, resourceGroup, account, mgmtstorage.AccountSasParameters{
-		Services:               mgmtstorage.B,
+		Services:               mgmtstorage.ServicesB,
 		ResourceTypes:          r,
 		Permissions:            p,
-		Protocols:              mgmtstorage.HTTPS,
+		Protocols:              mgmtstorage.HTTPProtocolHTTPS,
 		SharedAccessStartTime:  &date.Time{Time: t},
 		SharedAccessExpiryTime: &date.Time{Time: t.Add(24 * time.Hour)},
 	})

diff --git a/test/e2e/cluster.go b/test/e2e/cluster.go
@@ -12,7 +12,7 @@ import (
 	. "github.com/onsi/gomega"
 
 	mgmtnetwork "github.com/Azure/azure-sdk-for-go/services/network/mgmt/2020-08-01/network"
-	"github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2019-06-01/storage"
+	"github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2021-09-01/storage"
 	"github.com/Azure/go-autorest/autorest/azure"
 	"github.com/Azure/go-autorest/autorest/to"
 	appsv1 "k8s.io/api/apps/v1"
@@ -156,7 +156,7 @@ var _ = Describe("Cluster", Serial, func() {
 				g.Expect(account.NetworkRuleSet.VirtualNetworkRules).NotTo(BeNil())
 
 				for _, rule := range *account.NetworkRuleSet.VirtualNetworkRules {
-					if rule.Action == storage.Allow && rule.VirtualNetworkResourceID != nil {
+					if rule.Action == storage.ActionAllow && rule.VirtualNetworkResourceID != nil {
 						nAclSubnets = append(nAclSubnets, strings.ToLower(*rule.VirtualNetworkResourceID))
 					}
 				}