Bug: Passing multiple values to "bypass" parameter is not working for NetworkRuleSet while creation of storage account
Closed this issue · 8 comments
Version of Azure Service Operator
mcr.microsoft.com/k8s/azureserviceoperator:v2.8.0
Describe the bug
While configuring NetworkRuleSet of StorageAccount, we are trying to pass multiple values to the "bypass" parameter. The behaviour we are observing is that only the first value gets applied and the rest of the values are ignored. The documentation says that multiple values can be passed separated by commas, but it's not working as expected.
To Reproduce
Steps to reproduce the behavior:
apiVersion: resources.azure.com/v1api20200601
kind: ResourceGroup
metadata:
  name: test-rg
spec:
  azureName: test-rg
  location: eastus2
---
apiVersion: storage.azure.com/v1api20230101
kind: StorageAccount
metadata:
  name: test-stg-account
spec:
  kind: Storage
  allowBlobPublicAccess: false
  allowCrossTenantReplication: false
  azureName: teststgaccont
  location: eastus2
  sku:
    name: Standard_LRS
    tier: Standard
  supportsHttpsTrafficOnly: true
  owner:
    name: test-rg
  networkAcls:
    bypass: "Logging,Metrics,AzureServices" # Only first value gets applied and rest two are ignored
    defaultAction: Deny
Expected behavior
We should be able to pass multiple values to the bypass parameter.
Does bypass work as documented when you configure the resource via an ARM Template or via the Azure Portal?
[I'm trying to establish whether this is an ASO bug (that we're not passing the value through correctly) or a problem with the ARM Resource Provider for Storage.]
If you get the same behaviour through the Azure Portal (or an ARM Template), then you should log a support request directly with the Storage Team. If it works through the portal, we'll investigate what ASO is doing.
Checked with the az CLI command below. It appears to be working.
az storage account create --name testsact --resource-group testrg --location eastus2 --sku Standard_RAGRS --kind StorageV2 --bypass AzureServices Logging --default-action deny --allow-blob-public-access false
I think https://github.com/Azure/azure-service-operator/blob/main/pkg/resourcemanager/storages/storageaccount/storageaccount.go#L37-L47 is allowing only a single value to be set.
/label needs-triage
It looks like we need to try this out ourselves and see if we can reproduce the problem
I tested this out with exactly the YAML you shared and got this when I tried to apply the YAML:
$ k apply -f test.yaml
The StorageAccount "matthchr-test-stg" is invalid: spec.networkAcls.bypass: Unsupported value: "Logging,Metrics,AzureServices": supported values: "AzureServices", "Logging", "Metrics", "None"
The issue here is that storage documents their field as an enum, but then accepts values that aren't in that set.
We can fix this in ASO. I've pulled this into 2.10.
Can you confirm that you're seeing the same behavior though? Your kubectl apply should be being rejected, not accepted and having the value ignored.
Yes, I am experiencing the same behaviour and the same error message.
This will be fixed in the upcoming 2.10 release.
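The mismatch discussed in this thread, as an added example that is not ASO's own code: a strict single-value enum check rejects the combined string from the issue's YAML, while a check that treats the field as a comma-separated set of the same four values accepts it. The function names `enumAccepts` and `parseBypass` are hypothetical, and the rule that "None" cannot be combined with other values is an assumption of this sketch.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Values listed in the kubectl error message quoted in the thread.
var supported = map[string]bool{"AzureServices": true, "Logging": true, "Metrics": true, "None": true}

// enumAccepts mirrors a strict single-value enum check: the whole string must
// be exactly one supported value, so any comma-separated combination fails.
func enumAccepts(bypass string) bool { return supported[bypass] }

// parseBypass treats the field as a comma-separated set of supported values.
// It returns the distinct values sorted, or an error naming the bad token.
// Assumption: "None" is only meaningful on its own, so it may not be combined.
func parseBypass(bypass string) ([]string, error) {
	seen := map[string]bool{}
	for _, tok := range strings.Split(bypass, ",") {
		tok = strings.TrimSpace(tok)
		if !supported[tok] {
			return nil, fmt.Errorf("unsupported bypass value %q", tok)
		}
		seen[tok] = true
	}
	if seen["None"] && len(seen) > 1 {
		return nil, fmt.Errorf("%q cannot be combined with other values", "None")
	}
	out := make([]string, 0, len(seen))
	for v := range seen {
		out = append(out, v)
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	// Constructed inputs; the first is the value from the issue's YAML.
	for _, in := range []string{"Logging,Metrics,AzureServices", "AzureServices", "None,Logging", "Logging,Bogus", ""} {
		vals, err := parseBypass(in)
		fmt.Printf("%-32q enum=%-5v set=%v err=%v\n", in, enumAccepts(in), vals, err)
	}
}
```

Returning the parsed set rather than a bare boolean also lets a reviewer see exactly which traffic classes a manifest exempts from `defaultAction: Deny`.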