RFE: Request support for Infrastructure Encryption on Azure Storage Containers
Introduction
Currently, two storage accounts are created for each ARO cluster deployment. With recent updates to the RP, support now exists for TLS 1.2, restricting account access to specific virtual networks, allowing clients to use an Azure Disk Encryption Set to specify their own encryption keys, and disabling blob public access.
Problem
The introduction of "Infrastructure Encryption" on storage accounts will allow clients to effectively "double-encrypt" data saved in ARO storage accounts. https://docs.microsoft.com/en-us/azure/storage/common/infrastructure-encryption-enable
Request
Enable Infrastructure Encryption for the two ARO storage accounts that are created during cluster build. This appears to be a simple flag that can be added into an ARM template as "requireInfrastructureEncryption": true
Client Expectations
Our clients expect to utilize all features available on Azure to encrypt data in their subscriptions. With the introduction of Infrastructure Encryption, and given that it can only be enabled during the creation of the storage accounts, clients are already asking for this feature to be natively available in the ARO-RP.
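An added example, not part of the original request and not ARO-RP code: a small audit that walks an ARM template and reports storage accounts missing the settings named above, including `requireInfrastructureEncryption` under `properties.encryption`. The account names and the sample template are constructed, and mapping "restricting account access to specific virtual networks" to `networkAcls.defaultAction` being `Deny` is an assumption of this check.

```python
import json

# Constructed sample template: resource names are made up for illustration.
SAMPLE_TEMPLATE = json.loads("""
{"resources": [
  {"type": "Microsoft.Storage/storageAccounts", "name": "clusterexample",
   "properties": {"minimumTlsVersion": "TLS1_2", "allowBlobPublicAccess": false,
                  "networkAcls": {"defaultAction": "Deny"},
                  "encryption": {"requireInfrastructureEncryption": true}}},
  {"type": "Microsoft.Storage/storageAccounts", "name": "imageregistryexample",
   "properties": {"minimumTlsVersion": "TLS1_2", "allowBlobPublicAccess": false,
                  "networkAcls": {"defaultAction": "Deny"}}},
  {"type": "Microsoft.Network/virtualNetworks", "name": "vnet-example",
   "properties": {}}
]}
""")

# (property path under "properties", required value)
CHECKS = [
    ("encryption.requireInfrastructureEncryption", True),
    ("minimumTlsVersion", "TLS1_2"),
    ("allowBlobPublicAccess", False),
    ("networkAcls.defaultAction", "Deny"),  # assumption: see lead-in
]

def _get(node, dotted_path):
    """Walk nested dicts; return None if any step is absent."""
    for key in dotted_path.split("."):
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node

def audit(template):
    """Return {account name: [property paths not set as required]}."""
    findings = {}
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.storage/storageaccounts":
            continue
        props = res.get("properties", {})
        # An unevaluated template expression such as "[parameters('x')]"
        # is not equal to the literal and is reported for manual review.
        bad = [path for path, want in CHECKS if _get(props, path) != want]
        if bad:
            findings[res.get("name", "<unnamed>")] = bad
    return findings

if __name__ == "__main__":
    for name, paths in audit(SAMPLE_TEMPLATE).items():
        print(f"{name}: not set as required -> {', '.join(paths)}")
```

Because infrastructure encryption can only be enabled when the account is created, a finding on this property means the account has to be recreated rather than updated.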