Object storage access blocked on imports if remote host resolves a private IP address
As mentioned in gitlab-org/charts/gitlab#3262, Azure Blob Storage has a mode where something.blob.core.windows.net
can resolve to a private IP block (https://docs.microsoft.com/en-us/azure/storage/common/storage-private-endpoints).
!80700 (merged) assumed that if `endpoint` were not provided as an object store config, then the address would always be external. But this is not the case.
We may need to deal with this. Some possible ways:
- Document the behavior (as done in gitlab-org/charts/gitlab!2528 (merged)).
- Resolve the hostname for the object storage provider and add it to the allow list.
- Allow `allow_local_network` for the import case?
/cc: @dskim_gitlab
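
A sketch of the second option above (resolve the object storage hostname and allow-list the result), added here as an illustration and not taken from GitLab's code. The helper names, the sample DNS answers and the IP addresses are constructed; the allow list is pinned per hostname so that another host resolving to the same private address is still blocked.

```ruby
require 'ipaddr'
require 'uri'

# Ranges this sketch treats as "local network" (RFC 1918, loopback, link-local).
PRIVATE_RANGES = %w[10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 169.254.0.0/16]
                 .map { |cidr| IPAddr.new(cidr) }.freeze

# Constructed DNS answers so the example runs offline. The first name stands in
# for a storage account behind a private endpoint.
SAMPLE_DNS = {
  'something.blob.core.windows.net' => ['10.1.2.4'],
  'files.storage.example'           => ['203.0.113.10'],
  'internal.example'                => ['10.1.2.4']
}.freeze
RESOLVER = ->(host) { SAMPLE_DNS.fetch(host, []) }

def private_ip?(ip)
  addr = IPAddr.new(ip)
  PRIVATE_RANGES.any? { |range| range.include?(addr) }
end

# Hypothetical helper: resolve the configured object storage host once and pin
# the answers to that hostname.
def build_allowlist(storage_host, resolver)
  { storage_host => resolver.call(storage_host) }
end

# Returns [allowed, reason]. A private address passes only when it was pinned
# for this exact hostname when the allow list was built.
def check_import_url(url, allowlist, resolver)
  host = URI.parse(url).host
  ips = resolver.call(host)
  return [false, 'unresolvable'] if ips.empty?

  pinned = allowlist.fetch(host, [])
  blocked = ips.find { |ip| private_ip?(ip) && !pinned.include?(ip) }
  blocked ? [false, "private address #{blocked}"] : [true, 'ok']
end
```

With an empty allow list the private-endpoint hostname is rejected, which is the behaviour this issue describes; a later DNS answer that differs from the pinned one is rejected as well.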