Feature Request: Support for Public Access Control and Minimum TLS Version in EventHub Namespace

[jedi0606]

Feature Description
Currently, the Azure Service Operator (ASO) does not support configuring public network access and minimum TLS version for EventHub Namespace resources. These settings are critical for security and compliance, and their absence requires additional workarounds.

Use Case
Security Compliance: Many organizations require disabling public access and enforcing TLS 1.2 or higher to meet security policies.
Automation & IaC: Users should be able to manage these settings declaratively using ASO, rather than relying on external scripts post-deployment.
Consistency: Azure supports these configurations via ARM templates, Terraform, and Azure CLI, but ASO currently lacks them.
Current Behavior & Workaround
Attempting to set publicNetworkAccess and minimumTlsVersion in ASO’s Namespace CRD results in warnings that these fields are unknown:

spec:
  publicNetworkAccess: Disabled
  minimumTlsVersion: "1.2"

Warning: unknown field "spec.minimumTlsVersion"
Warning: unknown field "spec.publicNetworkAccess"

As a workaround, users must execute an az eventhubs namespace update command after ASO has deployed the EventHub resource:

az eventhubs namespace update \
  --resource-group <RESOURCE_GROUP> \
  --name <EVENT_HUB_NAMESPACE> \
  --set publicNetworkAccess=Disabled minimumTlsVersion="1.2"

This additional step defeats the purpose of ASO managing the resource entirely.

Proposed Solution
Modify the EventHub Namespace CRD (namespace.eventhub.azure.com/v1api20211101) to support:

spec:
publicNetworkAccess: Disabled # Allowed values: Enabled, Disabled
minimumTlsVersion: "1.2" # Allowed values: "1.0", "1.2"

ARM Documentation Reference
EventHub Namespace (Microsoft.EventHub/namespaces) ARM Template Docs
publicNetworkAccess
minimumTlsVersion

Additional Information
ASO Version: 2.7.0
Kubernetes Version: 1.29.9

Current Workaround: Running az eventhubs namespace update manually after ASO deploys the EventHub.
Would it be possible to include this feature in an upcoming ASO release? Let me know if you need additional details!

[theunrepentantgeek]

Availability of resource features is controlled by the API version - in the current release of ASO, all EventHub resources are at version 2021-11-01.

Fortunately, we've already completed work for the next release of ASO to bring in EventHub resources at version 2024-01-01 - and a review of the documentation shows that both minimumTlsVersion and publicNetworkAccess are supported.

When this is released, you'll need to update the version for your resources from v1api20211101 to v1api20240101.

If you want to try this out prior to the official release, we have the experimental release available for dev/test use.

[jedi0606]

@theunrepentantgeek Thank you for your reply. In this case, I will use a workaround for now (scripts), and then upgrade the ASO version when it is released.