azure: enhance storage account security in podvm-image-handler

Add security hardening to Azure storage account creation in the VHD upload process:
- Enforce minimum TLS version 1.2
- Disable cross-tenant object replication
- Disable public network access
- Enforce HTTPS-only connections
- Disable public blob access

These changes ensure the temporary storage accounts used for VHD uploads comply with Azure security best practices and organizational security policies.

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
Signed-off-by: Pradipta Banerjee <[email protected]>

Author: bpradipt

config/peerpods/podvm/azure-podvm-image-handler.sh

@@ -530,13 +530,24 @@ function upload_vhd_image() {
     [[ -z "${vhd_path}" ]] && error_exit "VHD path is empty"
 
     # Create a storage account if it doesn't exist
+    # Storage account is created with security best practices:
+    # - Minimum TLS version 1.2
+    # - Cross-tenant replication disabled
+    # - Public network access disabled
+    # - HTTPS-only enforced
+    # - Public blob access disabled
     STORAGE_ACCOUNT_NAME="podvmartifacts$(date +%s)"
     az storage account create \
         --name "${STORAGE_ACCOUNT_NAME}" \
         --resource-group "${AZURE_RESOURCE_GROUP}" \
         --location "${AZURE_REGION}" \
         --sku Standard_LRS \
-        --encryption-services blob ||
+        --encryption-services blob \
+        --min-tls-version TLS1_2 \
+        --allow-cross-tenant-replication false \
+        --public-network-access Disabled \
+        --allow-blob-public-access false \
+        --https-only true ||
         error_exit "Failed to create the storage account"
 
     # Get storage account key