OCPBUGS-86552: azure: Add field in installconfig to disallow shared access key

[rna-afk]

Since this needs to be backported to earlier versions, adding a
field to disallow shared access key if necessary.

Made the field negative type field to have the default be enabled for
shared key access for earlier versions.

[openshift-ci-robot]

@rna-afk: This pull request references Jira Issue OCPBUGS-86552, which is invalid:

• expected dependent Jira Issue OCPBUGS-82068 to target a version in 4.21.0, 4.21.z, but it targets "4.21" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Since this needs to be backported to earlier versions, adding a
field to disallow shared access key if necessary.

Made the field negative type field to have the default be enabled for
shared key access for earlier versions.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: f15c3d63-4663-4933-b1a9-3c8ddc12c6e5

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[rna-afk]

/jira refresh

[openshift-ci-robot]

@rna-afk: This pull request references Jira Issue OCPBUGS-86552, which is invalid:

• expected dependent Jira Issue OCPBUGS-82068 to target a version in 4.21.0, 4.21.z, but it targets "4.21" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[rna-afk]

/jira refresh

[openshift-ci-robot]

@rna-afk: This pull request references Jira Issue OCPBUGS-86552, which is valid. The bug has been moved to the POST state.

7 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.20.z) matches configured target version for branch (4.20.z)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)
• release note text is set and does not match the template
• dependent bug Jira Issue OCPBUGS-82068 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
• dependent Jira Issue OCPBUGS-82068 targets the "4.21.z" version, which is one of the valid target versions: 4.21.0, 4.21.z
• bug has dependents

Requesting review from QA contact:
/cc @jinyunma

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@openshift-ci-robot: GitHub didn't allow me to request PR reviews from the following users: jinyunma.

Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs.

Details

In response to this:

@rna-afk: This pull request references Jira Issue OCPBUGS-86552, which is valid. The bug has been moved to the POST state.

7 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.20.z) matches configured target version for branch (4.20.z)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)
• release note text is set and does not match the template
• dependent bug Jira Issue OCPBUGS-82068 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
• dependent Jira Issue OCPBUGS-82068 targets the "4.21.z" version, which is one of the valid target versions: 4.21.0, 4.21.z
• bug has dependents

Requesting review from QA contact:
/cc @jinyunma

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[rna-afk]

/cherry-pick release-4.19

[openshift-cherrypick-robot]

@rna-afk: once the present PR merges, I will cherry-pick it on top of release-4.19 in a new PR and assign it to you.

Details

In response to this:

/cherry-pick release-4.19

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[patrickdillon]

/approve
/label backport-risk-assessed

This LGTM, but I don't think we can verify this from existing CI testing and I haven't tested locally. I would like to try to add this to the main job and a step in ci to output resources. Will follow up.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: patrickdillon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [patrickdillon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[rna-afk]

/verified by me locally. Seems to work

[openshift-ci-robot]

@rna-afk: This PR has been marked as verified by me locally. Seems to work.

Details

In response to this:

/verified by me locally. Seems to work

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[sadasu]

I have a few comments inline. I understand that this is a backport and the current version of the fix exists in 5.0, 4.22 and 4.21.

[openshift-ci]

@rna-afk: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-azurestack	f5d6c80	link	false	/test e2e-azurestack
ci/prow/e2e-azure-default-config	f5d6c80	link	false	/test e2e-azure-default-config
ci/prow/e2e-azure-ovn-shared-vpc	f5d6c80	link	false	/test e2e-azure-ovn-shared-vpc
ci/prow/azure-private	f5d6c80	link	false	/test azure-private

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[sadasu]

/lgtm

Thanks for addressing my comments.

[rna-afk]

/verified by me

[openshift-ci-robot]

@rna-afk: This PR has been marked as verified by me.

Details

In response to this:

/verified by me

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@rna-afk: Jira Issue Verification Checks: Jira Issue OCPBUGS-86552
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-86552 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

Since this needs to be backported to earlier versions, adding a
field to disallow shared access key if necessary.

Made the field negative type field to have the default be enabled for
shared key access for earlier versions.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-cherrypick-robot]

@rna-afk: new pull request created: #10653

Details

In response to this:

/cherry-pick release-4.19

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-merge-robot]

Fix included in release 4.20.0-0.nightly-2026-06-24-204339