OCPBUGS-57603: Disallow cross subscription encryption sets

[rna-afk]

Since CAPZ does not support using encryption sets in a subscription not in the current subscription, adding a validation to return error if the subscriptions don't match.

[openshift-ci-robot]

@rna-afk: This pull request references Jira Issue OCPBUGS-57603, which is invalid:

• expected the bug to target the "4.22.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Since CAPZ does not support using encryption sets in a subscription not in the current subscription, adding a validation to return error if the subscriptions don't match.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[rna-afk]

/jira refresh

[openshift-ci-robot]

@rna-afk: This pull request references Jira Issue OCPBUGS-57603, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @jinyunma

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[jinyunma]

pre-merge test passed.

/verified by jima

[openshift-ci-robot]

@jinyunma: This PR has been marked as verified by jima.

Details

In response to this:

pre-merge test passed.

/verified by jima

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[patrickdillon]

Nice work figuring this out!

To summarize what we discussed: cross-subscription Disk Encryption Sets are not supported, but users can use a key vault from another subscription to create the DES.

Can you update the bug to indicate that as the recommended path for the bug reporter? It seems like that should immediately unblock them (although we will probably still need to deal with the managed key used to encrypt bootstrap ignition, but that is a separate bug).

I think there are a few more things we should do to improve the experience surrounding this API:

• I don't think we should deprecate the field (although I could be convinced), but we should generally discourage users from using it. Can you update the field doc text to indicate: "Azure does not support cross-subscription disk-encryption sets. By default, the subscription from the installer credentials will be used. Therefore, setting this field is unnecessary."
• Then we need to follow up on this promise of setting the defaults. We're already doing it in one place (more on that in a moment), but not in the machine manifests. Can you follow this pattern so that the default is set in the install config itself, and will be used everywhere:
  

  installer/pkg/asset/installconfig/installconfig.go

  Line 126 in 435db5e

  func (a *InstallConfig) finishGCP() error {

Basically you just need to create an Azure finish function wherfe if disk encryption is set, and subscription is empty, add the subscription from the creds.

• Finally we can simplify the one code instance where the default is set, because it will be redundant:

installer/pkg/asset/manifests/clustercsidriver.go

Lines 75 to 82 in 435db5e

	subscriptionID := platform.OSDisk.DiskEncryptionSet.SubscriptionID
	if subscriptionID == "" {
	session, err := installConfig.Azure.Session()
	if err != nil {
	return errors.Wrap(err, "could not get azure session")
	}
	subscriptionID = session.Credentials.SubscriptionID
	}

[jinyunma]

but users can use a key vault from another subscription to create the DES.

@patrickdillon I tested with az command, this is also disallowed in Azure.

What I tested:

1. created keyvault/key in subscription A, then created DES using this keyvault/key in subscription B, all of them were in the same region.
   Result: DES was created failed.

% az disk-encryption-set create -n $DISK_ENCRYPTION_SET_NAME -l $LOCATION -g $RESOURCEGROUP --source-vault $KEYVAULT_ID --key-url $KEYVAULT_KEY_URL
(InvalidParameter) The SubscriptionId:"53b8f551-f0fc-4bea-8cba-6d1fefd54c8a" of the request must match the SubscriptionId "8cbff7ff-5103-4cc2-b691-abbee101e1d0" contained in the Key Vault Id.
Code: InvalidParameter
Message: The SubscriptionId:"53b8f551-f0fc-4bea-8cba-6d1fefd54c8a" of the request must match the SubscriptionId "8cbff7ff-5103-4cc2-b691-abbee101e1d0" contained in the Key Vault Id.
Target: diskEncryptionSet.properties.activeKey.sourceVault.id

2. created keyvault/key/DES in subscription A, create VM in subscription B with DES configured.
   Result: VM created failed, same as bug description.

% az vm create --name jima-vm --resource-group jima-test-rg --image RedHat:RHEL:8-lvm-gen2:8.6.2022051814  --size Standard_D8s_v3 --admin-username core --ssh-key-values <key.pub> --os-disk-encryption-set $DES_RESOURCE_ID
{"status":"Failed","error":{"code":"DeploymentFailed","target":"/subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourceGroups/jima-test-rg/providers/Microsoft.Resources/deployments/vm_deploy_Imxll7mR1VkSg8NKFYQxkQ0v8HuEUWxv","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.","details":[{"code":"BadRequest","target":"CRP disk id 9bcbbd01-07b6-4c41-909b-626a2268230b","message":"DiskEncryptionSet '/subscriptions/8cbff7ff-5103-4cc2-b691-abbee101e1d0/resourceGroups/jima-test-rg/providers/Microsoft.Compute/diskEncryptionSets/jima-des' was not found."}]}}

So look like that Azure doc is misleading, that's not TRUE!
"Azure Key Vaults may be used from a different subscription but must be in the same region as your disk encryption set. "
DES, keyvault, VM and disk should be in the same subscription.

[patrickdillon]

@patrickdillon I tested with az command, this is also disallowed in Azure.

@jinyunma thank you for testing this crucial detail!

[jinyunma]

Currently, subscriptionID must be set, otherwise installer exited with error:

$ ./openshift-install create manifests --dir ipi4
INFO ipFamily is not specified in install-config; defaulting to "IPv4" 
ERROR failed to fetch Master Machines: failed to load asset "Install Config": failed to create install config: invalid "install-config.yaml" file: [controlPlane.platform.azure.defaultMachinePlatform.osDisk.diskEncryptionSet.subscriptionID: Required value: subscription ID is required, compute[0].platform.azure.defaultMachinePlatform.osDisk.diskEncryptionSet.subscriptionID: Required value: subscription ID is required] 

[coderabbitai]

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (1)

• do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: bf67ea37-cb5f-415e-92ec-c1958ad816fc

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Azure DiskEncryptionSet subscriptionId fields are now optional in the schema; InstallConfig defaulting fills missing Azure OSDisk subscription IDs from the Azure session; GetDiskEncryptionSet enforces same-subscription; validation gained region-aware DiskEncryptionSet checks; tests added for wrong-region DES cases.

Changes

Cohort / File(s)	Summary
CRD Schema Updates data/data/install.openshift.io_installconfigs.yaml	Removed subscriptionId from required lists and added descriptive text that the subscription must match the installer's resource-group subscription across Azure osDisk and securityProfile blocks.
Disk Encryption Type Definition pkg/types/azure/disk.go	Added +optional annotation and clarifying comment to DiskEncryptionSet.SubscriptionID indicating it must match the installer's subscription; no field type or JSON-tag changes.
Subscription Validation pkg/types/azure/validation/disk.go	Removed explicit non-empty check for diskEncryptionSet.SubscriptionID; validation now relies on the subscription-ID regex (empty values fail format validation).
Azure Client pkg/asset/installconfig/azure/client.go	GetDiskEncryptionSet now verifies that the requested subscriptionID matches the session subscription and returns an error for cross-subscription requests before fetching the resource.
InstallConfig Defaulting pkg/asset/installconfig/installconfig.go	Added unexported finishAzure() to populate missing Azure OSDisk.SubscriptionID values from the Azure session; finish() calls finishAzure() when Azure config is present.
Azure Validation Logic pkg/asset/installconfig/azure/validation.go	Added cluster-region-aware validation for DiskEncryptionSets, changed error reporting to use field paths, and extended validateConfidentialDiskEncryptionSet signature to accept clusterRegion (call sites updated).
Unit Tests pkg/asset/installconfig/azure/validation_test.go	Added tests and fixtures exercising wrong-region DiskEncryptionSet and ConfidentialVM DES scenarios for default machine pool, control plane, and computes; mocks updated to simulate region-mismatch returns.
Miscellaneous go.mod	Module deps updated (test-related changes referenced in tests).

Sequence Diagram(s)

sequenceDiagram
    participant InstallConfig
    participant finishAzure
    participant AzureSession
    participant AzureClient
    participant Validator
    InstallConfig->>finishAzure: call finishAzure()
    finishAzure->>AzureSession: request session.subscriptionID
    AzureSession-->>finishAzure: return session.subscriptionID
    finishAzure->>InstallConfig: populate missing OSDisk.SubscriptionID fields
    InstallConfig->>AzureClient: GetDiskEncryptionSet(requestedSubscriptionID)
    AzureClient->>AzureSession: compare requestedSubscriptionID vs session.subscriptionID
    alt mismatch
        AzureClient-->>InstallConfig: error (cross-subscription not supported)
    else match
        AzureClient-->>InstallConfig: return DiskEncryptionSet resource
        InstallConfig->>Validator: validateConfidentialDiskEncryptionSet(DES, clusterRegion)
        Validator-->>InstallConfig: error if DES.location != clusterRegion
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: preventing cross-subscription disk encryption sets in Azure.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names	✅ Passed	No Ginkgo test files or test code containing dynamic test names were modified in this PR.
Test Structure And Quality	✅ Passed	No Ginkgo test code found in PR; review not applicable.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[rna-afk]

@patrickdillon this looks weird... should we just remove it? and maybe make it optional in the backports?

[patrickdillon]

Agreed it looks weird. Unfortunately we can't just remove it, particularly with strict unmarshaling being reintroduced because previously valid install configs would stop working. We could deprecate it and then remove it in a future release (perhaps even 5.0)...

[openshift-ci-robot]

@rna-afk: This pull request references Jira Issue OCPBUGS-57603, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @jinyunma

Details

In response to this:

Since CAPZ does not support using encryption sets in a subscription not in the current subscription, adding a validation to return error if the subscriptions don't match.

Summary by CodeRabbit

• New Features

• Azure disk encryption now automatically defaults the subscription ID when not explicitly provided.

• Documentation

• Added clearer descriptions of subscription ID requirements for Azure disk encryption configuration.

• Changes

• Subscription ID validation for Azure disk encryption sets now enforces format validation only, allowing optional submission.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/asset/installconfig/azure/client.go`:
- Around line 321-323: The check in the Azure DES validation incorrectly treats
an empty subscriptionID as a mismatch; update the condition in the block that
compares c.ssn.Credentials.SubscriptionID with subscriptionID (used by
GetDiskEncryptionSet/ValidateDiskEncryptionSet) to only perform the comparison
if subscriptionID is non-empty (e.g., if subscriptionID != "" &&
c.ssn.Credentials.SubscriptionID != subscriptionID) so validation is skipped
when subscriptionID is omitted (as noted in finishAzure/DefaultMachinePlatform
behavior).

In `@pkg/asset/installconfig/installconfig.go`:
- Around line 168-178: finishAzure() dereferences nested fields without nil
checks; update it to first guard that a.Config.Azure and
a.Config.Azure.DefaultMachinePlatform are non-nil and that OSDisk and its
embedded DiskEncryptionSet pointer exist before accessing SubscriptionID, and
apply the same logic to the control plane and each compute pool
(a.Config.Azure.ControlPlane and range over a.Config.Azure.Compute) so any
OSDisk.DiskEncryptionSet with an empty SubscriptionID is filled from a single
session (session, err := a.Azure.Session()) and return errors as before;
reference symbols: finishAzure, a.Config.Azure.DefaultMachinePlatform, OSDisk,
DiskEncryptionSet, a.Config.Azure.ControlPlane, and a.Config.Azure.Compute.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 4c77b80e-3384-41cd-89d2-776d0942a22e

📥 Commits

Reviewing files that changed from the base of the PR and between 4006847 and f1fe0d6.

📒 Files selected for processing (5)

• data/data/install.openshift.io_installconfigs.yaml
• pkg/asset/installconfig/azure/client.go
• pkg/asset/installconfig/installconfig.go
• pkg/types/azure/disk.go
• pkg/types/azure/validation/disk.go

💤 Files with no reviewable changes (1)

• pkg/types/azure/validation/disk.go

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/asset/installconfig/azure/client.go`:
- Around line 321-323: The current raw string comparison between
c.ssn.Credentials.SubscriptionID and subscriptionID rejects identical UUIDs with
different hex casing; update the check in the function containing that logic to
perform a case-insensitive comparison using strings.EqualFold (replace the !=
comparison between c.ssn.Credentials.SubscriptionID and subscriptionID with
strings.EqualFold to determine inequality), ensuring you import the strings
package if not already imported and preserve the existing error message when the
comparison fails.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 60892231-fe72-4a9e-a547-269a2d97fdd1

📥 Commits

Reviewing files that changed from the base of the PR and between f1fe0d6 and e349614.

📒 Files selected for processing (5)

• data/data/install.openshift.io_installconfigs.yaml
• pkg/asset/installconfig/azure/client.go
• pkg/asset/installconfig/installconfig.go
• pkg/types/azure/disk.go
• pkg/types/azure/validation/disk.go

💤 Files with no reviewable changes (1)

• pkg/types/azure/validation/disk.go

🚧 Files skipped from review as they are similar to previous changes (1)

• data/data/install.openshift.io_installconfigs.yaml

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

data/data/install.openshift.io_installconfigs.yaml (1)

477-482: ⚠️ Potential issue | 🟡 Minor

Document the new defaulting behavior for optional subscriptionId.

These descriptions explain the same-subscription constraint, but not the fact that subscriptionId is now optional. Since the installer defaults an omitted value from the current Azure subscription, the schema/docs should say that explicitly; otherwise this still reads like a field users are expected to populate manually.

Suggested wording

 SubscriptionID defines the Azure subscription the disk encryption
 set is in.
-Must be the same subscription ID as the resource group of the installer.
+If omitted, the installer uses the subscription ID of the installer's resource group.
+If set, it must match the subscription ID of the installer's resource group.

Also applies to: 521-526, 2038-2043, 2083-2088, 3537-3542, 3581-3586, 5504-5509, 5548-5553

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@data/data/install.openshift.io_installconfigs.yaml` around lines 477 - 482,
Update the subscriptionId schema descriptions to state that the field is
optional and, if omitted, the installer will default it to the current Azure
subscription ID; specifically change the description for the subscriptionId
property (the YAML key "subscriptionId" in the installconfigs schema) to mention
that it is optional and will be populated from the installer’s current Azure
subscription and that it must match the resource group's subscription when
provided; apply the same wording change to the other subscriptionId occurrences
referenced in the comment (the repeated subscriptionId schema entries).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/asset/installconfig/installconfig.go`:
- Around line 169-193: finishAzure currently calls a.Azure.Session()
unconditionally which can surface Azure auth errors even when no
DiskEncryptionSet SubscriptionID needs defaulting; modify finishAzure to first
scan a.Config (check a.Config.Azure.DefaultMachinePlatform.OSDisk,
a.Config.ControlPlane.Platform.Azure.OSDisk, and each
compute.Platform.Azure.OSDisk) to detect any DiskEncryptionSet != nil with empty
SubscriptionID and only then call a.Azure.Session(); if no such target exists,
skip opening the session and return nil; when using session, set SubscriptionID
on the matching places exactly as done today.

---

Outside diff comments:
In `@data/data/install.openshift.io_installconfigs.yaml`:
- Around line 477-482: Update the subscriptionId schema descriptions to state
that the field is optional and, if omitted, the installer will default it to the
current Azure subscription ID; specifically change the description for the
subscriptionId property (the YAML key "subscriptionId" in the installconfigs
schema) to mention that it is optional and will be populated from the
installer’s current Azure subscription and that it must match the resource
group's subscription when provided; apply the same wording change to the other
subscriptionId occurrences referenced in the comment (the repeated
subscriptionId schema entries).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 2af10a4f-88bf-4db5-a254-cfc40d1fb652

📥 Commits

Reviewing files that changed from the base of the PR and between e349614 and da76179.

📒 Files selected for processing (5)

• data/data/install.openshift.io_installconfigs.yaml
• pkg/asset/installconfig/azure/client.go
• pkg/asset/installconfig/installconfig.go
• pkg/types/azure/disk.go
• pkg/types/azure/validation/disk.go

💤 Files with no reviewable changes (1)

• pkg/types/azure/validation/disk.go

🚧 Files skipped from review as they are similar to previous changes (2)

• pkg/asset/installconfig/azure/client.go
• pkg/types/azure/disk.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Defer Azure session creation until a DES subscription actually needs defaulting.

a.Azure.Session() is now called unconditionally on Line 171, but finish() invokes this helper before validation.ValidateInstallConfig() runs. That means an Azure auth/session failure can mask normal install-config validation errors even when no DES SubscriptionID needs to be filled. Please compute whether any target OSDisk has DiskEncryptionSet != nil && SubscriptionID == "" first, and only then open the session once.

Proposed fix

 func (a *InstallConfig) finishAzure() error {
 	defaultConfig := a.Config.Azure.DefaultMachinePlatform
-	session, err := a.Azure.Session()
-	if err != nil {
-		return err
-	}
+	needsSession := defaultConfig != nil &&
+		defaultConfig.OSDisk.DiskEncryptionSet != nil &&
+		defaultConfig.OSDisk.SubscriptionID == ""
+
+	needsSession = needsSession || (a.Config.ControlPlane != nil &&
+		a.Config.ControlPlane.Platform.Azure != nil &&
+		a.Config.ControlPlane.Platform.Azure.OSDisk.DiskEncryptionSet != nil &&
+		a.Config.ControlPlane.Platform.Azure.OSDisk.SubscriptionID == "")
+
+	for _, compute := range a.Config.Compute {
+		needsSession = needsSession || (compute.Platform.Azure != nil &&
+			compute.Platform.Azure.OSDisk.DiskEncryptionSet != nil &&
+			compute.Platform.Azure.OSDisk.SubscriptionID == "")
+	}
+
+	if !needsSession {
+		return nil
+	}
+
+	session, err := a.Azure.Session()
+	if err != nil {
+		return err
+	}
 	if defaultConfig != nil && defaultConfig.OSDisk.DiskEncryptionSet != nil &&
 		defaultConfig.OSDisk.DiskEncryptionSet.SubscriptionID == "" {
 		a.Config.Azure.DefaultMachinePlatform.OSDisk.SubscriptionID = session.Credentials.SubscriptionID
 	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/asset/installconfig/installconfig.go` around lines 169 - 193, finishAzure
currently calls a.Azure.Session() unconditionally which can surface Azure auth
errors even when no DiskEncryptionSet SubscriptionID needs defaulting; modify
finishAzure to first scan a.Config (check
a.Config.Azure.DefaultMachinePlatform.OSDisk,
a.Config.ControlPlane.Platform.Azure.OSDisk, and each
compute.Platform.Azure.OSDisk) to detect any DiskEncryptionSet != nil with empty
SubscriptionID and only then call a.Azure.Session(); if no such target exists,
skip opening the session and return nil; when using session, set SubscriptionID
on the matching places exactly as done today.

[jinyunma]

typo? should be !strings.EqualFold() to check for mismatch?

[rna-afk]

ugh yeah thanks! Fixed

[jinyunma]

@rna-afk I did pre-merge test with the latest commit, all look good now except following issue.
When creating disk encryption set and cluster resource group in different region, installation failed with error:

INFO Waiting up to 20m0s (until 8:14AM UTC) for machines [jima13a-vgdm7-bootstrap jima13a-vgdm7-master-0 jima13a-vgdm7-master-1 jima13a-vgdm7-master-2] to provision... 
INFO Gathering conditions for apiVersion=infrastructure.cluster.x-k8s.io/v1beta1, kind=AzureMachine, namespace=openshift-cluster-api-guests, name=jima13a-vgdm7-bootstrap 
INFO Checking conditions for apiVersion=infrastructure.cluster.x-k8s.io/v1beta1, kind=AzureMachine, namespace=openshift-cluster-api-guests, name=jima13a-vgdm7-bootstrap 
WARNING Condition Ready has status: "False", reason: "Failed", message: "virtualmachine failed to create or update. err: failed to create or update resource jima13a-vgdm7-rg/jima13a-vgdm7-bootstrap (service: virtualmachine): PUT https://management.azure.com/subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourceGroups/jima13a-vgdm7-rg/providers/Microsoft.Compute/virtualMachines/jima13a-vgdm7-bootstrap\n--------------------------------------------------------------------------------\nRESPONSE 400: 400 Bad Request\nERROR CODE: BadRequest\n--------------------------------------------------------------------------------\n{\n  \"error\": {\n    \"code\": \"BadRequest\",\n    \"message\": \"DiskEncryptionSet '/subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourceGroups/jima-test-rg/providers/Microsoft.Compute/diskEncryptionSets/jima-des' was not found.\",\n    \"target\": \"/subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourceGroups/jima13a-vgdm7-rg/providers/Microsoft.Compute/disks/jima13a-vgdm7-bootstrap_OSDisk\"\n  }\n}\n--------------------------------------------------------------------------------\n" 

So DES and cluster should be in same region (also described in Azure doc), it's better to have validation for this case, wdyt?

[openshift-ci-robot]

@rna-afk: This pull request references Jira Issue OCPBUGS-57603, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @jinyunma

Details

In response to this:

Since CAPZ does not support using encryption sets in a subscription not in the current subscription, adding a validation to return error if the subscriptions don't match.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

pkg/asset/installconfig/installconfig.go (1)

169-174: Consider deferring session creation until actually needed.

The Azure session is created unconditionally, but it's only needed when a DiskEncryptionSet exists with an empty SubscriptionID. Creating the session eagerly could surface Azure auth errors even when no DES needs defaulting.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/asset/installconfig/installconfig.go` around lines 169 - 174, In
finishAzure, avoid creating the Azure session unconditionally; only call
a.Azure.Session() when you actually need it while defaulting DiskEncryptionSet
subscription IDs. Move the session creation (a.Azure.Session()) into the branch
where you detect a non-nil DiskEncryptionSet with an empty SubscriptionID
(inspect a.Config.Azure.DefaultMachinePlatform and its DiskEncryptionSet
entries), create the session there, and use it to look up the subscription ID;
ensure proper error handling and that session is not referenced elsewhere before
it's initialized.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/asset/installconfig/installconfig.go`:
- Around line 175-178: The code is assigning the subscription ID to
a.Config.Azure.DefaultMachinePlatform.OSDisk.SubscriptionID while the condition
and validation expect defaultConfig.OSDisk.DiskEncryptionSet.SubscriptionID;
update the assignment so it sets
a.Config.Azure.DefaultMachinePlatform.OSDisk.DiskEncryptionSet.SubscriptionID =
session.Credentials.SubscriptionID (i.e., assign into the
DiskEncryptionSet.SubscriptionID field of the default machine platform OSDisk
rather than the OSDisk.SubscriptionID field) so the populated value is used by
validation.
- Around line 180-185: The code is incorrectly assigning SubscriptionID to
a.Config.ControlPlane.Platform.Azure.OSDisk.SubscriptionID instead of to the
disk encryption set; change the assignment so that when
a.Config.ControlPlane.Platform.Azure.OSDisk.DiskEncryptionSet != nil you set
a.Config.ControlPlane.Platform.Azure.OSDisk.DiskEncryptionSet.SubscriptionID =
session.Credentials.SubscriptionID (keeping the existing nil checks and only
assigning when the DiskEncryptionSet.SubscriptionID is empty).
- Around line 187-192: The loop over a.Config.Compute mistakenly assigns
session.Credentials.SubscriptionID to
compute.Platform.Azure.OSDisk.SubscriptionID when DiskEncryptionSet is present;
instead, update compute.Platform.Azure.OSDisk.DiskEncryptionSet.SubscriptionID.
In the loop that checks compute.Platform.Azure.OSDisk.DiskEncryptionSet != nil,
change the condition and assignment to verify DiskEncryptionSet.SubscriptionID
== "" and set DiskEncryptionSet.SubscriptionID =
session.Credentials.SubscriptionID (keeping the existing null checks for
compute.Platform.Azure and OSDisk intact) so the encryption set gets the
subscription ID rather than the OSDisk.

---

Nitpick comments:
In `@pkg/asset/installconfig/installconfig.go`:
- Around line 169-174: In finishAzure, avoid creating the Azure session
unconditionally; only call a.Azure.Session() when you actually need it while
defaulting DiskEncryptionSet subscription IDs. Move the session creation
(a.Azure.Session()) into the branch where you detect a non-nil DiskEncryptionSet
with an empty SubscriptionID (inspect a.Config.Azure.DefaultMachinePlatform and
its DiskEncryptionSet entries), create the session there, and use it to look up
the subscription ID; ensure proper error handling and that session is not
referenced elsewhere before it's initialized.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3a241dc7-687f-47f6-853f-b9d02879ed58

📥 Commits

Reviewing files that changed from the base of the PR and between 0a37f49 and 1c17342.

📒 Files selected for processing (7)

• data/data/install.openshift.io_installconfigs.yaml
• pkg/asset/installconfig/azure/client.go
• pkg/asset/installconfig/azure/validation.go
• pkg/asset/installconfig/azure/validation_test.go
• pkg/asset/installconfig/installconfig.go
• pkg/types/azure/disk.go
• pkg/types/azure/validation/disk.go

💤 Files with no reviewable changes (1)

• pkg/types/azure/validation/disk.go

🚧 Files skipped from review as they are similar to previous changes (3)

• pkg/types/azure/disk.go
• pkg/asset/installconfig/azure/client.go
• data/data/install.openshift.io_installconfigs.yaml

[patrickdillon]

/approve
/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: patrickdillon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [patrickdillon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jinyunma]

/verified by jima

[openshift-ci-robot]

@jinyunma: This PR has been marked as verified by jima.

Details

In response to this:

/verified by jima

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@rna-afk: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-azurestack	ac4e89b	link	false	/test e2e-azurestack
ci/prow/e2e-azure-ovn-shared-vpc	ac4e89b	link	false	/test e2e-azure-ovn-shared-vpc

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

@rna-afk: Jira Issue Verification Checks: Jira Issue OCPBUGS-57603
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-57603 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

Since CAPZ does not support using encryption sets in a subscription not in the current subscription, adding a validation to return error if the subscriptions don't match.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-robot]

Fix included in accepted release 4.22.0-0.nightly-2026-03-19-202824