CORS-4352: aws: validations to ensure install-config is valid for dualstack install

[tthvo]

This PR added validations to ensure the install-config fields are valid in order to install a dualstack cluster. The following validations are performed when ipFamily is dualstack:

Scope	Details	Notes
Instance type	The type must now be Nitro-based in order to support IPv6 HTTP IMDS Endpoint and IPv6 Route53 resolver. Most modern instance types are Nitro-based anyway
BYO subnets	Existing subnets must have an associated IPv6 CIDR and it must be contained in one of the networking.machineNetwork	This means the users must provide either a VPC or all provided subnet IPv6 CIDRs in the machineNetwork field
Edge compute pool	Edge compute pool supports BYO subnets in Local zones only. That means the installer cannot auto-provision dualstack edge subnets and Wavelength zone, according to AWS, does not support IPv6 at the moment	The user can provision a secondary IPv6 CIDR to the VPC in the local zone network border and create dualstack local-zone subnets

For local zones, the following zones support IPv6, according to AWS docs:

The following Local Zones support IPv6: us-east-1-atl-2a, us-east-1-chi-2a, us-east-1-dfw-2a, us-east-1-iah-2a, us-east-1-mia-2a, us-east-1-nyc-2a, us-west-2-lax-1a, us-west-2-lax-1b, and us-west-2-phx-2a.

/label platform/aws

Summary by CodeRabbit

• New Features

  • Enhanced IPv6 dual-stack networking with automatic IPv6 CIDR detection and validation.
  • Instance type metadata now exposes hypervisor information.

• Bug Fixes

  • Strengthened dual-stack validation, including edge/wavelength constraints and subnet containment checks.
  • Enforced IPv6 and Nitro-related instance type requirements and improved subnet IPv6 CIDR handling.

[openshift-ci-robot]

@tthvo: This pull request references CORS-4352 which is a valid jira issue.

Details

In response to this:

This PR added validations to ensure the install-config fields are valid in order to install a dualstack cluster. The following validations are performed when ipFamily is dualstack:

Scope	Details	Notes
Instance type	The type must now be Nitro-based in order to support IPv6 HTTP IMDS Endpoint and IPv6 Route53 resolver. Most modern instance types are Nitro-based anyway
BYO subnets	Existing subnets must have an associated IPv6 CIDR and it must be contained in one of the networking.machineNetwork	This means the users must provide either a VPC or all provided subnet IPv6 CIDRs in the machineNetwork field
Edge compute pool	Edge compute pool supports BYO subnets in Local zones only. That means the installer cannot auto-provision dualstack edge subnets and Wavelength zone, according to AWS, does not support IPv6 at the moment	The user can provision a secondary IPv6 CIDR to the VPC in the local zone network border and create dualstack local-zone subnets

/label platform/aws

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

Adds Hypervisor to InstanceType and IPv6CIDR to Subnet; refactors AWS subnet and dual‑stack validation to use subnetType constants and combined IPv4/IPv6 CIDR checks; enforces IPv6/Nitro constraints for compute and edge pools; expands tests for dual‑stack and hypervisor scenarios.

Changes

Cohort / File(s)	Summary
Data Structure Enhancements pkg/asset/installconfig/aws/instancetypes.go, pkg/asset/installconfig/aws/subnet.go	Added exported field Hypervisor string to InstanceType and IPv6CIDR string to Subnet; populate Hypervisor from SDK type info and IPv6CIDR from subnet IPv6 CIDR association.
Validation Refactor & Dual‑Stack Logic pkg/asset/installconfig/aws/validation.go	Introduced subnetType constants; replaced per‑subnet IPv4 checks with combined IPv4/IPv6 CIDR validation (validateSubnetCIDRs); added CIDR containment helper; added dual‑stack awareness and Nitro/IPv6 requirements for compute and edge pool validations.
Tests & Test Helpers pkg/asset/installconfig/aws/validation_test.go	Extended test vectors to include Hypervisor values; added validDualstackSubnets and withDualStackMachineNetworks helpers; added tests for dual‑stack, Nitro vs non‑Nitro instance types, and edge/wavelength subnet constraints.
Manifest / Dependencies go.mod	Updated module dependencies referenced by the changes and tests.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 46.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: adding validations to ensure install-config is valid for dual-stack installations on AWS, which matches the primary objective across all modified files.
Stable And Deterministic Test Names	✅ Passed	Test file maintains stable and deterministic test names with static descriptive strings and no dynamic content like timestamps, UUIDs, or fmt.Sprintf formatting.
Test Structure And Quality	✅ Passed	The validation_test.go file uses standard Go table-driven testing, not Ginkgo, so Ginkgo quality requirements do not apply.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign patrickdillon for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• pkg/asset/installconfig/aws/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[tthvo]

/cc @sadasu

[openshift-ci-robot]

@tthvo: This pull request references CORS-4352 which is a valid jira issue.

Details

In response to this:

This PR added validations to ensure the install-config fields are valid in order to install a dualstack cluster. The following validations are performed when ipFamily is dualstack:

Scope	Details	Notes
Instance type	The type must now be Nitro-based in order to support IPv6 HTTP IMDS Endpoint and IPv6 Route53 resolver. Most modern instance types are Nitro-based anyway
BYO subnets	Existing subnets must have an associated IPv6 CIDR and it must be contained in one of the networking.machineNetwork	This means the users must provide either a VPC or all provided subnet IPv6 CIDRs in the machineNetwork field
Edge compute pool	Edge compute pool supports BYO subnets in Local zones only. That means the installer cannot auto-provision dualstack edge subnets and Wavelength zone, according to AWS, does not support IPv6 at the moment	The user can provision a secondary IPv6 CIDR to the VPC in the local zone network border and create dualstack local-zone subnets

/label platform/aws

Summary by CodeRabbit

• New Features

• Enhanced IPv6 dual-stack networking support with automatic CIDR block detection and validation.

• Improved instance type metadata to include hypervisor information.

• Bug Fixes

• Strengthened validation for dual-stack configurations with edge deployments and instance type compatibility checks.

• Enhanced subnet configuration validation with IPv6 CIDR block support.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

🧹 Nitpick comments (1)

pkg/asset/installconfig/aws/validation_test.go (1)

2322-2328: Consider adding Hypervisor field to m6a.xlarge for consistency.

The m6a.xlarge instance type is missing the Hypervisor field, while all other instance types now include it. Although m6a.xlarge is currently only used for SEV-SNP tests and not dual-stack tests, adding the field maintains consistency and prevents potential issues if this type is used in future dual-stack test scenarios.

Proposed fix

 		"m6a.xlarge": {
 			DefaultVCpus: 4,
 			MemInMiB:     16384,
 			Arches:       []string{string(ec2types.ArchitectureTypeX8664)},
+			Hypervisor:   string(ec2types.InstanceTypeHypervisorNitro),
 			Features:     []string{"amd-sev-snp"},
 		},

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/asset/installconfig/aws/validation_test.go` around lines 2322 - 2328, Add
the missing Hypervisor field to the m6a.xlarge instance map entry so it matches
other entries; edit the map entry for "m6a.xlarge" in
pkg/asset/installconfig/aws/validation_test.go and add a Hypervisor key with the
same value used by other AMD/SEV-SNP instance entries (for example "nitro") to
maintain consistency and prevent future dual-stack/test issues.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@pkg/asset/installconfig/aws/validation_test.go`:
- Around line 2322-2328: Add the missing Hypervisor field to the m6a.xlarge
instance map entry so it matches other entries; edit the map entry for
"m6a.xlarge" in pkg/asset/installconfig/aws/validation_test.go and add a
Hypervisor key with the same value used by other AMD/SEV-SNP instance entries
(for example "nitro") to maintain consistency and prevent future dual-stack/test
issues.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 948a71d4-64e3-43a2-9387-9232f7eaca31

📥 Commits

Reviewing files that changed from the base of the PR and between dea68b7 and 97f73bf.

📒 Files selected for processing (4)

• pkg/asset/installconfig/aws/instancetypes.go
• pkg/asset/installconfig/aws/subnet.go
• pkg/asset/installconfig/aws/validation.go
• pkg/asset/installconfig/aws/validation_test.go

[openshift-ci-robot]

@tthvo: This pull request references CORS-4352 which is a valid jira issue.

Details

In response to this:

This PR added validations to ensure the install-config fields are valid in order to install a dualstack cluster. The following validations are performed when ipFamily is dualstack:

Scope	Details	Notes
Instance type	The type must now be Nitro-based in order to support IPv6 HTTP IMDS Endpoint and IPv6 Route53 resolver. Most modern instance types are Nitro-based anyway
BYO subnets	Existing subnets must have an associated IPv6 CIDR and it must be contained in one of the networking.machineNetwork	This means the users must provide either a VPC or all provided subnet IPv6 CIDRs in the machineNetwork field
Edge compute pool	Edge compute pool supports BYO subnets in Local zones only. That means the installer cannot auto-provision dualstack edge subnets and Wavelength zone, according to AWS, does not support IPv6 at the moment	The user can provision a secondary IPv6 CIDR to the VPC in the local zone network border and create dualstack local-zone subnets

For local zones, the following zones support IPv6, according to AWS docs:

The following Local Zones support IPv6: us-east-1-atl-2a, us-east-1-chi-2a, us-east-1-dfw-2a, us-east-1-iah-2a, us-east-1-mia-2a, us-east-1-nyc-2a, us-west-2-lax-1a, us-west-2-lax-1b, and us-west-2-phx-2a.

/label platform/aws

Summary by CodeRabbit

• New Features

• Enhanced IPv6 dual-stack networking support with automatic CIDR block detection and validation.

• Improved instance type metadata to include hypervisor information.

• Bug Fixes

• Strengthened validation for dual-stack configurations with edge deployments and instance type compatibility checks.

• Enhanced subnet configuration validation with IPv6 CIDR block support.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@tthvo: This pull request references CORS-4352 which is a valid jira issue.

Details

In response to this:

This PR added validations to ensure the install-config fields are valid in order to install a dualstack cluster. The following validations are performed when ipFamily is dualstack:

Scope	Details	Notes
Instance type	The type must now be Nitro-based in order to support IPv6 HTTP IMDS Endpoint and IPv6 Route53 resolver. Most modern instance types are Nitro-based anyway
BYO subnets	Existing subnets must have an associated IPv6 CIDR and it must be contained in one of the networking.machineNetwork	This means the users must provide either a VPC or all provided subnet IPv6 CIDRs in the machineNetwork field
Edge compute pool	Edge compute pool supports BYO subnets in Local zones only. That means the installer cannot auto-provision dualstack edge subnets and Wavelength zone, according to AWS, does not support IPv6 at the moment	The user can provision a secondary IPv6 CIDR to the VPC in the local zone network border and create dualstack local-zone subnets

For local zones, the following zones support IPv6, according to AWS docs:

The following Local Zones support IPv6: us-east-1-atl-2a, us-east-1-chi-2a, us-east-1-dfw-2a, us-east-1-iah-2a, us-east-1-mia-2a, us-east-1-nyc-2a, us-west-2-lax-1a, us-west-2-lax-1b, and us-west-2-phx-2a.

/label platform/aws

Summary by CodeRabbit

• New Features

• Enhanced IPv6 dual-stack networking with automatic IPv6 CIDR detection and validation.

• Instance type metadata now exposes hypervisor information.

• Bug Fixes

• Strengthened dual-stack validation, including edge/wavelength constraints and subnet containment checks.

• Enforced IPv6 and Nitro-related instance type requirements and improved subnet IPv6 CIDR handling.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

🧹 Nitpick comments (1)

pkg/asset/installconfig/aws/validation_test.go (1)

418-458: Add one IPv6-primary containment failure case.

Line 2609 adds an IPv6-primary branch by reversing MachineNetwork, but every new BYO dual-stack subnet case here still uses withDualStackMachineNetworks(network.DualStackIPv4Primary) and only exercises the “missing IPv6 CIDR” path. That leaves the IPv6-primary ordering and the “subnet IPv6 CIDR is outside networking.machineNetwork” validation untested. A single negative case with network.DualStackIPv6Primary and one out-of-range subnet IPv6CIDR would close both gaps.

Also applies to: 500-556, 2609-2620

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/asset/installconfig/aws/validation_test.go` around lines 418 - 458, Add a
new negative test case beside the existing dual-stack BYO subnet tests that
switches the machine network ordering to IPv6-primary by calling
icBuild.withDualStackMachineNetworks(network.DualStackIPv6Primary) (and keep
withIPFamily(network.DualStackIPv4Primary) or appropriate IPFamily), and supply
a BYO subnet in SubnetGroups (use mergeSubnets like the other cases) whose IPv6
CIDR is intentionally outside the configured networking.machineNetwork; set
withVPCSubnetIDs to include that subnet ID and assert expectErr matches the
containment-failure message for IPv6 CIDR being outside
networking.machineNetwork (the same style as the existing expectErr regex for
missing IPv6 CIDR) so the validation for DualStackIPv6Primary and out-of-range
IPv6 CIDR is exercised.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@pkg/asset/installconfig/aws/validation_test.go`:
- Around line 418-458: Add a new negative test case beside the existing
dual-stack BYO subnet tests that switches the machine network ordering to
IPv6-primary by calling
icBuild.withDualStackMachineNetworks(network.DualStackIPv6Primary) (and keep
withIPFamily(network.DualStackIPv4Primary) or appropriate IPFamily), and supply
a BYO subnet in SubnetGroups (use mergeSubnets like the other cases) whose IPv6
CIDR is intentionally outside the configured networking.machineNetwork; set
withVPCSubnetIDs to include that subnet ID and assert expectErr matches the
containment-failure message for IPv6 CIDR being outside
networking.machineNetwork (the same style as the existing expectErr regex for
missing IPv6 CIDR) so the validation for DualStackIPv6Primary and out-of-range
IPv6 CIDR is exercised.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 2469be9e-555e-4554-ba58-f30c615f5b6b

📥 Commits

Reviewing files that changed from the base of the PR and between 97f73bf and 262ce8d.

📒 Files selected for processing (1)

• pkg/asset/installconfig/aws/validation_test.go

[tthvo]

/retest-required

[openshift-ci]

@tthvo: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ovn-edge-zones	262ce8d	link	false	/test e2e-aws-ovn-edge-zones
ci/prow/e2e-aws-ovn-shared-vpc-edge-zones	262ce8d	link	false	/test e2e-aws-ovn-shared-vpc-edge-zones
ci/prow/e2e-aws-ovn-rhcos10-devpreview	262ce8d	link	false	/test e2e-aws-ovn-rhcos10-devpreview
ci/prow/e2e-aws-ovn-fips	262ce8d	link	false	/test e2e-aws-ovn-fips
ci/prow/e2e-aws-ovn-heterogeneous	262ce8d	link	false	/test e2e-aws-ovn-heterogeneous

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[tthvo]

/testwith openshift/installer/main/e2e-aws-ovn-dualstack-ipv6-primary-techpreview #10353

/testwith openshift/installer/main/e2e-aws-ovn-dualstack-ipv4-primary-techpreview #10353