CORS-4387: Promote AWS DualStack to Default

[sadasu]

Also make it available in OKD.

[openshift-ci-robot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci]

Hello @sadasu! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: ec9bf4bd-b0e6-4572-86e1-174bf3606d89

📥 Commits

Reviewing files that changed from the base of the PR and between d87d63a and cb81693.

⛔ Files ignored due to path filters (5)

• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-OKD.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-OKD.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• openapi/openapi.json is excluded by !openapi/**

📒 Files selected for processing (13)

• config/v1/tests/infrastructures.config.openshift.io/AAA_ungated.yaml
• config/v1/tests/infrastructures.config.openshift.io/AWSDualStackInstall.yaml
• features.md
• features/features.go
• machineconfiguration/v1/tests/controllerconfigs.machineconfiguration.openshift.io/AWSDualStackInstall.yaml
• payload-manifests/crds/0000_10_config-operator_01_infrastructures-Default.crd.yaml
• payload-manifests/crds/0000_10_config-operator_01_infrastructures-OKD.crd.yaml
• payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml
• payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-OKD.crd.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml

---

📝 Walkthrough

Walkthrough

This pull request introduces AWS dual-stack IP family configuration support. Changes include adding an ipFamily field to AWS platform specifications in multiple CRDs with IPv4, DualStackIPv6Primary, and DualStackIPv4Primary enum values and immutability validation. The AWSDualStackInstall feature gate is enabled across Default and OKD deployment types via updated feature gate manifests and code conditions. Related test YAML files are updated to reflect new expected platform status fields and disabled feature gates, while documentation is updated to reflect the expanded feature gate availability.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.11.4)

Error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented
The command is terminated due to an error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign joelspeed for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[qodo-code-review]

Review Summary by Qodo

Promote AWS DualStack to Default and enable in OKD

✨ Enhancement

Walkthroughs

Description

• Promote AWSDualStackInstall feature gate to default in OCP and OKD
• Enable feature in both Default and OKD product scopes
• Add ipFamily field to AWS platform status with validation
• Remove cloudLoadBalancerConfig from test expectations
• Fix indentation in FeatureGateConfidentialCluster definition

Diagram

flowchart LR
  A["AWSDualStackInstall Feature Gate"] -->|"Enable in Default"| B["Default Product Scope"]
  A -->|"Enable in OKD"| C["OKD Product Scope"]
  B -->|"Add ipFamily field"| D["AWS Platform Status"]
  C -->|"Add ipFamily field"| D
  D -->|"Validation Rules"| E["Immutable, IPv4/DualStack options"]

Loading

File Changes

1. features/features.go ✨ Enhancement +8/-8

Enable AWSDualStackInstall in Default and OKD

features/features.go

---

2. config/v1/tests/infrastructures.config.openshift.io/AAA_ungated.yaml 🧪 Tests +2/-0

Add ipFamily field to AWS platform status

config/v1/tests/infrastructures.config.openshift.io/AAA_ungated.yaml

---

3. config/v1/tests/infrastructures.config.openshift.io/AWSDualStackInstall.yaml 🧪 Tests +1/-8

Update test cases for dual-stack configuration

config/v1/tests/infrastructures.config.openshift.io/AWSDualStackInstall.yaml

---

View more (15)

4. config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml ⚙️ Configuration changes +15/-0

Add ipFamily property to AWS infrastructure CRD

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml

---

5. config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-OKD.crd.yaml ⚙️ Configuration changes +15/-0

Add ipFamily property to AWS infrastructure CRD

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-OKD.crd.yaml

---

6. features.md 📝 Documentation +1/-1

Update feature gate status documentation

features.md

---

7. machineconfiguration/v1/tests/controllerconfigs.machineconfiguration.openshift.io/AWSDualStackInstall.yaml 🧪 Tests +1/-4

Update controller config test cases

machineconfiguration/v1/tests/controllerconfigs.machineconfiguration.openshift.io/AWSDualStackInstall.yaml

---

8. machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml ⚙️ Configuration changes +15/-0

Add ipFamily property to controller config CRD

machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml

---

9. machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-OKD.crd.yaml ⚙️ Configuration changes +15/-0

Add ipFamily property to controller config CRD

machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-OKD.crd.yaml

---

10. openapi/openapi.json ✨ Enhancement +245/-1

Add PacemakerCluster v1 API definitions

openapi/openapi.json

---

11. payload-manifests/crds/0000_10_config-operator_01_infrastructures-Default.crd.yaml ⚙️ Configuration changes +15/-0

Add ipFamily property to infrastructure CRD

payload-manifests/crds/0000_10_config-operator_01_infrastructures-Default.crd.yaml

---

12. payload-manifests/crds/0000_10_config-operator_01_infrastructures-OKD.crd.yaml ⚙️ Configuration changes +15/-0

Add ipFamily property to infrastructure CRD

payload-manifests/crds/0000_10_config-operator_01_infrastructures-OKD.crd.yaml

---

13. payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml ⚙️ Configuration changes +15/-0

Add ipFamily property to controller config CRD

payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml

---

14. payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-OKD.crd.yaml ⚙️ Configuration changes +15/-0

Add ipFamily property to controller config CRD

payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-OKD.crd.yaml

---

15. payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml ⚙️ Configuration changes +3/-3

Move AWSDualStackInstall to enabled features

payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml

---

16. payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml ⚙️ Configuration changes +3/-3

Move AWSDualStackInstall to enabled features

payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml

---

17. payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml ⚙️ Configuration changes +3/-3

Move AWSDualStackInstall to enabled features

payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml

---

18. payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml ⚙️ Configuration changes +3/-3

Move AWSDualStackInstall to enabled features

payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml

---

[qodo-code-review]

Code Review by Qodo

🐞 Bugs (1)   📘 Rule violations (1)   📎 Requirement gaps (0)   🎨 UX Issues (0)

🐞\ ≡ Correctness (1)

📘\ ⚙ Maintainability (1)

1. ipFamily docs omit constraints 📘 ⚙

Description

The new ipFamily schema includes a default, an enum, and an immutability
x-kubernetes-validations rule, but its description does not document the default/allowed values
or the immutability constraint. This violates the requirement that validation marker semantics be
documented in field comments/user-facing docs.

Code

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml[R1188-1202]

+                      ipFamily:
+                        default: IPv4
+                        description: |-
+                          ipFamily specifies the IP protocol family that should be used for AWS
+                          network resources. This controls whether AWS resources are created with
+                          IPv4-only, or dual-stack networking with IPv4 or IPv6 as the primary
+                          protocol family.
+                        enum:
+                        - IPv4
+                        - DualStackIPv6Primary
+                        - DualStackIPv4Primary
+                        type: string
+                        x-kubernetes-validations:
+                        - message: ipFamily is immutable once set
+                          rule: oldSelf == '' || self == oldSelf

Evidence

PR Compliance ID 5 requires that fields with kubebuilder validation markers have comments
documenting the markers’ semantics (default behavior, enum values, and validation rules). The added
ipFamily schema shows default, enum, and an immutability validation rule, but the
description text does not state the default value behavior, enumerate the valid values, or mention
immutability.

AGENTS.md
config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml[1188-1202]
machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml[1480-1494]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The `ipFamily` field’s schema adds `default`, `enum`, and an immutability `XValidation`, but the user-facing field documentation does not describe:
- what happens when the field is omitted (defaulting)
- the allowed enum values (and what each means)
- that the value is immutable once set

## Issue Context
This is surfaced in generated CRD/OpenAPI documentation, so missing details violate the requirement that validation marker semantics be documented.

## Fix Focus Areas
- config/v1/types_infrastructure.go[567-577]
- config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml[1188-1202]
- config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-OKD.crd.yaml[1188-1202]
- machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml[1480-1494]
- machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-OKD.crd.yaml[1480-1494]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

2. ipFamily default locks value 🐞 ≡

Description

The Infrastructure AWS status field ipFamily is defaulted to IPv4 and validated as immutable, so any
create/update that omits ipFamily will persist IPv4 and subsequently reject attempts to set
DualStack* values. This creates a write-once/ordering trap: once the default is applied, the API
prevents later correction to a DualStack value.

Code

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml[R1188-1202]

+                      ipFamily:
+                        default: IPv4
+                        description: |-
+                          ipFamily specifies the IP protocol family that should be used for AWS
+                          network resources. This controls whether AWS resources are created with
+                          IPv4-only, or dual-stack networking with IPv4 or IPv6 as the primary
+                          protocol family.
+                        enum:
+                        - IPv4
+                        - DualStackIPv6Primary
+                        - DualStackIPv4Primary
+                        type: string
+                        x-kubernetes-validations:
+                        - message: ipFamily is immutable once set
+                          rule: oldSelf == '' || self == oldSelf

Evidence

The Default Infrastructure CRD adds ipFamily with a server-side default of IPv4 and an immutability
validation rule, so once ipFamily becomes IPv4 (including via defaulting) it cannot be changed. The
AWSDualStackInstall test suite explicitly demonstrates that omitting ipFamily results in it being
defaulted to IPv4 in stored status, confirming that an omission will persist the default and
therefore lock out later DualStack updates.

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml[1184-1202]
config/v1/tests/infrastructures.config.openshift.io/AWSDualStackInstall.yaml[18-66]
config/v1/types_infrastructure.go[567-577]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`status.platformStatus.aws.ipFamily` is both **defaulted** to `IPv4` and marked **immutable once set**. This combination makes the default “sticky”: any object created/updated without explicitly setting `ipFamily` will have `IPv4` persisted, and subsequent updates to a `DualStack*` value will be rejected.

## Issue Context
This field is intended to control AWS networking family selection. With a persisted default and immutability, the system effectively requires that any DualStack install set `ipFamily` correctly on the *very first* write that causes defaulting; otherwise it becomes permanently locked to IPv4.

## How to fix
Choose one of the following (in priority order):
1. **Remove the API default** for `ipFamily` (keep it logically defaulting to IPv4 in consuming components) so omitting the field does not persist a value that later blocks explicit DualStack selection.
2. Or **adjust the immutability rule** to permit transitioning from an implicitly defaulted IPv4 to an explicit DualStack value during an initial configuration window (if such a window exists in your API semantics).

After changing the source markers, regenerate CRD/openapi artifacts.

## Fix Focus Areas
- config/v1/types_infrastructure.go[567-577]
- config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml[1184-1202]
- payload-manifests/crds/0000_10_config-operator_01_infrastructures-Default.crd.yaml[1184-1202]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

ⓘ The new review experience is currently in Beta. Learn more

[qodo-code-review]

1. ipfamily docs omit constraints 📘 Rule violation ⚙ Maintainability

The new ipFamily schema includes a default, an enum, and an immutability
x-kubernetes-validations rule, but its description does not document the default/allowed values
or the immutability constraint. This violates the requirement that validation marker semantics be
documented in field comments/user-facing docs.

Agent Prompt

## Issue description
The `ipFamily` field’s schema adds `default`, `enum`, and an immutability `XValidation`, but the user-facing field documentation does not describe:
- what happens when the field is omitted (defaulting)
- the allowed enum values (and what each means)
- that the value is immutable once set

## Issue Context
This is surfaced in generated CRD/OpenAPI documentation, so missing details violate the requirement that validation marker semantics be documented.

## Fix Focus Areas
- config/v1/types_infrastructure.go[567-577]
- config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml[1188-1202]
- config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-OKD.crd.yaml[1188-1202]
- machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml[1480-1494]
- machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-OKD.crd.yaml[1480-1494]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

[nrb]

This sounds like a legitimate issue to me

[patrickdillon]

Right. I think this is just saying the comment should contain something like:

// Valid values are "IPv4", "DualStackIPv4Primary", and "DualStackIPv6Primary". When omitted, the default value is "IPv4".

It's also outside the scope of this PR, so I would consider it more of a nice to have

[openshift-ci-robot]

@sadasu: This pull request references CORS-4387 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Also make it available in OKD.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[sadasu]

/jira refresh

[openshift-ci-robot]

@sadasu: This pull request references CORS-4387 which is a valid jira issue.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@sadasu: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/verify-feature-promotion	cb81693	link	true	/test verify-feature-promotion

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[everettraven]

Checking the promotion verification results, it looks like:

• There is no HyperShift testing - is this feature supported on HyperShift?
• There are two tests that aren't meeting the pass/run criteria:
  • install should succeed: overall - looks like there is a known component readiness regression causing problems in TPNU only here that is probably dropping that just below the 95% threshold. Seems reasonable to override to me.
  • install should succeed: post check - looks like only 4 runs, is this test related to this feature?

I also noticed openshift/release#76769 - this seems like testing that we would want to make sure is in place and has captured sufficient runs prior to promoting?

[patrickdillon]

* There is no HyperShift testing - is this feature supported on HyperShift?

It's not in the plan to support this in hypershift, so no. But it's a good question: hypershift should be able to take advantage of this work. On the other hand I'm sure further work is required to enable it, so we will move forward with no hypershift support.

I also noticed openshift/release#76769 - this seems like testing that we would want to make sure is in place and has captured sufficient runs prior to promoting?

Exactly. This is the only testing that is actually exercising the AWS Dual Stack functionality, so the other test failures/results are mostly noise... We have been running these tests in various forms, analyzing the test failures and fix tech debt in the e2e tests for a while now. openshift/release#76769 should merge today and we can accumulate some results quickly with gangway. Overall the feature is stable, and well tested.