[release-4.22] OCPBUGS-92656: e2e/ccm-aws-ote: support to dual-stack IPv6 primary

[redhat-chai-bot]

Summary

Backport of PR #466 to release-4.22 — adds dual-stack IPFamilyPolicy support and upstream test skips to the OTE (OpenShift Tests Extension) for AWS CCM.

Changes

Ported to the 4.22 OTE structure under cmd/cloud-controller-manager-aws-tests-ext/:

• e2e/helper.go — Added GetCloudConfig(), isConfigPresentCloudConfig(), and IsDualStack() helpers for dual-stack detection via cloud-config ConfigMap
• e2e/loadbalancer.go — In createServiceNLB(), reads cloud-config and sets IPFamilyPolicy: RequireDualStack when the cluster is dual-stack
• main.go — Detects dual-stack IPv6-primary and conditionally excludes [cloud-provider-aws-e2e] loadbalancer upstream specs

Testing

Local: go build, go test, go vet, gofmt all pass.
CI: periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-installer-dualstack-ipv6-primary-techpreview

Fixes: https://redhat.atlassian.net/browse/OCPBUGS-92656
Backport of: #466

[openshift-ci-robot]

@redhat-chai-bot: This pull request references Jira Issue OCPBUGS-92656, which is invalid:

• expected Jira Issue OCPBUGS-92656 to depend on a bug targeting a version in 5.0.0 and in one of the following states: MODIFIED, ON_QA, VERIFIED, but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Summary

Backport of PR #466 to release-4.22 — adds dual-stack IPFamilyPolicy support and upstream test skips to the OTE (OpenShift Tests Extension) for AWS CCM.

Changes

Ported to the 4.22 OTE structure under cmd/cloud-controller-manager-aws-tests-ext/:

• e2e/helper.go — Added GetCloudConfig(), isConfigPresentCloudConfig(), and IsDualStack() helpers for dual-stack detection via cloud-config ConfigMap
• e2e/loadbalancer.go — In createServiceNLB(), reads cloud-config and sets IPFamilyPolicy: RequireDualStack when the cluster is dual-stack
• main.go — Detects dual-stack IPv6-primary and conditionally excludes [cloud-provider-aws-e2e] loadbalancer upstream specs

Testing

Local: go build, go test, go vet, gofmt all pass.
CI: periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-installer-dualstack-ipv6-primary-techpreview

Fixes: https://redhat.atlassian.net/browse/OCPBUGS-92656
Backport of: #466

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: adf54856-daea-4852-843d-5fbe3a5de33a

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[tthvo]

/retitle [release-4.22] OCPBUGS-92656: e2e/ccm-aws-ote: support to dual-stack IPv6 primary

[tthvo]

/jira refresh

[openshift-ci-robot]

@tthvo: This pull request references Jira Issue OCPBUGS-92656, which is valid. The bug has been moved to the POST state.

7 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)
• release note type set to "Release Note Not Required"
• dependent bug Jira Issue OCPBUGS-86299 is in the state Verified, which is one of the valid states (MODIFIED, ON_QA, VERIFIED)
• dependent Jira Issue OCPBUGS-86299 targets the "5.0.0" version, which is one of the valid target versions: 5.0.0
• bug has dependents

Requesting review from QA contact:
/cc @tthvo

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[redhat-chai-bot]

/payload-job periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-installer-dualstack-ipv4-primary-techpreview

[redhat-chai-bot]

/payload-job periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-installer-dualstack-ipv6-primary-techpreview

[openshift-ci]

@redhat-chai-bot: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-installer-dualstack-ipv4-primary-techpreview

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/b21259f0-70d8-11f1-9c11-0f826c26e1cd-0

[openshift-ci]

@redhat-chai-bot: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-installer-dualstack-ipv6-primary-techpreview

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/b22322d0-70d8-11f1-9362-7796f69c0964-0

[mtulio]

/assign

[redhat-chai-bot]

CI Test Analysis — [cloud-provider-aws-e2e Tests Summary

🔑 Dualstack IPv6-Primary Payload Job (results)

All 8 [cloud-provider-aws-e2e tests PASSED ✅ — the backport is working correctly in dualstack IPv6-primary:

Test	Result
[cloud-provider-aws-e2e] nodes should label nodes with topology network info if instance is supported	✅ Passed
[cloud-provider-aws-e2e] nodes should set zone-id topology label	✅ Passed
[cloud-provider-aws-e2e-openshift] loadbalancer NLB ... should create NLB service with security group attached	✅ Passed
[cloud-provider-aws-e2e-openshift] loadbalancer NLB ... should cleanup security groups when service is deleted	✅ Passed
[cloud-provider-aws-e2e-openshift] loadbalancer NLB ... should have correct security group rules for service ports	✅ Passed
[cloud-provider-aws-e2e-openshift] loadbalancer NLB ... should have NLBSecurityGroupMode with 'Managed' value in cloud-config	✅ Passed
[cloud-provider-aws-e2e-openshift] loadbalancer NLB ... should have security groups attached to default ingress controller NLB	✅ Passed
[cloud-provider-aws-e2e-openshift] loadbalancer NLB ... should update security group rules when service is updated	✅ Passed

Upstream loadbalancer tests were correctly excluded in the dualstack IPv6-primary environment (CLB/NLB default, target-node-labels, hairpinning) — this validates the skip logic from this backport.

Job overall status: failure — but the failures are unrelated to the CCCMO backport:

• [sig-network][Feature:EgressFirewall] — egress firewall test (sig-network)
• [sig-network][OCPFeatureGate:DNSNameResolver][Feature:EgressFirewall] — wildcard DNS egress firewall (sig-network)
• [sig-apps] poddisruptionbudgets ... AlwaysAllow/IfHealthyBudget — PDB tests (sig-apps)
• [Feature:NetworkSegmentation] ... UDN service — (informing/non-blocking)

📋 Regular e2e-aws-ovn Presubmit (results)

All 13 [cloud-provider-aws-e2e tests accounted for — 12 passed, 1 correctly skipped:

• ✅ [cloud-provider-aws-e2e] loadbalancer NLB should be reachable with default configurations — Passed
• ✅ [cloud-provider-aws-e2e] loadbalancer NLB should be reachable with target-node-labels — Passed
• ✅ [cloud-provider-aws-e2e] loadbalancer NLB internal should be reachable with hairpinning traffic — Passed
• ✅ [cloud-provider-aws-e2e] loadbalancer CLB should be reachable with default configurations — Passed
• ✅ [cloud-provider-aws-e2e] loadbalancer CLB internal should be reachable with hairpinning traffic — Passed
• ✅ [cloud-provider-aws-e2e] nodes should label nodes with topology network info — Passed
• ✅ [cloud-provider-aws-e2e] nodes should set zone-id topology label — Passed
• ✅ 5x [cloud-provider-aws-e2e-openshift] loadbalancer NLB ... security group tests — Passed
• ⏭️ [cloud-provider-aws-e2e-openshift] ... should have security groups attached to default ingress controller NLB — Skipped (default ingress uses CLB, not NLB — expected)

✅ Conclusion

The backport is functioning as designed:

1. Dualstack IPv6-primary: Upstream [cloud-provider-aws-e2e] loadbalancer specs are correctly excluded; all openshift-specific downstream tests pass with IPFamilyPolicy: RequireDualStack.
2. Regular e2e-aws-ovn: All upstream and downstream loadbalancer tests run and pass (no regression).
3. All job failures in the dualstack run are unrelated to this PR (sig-network egress firewall, sig-apps PDB tests).

---

Analysis generated by Chai Bot from this Slack thread.

[redhat-chai-bot]

Addendum: Dualstack IPv4-Primary Payload Job Results

📋 Dualstack IPv4-Primary (results)

All 13 [cloud-provider-aws-e2e tests PASSED ✅ — including all upstream loadbalancer tests:

Category	Tests	Result
Upstream NLB	NLB should be reachable with default configurations, NLB should be reachable with target-node-labels, NLB internal should be reachable with hairpinning traffic	✅ All Passed
Upstream CLB	CLB should be reachable with default configurations, CLB internal should be reachable with hairpinning traffic	✅ All Passed
Upstream Node topology	nodes should label nodes with topology network info, nodes should set zone-id topology label	✅ All Passed
Openshift NLB Security Groups	should create NLB service with security group attached, should cleanup security groups when service is deleted, should have correct security group rules for service ports, should have NLBSecurityGroupMode with 'Managed' value, should update security group rules when service is updated, should have security groups attached to default ingress controller NLB	✅ All Passed

Key observation: Unlike the IPv6-primary job (where upstream LB tests were correctly excluded), the IPv4-primary job ran all upstream loadbalancer tests and they all passed. This is the expected behavior — the skip logic only activates for dualstack IPv6-primary environments.

Job overall status: failure — but the failures are identical to the IPv6-primary job and unrelated to the CCCMO backport:

• [sig-network][Feature:EgressFirewall] — egress firewall test (sig-network)
• [sig-network][OCPFeatureGate:DNSNameResolver][Feature:EgressFirewall] — wildcard DNS egress firewall (sig-network)
• [Feature:NetworkSegmentation] ... UDN service — (informing/non-blocking)

✅ Updated Cross-Job Summary

Job	CCM Tests	Upstream LB Tests	Job Failures
Dualstack IPv6-primary	8/8 passed ✅	Correctly excluded (skip logic works)	Unrelated (egress firewall, PDB)
Dualstack IPv4-primary	13/13 passed ✅	All ran and passed (IPFamilyPolicy: RequireDualStack works)	Unrelated (egress firewall, UDN)
Regular e2e-aws-ovn	12/12 passed, 1 expected skip ✅	All ran and passed (no regression)	N/A (passed)

The backport is validated across all three environments. No regressions detected.

---

Analysis generated by Chai Bot from this Slack thread.

[openshift-ci]

@tthvo: This PR was included in a payload test run from openshift/origin#31337
trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-installer-dualstack-ipv6-primary-techpreview

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/c57fbe80-7103-11f1-98bb-8108ddbaad73-0

[openshift-ci]

@tthvo: This PR was included in a payload test run from openshift/origin#31337
trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-installer-dualstack-ipv4-primary-techpreview

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/d832e250-7103-11f1-912f-104aeb182365-0

[sadasu]

/lgtm

[sadasu]

/label backport-risk-assessed

[sadasu]

/verified by CI

See https://pr-payload-tests.ci.openshift.org/runs/ci/d832e250-7103-11f1-912f-104aeb182365-0

[openshift-ci-robot]

@sadasu: This PR has been marked as verified by CI.

Details

In response to this:

/verified by CI

See https://pr-payload-tests.ci.openshift.org/runs/ci/d832e250-7103-11f1-912f-104aeb182365-0

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@sadasu: The label(s) backport-risk-assessed cannot be applied or removed, because you are not in one of the allowed teams and are not an allowed user. Must be a member of one of these teams: openshift-patch-managers, openshift-release-oversight, openshift-staff-engineers, openshift-sustaining-engineers, openshift-team-cloud

Details

In response to this:

/label backport-risk-assessed

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[mtulio]

Still checking other jobs impacted by this change, plan to finish EOD.

/hold

@sadasu: The label(s) backport-risk-assessed cannot be applied or removed, because you are not in one of the allowed teams and are not an allowed user. Must be a member of one of these teams: openshift-patch-managers, openshift-release-oversight, openshift-staff-engineers, openshift-sustaining-engineers, openshift-team-cloud

Nolan/Dam, would you mind applying the label backport-risk-assessed here, please?

/assign @nrb @damdo

[mtulio]

/verified by CI by CCM-AWS OTE-provided tests (prefix [cloud-provider-aws-e2e) passing:

Dual-stack jobs:

• Primary IPv6: [release-4.22] OCPBUGS-92656: e2e/ccm-aws-ote: support to dual-stack IPv6 primary #480 (comment): ✅
• Primary IPv4 running regular: [release-4.22] OCPBUGS-92656: e2e/ccm-aws-ote: support to dual-stack IPv6 primary #480 (comment) : ✅

Regular AWS jobs must run tests regularly:

• e2e-aws-ovn: ✅

/lgtm
/approve

[openshift-ci-robot]

@mtulio: This PR has been marked as verified by CI by CCM-AWS OTE-provided tests (prefix [cloud-provider-aws-e2e) passing:.

Details

In response to this:

/verified by CI by CCM-AWS OTE-provided tests (prefix [cloud-provider-aws-e2e) passing:

Dual-stack jobs:

• Primary IPv6: [release-4.22] OCPBUGS-92656: e2e/ccm-aws-ote: support to dual-stack IPv6 primary #480 (comment): ✅
• Primary IPv4 running regular: [release-4.22] OCPBUGS-92656: e2e/ccm-aws-ote: support to dual-stack IPv6 primary #480 (comment) : ✅

Regular AWS jobs must run tests regularly:

• e2e-aws-ovn: ✅

/lgtm
/approve

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[mtulio]

/hold cancel

[mtulio]

OWNERs file for OTE is not updated in 4.22 branch. Asking in cloud team's channel for approvals.

[nrb]

/approve
/label backport-risk-assessed

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mtulio, nrb

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [nrb]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@redhat-chai-bot: Jira Issue Verification Checks: Jira Issue OCPBUGS-92656
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-92656 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

Summary

Backport of PR #466 to release-4.22 — adds dual-stack IPFamilyPolicy support and upstream test skips to the OTE (OpenShift Tests Extension) for AWS CCM.

Changes

Ported to the 4.22 OTE structure under cmd/cloud-controller-manager-aws-tests-ext/:

• e2e/helper.go — Added GetCloudConfig(), isConfigPresentCloudConfig(), and IsDualStack() helpers for dual-stack detection via cloud-config ConfigMap
• e2e/loadbalancer.go — In createServiceNLB(), reads cloud-config and sets IPFamilyPolicy: RequireDualStack when the cluster is dual-stack
• main.go — Detects dual-stack IPv6-primary and conditionally excludes [cloud-provider-aws-e2e] loadbalancer upstream specs

Testing

Local: go build, go test, go vet, gofmt all pass.
CI: periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-installer-dualstack-ipv6-primary-techpreview

Fixes: https://redhat.atlassian.net/browse/OCPBUGS-92656
Backport of: #466

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.