CORS-4180: Allow AWS and Azure as platforms that support dual-stack on Day-0

[sadasu]

1. Added AWS and Azure as platforms that support DualStack on Day-0
2. Added AWS, Azure and OpenStack as platforms that do not support conversion to DualStack on Day-2.
3. Updated tests to reflect the newly supported platforms and when they support DualStack.
4. Currently DualStack for AWS and Azure are behind featuregates. Updated to check that these featuregates are enabled before DualStack support is extended to these platforms.

[openshift-ci-robot]

@sadasu: This pull request references CORS-4180 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.

In response to this:

1. Added AWS and Azure as platforms that support DualStack on Day-0
2. Added AWS, Azure and OpenStack as platforms that do not support conversion to DualStack on Day-2.
3. Updated tests to reflect the newly supported platforms and when they support DualStack.

Developed with Cursor.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@sadasu: This pull request references CORS-4180 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.

In response to this:

1. Added AWS and Azure as platforms that support DualStack on Day-0
2. Added AWS, Azure and OpenStack as platforms that do not support conversion to DualStack on Day-2.
3. Updated tests to reflect the newly supported platforms and when they support DualStack.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[sadasu]

/retest-required

[patrickdillon]

This looks good to me. AWS tests are failing to find a lease... i think we're hitting ci infra problems.

[sadasu]

/retest-required

[openshift-ci-robot]

@sadasu: This pull request references CORS-4180 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.

In response to this:

1. Added AWS and Azure as platforms that support DualStack on Day-0
2. Added AWS, Azure and OpenStack as platforms that do not support conversion to DualStack on Day-2.
3. Updated tests to reflect the newly supported platforms and when they support DualStack.
4. Currently DualStack for AWS and Azure are behind featuregates. Updated to check that these featuregates are enabled before DualStack support is extended to these platforms.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[sadasu]

/jira-refresh

[sadasu]

/retest-required

[jhixson74]

/cc

[jhixson74]

/retest-required

[jhixson74]

/retest-required

[tthvo]

/retest

[jhixson74]

/lgtm

[tthvo]

Should we move the function to earlier in the func Render so that any rendering, if any later on, can always pick up the most up-to-date list of supported dualstack platform?

[tthvo]

question: Previously, only OpenStack is rejected. Just wondering if we confirmed this is OK?

[tthvo]

The code comments seem to indicate so, but I have 0 clue 😞

[sadasu]

This is the "allow" list so it contains the list of platforms that allow conversion to DualStack on Day-2. The code earlier was looking at OpenStack platform as the reject list. It could be implemented either ways.

[tthvo]

Oh sounds good! I was just unsure if there are any other platforms that allow dualstack, which is not yet accounted for here...

[tthvo]

Maybe another rebase?

[tthvo]

/lgtm

[tthvo]

@sadasu this is added in the Render function is, I believe, is called when rendering manifests for bootstrap.

This means when the cluster-network-operator is running in the cluster, such function is not called, right? And the list is not modified at all?

[tthvo]

/lgtm cancel

Pending question above 👀

[tthvo]

I think we should have the function isSupportedDualStackPlatform keeps the list of supported platforms (i.e. both static and feature-gated items), instead of having a global variable and modifying them at runtime.

WDYT?

[tthvo]

Whoops, nvmind... It is also called during reconcilation 😓 so its fine. Please ignore it :D

[kyrtapz]

Thanks @sadasu!
There are a few changes we need to make and I think we should be good.

[kyrtapz]

I don't like the fact that we are modifying the global variable through this function. My proposal is to set the supported platforms as part of the bootstrap.InfraStatus and read it from there. Same applies to conversionToDualStackPlatforms.

[sadasu]

@kyrtapz happy to make that change but I am not sure how future proof that is. As long as the dualStackPlatforms is in place, we run the risk of someone using that global instead of the InfraStatus.

[kyrtapz]

With the change I proposed we should get rid of the global dualStackPlatforms variable.

[sadasu]

@kyrtapz and @tthvo I have added a WIP commit that gets rid of the global dualStackPlatforms but doesn't use InfraStatus. With InfraStatus, I found the blast radius to be too large for what we want to achieve here. PTAL and provide feedback.

[tthvo]

Thanks @sadasu!

The new approach makes sense to me and it worked when testing with openshift/installer#9930. Though obviously I am not the expert here, maybe @kyrtapz can have the final thought 🙏

[kyrtapz]

Calling it here would mean adding elements to dualStackPlatforms every time Render is called, we cannot do that.

Edit: this isn't a problem since we use a set. I still don't like the fact that it tries to modify the global variable so often.

[kyrtapz]

I know you didn't introduce this but we can simplify the code and ditch the else if since the if returns.
something like this:

if !isSupportedDualStackPlatform(infraRes.PlatformType) {
    return ...
}
if !isConversionSupportedDualStackPlatform(infraRes.PlatformType) {
    return ...
}

[coderabbitai]

Walkthrough

Go module versions were bumped. Feature-gate support for dual-stack was added and propagated through controllers, validation, rendering, and tests by threading a featureGates parameter and replacing static dual-stack platform checks with feature-gate-aware logic.

Changes

Cohort / File(s)	Summary
Dependency updates go.mod	Bumped multiple Go modules and OpenShift-related module versions (golang.org/x/, github.com/openshift/). No new direct dependencies or removals beyond version bumps.
Controller: clusterconfig pkg/controller/clusterconfig/clusterconfig_controller.go	Add and newReconciler accept featureGates; ReconcileClusterConfig struct gains featureGates field; validation calls pass feature gates.
Controller: operconfig pkg/controller/operconfig/cluster.go	Calls to ValidateClusterConfig updated to pass r.featureGates.
Network validation core pkg/network/cluster_config.go	ValidateClusterConfig and validateClusterConfig signatures updated to accept featureGates; dual-stack platform check now uses feature-gate-aware helper; removed unused strings import.
Network validation tests pkg/network/cluster_config_test.go	Tests updated to construct and pass featureGates; added helpers like getFeatureGatesWithDualStack() and getFeatureGatesWithIncompleteDualStack(); adjusted expected error messages.
Rendering logic pkg/network/render.go	Replaced static dual-stack platform set with feature-gate-aware isSupportedDualStackPlatform(platformType, featureGates) and added isConversionToDualStackSupported(platformType) for migration checks; updated related logic and messages.
Rendering tests pkg/network/render_test.go	Added getDefaultFeatureGatesWithDualStack() helper; renamed a test to TestAllowMigrationOnlyForSupportedTypes; removed unused strings import and updated error expectations to match new messages.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

• Inspect pkg/network/render.go changes closely: ensure the distinction between conversion support (isConversionToDualStackSupported) and installation/support (isSupportedDualStackPlatform) is correct.
• Verify feature-gate propagation consistency across clusterconfig, operconfig, and network call sites.
• Confirm test adjustments reflect new messages and feature-gate behavior without losing diagnostic clarity.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 05d6f46 and 2dffbc8.

⛔ Files ignored due to path filters (179)

• go.sum is excluded by !**/*.sum
• vendor/github.com/openshift/api/.golangci.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/Makefile is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/OWNERS is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1/types_apiserver.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1/types_authentication.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1/types_cluster_operator.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1/types_cluster_version.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1/types_infrastructure.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/console/v1/types_console_cli_download.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/console/v1/types_console_link.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/console/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/features.md is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/features/features.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/features/legacyfeaturegates.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/imageregistry/v1/types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/imageregistry/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/legacyconfig/v1/types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/legacyconfig/v1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machine/v1/types_controlplanemachineset.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machine/v1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machine/v1beta1/types_machinehealthcheck.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machineconfiguration/v1/types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machineconfiguration/v1/types_machineconfignode.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machineconfiguration/v1/types_machineosbuild.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machineconfiguration/v1/types_machineosconfig.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machineconfiguration/v1alpha1/register.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machineconfiguration/v1alpha1/types_machineosbuild.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machineconfiguration/v1alpha1/types_machineosconfig.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machineconfiguration/v1alpha1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machineconfiguration/v1alpha1/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machineconfiguration/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/operator/v1/types_ingress.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-CustomNoUpgrade.crd.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-Default.crd.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-DevPreviewNoUpgrade.crd.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-TechPreviewNoUpgrade.crd.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/azureplatformstatus.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/alertmanagerconfig.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/alertmanagercustomconfig.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/audit.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clustermonitoringspec.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/containerresource.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/metricsserverconfig.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/internal/internal.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1/irreconcilablechangediff.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1/machineconfignodespec.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1/machineconfignodespecconfigimage.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1/machineconfignodestatus.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1/machineconfignodestatusconfigimage.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1alpha1/buildinputs.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1alpha1/buildoutputs.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1alpha1/imagesecretobjectreference.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1alpha1/machineconfigpoolreference.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1alpha1/machineosbuild.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1alpha1/machineosbuilderreference.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1alpha1/machineosbuildspec.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1alpha1/machineosbuildstatus.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1alpha1/machineosconfig.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1alpha1/machineosconfigreference.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1alpha1/machineosconfigspec.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1alpha1/machineosconfigstatus.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1alpha1/machineoscontainerfile.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1alpha1/machineosimagebuilder.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1alpha1/objectreference.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/machineconfiguration/v1alpha1/renderedmachineconfigreference.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/machineconfiguration/clientset/versioned/typed/machineconfiguration/v1alpha1/generated_expansion.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/machineconfiguration/clientset/versioned/typed/machineconfiguration/v1alpha1/machineconfiguration_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/machineconfiguration/clientset/versioned/typed/machineconfiguration/v1alpha1/machineosbuild.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/machineconfiguration/clientset/versioned/typed/machineconfiguration/v1alpha1/machineosconfig.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/machineconfiguration/informers/externalversions/generic.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/machineconfiguration/informers/externalversions/machineconfiguration/v1alpha1/interface.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/machineconfiguration/informers/externalversions/machineconfiguration/v1alpha1/machineosbuild.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/machineconfiguration/informers/externalversions/machineconfiguration/v1alpha1/machineosconfig.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/machineconfiguration/listers/machineconfiguration/v1alpha1/expansion_generated.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/machineconfiguration/listers/machineconfiguration/v1alpha1/machineosbuild.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/machineconfiguration/listers/machineconfiguration/v1alpha1/machineosconfig.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/operator/applyconfigurations/internal/internal.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/bootimageskewenforcementconfig.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/bootimageskewenforcementstatus.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/clusterbootimageautomatic.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/clusterbootimagemanual.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/irreconcilablevalidationoverrides.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/machineconfigurationspec.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/machineconfigurationstatus.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/operator/applyconfigurations/utils.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/certrotation/annotations.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/certrotation/client_cert_rotation_controller.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/certrotation/signer.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/storage.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/resource/resourceread/networking.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/status/status_controller.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/status/version.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/v1helpers/informers.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/http2/http2.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/plan9/pwd_go15_plan9.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/plan9/pwd_plan9.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/affinity_linux.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/mkerrors.sh is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/syscall_darwin.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/syscall_solaris.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_386.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_arm.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mips.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_solaris_amd64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_386.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_amd64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_arm.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_arm64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_loong64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_mips.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_mips64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_mips64le.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_mipsle.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_ppc.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64le.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_riscv64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_sparc64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_386.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_amd64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_arm.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_arm64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_loong64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_mips.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_mips64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_mips64le.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_mipsle.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_ppc.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_ppc64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_ppc64le.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_riscv64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_s390x.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_sparc64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/windows/registry/zsyscall_windows.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/windows/types_windows.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/windows/zsyscall_windows.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/term/term_windows.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/term/terminal.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/tools/go/ast/astutil/enclosing.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/tools/go/packages/doc.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/tools/internal/imports/source_modindex.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/tools/internal/modindex/directories.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/tools/internal/modindex/index.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/tools/internal/modindex/modindex.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/tools/internal/modindex/symbols.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/tools/internal/modindex/types.go is excluded by !vendor/**, !**/vendor/**
• vendor/modules.txt is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (7)

• go.mod (3 hunks)
• pkg/controller/clusterconfig/clusterconfig_controller.go (3 hunks)
• pkg/controller/operconfig/cluster.go (1 hunks)
• pkg/network/cluster_config.go (3 hunks)
• pkg/network/cluster_config_test.go (9 hunks)
• pkg/network/render.go (2 hunks)
• pkg/network/render_test.go (5 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• pkg/controller/clusterconfig/clusterconfig_controller.go
• pkg/controller/operconfig/cluster.go
• pkg/network/cluster_config_test.go
• pkg/network/cluster_config.go
• pkg/network/render.go
• pkg/network/render_test.go
• go.mod

🔇 Additional comments (2)

go.mod (1)

22-22: Security verification complete; manually verify openshift package feature gate support.

The golang.org/x package updates (net v0.43.0, crypto v0.42.0, sys v0.36.0) are secure with no active CVE advisories. All known vulnerabilities in these packages have been fixed in earlier patches.

However, verify that the openshift packages (api, client-go, library-go) actually include the DualStack feature gate support referenced in the PR by checking their changelogs or repository commits. Cross-package version compatibility within the openshift ecosystem should also be confirmed.

pkg/controller/clusterconfig/clusterconfig_controller.go (1)

29-37: Feature-gate plumbing looks solid.

Passing the featureGates handle from controller setup through the reconciler down into ValidateClusterConfig keeps validation aligned with the operator’s gate state. Thanks for keeping the wiring tight.

Also applies to: 60-64, 96-96

[sadasu]

@kyrtapz please note here that I am only checking if the conversion to DualStack is possible. I removed the check !isSupportedDualStackPlatform() because the method isNetworkChangeSafe() is checking for Day-2 changes.

[tthvo]

I guess this is fine under the assumption: if a platform supports converting to dual-stack, it really should support dual-stack, right 😁?

The difference here is just error message :D

[sadasu]

Do you want me to add Platform: External to this list? It is treated identical to Platform:None in other places.

[sadasu]

Ditto:Do you want me to add Platform: External to this list? It is treated identical to Platform:None in the Installer.

[tthvo]

This approach looks better to me 👍!

I tested with openshift/installer#9930 and custom release image quay.io/thvo/origin-release:v4.21.0-preview-1. The install completed and resulted in an AWS dualstack cluster (i.e. CNI is happy).

I have a few suggestion along with CodeRabbit 👀

[tthvo]

We should probably update this comment too (or remove it) since Vsphere also support dualstack conversion.

[tthvo]

Should we also have test cases that validate if there is no error when a platform:

• Support dualstack out of the box.
• Support dualstack with Feature gate.

[sadasu]

Should we also have test cases that validate if there is no error when a platform:

• Support dualstack out of the box.

This already exists

• Support dualstack with Feature gate.

Added a test for that.

[tthvo]

I guess this is fine under the assumption: if a platform supports converting to dual-stack, it really should support dual-stack, right 😁?

The difference here is just error message :D

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

pkg/network/render_test.go (1)

356-368: Consider deduplicating feature gate helper.

This helper getDefaultFeatureGatesWithDualStack() appears to be duplicated in pkg/network/cluster_config_test.go (lines 41-53). Consider extracting it to a shared test utility file to avoid duplication.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 2dffbc8 and e012af9.

📒 Files selected for processing (6)

• pkg/controller/clusterconfig/clusterconfig_controller.go (3 hunks)
• pkg/controller/operconfig/cluster.go (1 hunks)
• pkg/network/cluster_config.go (3 hunks)
• pkg/network/cluster_config_test.go (10 hunks)
• pkg/network/render.go (2 hunks)
• pkg/network/render_test.go (5 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• pkg/controller/clusterconfig/clusterconfig_controller.go
• pkg/controller/operconfig/cluster.go

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• pkg/network/cluster_config_test.go
• pkg/network/render.go
• pkg/network/render_test.go
• pkg/network/cluster_config.go

🔇 Additional comments (13)

pkg/network/render.go (3)

1001-1008: LGTM!

The Day-2 conversion logic correctly restricts dual-stack conversion to platforms that support it, excluding AWS, Azure, and OpenStack as intended.

---

396-401: LGTM!

The simplified Day-2 dual-stack conversion check correctly validates platform support using the new helper function and provides a clear error message.

---

987-999: ****

The review comment is based on an incorrect premise. ExternalPlatformType does not exist in this codebase—a search for it produces no results. The function isSupportedDualStackPlatform correctly includes the platforms that support dual-stack without feature gates (BareMetal, None, VSphere, OpenStack) and gates AWS and Azure behind their respective feature flags. No changes are needed.

Likely an incorrect or invalid review comment.

pkg/network/render_test.go (2)

237-259: LGTM!

The test correctly validates that only BareMetal, None, and VSphere platforms support Day-2 dual-stack conversion, using GCP as the negative test case. The error message validation is precise.

---

421-423: LGTM!

The test correctly constructs and passes feature gates to the Render function, exercising the new feature gate integration.

pkg/network/cluster_config_test.go (5)

79-83: LGTM!

The haveError helper correctly uses the cfg parameter passed to it (line 81), addressing the previous review concern. The feature gates are appropriately captured from the outer scope.

---

323-336: LGTM!

The helper clearly simulates a scenario where Azure dual-stack feature gate is disabled, enabling testing of validation failures when required feature gates are missing.

---

407-423: LGTM!

The test correctly validates that GCP platform rejects dual-stack configuration with an appropriate error message.

---

424-440: LGTM!

The test correctly validates that AWS platform allows dual-stack when the AWS dual-stack feature gate is enabled.

---

441-457: LGTM!

The test correctly validates that Azure platform rejects dual-stack when the Azure dual-stack feature gate is disabled, providing comprehensive coverage for feature-gated platform validation. This addresses the previous review comment requesting test cases for feature-gated platforms.

pkg/network/cluster_config.go (3)

35-42: LGTM!

The signature update correctly adds feature gate support to the public validation API and properly threads it through to the internal validation function.

---

44-44: LGTM!

The internal validation function signature correctly accepts feature gates for use in platform-specific validation.

---

120-124: LGTM!

The dual-stack platform validation correctly uses the feature-gate-aware helper function and provides a clear error message when the platform doesn't support dual-stack.

[tthvo]

/lgtm

Based on #2804 (review), looks good and worked for me!

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: jhixson74, sadasu, tthvo
Once this PR has been reviewed and has the lgtm label, please assign jacobtanenbaum for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[tthvo]

/verified by @tthvo

[openshift-ci-robot]

@tthvo: This PR has been marked as verified by @tthvo.

In response to this:

/verified by @tthvo

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[tthvo]

/retest

[openshift-ci]

@sadasu: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/4.20-upgrade-from-stable-4.19-e2e-azure-ovn-upgrade	9fbf4db	link	false	/test 4.20-upgrade-from-stable-4.19-e2e-azure-ovn-upgrade
ci/prow/4.20-upgrade-from-stable-4.19-e2e-aws-ovn-upgrade	9fbf4db	link	false	/test 4.20-upgrade-from-stable-4.19-e2e-aws-ovn-upgrade
ci/prow/e2e-aws-hypershift-ovn-kubevirt	9fbf4db	link	false	/test e2e-aws-hypershift-ovn-kubevirt
ci/prow/security	e012af9	link	false	/test security
ci/prow/4.21-upgrade-from-stable-4.20-e2e-gcp-ovn-upgrade	e012af9	link	false	/test 4.21-upgrade-from-stable-4.20-e2e-gcp-ovn-upgrade
ci/prow/4.21-upgrade-from-stable-4.20-e2e-aws-ovn-upgrade	e012af9	link	false	/test 4.21-upgrade-from-stable-4.20-e2e-aws-ovn-upgrade
ci/prow/4.21-upgrade-from-stable-4.20-e2e-azure-ovn-upgrade	e012af9	link	false	/test 4.21-upgrade-from-stable-4.20-e2e-azure-ovn-upgrade

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.