
SPLAT-2588: Promoting AWSServiceLBNetworkSecurityGroup on hypershift #2838

Open
mtulio wants to merge 1 commit into openshift:master from mtulio:SPLAT-2588-ccm-nlb-hcp-ga


@mtulio

@mtulio mtulio commented May 7, 2026

Contributor

Promotes the AWSServiceLBNetworkSecurityGroup feature gate to Default on Hypershift cluster profiles.

This feature was already GA on SelfManaged (enabled in Default) and was gated behind TechPreviewNoUpgrade on Hypershift.
Hypershift implementation: hypershift/pull/7460

@openshift-merge-bot

Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci-robot

openshift-ci-robot commented May 7, 2026


@mtulio: This pull request references SPLAT-2588 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label May 7, 2026
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 7, 2026
@openshift-ci

openshift-ci Bot commented May 7, 2026

Contributor

Hello @mtulio! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

@openshift-ci

openshift-ci Bot commented May 7, 2026

Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@mtulio

mtulio commented May 7, 2026

Contributor Author

/test ?

@coderabbitai

coderabbitai Bot commented May 7, 2026


Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

The PR enables the AWSServiceLBNetworkSecurityGroup feature for Hypershift Default and OKD. Features/features.go consolidates the feature's enable condition into a single call covering default, OKD, and both tech/dev preview no-upgrade profiles. The Hypershift Default and OKD FeatureGate manifests remove the gate from disabled lists and add it to enabled lists. The features.md documentation table reorders rows and marks AWSServiceLBNetworkSecurityGroup as Enabled for both Hypershift variants.

Suggested reviewers

  • JoelSpeed
  • everettraven
🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Description check | ⚠️ Warning | No pull request description was provided by the author, making it impossible to assess whether the description relates to the changeset. | Add a description that explains the purpose of promoting AWSServiceLBNetworkSecurityGroup on Hypershift and the rationale behind this change. |

✅ Passed checks (14 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly references the main change: promoting AWSServiceLBNetworkSecurityGroup on Hypershift, which directly matches the feature gate modifications across multiple files. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | PR only modifies feature gate configuration and documentation files (features.md, features/features.go, and payload-manifests YAML). No Ginkgo test files or test names are added or modified. |
| Test Structure And Quality | ✅ Passed | Ginkgo tests properly implement single responsibility, use BeforeEach/AfterEach for setup/cleanup of resources and CRDs, include appropriate timeouts on Eventually calls, provide meaningful asserti... |
| Microshift Test Compatibility | ✅ Passed | No new Ginkgo e2e tests were added in this PR. Changes are feature gate configuration and documentation updates only, making the MicroShift test compatibility check not applicable. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | This PR does not add any Ginkgo e2e tests. It only modifies feature gate configuration files and documentation, making the SNO test compatibility check not applicable. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR only modifies feature gate configuration (features.md, features.go, FeatureGate CRDs). No deployment manifests, operator code, controllers, or scheduling constraints are introduced. |
| Ote Binary Stdout Contract | ✅ Passed | PR contains only configuration and documentation changes to feature gates; no process-level code with stdout writes (main, init, TestMain, BeforeSuite, AfterSuite) was added. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | No new Ginkgo e2e tests were added in this PR. Changes are limited to feature gate configuration and documentation, making the IPv6/disconnected network compatibility check inapplicable. |
| No-Weak-Crypto | ✅ Passed | PR makes no cryptographic changes; only promotes AWSServiceLBNetworkSecurityGroup feature gate via configuration updates and documentation changes. |
| Container-Privileges | ✅ Passed | PR modifies only feature gate configurations, documentation, and Go code—no Kubernetes container manifests with security contexts are present or modified. |
| No-Sensitive-Data-In-Logs | ✅ Passed | PR contains no logging statements or sensitive data (passwords, tokens, keys, PII) in code changes. All modifications are configuration/documentation updates for feature gate promotion. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label May 7, 2026
@mtulio mtulio changed the title from "WIP/SPLAT-2588: Removing hypershift gates for AWSServiceLBNetworkSecurityGroup" to "SPLAT-2588 / WIP: Removing hypershift gates for AWSServiceLBNetworkSecurityGroup" May 7, 2026
@openshift-ci-robot


@mtulio: No Jira issue is referenced in the title of this pull request.
To reference a jira issue, add 'XYZ-NNN:' to the title of this pull request and request another refresh with /jira refresh.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot removed the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label May 7, 2026
@openshift-ci

openshift-ci Bot commented May 7, 2026

Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign deads2k for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@mtulio

mtulio commented May 7, 2026

Contributor Author

/test e2e-aws-ovn-hypershift
/test e2e-aws-ovn-hypershift-conformance

1 similar comment
@mtulio

mtulio commented May 7, 2026

Contributor Author

/test e2e-aws-ovn-hypershift
/test e2e-aws-ovn-hypershift-conformance

@mtulio

mtulio commented May 11, 2026

Contributor Author

/test e2e-aws-ovn-hypershift-conformance

@mtulio

mtulio commented May 11, 2026

Contributor Author

/test e2e-aws-ovn-hypershift

@mtulio

mtulio commented May 11, 2026

Contributor Author

/test all

@mtulio mtulio force-pushed the SPLAT-2588-ccm-nlb-hcp-ga branch from 879a92c to c5a5725 Compare May 12, 2026 13:43
@openshift-ci openshift-ci Bot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels May 12, 2026
@mtulio mtulio force-pushed the SPLAT-2588-ccm-nlb-hcp-ga branch from c5a5725 to c12aee7 Compare May 12, 2026 14:56
@mtulio

mtulio commented May 12, 2026

Contributor Author

/test all

@mtulio

mtulio commented May 13, 2026

Contributor Author

/test e2e-aws-ovn-hypershift-conformance

@mtulio

mtulio commented Jun 5, 2026

Contributor Author

/test e2e-aws-ovn-hypershift-conformance

@mtulio mtulio force-pushed the SPLAT-2588-ccm-nlb-hcp-ga branch from c12aee7 to 381c126 Compare June 10, 2026 22:03
@mtulio

mtulio commented Jun 10, 2026

Contributor Author

/test verify-feature-promotion

Hypershift feature has been implemented without gate validation as it is
already GA on self-managed by PR openshift/hypershift#7460
@mtulio mtulio changed the title from "SPLAT-2588 / WIP: Removing hypershift gates for AWSServiceLBNetworkSecurityGroup" to "SPLAT-2588 / WIP: Promoting AWSServiceLBNetworkSecurityGroup on hypershift" Jun 23, 2026
@mtulio mtulio changed the title from "SPLAT-2588 / WIP: Promoting AWSServiceLBNetworkSecurityGroup on hypershift" to "SPLAT-2588: Promoting AWSServiceLBNetworkSecurityGroup on hypershift" Jun 23, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 23, 2026
@openshift-ci-robot

openshift-ci-robot commented Jun 23, 2026


@mtulio: This pull request references SPLAT-2588 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 23, 2026
@mtulio mtulio force-pushed the SPLAT-2588-ccm-nlb-hcp-ga branch from 381c126 to fd7d48b Compare June 23, 2026 15:40
@openshift-ci openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 23, 2026
@mtulio

mtulio commented Jun 23, 2026

Contributor Author

PR rebased after hypershift check fix #2899
Awaiting CI to validate it.

@mtulio

mtulio commented Jun 23, 2026

Contributor Author

/test all

mtulio added a commit to mtulio/release that referenced this pull request Jun 23, 2026
Update e2e-aws-ovn-conformance-techpreview job to get more runs
required to promote API PR openshift/api#2838

This will be reverted to weekly once we have enough runs.
@mtulio

mtulio commented Jun 23, 2026

Contributor Author

Checking why local check[1] diverges from CI[2]:

[1] local check

$ make verify-feature-promotion 
....
Query sippy for all test run results for feature gate "AWSServiceLBNetworkSecurityGroup" on clusterProfile ["Hypershift"]
Query sippy for all test run results for pattern "FeatureGate:AWSServiceLBNetworkSecurityGroup]" on variant main.JobVariant{Cloud:"aws", Architecture:"amd64", Topology:"external", NetworkStack:"", OS:"", JobTiers:"", Optional:false}
Querying sippy release 5.0 for test run results
INSUFFICIENT CI testing for "AWSServiceLBNetworkSecurityGroup".
F0623 18:00:45.580118 2892508 root.go:64] Error running codegen: error: only 0 tests found, need at least 5 for "AWSServiceLBNetworkSecurityGroup" on {aws amd64 external    false}

[2] CI https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_api/2838/pull-ci-openshift-api-master-verify-feature-promotion/2069450320194310144

openshift-merge-bot Bot pushed a commit to openshift/release that referenced this pull request Jun 24, 2026
Update e2e-aws-ovn-conformance-techpreview job to get more runs
required to promote API PR openshift/api#2838

This will be reverted to weekly once we have enough runs.
@mtulio

mtulio commented Jun 24, 2026

Contributor Author

/test verify-feature-promotion

@mtulio

mtulio commented Jun 24, 2026

Contributor Author

Checking why local check[1] diverges from CI[2]:

[1] local check

$ make verify-feature-promotion 

This was resolved today 🤷🏽‍♂️

I also took two actions aimed at increasing the test counters:

  1. updated run frequency: SPLAT-2588: hypershift: update interval to promote AWSServiceLBNetworkSecurityGroup release#80944
  2. triggered periodic with gangway, not sure if it will be valid for promotion, just want to check if sippy is updated as expected with job verify-feature-promotion. Checking, previously it had:
error: "[cloud-provider-aws-e2e-openshift] loadbalancer NLB [OCPFeatureGate:AWSServiceLBNetworkSecurityGroup] should create NLB service with security group attached [Suite:openshift/conformance/parallel]" only has 12 runs, need at least 14 runs for "AWSServiceLBNetworkSecurityGroup" on {aws amd64 external    false}
error: "[cloud-provider-aws-e2e-openshift] loadbalancer NLB [OCPFeatureGate:AWSServiceLBNetworkSecurityGroup] should have NLBSecurityGroupMode with 'Managed value in cloud-config [Suite:openshift/conformance/parallel]" only has 12 runs, need at least 14 runs for "AWSServiceLBNetworkSecurityGroup" on {aws amd64 external    false}
error: "[cloud-provider-aws-e2e-openshift] loadbalancer NLB [OCPFeatureGate:AWSServiceLBNetworkSecurityGroup] should have correct security group rules for service ports [Suite:openshift/conformance/parallel]" only has 12 runs, need at least 14 runs for "AWSServiceLBNetworkSecurityGroup" on {aws amd64 external    false}
error: "[cloud-provider-aws-e2e-openshift] loadbalancer NLB [OCPFeatureGate:AWSServiceLBNetworkSecurityGroup] should update security group rules when service is updated [Suite:openshift/conformance/parallel]" only has 12 runs, need at least 14 runs for "AWSServiceLBNetworkSecurityGroup" on {aws amd64 external    false}
make: *** [Makefile:95: verify-feature-promotion] Error 255

Locally it is still reporting 12 runs. I will trigger the CI job again:

/test verify-feature-promotion

@mtulio

mtulio commented Jun 24, 2026

Contributor Author

Local tests are now reporting sufficient tests

Sufficient CI testing for "AWSServiceLBNetworkSecurityGroup".

/test verify-feature-promotion

@mtulio mtulio marked this pull request as ready for review June 24, 2026 19:44
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 24, 2026
@openshift-ci openshift-ci Bot requested review from JoelSpeed and everettraven June 24, 2026 19:45
@mtulio

mtulio commented Jun 24, 2026

Contributor Author

/test ?

@mtulio

mtulio commented Jun 24, 2026

Contributor Author

/test e2e-aws-ovn-hypershift-conformance

@openshift-ci

openshift-ci Bot commented Jun 24, 2026

Contributor

@mtulio: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
