OCPBUGS-77040: Add AWS ISO domains to konnectivity IsCloudAPI

[csrwng]

What this PR does / why we need it:

The konnectivity proxy's IsCloudAPI method was missing AWS ISO (classified) region domains from its cloud API detection list. This prevented the ingress operator from adding these domains to the NO_PROXY list, blocking direct (not proxied) communication with endpoints in those namespaces.

This PR adds three AWS ISO domain suffixes to the IsCloudAPI method:

• .c2s.ic.gov (AWS ISO / C2S)
• .hci.ic.gov (AWS ISO / HCI)
• .sc2s.sgov.gov (AWS ISO-B / SC2S)

Which issue(s) this PR fixes:

Fixes OCPBUGS-77040

Special notes for your reviewer:

The change is minimal and follows the existing pattern of strings.HasSuffix checks in IsCloudAPI. The three new domains are grouped together after the existing .amazonaws.com suffix check.

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

🤖 Generated with Claude Code via /jira:solve OCPBUGS-77040

Summary by CodeRabbit

• New Features

  • Added support for AWS ISO-specific cloud API domains: .c2s.ic.gov, .hci.ic.gov, and .sc2s.sgov.gov, enabling connectivity to isolated AWS regions.

• Tests

  • Added test cases validating proper recognition of the new AWS ISO-specific domains as cloud API endpoints.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci-robot]

@csrwng: This pull request references Jira Issue OCPBUGS-77040, which is invalid:

• expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

What this PR does / why we need it:

The konnectivity proxy's IsCloudAPI method was missing AWS ISO (classified) region domains from its cloud API detection list. This prevented the ingress operator from adding these domains to the NO_PROXY list, blocking direct (not proxied) communication with endpoints in those namespaces.

This PR adds three AWS ISO domain suffixes to the IsCloudAPI method:

• .c2s.ic.gov (AWS ISO / C2S)
• .hci.ic.gov (AWS ISO / HCI)
• .sc2s.sgov.gov (AWS ISO-B / SC2S)

Which issue(s) this PR fixes:

Fixes OCPBUGS-77040

Special notes for your reviewer:

The change is minimal and follows the existing pattern of strings.HasSuffix checks in IsCloudAPI. The three new domains are grouped together after the existing .amazonaws.com suffix check.

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

🤖 Generated with Claude Code via /jira:solve OCPBUGS-77040

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: 6b27d896-8eee-4fc7-a7b7-164b3555b77d

📥 Commits

Reviewing files that changed from the base of the PR and between fdea9a3 and 89081c6.

📒 Files selected for processing (2)

• support/konnectivityproxy/dialer.go
• support/konnectivityproxy/dialer_test.go

---

📝 Walkthrough

Walkthrough

The IsCloudAPI function in support/konnectivityproxy/dialer.go is extended to recognize three additional AWS ISO-specific domain suffixes: .c2s.ic.gov, .hci.ic.gov, and .sc2s.sgov.gov. The function now returns true when a host ends with any of these suffixes, with a comment added referencing the AWS ISO endpoints. Corresponding test cases are added to dialer_test.go to verify that hostnames such as s3.c2s.ic.gov, iam.hci.ic.gov, and s3.sc2s.sgov.gov are correctly identified as cloud API hosts.

🚥 Pre-merge checks | ✅ 9 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (9 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and concisely summarizes the main change: adding AWS ISO domains to the konnectivity IsCloudAPI method. It is specific, clear, and directly related to the core objective of the PR.
Stable And Deterministic Test Names	✅ Passed	The custom check for stable and deterministic test names is designed for Ginkgo test suites. The modified files use standard Go testing with table-driven tests, so this check is not applicable.
Test Structure And Quality	✅ Passed	Test additions use standard Go testing patterns with table-driven test cases for IsCloudAPI function, following existing code conventions without Ginkgo framework requirements.
Microshift Test Compatibility	✅ Passed	PR adds only standard Go unit tests to verify IsCloudAPI() function correctly identifies AWS ISO-specific domains. No Ginkgo e2e tests or OpenShift API interactions present.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR adds only standard Go unit tests, not Ginkgo e2e tests. The custom check applies only to new Ginkgo e2e tests, so it is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	Pull request modifies only utility domain-matching functions in konnectivity proxy without introducing any scheduling constraints, deployment manifests, or topology-aware configuration changes.
Ote Binary Stdout Contract	✅ Passed	PR changes to IsCloudAPI method and test cases contain no stdout writes and strictly comply with OTE Binary Stdout Contract requirements.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	The pull request contains only standard Go unit tests using the testing package, not Ginkgo e2e tests, making this check inapplicable.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: csrwng

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [csrwng]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 34.65%. Comparing base (fdea9a3) to head (89081c6).
⚠️ Report is 236 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #8251   +/-   ##
=======================================
  Coverage   34.65%   34.65%           
=======================================
  Files         767      767           
  Lines       93263    93266    +3     
=======================================
+ Hits        32318    32321    +3     
  Misses      58266    58266           
  Partials     2679     2679           

Files with missing lines	Coverage Δ
support/konnectivityproxy/dialer.go	25.66% <100.00%> (+0.85%)	⬆️

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[csrwng]

/jira refresh

[openshift-ci-robot]

@csrwng: This pull request references Jira Issue OCPBUGS-77040, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira (yli2@redhat.com), skipping review request.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[muraee]

/lgtm

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aks
/test e2e-aws
/test e2e-aws-upgrade-hypershift-operator
/test e2e-azure-self-managed
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws

[cwbotbot]

Test Results

e2e-aws

• Status: ❌ FAIL
• Started: 2026-04-20T13:22:01Z
• View Job
• View Job History

e2e-aks

• Status: ✅ PASS
• Started: 2026-04-17T18:19:39Z
• View Job
• View Job History

[hypershift-jira-solve-ci]

AI Test Failure Analysis

Job: pull-ci-openshift-hypershift-main-e2e-aws | Build: 2045205159499272192 | Cost: $1.6226978499999996 | Failed step: hypershift-aws-run-e2e-nested

View full analysis report

---

_{Generated by hypershift-analyze-e2e-failure post-step using Claude claude-opus-4-6}

[csrwng]

/retest-required

[hypershift-jira-solve-ci]

AI Test Failure Analysis

Job: pull-ci-openshift-hypershift-main-e2e-aws | Build: 2046217718377484288 | Cost: $1.6196899999999996 | Failed step: hypershift-aws-run-e2e-nested

View full analysis report

---

_{Generated by hypershift-analyze-e2e-failure post-step using Claude claude-opus-4-6}

[hypershift-jira-solve-ci]

Now I have all the evidence needed. Let me compile the final report.

Test Failure Analysis Complete

Job Information

• Prow Job: pull-ci-openshift-hypershift-main-e2e-aws
• Build ID: 2046217718377484288
• Target: e2e-aws
• Test: TestCreateClusterRequestServingIsolation
• Duration: ~2h 14m (13:21 – 15:35 UTC, 2026-04-20)
• Result: 467 tests run, 25 skipped, 1 failure

Test Failure Analysis

Error

hypershift_framework.go:501: failed to create cluster, tearing down: failed to create infra:
cannot create VPC S3 endpoint: operation error EC2: CreateVpcEndpoint, exceeded maximum number
of attempts, 11, https response error StatusCode: 503, RequestID: 154de2d6-464f-4ce9-834e-6b378d067028,
api error RequestLimitExceeded: Request limit exceeded. Account 820196288204 has been throttled
on ec2:CreateVpcEndpoint because it exceeded its request rate limit.

Summary

The sole test failure (TestCreateClusterRequestServingIsolation) is an AWS EC2 API rate-limit (throttling) flake — completely unrelated to the PR under test (OCPBUGS-77040, which adds AWS ISO domains to IsCloudAPI). The test creates a HighlyAvailable hosted cluster with 5 custom node pools (2 request-serving + 3 non-request-serving), and during infrastructure provisioning, the CreateVpcEndpoint EC2 API call was rate-limited by AWS on account 820196288204. The AWS SDK exhausted all 11 retry attempts (HTTP 503 / RequestLimitExceeded), causing the infra creation to fail. The remaining 441 passing tests (+ 25 skipped) all succeeded, confirming the PR's code change is not at fault.

Root Cause

AWS EC2 API throttling on shared CI account — not a product or test code bug.

The failure chain is:

1. TestCreateClusterRequestServingIsolation starts and creates 5 management-cluster node pools, all of which become ready successfully.
2. The test then calls e2eutil.NewHypershiftTest().Execute() → createCluster() → CreateInfra() → CreateVPCS3Endpoint() (cmd/infra/aws/ec2.go:124).
3. CreateVPCS3Endpoint calls ec2:CreateVpcEndpoint. The AWS SDK retries this call up to 11 times with exponential jitter backoff (configured in cmd/infra/aws/util/util.go:130-138).
4. All 11 attempts fail with HTTP 503 / RequestLimitExceeded — the shared CI AWS account (820196288204) was being throttled because multiple concurrent test jobs (this job runs ~12 tests in parallel including TestCreateCluster, TestCreateClusterPrivate, TestCreateClusterProxy, TestCreateClusterCustomConfig, etc.) were all making EC2 API calls simultaneously.
5. After the SDK retries are exhausted, the application-level retry in CreateVPCS3Endpoint does NOT retry because its isRetriable function (ec2.go:133-138) only considers InvalidRouteTableId.NotFound as retriable — it does not treat RequestLimitExceeded as retriable.
6. The error propagates back to hypershift_framework.go:501 which logs "failed to create cluster, tearing down" and marks the test as FAIL.

Why this is a flake, not a regression: The PR changes (support/konnectivityproxy/dialer.go) only add string suffix checks to IsCloudAPI() — code that is never invoked during infrastructure creation. The throttling is purely an environmental/capacity issue on the shared AWS CI account.

Recommendations

1. Retest the PR — this is a flake. A /retest on the PR should pass if the AWS account is not under heavy load at that time.

2. Potential code improvement (not blocking): The application-level isRetriable function in cmd/infra/aws/ec2.go:133-138 should be extended to also retry on RequestLimitExceeded and Throttling error codes with appropriate backoff, similar to how Route53 operations have more aggressive retry handling. This would make the infra creation more resilient to transient AWS throttling:

   isRetriable := func(err error) bool {
       var apiErr smithy.APIError
       if errors.As(err, &apiErr) {
           code := apiErr.ErrorCode()
           return strings.EqualFold(code, invalidRouteTableID) ||
                  strings.EqualFold(code, "RequestLimitExceeded") ||
                  strings.EqualFold(code, "Throttling")
       }
       return false
   }

3. No action needed on the PR itself — the changes to support/konnectivityproxy/dialer.go and support/konnectivityproxy/dialer_test.go are correct and unrelated to this failure.

Evidence

Evidence	Detail
Failed test	TestCreateClusterRequestServingIsolation — 1 of 467 tests
Error location	hypershift_framework.go:501 → cmd/infra/aws/ec2.go:152 (CreateVPCS3Endpoint)
AWS API error	ec2:CreateVpcEndpoint — HTTP 503, RequestLimitExceeded
AWS Account	820196288204 (shared CI account)
Retry exhaustion	"exceeded maximum number of attempts, 11" (SDK-level retries)
App-level retry gap	isRetriable in ec2.go:133 only retries InvalidRouteTableId.NotFound, not throttling errors
PR changes	support/konnectivityproxy/dialer.go — adds ISO domain suffixes to IsCloudAPI(), completely unrelated to EC2 infra creation
Passing tests	441 passed, 25 skipped — all other cluster creation tests (TestCreateCluster, TestCreateClusterPrivate, TestCreateClusterProxy, etc.) passed
Concurrency	~12 tests ran in parallel, all creating AWS infrastructure on the same account
Test duration	4253.61s (~71 minutes) before failing

---

[csrwng]

/retest-required

[csrwng]

/verified by unit test

[openshift-ci-robot]

@csrwng: This PR has been marked as verified by unit test.

Details

In response to this:

/verified by unit test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@csrwng: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

@csrwng: Jira Issue Verification Checks: Jira Issue OCPBUGS-77040
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-77040 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

What this PR does / why we need it:

The konnectivity proxy's IsCloudAPI method was missing AWS ISO (classified) region domains from its cloud API detection list. This prevented the ingress operator from adding these domains to the NO_PROXY list, blocking direct (not proxied) communication with endpoints in those namespaces.

This PR adds three AWS ISO domain suffixes to the IsCloudAPI method:

• .c2s.ic.gov (AWS ISO / C2S)
• .hci.ic.gov (AWS ISO / HCI)
• .sc2s.sgov.gov (AWS ISO-B / SC2S)

Which issue(s) this PR fixes:

Fixes OCPBUGS-77040

Special notes for your reviewer:

The change is minimal and follows the existing pattern of strings.HasSuffix checks in IsCloudAPI. The three new domains are grouped together after the existing .amazonaws.com suffix check.

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

🤖 Generated with Claude Code via /jira:solve OCPBUGS-77040

Summary by CodeRabbit

• New Features

• Added support for AWS ISO-specific cloud API domains: .c2s.ic.gov, .hci.ic.gov, and .sc2s.sgov.gov, enabling connectivity to isolated AWS regions.

• Tests

• Added test cases validating proper recognition of the new AWS ISO-specific domains as cloud API endpoints.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-robot]

Fix included in release 5.0.0-0.nightly-2026-05-06-052707

[csrwng]

/cherry-pick release-4.22

[openshift-cherrypick-robot]

@csrwng: new pull request created: #8447

Details

In response to this:

/cherry-pick release-4.22

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.