CORS-4352: aws: validations to ensure install-config is valid for dualstack install

[tthvo]

This PR added validations to ensure the install-config fields are valid in order to install a dualstack cluster. The following validations are performed when ipFamily is dualstack:

Scope	Details	Notes
Instance type	The type must now be Nitro-based in order to support IPv6 HTTP IMDS Endpoint and IPv6 Route53 resolver. Most modern instance types are Nitro-based anyway
BYO subnets	Existing subnets must have an associated IPv6 CIDR and it must be contained in one of the networking.machineNetwork	This means the users must provide either a VPC or all provided subnet IPv6 CIDRs in the machineNetwork field
Edge compute pool	Edge compute pool supports BYO subnets in Local zones only. That means the installer cannot auto-provision dualstack edge subnets and Wavelength zone, according to AWS, does not support IPv6 at the moment	The user can provision a secondary IPv6 CIDR to the VPC in the local zone network border and create dualstack local-zone subnets

For local zones, the following zones support IPv6, according to AWS docs:

The following Local Zones support IPv6: us-east-1-atl-2a, us-east-1-chi-2a, us-east-1-dfw-2a, us-east-1-iah-2a, us-east-1-mia-2a, us-east-1-nyc-2a, us-west-2-lax-1a, us-west-2-lax-1b, and us-west-2-phx-2a.

/label platform/aws

[openshift-ci-robot]

@tthvo: This pull request references CORS-4352 which is a valid jira issue.

Details

In response to this:

This PR added validations to ensure the install-config fields are valid in order to install a dualstack cluster. The following validations are performed when ipFamily is dualstack:

Scope	Details	Notes
Instance type	The type must now be Nitro-based in order to support IPv6 HTTP IMDS Endpoint and IPv6 Route53 resolver. Most modern instance types are Nitro-based anyway
BYO subnets	Existing subnets must have an associated IPv6 CIDR and it must be contained in one of the networking.machineNetwork	This means the users must provide either a VPC or all provided subnet IPv6 CIDRs in the machineNetwork field
Edge compute pool	Edge compute pool supports BYO subnets in Local zones only. That means the installer cannot auto-provision dualstack edge subnets and Wavelength zone, according to AWS, does not support IPv6 at the moment	The user can provision a secondary IPv6 CIDR to the VPC in the local zone network border and create dualstack local-zone subnets

/label platform/aws

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

Adds Hypervisor to InstanceType and IPv6CIDR to Subnet; refactors AWS subnet and dual‑stack validation to validate combined IPv4/IPv6 CIDRs, enforce IPv6+Nitro requirements for dual‑stack, tighten edge-pool checks, and expands unit tests for these scenarios.

Changes

Cohort / File(s)	Summary
Data Structure Enhancements pkg/asset/installconfig/aws/instancetypes.go, pkg/asset/installconfig/aws/subnet.go	Added exported fields: InstanceType.Hypervisor string and Subnet.IPv6CIDR string. Populate Hypervisor from SDK type info and extract IPv6CIDR from subnet IPv6 associations; switched Subnet.CIDR assignment to aws.ToString(...).
Validation Refactor & Dual‑Stack Logic pkg/asset/installconfig/aws/validation.go	Introduced subnet type constants; replaced per-subnet CIDR validation with validateSubnetCIDRs that requires IPv4 (and IPv6 when dual‑stack) and checks containment against ic.MachineNetwork; added validateMachineNetworksContainSubnetCIDR; enforced Nitro hypervisor requirement for dual‑stack instance types; forbids non-BYO edge subnets for dual‑stack and disallows wavelength edge subnets in dual‑stack BYO scenarios.
Tests & Test Helpers pkg/asset/installconfig/aws/validation_test.go	Extended tests and fixtures: added Hypervisor values to validInstanceTypes() (Xen vs Nitro), added dual‑stack fixtures and helpers (withDualStackMachineNetworks, validDualstackSubnets), and added test cases covering Nitro requirement and BYO dual‑stack/subnet edge validations.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 46.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: adding validations to ensure install-config is valid for dual-stack installations on AWS, which matches the primary objective across all modified files.
Stable And Deterministic Test Names	✅ Passed	Test file maintains stable and deterministic test names with static descriptive strings and no dynamic content like timestamps, UUIDs, or fmt.Sprintf formatting.
Test Structure And Quality	✅ Passed	The validation_test.go file uses standard Go table-driven testing, not Ginkgo, so Ginkgo quality requirements do not apply.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.11.3)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[tthvo]

/cc @sadasu

[openshift-ci-robot]

@tthvo: This pull request references CORS-4352 which is a valid jira issue.

Details

In response to this:

This PR added validations to ensure the install-config fields are valid in order to install a dualstack cluster. The following validations are performed when ipFamily is dualstack:

Scope	Details	Notes
Instance type	The type must now be Nitro-based in order to support IPv6 HTTP IMDS Endpoint and IPv6 Route53 resolver. Most modern instance types are Nitro-based anyway
BYO subnets	Existing subnets must have an associated IPv6 CIDR and it must be contained in one of the networking.machineNetwork	This means the users must provide either a VPC or all provided subnet IPv6 CIDRs in the machineNetwork field
Edge compute pool	Edge compute pool supports BYO subnets in Local zones only. That means the installer cannot auto-provision dualstack edge subnets and Wavelength zone, according to AWS, does not support IPv6 at the moment	The user can provision a secondary IPv6 CIDR to the VPC in the local zone network border and create dualstack local-zone subnets

/label platform/aws

Summary by CodeRabbit

• New Features

• Enhanced IPv6 dual-stack networking support with automatic CIDR block detection and validation.

• Improved instance type metadata to include hypervisor information.

• Bug Fixes

• Strengthened validation for dual-stack configurations with edge deployments and instance type compatibility checks.

• Enhanced subnet configuration validation with IPv6 CIDR block support.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

🧹 Nitpick comments (1)

pkg/asset/installconfig/aws/validation_test.go (1)

2322-2328: Consider adding Hypervisor field to m6a.xlarge for consistency.

The m6a.xlarge instance type is missing the Hypervisor field, while all other instance types now include it. Although m6a.xlarge is currently only used for SEV-SNP tests and not dual-stack tests, adding the field maintains consistency and prevents potential issues if this type is used in future dual-stack test scenarios.

Proposed fix

 		"m6a.xlarge": {
 			DefaultVCpus: 4,
 			MemInMiB:     16384,
 			Arches:       []string{string(ec2types.ArchitectureTypeX8664)},
+			Hypervisor:   string(ec2types.InstanceTypeHypervisorNitro),
 			Features:     []string{"amd-sev-snp"},
 		},

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/asset/installconfig/aws/validation_test.go` around lines 2322 - 2328, Add
the missing Hypervisor field to the m6a.xlarge instance map entry so it matches
other entries; edit the map entry for "m6a.xlarge" in
pkg/asset/installconfig/aws/validation_test.go and add a Hypervisor key with the
same value used by other AMD/SEV-SNP instance entries (for example "nitro") to
maintain consistency and prevent future dual-stack/test issues.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@pkg/asset/installconfig/aws/validation_test.go`:
- Around line 2322-2328: Add the missing Hypervisor field to the m6a.xlarge
instance map entry so it matches other entries; edit the map entry for
"m6a.xlarge" in pkg/asset/installconfig/aws/validation_test.go and add a
Hypervisor key with the same value used by other AMD/SEV-SNP instance entries
(for example "nitro") to maintain consistency and prevent future dual-stack/test
issues.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 948a71d4-64e3-43a2-9387-9232f7eaca31

📥 Commits

Reviewing files that changed from the base of the PR and between dea68b7 and 97f73bf.

📒 Files selected for processing (4)

• pkg/asset/installconfig/aws/instancetypes.go
• pkg/asset/installconfig/aws/subnet.go
• pkg/asset/installconfig/aws/validation.go
• pkg/asset/installconfig/aws/validation_test.go

[openshift-ci-robot]

@tthvo: This pull request references CORS-4352 which is a valid jira issue.

Details

In response to this:

This PR added validations to ensure the install-config fields are valid in order to install a dualstack cluster. The following validations are performed when ipFamily is dualstack:

Scope	Details	Notes
Instance type	The type must now be Nitro-based in order to support IPv6 HTTP IMDS Endpoint and IPv6 Route53 resolver. Most modern instance types are Nitro-based anyway
BYO subnets	Existing subnets must have an associated IPv6 CIDR and it must be contained in one of the networking.machineNetwork	This means the users must provide either a VPC or all provided subnet IPv6 CIDRs in the machineNetwork field
Edge compute pool	Edge compute pool supports BYO subnets in Local zones only. That means the installer cannot auto-provision dualstack edge subnets and Wavelength zone, according to AWS, does not support IPv6 at the moment	The user can provision a secondary IPv6 CIDR to the VPC in the local zone network border and create dualstack local-zone subnets

For local zones, the following zones support IPv6, according to AWS docs:

The following Local Zones support IPv6: us-east-1-atl-2a, us-east-1-chi-2a, us-east-1-dfw-2a, us-east-1-iah-2a, us-east-1-mia-2a, us-east-1-nyc-2a, us-west-2-lax-1a, us-west-2-lax-1b, and us-west-2-phx-2a.

/label platform/aws

Summary by CodeRabbit

• New Features

• Enhanced IPv6 dual-stack networking support with automatic CIDR block detection and validation.

• Improved instance type metadata to include hypervisor information.

• Bug Fixes

• Strengthened validation for dual-stack configurations with edge deployments and instance type compatibility checks.

• Enhanced subnet configuration validation with IPv6 CIDR block support.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@tthvo: This pull request references CORS-4352 which is a valid jira issue.

Details

In response to this:

This PR added validations to ensure the install-config fields are valid in order to install a dualstack cluster. The following validations are performed when ipFamily is dualstack:

Scope	Details	Notes
Instance type	The type must now be Nitro-based in order to support IPv6 HTTP IMDS Endpoint and IPv6 Route53 resolver. Most modern instance types are Nitro-based anyway
BYO subnets	Existing subnets must have an associated IPv6 CIDR and it must be contained in one of the networking.machineNetwork	This means the users must provide either a VPC or all provided subnet IPv6 CIDRs in the machineNetwork field
Edge compute pool	Edge compute pool supports BYO subnets in Local zones only. That means the installer cannot auto-provision dualstack edge subnets and Wavelength zone, according to AWS, does not support IPv6 at the moment	The user can provision a secondary IPv6 CIDR to the VPC in the local zone network border and create dualstack local-zone subnets

For local zones, the following zones support IPv6, according to AWS docs:

The following Local Zones support IPv6: us-east-1-atl-2a, us-east-1-chi-2a, us-east-1-dfw-2a, us-east-1-iah-2a, us-east-1-mia-2a, us-east-1-nyc-2a, us-west-2-lax-1a, us-west-2-lax-1b, and us-west-2-phx-2a.

/label platform/aws

Summary by CodeRabbit

• New Features

• Enhanced IPv6 dual-stack networking with automatic IPv6 CIDR detection and validation.

• Instance type metadata now exposes hypervisor information.

• Bug Fixes

• Strengthened dual-stack validation, including edge/wavelength constraints and subnet containment checks.

• Enforced IPv6 and Nitro-related instance type requirements and improved subnet IPv6 CIDR handling.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

🧹 Nitpick comments (1)

pkg/asset/installconfig/aws/validation_test.go (1)

418-458: Add one IPv6-primary containment failure case.

Line 2609 adds an IPv6-primary branch by reversing MachineNetwork, but every new BYO dual-stack subnet case here still uses withDualStackMachineNetworks(network.DualStackIPv4Primary) and only exercises the “missing IPv6 CIDR” path. That leaves the IPv6-primary ordering and the “subnet IPv6 CIDR is outside networking.machineNetwork” validation untested. A single negative case with network.DualStackIPv6Primary and one out-of-range subnet IPv6CIDR would close both gaps.

Also applies to: 500-556, 2609-2620

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/asset/installconfig/aws/validation_test.go` around lines 418 - 458, Add a
new negative test case beside the existing dual-stack BYO subnet tests that
switches the machine network ordering to IPv6-primary by calling
icBuild.withDualStackMachineNetworks(network.DualStackIPv6Primary) (and keep
withIPFamily(network.DualStackIPv4Primary) or appropriate IPFamily), and supply
a BYO subnet in SubnetGroups (use mergeSubnets like the other cases) whose IPv6
CIDR is intentionally outside the configured networking.machineNetwork; set
withVPCSubnetIDs to include that subnet ID and assert expectErr matches the
containment-failure message for IPv6 CIDR being outside
networking.machineNetwork (the same style as the existing expectErr regex for
missing IPv6 CIDR) so the validation for DualStackIPv6Primary and out-of-range
IPv6 CIDR is exercised.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@pkg/asset/installconfig/aws/validation_test.go`:
- Around line 418-458: Add a new negative test case beside the existing
dual-stack BYO subnet tests that switches the machine network ordering to
IPv6-primary by calling
icBuild.withDualStackMachineNetworks(network.DualStackIPv6Primary) (and keep
withIPFamily(network.DualStackIPv4Primary) or appropriate IPFamily), and supply
a BYO subnet in SubnetGroups (use mergeSubnets like the other cases) whose IPv6
CIDR is intentionally outside the configured networking.machineNetwork; set
withVPCSubnetIDs to include that subnet ID and assert expectErr matches the
containment-failure message for IPv6 CIDR being outside
networking.machineNetwork (the same style as the existing expectErr regex for
missing IPv6 CIDR) so the validation for DualStackIPv6Primary and out-of-range
IPv6 CIDR is exercised.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 2469be9e-555e-4554-ba58-f30c615f5b6b

📥 Commits

Reviewing files that changed from the base of the PR and between 97f73bf and 262ce8d.

📒 Files selected for processing (1)

• pkg/asset/installconfig/aws/validation_test.go

[tthvo]

/retest-required

[tthvo]

/testwith openshift/installer/main/e2e-aws-ovn-dualstack-ipv6-primary-techpreview #10353

/testwith openshift/installer/main/e2e-aws-ovn-dualstack-ipv4-primary-techpreview #10353

[tthvo]

/test e2e-aws-ovn-dualstack-ipv6-primary-techpreview e2e-aws-ovn-dualstack-ipv4-primary-techpreview

[sadasu]

Nit: Commit message for 1st commit says intro in place of nitro.

[sadasu]

/approve

Have a couple of minor comments

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sadasu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• pkg/asset/installconfig/aws/OWNERS [sadasu]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[sadasu]

/retest

[openshift-ci]

@tthvo: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ovn-rhcos10-devpreview	262ce8d	link	false	/test e2e-aws-ovn-rhcos10-devpreview
ci/prow/e2e-aws-ovn-dualstack-ipv6-primary-techpreview	262ce8d	link	false	/test e2e-aws-ovn-dualstack-ipv6-primary-techpreview
ci/prow/e2e-aws-ovn-dualstack-ipv4-primary-techpreview	262ce8d	link	false	/test e2e-aws-ovn-dualstack-ipv4-primary-techpreview
ci/prow/e2e-aws-ovn-edge-zones	943a547	link	false	/test e2e-aws-ovn-edge-zones

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[coderabbitai]

🧹 Nitpick comments (2)

pkg/asset/installconfig/aws/validation_test.go (2)

2760-2771: Exercise the IPv6-primary ordering branch.

Lines 423, 440, and 506 all call withDualStackMachineNetworks with network.DualStackIPv4Primary, so the slices.Reverse path on Line 2767 never runs. Add one BYO-subnet case with network.DualStackIPv6Primary to prove subnet validation does not depend on the IPv4 machine network being first.

Possible follow-up

+		{
+			name: "valid dual-stack byo subnets with IPv6-primary machine networks",
+			installConfig: icBuild.build(
+				icBuild.withBaseBYO(),
+				icBuild.withIPFamily(network.DualStackIPv6Primary),
+				icBuild.withDualStackMachineNetworks(network.DualStackIPv6Primary),
+			),
+			availRegions:  validAvailRegions(),
+			availZones:    validAvailZones(),
+			instanceTypes: validInstanceTypes(),
+			subnets: SubnetGroups{
+				Private: validDualstackSubnets("private"),
+				Public:  validDualstackSubnets("public"),
+				VpcID:   validVPCID,
+			},
+		},

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/asset/installconfig/aws/validation_test.go` around lines 2760 - 2771, The
tests never exercise the IPv6-primary branch in withDualStackMachineNetworks;
add a BYO-subnet test case that uses network.DualStackIPv6Primary so
slices.Reverse(ic.Networking.MachineNetwork) runs. Locate the existing
BYO-subnet test group that currently calls
withDualStackMachineNetworks(network.DualStackIPv4Primary) and duplicate one
case, changing the invocation to
withDualStackMachineNetworks(network.DualStackIPv6Primary) and asserting the
same validation outcome to prove subnet validation is independent of machine
network ordering; ensure you reference the withDualStackMachineNetworks helper
and the BYO-subnet test name when adding the case.

---

418-459: Add a failing case for IPv6 CIDR containment.

This block proves IPv6CIDR is present, but it never asserts the new rule that a provided subnet's IPv6 range must be inside networking.machineNetwork. Lines 749-769 already pin the IPv4 equivalent; without the IPv6 negative, a validator that only checks non-empty IPv6CIDR would still satisfy this table.

Possible follow-up

+		{
+			name: "invalid dual-stack byo subnets, IPv6 CIDR outside machine network",
+			installConfig: icBuild.build(
+				icBuild.withBaseBYO(),
+				icBuild.withVPCSubnetIDs([]string{"invalid-private-ipv6-cidr-subnet"}, false),
+				icBuild.withIPFamily(network.DualStackIPv4Primary),
+				icBuild.withDualStackMachineNetworks(network.DualStackIPv4Primary),
+			),
+			availRegions:  validAvailRegions(),
+			availZones:    append(validAvailZones(), "zone-for-invalid-ipv6-cidr-subnet"),
+			instanceTypes: validInstanceTypes(),
+			subnets: SubnetGroups{
+				Private: mergeSubnets(validDualstackSubnets("private"), Subnets{
+					"invalid-private-ipv6-cidr-subnet": {
+						ID:       "invalid-private-ipv6-cidr-subnet",
+						Zone:     &Zone{Name: "zone-for-invalid-ipv6-cidr-subnet"},
+						CIDR:     "10.0.7.0/24",
+						IPv6CIDR: "2600:1f13:ff0::/64",
+					},
+				}),
+				Public: validDualstackSubnets("public"),
+				VpcID:  validVPCID,
+			},
+			expectErr: `platform\.aws\.vpc\.subnets\[\d+\]: Invalid value: "invalid-private-ipv6-cidr-subnet": subnet's CIDR range start 2600:1f13:ff0:: is outside of the specified machine networks`,
+		},

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/asset/installconfig/aws/validation_test.go` around lines 418 - 459, Add a
negative test case that mirrors the IPv4 containment failure but for IPv6:
create a case alongside the existing "invalid dual-stack byo subnets, some
subnets missing IPv6 CIDR" test that uses
icBuild.withDualStackMachineNetworks(network.DualStackIPv4Primary) (so
machineNetwork has an IPv6 range) and supply BYO subnets (via
icBuild.withVPCSubnetIDs and SubnetGroups.Private/Public) that include an
IPv6CIDR value that is outside the configured networking.machineNetwork; use
validDualstackSubnets(...) as the base and merge in subnets that set IPv6CIDR to
ranges not contained in the machineNetwork, then assert expectErr using a regex
similar to the IPv4 containment error (matching platform.aws.vpc.subnets[...]
Required value: IPv6 CIDR not contained in machineNetwork or the existing error
message format) so the validator must check IPv6 containment for
functions/structures around Subnet (SubnetGroups, IPv6CIDR) and the machine
network validation path (withDualStackMachineNetworks /
networking.machineNetwork).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@pkg/asset/installconfig/aws/validation_test.go`:
- Around line 2760-2771: The tests never exercise the IPv6-primary branch in
withDualStackMachineNetworks; add a BYO-subnet test case that uses
network.DualStackIPv6Primary so slices.Reverse(ic.Networking.MachineNetwork)
runs. Locate the existing BYO-subnet test group that currently calls
withDualStackMachineNetworks(network.DualStackIPv4Primary) and duplicate one
case, changing the invocation to
withDualStackMachineNetworks(network.DualStackIPv6Primary) and asserting the
same validation outcome to prove subnet validation is independent of machine
network ordering; ensure you reference the withDualStackMachineNetworks helper
and the BYO-subnet test name when adding the case.
- Around line 418-459: Add a negative test case that mirrors the IPv4
containment failure but for IPv6: create a case alongside the existing "invalid
dual-stack byo subnets, some subnets missing IPv6 CIDR" test that uses
icBuild.withDualStackMachineNetworks(network.DualStackIPv4Primary) (so
machineNetwork has an IPv6 range) and supply BYO subnets (via
icBuild.withVPCSubnetIDs and SubnetGroups.Private/Public) that include an
IPv6CIDR value that is outside the configured networking.machineNetwork; use
validDualstackSubnets(...) as the base and merge in subnets that set IPv6CIDR to
ranges not contained in the machineNetwork, then assert expectErr using a regex
similar to the IPv4 containment error (matching platform.aws.vpc.subnets[...]
Required value: IPv6 CIDR not contained in machineNetwork or the existing error
message format) so the validator must check IPv6 containment for
functions/structures around Subnet (SubnetGroups, IPv6CIDR) and the machine
network validation path (withDualStackMachineNetworks /
networking.machineNetwork).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1ee23c8b-87af-4859-88ba-04ec5a619a8c

📥 Commits

Reviewing files that changed from the base of the PR and between 943a547 and f59258b.

📒 Files selected for processing (4)

• pkg/asset/installconfig/aws/instancetypes.go
• pkg/asset/installconfig/aws/subnet.go
• pkg/asset/installconfig/aws/validation.go
• pkg/asset/installconfig/aws/validation_test.go

🚧 Files skipped from review as they are similar to previous changes (3)

• pkg/asset/installconfig/aws/instancetypes.go
• pkg/asset/installconfig/aws/subnet.go
• pkg/asset/installconfig/aws/validation.go