fix: make PODVM_INSTANCE_TYPES configurable in peerpods-param-cm step

[thejasn]

Replace the hardcoded list of AWS instance types with an env var ${PODVM_INSTANCE_TYPES:-} so callers can override it. The default retains all original types except p3.2xlarge, which is not available in all regions. CAA validates all entries at startup, so only types available in the target region should be included.

Summary by CodeRabbit

This PR updates OpenShift CI configuration for the Sandboxed Containers Operator peer-pods setup by making the AWS instance-type list configurable.

What changed (practical effect)

• The peerpods-param-cm step (ci-operator step ref and its command script) now reads PODVM_INSTANCE_TYPES from an environment variable instead of using a hardcoded list. Callers can override the instance-type list by setting PODVM_INSTANCE_TYPES when invoking the step.
• The step reference (sandboxed-containers-operator-peerpods-param-cm-ref.yaml) declares the PODVM_INSTANCE_TYPES env var with a default value: "t3.small,t3.medium,t3.large,t3.xlarge,g4dn.2xlarge,g5.2xlarge". The default omits the previously included p3.2xlarge because it is not available in all regions.
• The command script (sandboxed-containers-operator-peerpods-param-cm-commands.sh) populates the peerpods-param-cm ConfigMap with PODVM_INSTANCE_TYPES from that env var.

Why it matters

• CI jobs running peer-pods tests can now choose instance types appropriate for the target AWS region (CAA validates availability at startup), improving portability and avoiding region-specific failures.

[coderabbitai]

Walkthrough

The ref manifest declares an env var PODVM_INSTANCE_TYPES with a default AWS instance-type list; the commands script now inserts ${PODVM_INSTANCE_TYPES} into the AWS peerpods-param-cm, falling back to an empty string when the env var is unset.

Changes

Configurable PODVM Instance Types

Layer / File(s)	Summary
PODVM instance type configurability ci-operator/step-registry/sandboxed-containers-operator/peerpods/param-cm/sandboxed-containers-operator-peerpods-param-cm-ref.yaml, ci-operator/step-registry/sandboxed-containers-operator/peerpods/param-cm/sandboxed-containers-operator-peerpods-param-cm-commands.sh	Adds PODVM_INSTANCE_TYPES env var to the ref manifest with default t3.small,t3.medium,t3.large,t3.xlarge,g4dn.2xlarge,g5.2xlarge. The commands script uses ${PODVM_INSTANCE_TYPES} when rendering the AWS peerpods-param-cm, using an empty-string fallback if unset.

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: making PODVM_INSTANCE_TYPES configurable in the peerpods-param-cm step, which is the core modification across both modified files.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR modifies CI configuration files (shell scripts and YAML), not Ginkgo tests. Custom check for stable test names is not applicable to CI/CD configuration changes.
Test Structure And Quality	✅ Passed	The PR modifies CI/CD configuration files (shell script, YAML, JSON) - no Ginkgo test files are present. The custom check is not applicable to this PR's scope.
Microshift Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR; changes are CI operator configuration files only. The custom check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR does not add any Ginkgo e2e tests; changes are limited to CI configuration files (bash script and YAML reference) for AWS peerpods parameter ConfigMap generation.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only CI test infrastructure files (shell scripts and step references), not deployment manifests or operator code. No scheduling constraints are introduced.
Ote Binary Stdout Contract	✅ Passed	PR modifies shell scripts and YAML configs, not OTE binaries or Go test code. OTE stdout contract check is inapplicable to CI infrastructure shell scripts.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests were added in this PR. Changes are limited to CI/CD configuration files (shell script and YAML), not test code, so the IPv6/disconnected network compatibility check does not apply.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

ci-operator/step-registry/sandboxed-containers-operator/peerpods/param-cm/sandboxed-containers-operator-peerpods-param-cm-commands.sh (1)

1-1: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Add required set -euo pipefail at the beginning of the script.

This script is missing the required error-handling flags. As per coding guidelines, step registry script files must use set -euo pipefail (without -x) as default. Without these flags, command failures may be silently ignored (e.g., the AWS CLI calls on lines 40-44 or the oc commands), leading to subtle bugs.

🛡️ Proposed fix

 #!/bin/bash
+set -euo pipefail

As per coding guidelines: "Step registry script files must use set -euo pipefail (without -x) as default and only enable -x when actively debugging"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/sandboxed-containers-operator/peerpods/param-cm/sandboxed-containers-operator-peerpods-param-cm-commands.sh`
at line 1, Add the required strict-shell flags to the top of the script:
immediately after the existing shebang (#!/bin/bash) insert a single line "set
-euo pipefail" (do not add -x). This ensures failures in subsequent commands
(including the AWS CLI calls and the oc commands referenced in the script) cause
the script to exit and prevents silent failures.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In
`@ci-operator/step-registry/sandboxed-containers-operator/peerpods/param-cm/sandboxed-containers-operator-peerpods-param-cm-commands.sh`:
- Line 1: Add the required strict-shell flags to the top of the script:
immediately after the existing shebang (#!/bin/bash) insert a single line "set
-euo pipefail" (do not add -x). This ensures failures in subsequent commands
(including the AWS CLI calls and the oc commands referenced in the script) cause
the script to exit and prevents silent failures.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 4215aa55-4966-42f3-8d1d-d6fabe6aa442

📥 Commits

Reviewing files that changed from the base of the PR and between 97df009 and 3d2dd5e.

📒 Files selected for processing (2)

• ci-operator/step-registry/sandboxed-containers-operator/peerpods/param-cm/sandboxed-containers-operator-peerpods-param-cm-commands.sh
• ci-operator/step-registry/sandboxed-containers-operator/peerpods/param-cm/sandboxed-containers-operator-peerpods-param-cm-ref.yaml

[vvoronko]

LGTM

[ldoktor]

Hello @thejasn I like your change, could you please separate the value change (removal of p3.2xlarge) and the introduction of the PODVM_INSTANCE_TYPES variable so in case of a revert or investigation of why things changed it's easily bisectable?

One more thing to consider is the defaults handling. I'd suggest having it only on one place, therefore remove it from the commands.sh as it will be set via the yaml file. That way we have only one place to modify and they will be always in sync. Another acceptable solution would be to set PODVM_INSTANCES_TYPES to "" in the yaml file and rely on commands.sh defaults. But I'd really like to see just one place to configure this value.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

ci-operator/step-registry/sandboxed-containers-operator/peerpods/param-cm/sandboxed-containers-operator-peerpods-param-cm-commands.sh (1)

1-2: 🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Add required error handling: set -euo pipefail

Step registry command scripts must include set -euo pipefail (without -x) after the shebang to ensure proper error handling: exit on undefined variables, command failures, and pipe failures.

🛡️ Proposed fix

 #!/bin/bash
+set -euo pipefail
 

As per coding guidelines: Step registry script files must use set -euo pipefail (without -x) as default and only enable -x when actively debugging.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/sandboxed-containers-operator/peerpods/param-cm/sandboxed-containers-operator-peerpods-param-cm-commands.sh`
around lines 1 - 2, The script currently only has the shebang (#!/bin/bash) and
is missing robust error handling; immediately after the shebang add the required
shell options by enabling errexit, nounset and pipefail (i.e., use set -euo
pipefail without -x) so the script exits on command failures, undefined
variables, and pipe errors; update the top of the
sandboxed-containers-operator-peerpods-param-cm-commands.sh script by inserting
this set invocation directly after the existing #! /bin/bash line.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In
`@ci-operator/step-registry/sandboxed-containers-operator/peerpods/param-cm/sandboxed-containers-operator-peerpods-param-cm-commands.sh`:
- Around line 1-2: The script currently only has the shebang (#!/bin/bash) and
is missing robust error handling; immediately after the shebang add the required
shell options by enabling errexit, nounset and pipefail (i.e., use set -euo
pipefail without -x) so the script exits on command failures, undefined
variables, and pipe errors; update the top of the
sandboxed-containers-operator-peerpods-param-cm-commands.sh script by inserting
this set invocation directly after the existing #! /bin/bash line.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: efb16548-5dad-43f6-b2f4-f3c7bc97a6e6

📥 Commits

Reviewing files that changed from the base of the PR and between 3d2dd5e and b8eb232.

📒 Files selected for processing (2)

• ci-operator/step-registry/sandboxed-containers-operator/peerpods/param-cm/sandboxed-containers-operator-peerpods-param-cm-commands.sh
• ci-operator/step-registry/sandboxed-containers-operator/peerpods/param-cm/sandboxed-containers-operator-peerpods-param-cm-ref.yaml

[ldoktor]

/pj-rehearse periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate420-aws-ipi-peerpods

[openshift-merge-bot]

@ldoktor: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[ldoktor]

thanks, lgtm, only consider the removal of :- to be consistent with the other variables setting.

[thejasn]

/pj-rehearse periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate420-aws-ipi-peerpods

[openshift-merge-bot]

@thejasn: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@thejasn: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate421-azure-ipi-kata	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate420-azure-ipi-kata	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate418-aws-ipi-peerpods	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate419-azure-ipi-coco	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate418-azure-ipi-kata	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-release-aro-ipi-coco	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate421-aws-ipi-peerpods	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate-aws-ipi-coco	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate421-aro-ipi-peerpods	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate-azure-ipi-peerpods	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate417-azure-ipi-peerpods	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate418-aws-ipi-coco	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate420-azure-ipi-peerpods	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate419-aws-ipi-peerpods	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-release-aws-ipi-peerpods	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate420-azure-ipi-coco	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate421-aws-ipi-coco	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate417-aro-ipi-peerpods	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate419-azure-ipi-peerpods	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-release-aro-ipi-peerpods	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate418-aro-ipi-coco	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate417-aws-ipi-peerpods	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate419-azure-ipi-kata	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate417-aro-ipi-coco	N/A	periodic	Registry content changed
periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate421-azure-ipi-coco	N/A	periodic	Registry content changed

A total of 49 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

ci-operator/step-registry/sandboxed-containers-operator/peerpods/param-cm/sandboxed-containers-operator-peerpods-param-cm-commands.sh (1)

1-1: 🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Add required set -euo pipefail at script start.

Step registry command scripts must use set -euo pipefail (without -x) as default. This pre-existing omission reduces error detection: -e would halt on command failures, -u would catch unset variable references, and -o pipefail would detect failures in pipelines.

As per coding guidelines, step registry scripts must follow this pattern.

🛡️ Proposed fix

 #!/bin/bash
+set -euo pipefail

 if [ "$ENABLEPEERPODS" != "true" ]; then

Note: After adding set -u, verify that all variable references are either guaranteed to be set or use the ${VAR:-default} pattern. In this case, PODVM_INSTANCE_TYPES is set by the ref file's default (line 19 in the .yaml), so line 72's ${PODVM_INSTANCE_TYPES} will work correctly.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/sandboxed-containers-operator/peerpods/param-cm/sandboxed-containers-operator-peerpods-param-cm-commands.sh`
at line 1, Add "set -euo pipefail" as the very first executable line of the
script (without "-x") to ensure the script exits on errors, treats unset
variables as errors, and catches pipeline failures; after adding it, audit any
variable usages and replace any potentially unset references with a safe default
or explicit check (e.g., use ${VAR:-default}) where needed — specifically verify
the use of PODVM_INSTANCE_TYPES in the script is safe (it is expected to be
provided by the ref file) and adjust any other variable references accordingly.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In
`@ci-operator/step-registry/sandboxed-containers-operator/peerpods/param-cm/sandboxed-containers-operator-peerpods-param-cm-commands.sh`:
- Line 1: Add "set -euo pipefail" as the very first executable line of the
script (without "-x") to ensure the script exits on errors, treats unset
variables as errors, and catches pipeline failures; after adding it, audit any
variable usages and replace any potentially unset references with a safe default
or explicit check (e.g., use ${VAR:-default}) where needed — specifically verify
the use of PODVM_INSTANCE_TYPES in the script is safe (it is expected to be
provided by the ref file) and adjust any other variable references accordingly.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: ae630367-38f5-427b-b103-9d3ee86383b2

📥 Commits

Reviewing files that changed from the base of the PR and between b8eb232 and f32aa65.

📒 Files selected for processing (2)

• ci-operator/step-registry/sandboxed-containers-operator/peerpods/param-cm/sandboxed-containers-operator-peerpods-param-cm-commands.sh
• ci-operator/step-registry/sandboxed-containers-operator/peerpods/param-cm/sandboxed-containers-operator-peerpods-param-cm-ref.yaml

[ldoktor]

thanks, lgtm

[wainersm]

/lgtm

Thanks @thejasn !

[wainersm]

/pj-rehearse periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate420-aws-ipi-peerpods

[openshift-merge-bot]

@wainersm: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ldoktor, thejasn, wainersm

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• ci-operator/step-registry/sandboxed-containers-operator/peerpods/param-cm/OWNERS [ldoktor,wainersm]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@thejasn: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/rehearse/periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate420-aws-ipi-peerpods	f32aa65	link	unknown	/pj-rehearse periodic-ci-openshift-sandboxed-containers-operator-devel-downstream-candidate420-aws-ipi-peerpods

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.