openshift · liweinan · Mar 2, 2026
diff --git a/...penshift-tests-private/openshift-openshift-tests-private-release-4.22__amd64-nightly.yaml b/...penshift-tests-private/openshift-openshift-tests-private-release-4.22__amd64-nightly.yaml
@@ -1851,6 +1851,29 @@ tests:
     test:
     - chain: openshift-e2e-test-qe-destructive
     workflow: cucushift-installer-rehearse-aws-usgov-ipi-private-workers-marketplace
+- as: aws-eusc-ipi-private-f60
+  cron: 0 6 */60 * *
+  steps:
+    cluster_profile: aws-eusc-qe
+    env:
+      BASE_DOMAIN: qe.devcluster.openshift.com
+      AWS_EUSC_REGION: eusc-de-east-1
+      TEST_FILTERS: ~EdgeZones&;~HyperShiftMGMT&;~MicroShiftOnly&
+    test:
+    - chain: openshift-e2e-test-qe
+    workflow: cucushift-installer-rehearse-aws-eusc-ipi-private
+- as: aws-eusc-ipi-private-nlb-f60
+  cron: 0 12 */60 * *
+  steps:
+    cluster_profile: aws-eusc-qe
+    env:
+      BASE_DOMAIN: qe.devcluster.openshift.com
+      AWS_EUSC_REGION: eusc-de-east-1
+      AWS_LB_TYPE: NLB
+      TEST_FILTERS: ~EdgeZones&;~HyperShiftMGMT&;~MicroShiftOnly&
+    test:
+    - chain: openshift-e2e-test-qe
+    workflow: cucushift-installer-rehearse-aws-eusc-ipi-private
 - as: azure-aks-hypershift-arm-nodepool-guest-f7
   cron: 1 2 7,14,23,30 * *
   steps:

diff --git a/ci-operator/step-registry/cluster-profiles/cluster-profiles-config.yaml b/ci-operator/step-registry/cluster-profiles/cluster-profiles-config.yaml
@@ -616,6 +616,13 @@
         - openshift-tests-private
         - verification-tests
 
+- profile: aws-eusc-qe
+  owners:
+    - org: openshift
+      repos:
+        - openshift-tests-private
+        - verification-tests
+
 - profile: aws-autorelease-qe
   owners:
     - org: openshift

diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/eusc/ipi/private/OWNERS b/ci-operator/step-registry/cucushift/installer/rehearse/aws/eusc/ipi/private/OWNERS
@@ -0,0 +1,10 @@
+approvers:
+- jianlinliu
+- yunjiang29
+- gpei
+- liweinan
+reviewers:
+- jianlinliu
+- yunjiang29
+- gpei
+- liweinan
diff --git a/...arse/aws/eusc/ipi/private/cucushift-installer-rehearse-aws-eusc-ipi-private-workflow.yaml b/...arse/aws/eusc/ipi/private/cucushift-installer-rehearse-aws-eusc-ipi-private-workflow.yaml
@@ -0,0 +1,20 @@
+workflow:
+  as: cucushift-installer-rehearse-aws-eusc-ipi-private
+  steps:
+    pre:
+      - chain: cucushift-installer-rehearse-aws-eusc-ipi-private-provision
+      - ref: cucushift-installer-reportportal-marker
+    post:
+      - chain: cucushift-installer-rehearse-aws-eusc-ipi-private-deprovision
+      - ref: send-results-to-reportportal
+  documentation: |-
+    This workflow provisions an OpenShift cluster on AWS European Sovereign
+    Cloud (EUSC) using IPI with private network configuration, runs tests,
+    and deprovisions the cluster.
+
+    EUSC-specific features:
+    - Region: eusc-de-east-1 (Brandenburg, Germany)
+    - Partition: aws-eusc
+    - Custom service endpoints configuration
+    - Custom RHCOS AMI requirement
+    - 2 availability zones only (eusc-de-east-1a, eusc-de-east-1b)
diff --git a/...erator/step-registry/cucushift/installer/rehearse/aws/eusc/ipi/private/deprovision/OWNERS b/...erator/step-registry/cucushift/installer/rehearse/aws/eusc/ipi/private/deprovision/OWNERS
@@ -0,0 +1,10 @@
+approvers:
+- jianlinliu
+- yunjiang29
+- gpei
+- liweinan
+reviewers:
+- jianlinliu
+- yunjiang29
+- gpei
+- liweinan
diff --git a/...vate/deprovision/cucushift-installer-rehearse-aws-eusc-ipi-private-deprovision-chain.yaml b/...vate/deprovision/cucushift-installer-rehearse-aws-eusc-ipi-private-deprovision-chain.yaml
@@ -0,0 +1,6 @@
+chain:
+  as: cucushift-installer-rehearse-aws-eusc-ipi-private-deprovision
+  steps:
+  - chain: ipi-deprovision
+  documentation: |-
+    Deprovision an OpenShift cluster from AWS EUSC and collect artifacts.
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/eusc/ipi/private/provision/OWNERS b/ci-operator/step-registry/cucushift/installer/rehearse/aws/eusc/ipi/private/provision/OWNERS
@@ -0,0 +1,10 @@
+approvers:
+- jianlinliu
+- yunjiang29
+- gpei
+- liweinan
+reviewers:
+- jianlinliu
+- yunjiang29
+- gpei
+- liweinan
diff --git a/.../private/provision/cucushift-installer-rehearse-aws-eusc-ipi-private-provision-chain.yaml b/.../private/provision/cucushift-installer-rehearse-aws-eusc-ipi-private-provision-chain.yaml
@@ -0,0 +1,18 @@
+chain:
+  as: cucushift-installer-rehearse-aws-eusc-ipi-private-provision
+  steps:
+  - ref: ipi-conf
+  - ref: ipi-conf-telemetry
+  - ref: ipi-conf-aws
+  - ref: ipi-conf-aws-eusc-endpoints
+  - ref: ipi-conf-aws-eusc-ami
+  - chain: ipi-install
+  - chain: cucushift-installer-check
+  documentation: |-
+    Provision an OpenShift cluster on AWS European Sovereign Cloud (EUSC)
+    with private network configuration.
+
+    This chain configures EUSC-specific requirements:
+    - Service endpoints for eusc-de-east-1 region
+    - Custom RHCOS AMI (required for EUSC)
+    - Standard AWS IPI configuration
diff --git a/ci-operator/step-registry/ipi/conf/aws/eusc-ami/OWNERS b/ci-operator/step-registry/ipi/conf/aws/eusc-ami/OWNERS
@@ -0,0 +1,10 @@
+approvers:
+- jianlinliu
+- yunjiang29
+- gpei
+- liweinan
+reviewers:
+- jianlinliu
+- yunjiang29
+- gpei
+- liweinan
diff --git a/ci-operator/step-registry/ipi/conf/aws/eusc-ami/ipi-conf-aws-eusc-ami-commands.sh b/ci-operator/step-registry/ipi/conf/aws/eusc-ami/ipi-conf-aws-eusc-ami-commands.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+set -o nounset
+set -o errexit
+set -o pipefail
+
+CONFIG="${SHARED_DIR}/install-config.yaml"
+
+if [[ -z "${AWS_EUSC_AMI_ID}" ]]; then
+  echo "ERROR: AWS_EUSC_AMI_ID is not set. EUSC regions require custom RHCOS AMI."
+  echo "Please provide a valid AMI ID for eusc-de-east-1 region."
+  exit 1
+fi
+
+echo "Configuring custom RHCOS AMI: ${AWS_EUSC_AMI_ID}"
+
+# Create patch for custom AMI
+CONFIG_PATCH="${SHARED_DIR}/install-config-eusc-ami.yaml.patch"
+cat > "${CONFIG_PATCH}" << EOF
+platform:
+  aws:
+    amiID: ${AWS_EUSC_AMI_ID}
+EOF
+
+# Apply patch
+yq-go m -x -i "${CONFIG}" "${CONFIG_PATCH}"
+
+echo "Custom AMI configured successfully"
diff --git a/ci-operator/step-registry/ipi/conf/aws/eusc-ami/ipi-conf-aws-eusc-ami-ref.yaml b/ci-operator/step-registry/ipi/conf/aws/eusc-ami/ipi-conf-aws-eusc-ami-ref.yaml
@@ -0,0 +1,26 @@
+ref:
+  as: ipi-conf-aws-eusc-ami
+  from_image:
+    namespace: ocp
+    name: "4.22"
+    tag: upi-installer
+  commands: ipi-conf-aws-eusc-ami-commands.sh
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+  env:
+  - name: AWS_EUSC_AMI_ID
+    default: ""
+    documentation: |-
+      Custom RHCOS AMI ID for EUSC region. Required because no public
+      RHCOS AMIs are available in eusc-de-east-1.
+
+      This should be set in the cluster profile secrets or provided
+      via environment variable in the job configuration.
+  documentation: |-
+    Configure custom RHCOS AMI for AWS EUSC region.
+
+    EUSC regions do not have public RHCOS AMIs available, so a custom
+    AMI must be provided. This step configures the install-config.yaml
+    to use the specified AMI ID.
diff --git a/ci-operator/step-registry/ipi/conf/aws/eusc-endpoints/OWNERS b/ci-operator/step-registry/ipi/conf/aws/eusc-endpoints/OWNERS
@@ -0,0 +1,10 @@
+approvers:
+- jianlinliu
+- yunjiang29
+- gpei
+- liweinan
+reviewers:
+- jianlinliu
+- yunjiang29
+- gpei
+- liweinan
diff --git a/...perator/step-registry/ipi/conf/aws/eusc-endpoints/ipi-conf-aws-eusc-endpoints-commands.sh b/...perator/step-registry/ipi/conf/aws/eusc-endpoints/ipi-conf-aws-eusc-endpoints-commands.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+set -o nounset
+set -o errexit
+set -o pipefail
+
+CONFIG="${SHARED_DIR}/install-config.yaml"
+REGION="${AWS_EUSC_REGION}"
+
+echo "Configuring AWS EUSC service endpoints for region: ${REGION}"
+
+# EUSC service endpoints configuration
+# Note: Route53 is a global service, others are regional
+declare -A EUSC_ENDPOINTS=(
+  ["ec2"]="https://ec2.${REGION}.amazonaws.eu"
+  ["elasticloadbalancing"]="https://elasticloadbalancing.${REGION}.amazonaws.eu"
+  ["s3"]="https://s3.${REGION}.amazonaws.eu"
+  ["route53"]="https://route53.amazonaws.eu"
+  ["iam"]="https://iam.${REGION}.amazonaws.eu"
+  ["sts"]="https://sts.${REGION}.amazonaws.eu"
+  ["tagging"]="https://tagging.${REGION}.amazonaws.eu"
+)
+
+# Build serviceEndpoints YAML array
+ENDPOINTS_YAML=""
+for service_name in "${!EUSC_ENDPOINTS[@]}"; do
+  endpoint_url="${EUSC_ENDPOINTS[$service_name]}"
+  ENDPOINTS_YAML+="    - name: ${service_name}
+      url: ${endpoint_url}
+"
+  echo "  - ${service_name}: ${endpoint_url}"
+done
+
+# Create patch file
+CONFIG_PATCH="${SHARED_DIR}/install-config-eusc-endpoints.yaml.patch"
+cat > "${CONFIG_PATCH}" << EOF
+platform:
+  aws:
+    serviceEndpoints:
+${ENDPOINTS_YAML}
+EOF
+
+# Apply patch using yq-go
+echo "Applying EUSC endpoints patch to install-config.yaml..."
+yq-go m -a -x -i "${CONFIG}" "${CONFIG_PATCH}"
+
+echo "EUSC service endpoints configured successfully"
diff --git a/ci-operator/step-registry/ipi/conf/aws/eusc-endpoints/ipi-conf-aws-eusc-endpoints-ref.yaml b/ci-operator/step-registry/ipi/conf/aws/eusc-endpoints/ipi-conf-aws-eusc-endpoints-ref.yaml
@@ -0,0 +1,26 @@
+ref:
+  as: ipi-conf-aws-eusc-endpoints
+  from_image:
+    namespace: ocp
+    name: "4.22"
+    tag: upi-installer
+  commands: ipi-conf-aws-eusc-endpoints-commands.sh
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+  env:
+  - name: AWS_EUSC_REGION
+    default: "eusc-de-east-1"
+    documentation: |-
+      AWS EUSC region for deployment (currently only eusc-de-east-1 is supported)
+  documentation: |-
+    Configure AWS European Sovereign Cloud (EUSC) service endpoints.
+
+    EUSC requires explicit service endpoint configuration because AWS SDK v1
+    cannot automatically resolve endpoints in this new partition (aws-eusc).
+
+    This step configures all required service endpoints for eusc-de-east-1:
+    - EC2, ELB, S3 (regional services)
+    - Route53 (global service at route53.amazonaws.eu)
+    - IAM, STS, Tagging (regional services)