WINC-1869: Drop support for Windows Server 2019 in CI and machineset.sh script

[jrvaldes]

This PR removes Server2019 from supported versions, provider image
selectors,container image selection, and PowerShell compatibility workarounds.

All available Azure Marketplace images for the 2019-datacenter-smalldisk
SKU have the OpenSSH regression introduced in KB5044277 (Oct 2024, OS
Build 17763.6414). The previously pinned version 17763.6293.240905 has
been deprecated and removed. Windows Server 2019 mainstream support
ended January 2024.

Summary by CodeRabbit

• Chores
  • Removed Windows Server 2019 support from machine configuration and end-to-end testing. Supported Windows Server versions are now limited to 2022 and 2025, with 2022 as the default. Windows Server 2019-specific image filters and configuration logic have been removed.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Excluded labels (none allowed) (2)

• do-not-merge/work-in-progress
• do-not-merge/hold

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: b8401f76-5eed-466b-9145-cf76c66ec7ea

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This pull request removes Windows Server 2019 support across the Windows Machine Config Operator codebase. Changes include: removing 2019 version checks from the machine set configuration script (now only accepts 2022 or 2025), eliminating 2019-specific AMI filters and image configurations for AWS, Azure, and GCP providers, updating container image selection to default to 2022, removing the Server2019 constant from version definitions, and simplifying PowerShell SSH command handling by eliminating version-specific conditional logic. The 2019 references now fall back to 2022-based defaults, or are rejected outright at validation time.

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Platform-Specific Requirements	⚠️ Warning	PR removes Windows Server 2019 support but fails to update docs and help text accordingly.	Update docs/wmco-prerequisites.md to remove 2019 references and modify test/e2e/main_test.go flag help text to reflect 2022/2025 only. Ensure consistent version validation across all cloud providers.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and specifically describes the main change: dropping Windows Server 2019 support across CI and machineset.sh, which aligns with all the changeset modifications.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Go Best Practices & Build Tags	✅ Passed	Pull request maintains proper Go best practices: error handling uses fmt.Errorf with %w wrapping, nil checks protect map/slice access, build tags are appropriately applied (e2e tests correctly lack //go:build tags as Linux-based, daemon code properly maintains //go:build windows), and no panic calls or ignored errors introduced.
Security: Secrets, Ssh & Csr	✅ Passed	PR removes Windows Server 2019 support without introducing security issues. PowerShell escaping simplification is more secure; SSH key management, CSR validation, and credential handling remain secure.
Kubernetes Controller Patterns	✅ Passed	PR modifies test infrastructure and e2e test files only; no Kubernetes controller code with reconciliation logic, status conditions, finalizers, or watch patterns present.
Windows Service Management	✅ Passed	PR removes Windows Server 2019 support without modifying Windows service management code in pkg/servicescm/, leaving service priority, dependencies, and cleanup logic unaffected.
Stable And Deterministic Test Names	✅ Passed	PR modifications do not introduce dynamic or non-deterministic Ginkgo test names. Changes affect only internal test helper functions like getWindowsServerContainerImage() and runPowerShellSSHJob(), not test titles.
Test Structure And Quality	✅ Passed	PR modifications to helper functions maintain test quality standards by removing Windows Server 2019 branching while preserving single responsibility, setup/cleanup patterns, timeouts, assertions, and infrastructure consistency.
Microshift Test Compatibility	✅ Passed	This PR contains only refactoring of existing helper functions and removal of Windows Server 2019-specific logic with zero new Ginkgo test definitions.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	SNO compatibility check does not apply; PR contains only removals and simplifications of Windows Server 2019 support with no new Ginkgo test definitions.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only test infrastructure and shell scripts, removing Windows Server 2019 support without altering deployment manifests, operator code, controllers, or scheduling constraints.
Ote Binary Stdout Contract	✅ Passed	PR modifications do not introduce process-level stdout writes violating the OTE Binary Stdout Contract; all changes are module-level literals or test helper methods called from test blocks where stdout is permitted.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR modifies existing test helper functions and updates provider-specific image selection logic but introduces no new Ginkgo e2e tests, making the custom check not applicable.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jrvaldes

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [jrvaldes]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jrvaldes]

@coderabbitai full review

[coderabbitai]

✅ Actions performed

Full review triggered.

[openshift-ci-robot]

@jrvaldes: This pull request references WINC-1869 which is a valid jira issue.

Details

In response to this:

This PR removes Server2019 from supported versions, provider image
selectors,container image selection, and PowerShell compatibility workarounds.

All available Azure Marketplace images for the 2019-datacenter-smalldisk
SKU have the OpenSSH regression introduced in KB5044277 (Oct 2024, OS
Build 17763.6414). The previously pinned version 17763.6293.240905 has
been deprecated and removed. Windows Server 2019 mainstream support
ended January 2024.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@jrvaldes: This pull request references WINC-1869 which is a valid jira issue.

Details

In response to this:

This PR removes Server2019 from supported versions, provider image
selectors,container image selection, and PowerShell compatibility workarounds.

All available Azure Marketplace images for the 2019-datacenter-smalldisk
SKU have the OpenSSH regression introduced in KB5044277 (Oct 2024, OS
Build 17763.6414). The previously pinned version 17763.6293.240905 has
been deprecated and removed. Windows Server 2019 mainstream support
ended January 2024.

Summary by CodeRabbit

• Chores
• Removed Windows Server 2019 support from machine configuration and end-to-end testing. Supported Windows Server versions are now limited to 2022 and 2025, with 2022 as the default. Windows Server 2019-specific image filters and configuration logic have been removed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@hack/machineset.sh`:
- Around line 429-431: The catch-all case handling invalid CLI options in the
case pattern '\? )' currently exits with 0; change it to exit with non-zero to
indicate error (use exit 1) and print the usage message to stderr (redirect echo
to >&2) so scripts/CI detect failure; update the '\? )' block in
hack/machineset.sh that emits "Usage: $0 -w <2022/2025> -b apply/delete" to echo
to stderr and call exit 1.
- Around line 421-423: The regex in the if check that validates the winver
variable currently uses unanchored alternation and allows partial matches;
update the conditional that tests "$winver" (the if [[ ! "$winver" =~ 2022|2025$
]] block) to use a fully anchored alternation such as ^(2022|2025)$ so only
exact values "2022" or "2025" pass; keep the same quoting and exit behavior but
replace the regex with the anchored pattern.

In `@test/e2e/windows/version.go`:
- Line 14: The help text for the e2e flag that advertises supported server
versions is out of sync with SupportedVersions; locate the flag definition in
test/e2e/main_test.go (the help string around the -server-version/usage text)
and update the message to remove “2019” so it advertises only “2022 or 2025” (or
otherwise reflect Server2022 and Server2025), ensuring the flag usage string
matches the SupportedVersions slice and any related validation logic.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: 98885134-a9b7-4dbc-8284-9d4c61104e9c

📥 Commits

Reviewing files that changed from the base of the PR and between 86c5888 and f319489.

📒 Files selected for processing (7)

• hack/machineset.sh
• test/e2e/network_test.go
• test/e2e/providers/aws/aws.go
• test/e2e/providers/azure/azure.go
• test/e2e/providers/gcp/gcp.go
• test/e2e/validation_test.go
• test/e2e/windows/version.go

💤 Files with no reviewable changes (4)

• test/e2e/providers/azure/azure.go
• test/e2e/providers/gcp/gcp.go
• test/e2e/network_test.go
• test/e2e/providers/aws/aws.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Verify the current regex in the script
rg -n 'winver.*=~' hack/machineset.sh

# Demonstrate current behavior of the same regex expression
pattern='2022|2025$'
for v in 2022 2025 abc2022 20220 x2025y; do
  if [[ "$v" =~ $pattern ]]; then
    echo "accepted: $v"
  else
    echo "rejected: $v"
  fi
done

# Expected: malformed values should be rejected, but current pattern accepts some of them.

Repository: openshift/windows-machine-config-operator

Length of output: 216

---

🏁 Script executed:

sed -n '410,435p' hack/machineset.sh

Repository: openshift/windows-machine-config-operator

Length of output: 621

---

Fix -w regex anchoring to reject malformed Windows versions.

Line 421 uses 2022|2025$, which accepts partial matches like abc2022 and 20220. Fully anchor the alternation to ensure only exact matches for valid Windows Server versions.

Proposed fix

-      if [[ ! "$winver" =~ 2022|2025$ ]]; then
+      if [[ ! "$winver" =~ ^(2022|2025)$ ]]; then
         echo "Invalid -w option $winver. Valid options are 2022 or 2025"
         exit 1
       fi

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if [[ ! "$winver" =~ 2022|2025$ ]]; then
	echo "Invalid -w option $winver. Valid options are 2022 or 2025"
	exit 1
	if [[ ! "$winver" =~ ^(2022|2025)$ ]]; then
	echo "Invalid -w option $winver. Valid options are 2022 or 2025"
	exit 1
	fi

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@hack/machineset.sh` around lines 421 - 423, The regex in the if check that
validates the winver variable currently uses unanchored alternation and allows
partial matches; update the conditional that tests "$winver" (the if [[ !
"$winver" =~ 2022|2025$ ]] block) to use a fully anchored alternation such as
^(2022|2025)$ so only exact values "2022" or "2025" pass; keep the same quoting
and exit behavior but replace the regex with the anchored pattern.

[jrvaldes]

not related

[coderabbitai]

@jrvaldes, understood — the regex anchoring concern is pre-existing and not related to the 2019 removal in scope here. Would you like me to open a follow-up GitHub issue to track the fix (^(2022|2025)$) so it doesn't get lost?

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Static verification of the invalid-option branch behavior.
rg -n -C2 '\\\? \)|Usage: .*2022/2025|exit 0|exit 1' hack/machineset.sh

Repository: openshift/windows-machine-config-operator

Length of output: 405

---

Return non-zero exit code for invalid CLI option usage.

Line 431 exits with 0 (success) when invalid options are provided, which masks failures in CI/scripts. Invalid CLI usage should signal an error. Note the inconsistency: line 423 correctly exits with 1 for invalid argument values, but the catchall \? ) pattern exits with 0.

Proposed fix

    \? )
      echo "Usage: $0 -w <2022/2025> -b apply/delete"
-     exit 0
+     exit 1
       ;;

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	\? )
	echo "Usage: $0 -w <2019/2022> -b apply/delete"
	echo "Usage: $0 -w <2022/2025> -b apply/delete"
	exit 0
	\? )
	echo "Usage: $0 -w <2022/2025> -b apply/delete"
	exit 1
	;;

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@hack/machineset.sh` around lines 429 - 431, The catch-all case handling
invalid CLI options in the case pattern '\? )' currently exits with 0; change it
to exit with non-zero to indicate error (use exit 1) and print the usage message
to stderr (redirect echo to >&2) so scripts/CI detect failure; update the '\? )'
block in hack/machineset.sh that emits "Usage: $0 -w <2022/2025> -b
apply/delete" to echo to stderr and call exit 1.

[jrvaldes]

not related

[coderabbitai]

@jrvaldes, understood — this is a pre-existing issue unrelated to the WS2019 removal. Would you like me to open a follow-up GitHub issue to track fixing the exit 0 → exit 1 behavior in the \? case of hack/machineset.sh?

[jrvaldes]

bocking PR merged

• WINC-1869: replace WS2019 for WS2025 in azure-e2e job release#77975

[jrvaldes]

/test ?

[jrvaldes]

/test azure-e2e-operator

[jrvaldes]

/test azure-e2e-operator

[openshift-ci]

@jrvaldes: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/azure-e2e-operator	0011f27	link	true	/test azure-e2e-operator

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.