Address yunfei's review comments on PR #75568:

1. Job naming convention:
   - Rename jobs from -f60 to -f7 suffix (non-destructive tests)
   - Update cron schedule to standard f7 pattern: 7,14,23,30

2. Private cluster configuration:
   - Add complete private cluster setup with bastion host
   - Add VPC, security groups, and proxy configuration
   - Set PUBLISH=Internal for private cluster access
   - Add minimal IAM permission provisioning
   - Follow pattern from cucushift-installer-rehearse-aws-ipi-private-provision

3. Generalize step registry components for maximum reusability:

   a) Enhance ipi-conf-aws-custom-endpoints for all AWS partitions:
      - Add AWS_DOMAIN_SUFFIX env var (defaults to amazonaws.com)
      - Support amazonaws.eu (EUSC), amazonaws.com.cn (China)
      - Allow full URLs for maximum flexibility
      - Remove obsolete ipi-conf-aws-eusc-endpoints step

   b) Extend ipi-conf-aws to support custom AMI configuration:
      - Add AWS_AMI_ID env var for custom RHCOS AMI
      - Useful for EUSC, China, GovCloud, or any partition without public AMIs
      - Fix deprecated amiID field -> defaultMachinePlatform.amiID
      - Auto-detection still works for C2S/SC2S
      - Remove obsolete ipi-conf-aws-eusc-ami step

   c) EUSC provision chain now uses only generic steps with env config

This refactoring reduces code duplication (net -59 lines) and makes step
components reusable across all AWS partitions.

Author: liweinan

ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.22__amd64-nightly.yaml

@@ -1851,8 +1851,8 @@ tests:
     test:
     - chain: openshift-e2e-test-qe-destructive
     workflow: cucushift-installer-rehearse-aws-usgov-ipi-private-workers-marketplace
-- as: aws-eusc-ipi-private-f60
-  cron: 0 6 */60 * *
+- as: aws-eusc-ipi-private-f7
+  cron: 0 6 7,14,23,30 * *
   steps:
     cluster_profile: aws-eusc
     env:
@@ -1862,8 +1862,8 @@ tests:
     test:
     - chain: openshift-e2e-test-qe
     workflow: cucushift-installer-rehearse-aws-eusc-ipi-private
-- as: aws-eusc-ipi-private-nlb-f60
-  cron: 0 12 */60 * *
+- as: aws-eusc-ipi-private-nlb-f7
+  cron: 1 12 7,14,23,30 * *
   steps:
     cluster_profile: aws-eusc
     env:

ci-operator/step-registry/cucushift/installer/rehearse/aws/eusc/ipi/private/provision/cucushift-installer-rehearse-aws-eusc-ipi-private-provision-chain.yaml

@@ -3,16 +3,66 @@ chain:
   steps:
   - ref: ipi-conf
   - ref: ipi-conf-telemetry
+  - ref: aws-provision-vpc-shared
+  - chain: aws-provision-bastionhost
+  - ref: aws-provision-security-group
+  - ref: ipi-conf-aws-custom-vpc
   - ref: ipi-conf-aws
-  - ref: ipi-conf-aws-eusc-endpoints
-  - ref: ipi-conf-aws-eusc-ami
+  - ref: ipi-conf-aws-custom-security-groups
+  - ref: ipi-conf-aws-custom-endpoints
+  - ref: ipi-install-monitoringpvc
+  - ref: proxy-config-generate
+  - ref: ipi-conf-aws-usage-info
+  - chain: aws-provision-iam-user-minimal-permission
   - chain: ipi-install
+  - ref: aws-provision-tags-for-byo-vpc
+  - ref: cucushift-installer-check-aws-custom-vpc
+  - ref: enable-qe-catalogsource
   - chain: cucushift-installer-check
+  env:
+  - name: AWS_DOMAIN_SUFFIX
+    default: "amazonaws.eu"
+    documentation: "AWS domain suffix for EUSC partition"
+  - name: SERVICE_ENDPOINT_EC2
+    default: "DEFAULT_ENDPOINT"
+    documentation: "EC2 service endpoint"
+  - name: SERVICE_ENDPOINT_ELB
+    default: "DEFAULT_ENDPOINT"
+    documentation: "ELB service endpoint"
+  - name: SERVICE_ENDPOINT_S3
+    default: "DEFAULT_ENDPOINT"
+    documentation: "S3 service endpoint"
+  - name: SERVICE_ENDPOINT_IAM
+    default: "DEFAULT_ENDPOINT"
+    documentation: "IAM service endpoint"
+  - name: SERVICE_ENDPOINT_TAGGING
+    default: "DEFAULT_ENDPOINT"
+    documentation: "Tagging service endpoint"
+  - name: SERVICE_ENDPOINT_ROUTE53
+    default: "https://route53.amazonaws.eu"
+    documentation: "Route53 service endpoint (global for EUSC)"
+  - name: SERVICE_ENDPOINT_STS
+    default: "DEFAULT_ENDPOINT"
+    documentation: "STS service endpoint"
+  - name: CONTROL_PLANE_INSTANCE_TYPE
+    default: "m6i.xlarge"
+    documentation: "Instance type for control plane nodes"
+  - name: COMPUTE_NODE_TYPE
+    default: "m5.xlarge"
+    documentation: "Instance type for compute nodes"
+  - name: PUBLISH
+    default: "Internal"
+    documentation: "Cluster publish strategy for private cluster."
   documentation: |-
-    Provision an OpenShift cluster on AWS European Sovereign Cloud (EUSC)
-    with private network configuration.
+    Provision a private OpenShift cluster on AWS European Sovereign Cloud (EUSC).
 
     This chain configures EUSC-specific requirements:
-    - Service endpoints for eusc-de-east-1 region
-    - Custom RHCOS AMI (required for EUSC)
-    - Standard AWS IPI configuration
+    - Private network with bastion host for installer access
+    - Service endpoints for eusc-de-east-1 region (.amazonaws.eu domain)
+    - Custom RHCOS AMI (set AWS_AMI_ID in cluster profile secret or job env)
+    - Custom VPC and security groups
+    - Minimal IAM permissions
+    - Internal publish strategy (publish: Internal)
+
+    Note: AWS_AMI_ID must be provided as EUSC regions don't have public RHCOS AMIs.
+    It should be defined in the cluster profile secret or passed as environment variable.

ci-operator/step-registry/ipi/conf/aws/custom-endpoints/ipi-conf-aws-custom-endpoints-commands.sh

@@ -2,17 +2,24 @@
 
 REGION="${LEASED_RESOURCE}"
 CONFIG="${SHARED_DIR}/install-config.yaml"
+# Support different AWS partitions (commercial, GovCloud, China, EUSC, etc.)
+AWS_DOMAIN_SUFFIX="${AWS_DOMAIN_SUFFIX:-amazonaws.com}"
 
 function patch_endpoint()
 {
   local service_name=$1
   local custom_service_endpoint=$2
   local config_patch="${SHARED_DIR}/install-config-${service_name}.yaml.patch"
-  if [ "$custom_service_endpoint" == "DEFAULT_ENDPOINT" ]; then
-    ep="https://${service_name}.${REGION}.amazonaws.com"
+
+  # If the value starts with http, use it as-is (full URL)
+  if [[ "$custom_service_endpoint" =~ ^https?:// ]]; then
+    ep="$custom_service_endpoint"
+  elif [ "$custom_service_endpoint" == "DEFAULT_ENDPOINT" ]; then
+    ep="https://${service_name}.${REGION}.${AWS_DOMAIN_SUFFIX}"
   else
-    ep="https://${custom_service_endpoint}.${REGION}.amazonaws.com"
+    ep="https://${custom_service_endpoint}.${REGION}.${AWS_DOMAIN_SUFFIX}"
   fi
+
   cat > "${config_patch}" << EOF
 platform:
   aws:

ci-operator/step-registry/ipi/conf/aws/custom-endpoints/ipi-conf-aws-custom-endpoints-ref.yaml

@@ -11,10 +11,15 @@ ref:
       cpu: 10m
       memory: 100Mi
   env:
+  - name: AWS_DOMAIN_SUFFIX
+    default: "amazonaws.com"
+    documentation: |-
+      AWS domain suffix for service endpoints. Use "amazonaws.com" for commercial,
+      "amazonaws.com.cn" for China, "amazonaws.eu" for EUSC partition.
   - name: SERVICE_ENDPOINT_EC2
     default: ""
     documentation: |-
-      ec2 endpoint
+      ec2 endpoint (can be service name, partial URL, or full URL starting with https://)
   - name: SERVICE_ENDPOINT_ELB
     default: ""
     documentation: |-
@@ -52,6 +57,15 @@ ref:
     documentation: |-
       kms endpoint
   documentation: |-
-    Generate configurations for custom endpoints.
-    If SERVICE_ENDPOINT_* value is "DEFAULT_ENDPOINT", then the endpoint will be set to https://${service_name}.${REGION}.amazonaws.com
+    Generate configurations for custom endpoints for different AWS partitions.
+
+    Set AWS_DOMAIN_SUFFIX to specify the domain (default: "amazonaws.com"):
+    - Commercial: amazonaws.com
+    - China: amazonaws.com.cn
+    - EUSC: amazonaws.eu
+
+    For SERVICE_ENDPOINT_* variables:
+    - "DEFAULT_ENDPOINT" -> https://${service_name}.${REGION}.${AWS_DOMAIN_SUFFIX}
+    - Full URL (starts with https://) -> use as-is
+    - Partial value -> https://${value}.${REGION}.${AWS_DOMAIN_SUFFIX}