CNTRLPLANE-3527: Add Router to ServicePublishingStrategy for non-cloud platform support (#2024)

Open

vsolanki12 wants to merge 1 commit into openshift:master from vsolanki12:CNTRLPLANE-3527-router-service-publishing-strategy

Conversation

@vsolanki12


Why was this change needed?

The HCP private router Service is unconditionally created as LoadBalancer regardless of platform.
On management clusters without cloud load-balancer support (Agent, KubeVirt, None platforms), the
Service stays Pending indefinitely, blocking route status propagation and KAS service resolution.

OCPBUGS-77856 identified this issue. PR openshift/hypershift#8439 provided an initial fix using
platform auto-detection, but was closed after review identified that ClusterIP used for NodePort
services is not externally reachable.

What changes are being made?

This enhancement proposes adding Router as a new ServiceType in spec.services[], extending
the existing ServicePublishingStrategyMapping pattern to cover the private router. This gives
operators explicit control over the service type and external address used to reach HCP routes.

Key changes:

  • New Router ServiceType constant in the HostedCluster API
  • Reuses existing NodePortPublishingStrategy (address + port fields)
  • CPO reads the strategy to determine service type and external address
  • Backward compatible — no Router entry defaults to LoadBalancer

References
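The resolution logic the key changes describe (CPO reads the Router entry in spec.services[] to pick the Service type and external address, no entry keeps the LoadBalancer default), as an added example that is not part of this PR or of the HyperShift code base. The types below are simplified stand-ins for HyperShift's ServicePublishingStrategyMapping with assumed field names; ResolveRouterPublishing, RouterPublishing and the cpoSupportsRouter flag are hypothetical, and rejecting a LoadBalancer hostname or a NodePort entry without an address are this example's assumptions modelling points raised in the review discussion.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified stand-ins for the HyperShift API types discussed in the PR.
// Field names are assumptions for this example, not the project's definitions.
type ServiceType string
type PublishingStrategyType string

const (
	APIServer ServiceType = "APIServer"
	Router    ServiceType = "Router" // the new constant proposed by the enhancement

	LoadBalancer PublishingStrategyType = "LoadBalancer"
	NodePort     PublishingStrategyType = "NodePort"
	Route        PublishingStrategyType = "Route"
)

// NodePortPublishingStrategy carries the address + port fields the PR reuses.
type NodePortPublishingStrategy struct {
	Address string
	Port    int32 // 0 lets Kubernetes allocate the node port
}

type LoadBalancerPublishingStrategy struct {
	Hostname string
}

type ServicePublishingStrategy struct {
	Type         PublishingStrategyType
	NodePort     *NodePortPublishingStrategy
	LoadBalancer *LoadBalancerPublishingStrategy
}

type ServicePublishingStrategyMapping struct {
	Service                   ServiceType
	ServicePublishingStrategy ServicePublishingStrategy
}

// RouterPublishing is what the control plane operator derives for the private router.
type RouterPublishing struct {
	ServiceType     string // Kubernetes Service type to create
	ExternalAddress string // address used to reach HCP routes; empty means "read from LB status"
	Port            int32
}

// ErrInvalidConfiguration models the InvalidConfiguration condition a reviewer asked for.
var ErrInvalidConfiguration = errors.New("InvalidConfiguration")

// ResolveRouterPublishing applies the rules described in the PR: no Router entry keeps
// the old LoadBalancer behaviour; NodePort needs an explicit, externally reachable
// address (a bare ClusterIP is not reachable from outside, which is why the earlier
// auto-detection fix was closed); LoadBalancer must not carry a hostname; anything else
// is rejected. cpoSupportsRouter models the version-skew case of a CPO that predates
// the Router ServiceType: rather than silently creating a LoadBalancer that would stay
// Pending, the configuration is rejected with an explicit error.
func ResolveRouterPublishing(services []ServicePublishingStrategyMapping, cpoSupportsRouter bool) (RouterPublishing, error) {
	var entry *ServicePublishingStrategyMapping
	for i := range services {
		if services[i].Service == Router {
			entry = &services[i]
			break
		}
	}
	if entry == nil {
		return RouterPublishing{ServiceType: "LoadBalancer"}, nil // backward compatible default
	}
	if !cpoSupportsRouter {
		return RouterPublishing{}, fmt.Errorf("%w: spec.services has a Router entry but this control plane operator does not support it", ErrInvalidConfiguration)
	}
	s := entry.ServicePublishingStrategy
	switch s.Type {
	case LoadBalancer:
		if s.LoadBalancer != nil && s.LoadBalancer.Hostname != "" {
			return RouterPublishing{}, fmt.Errorf("%w: Router with LoadBalancer must not set a hostname; the router itself routes hostnames to control plane services", ErrInvalidConfiguration)
		}
		return RouterPublishing{ServiceType: "LoadBalancer"}, nil
	case NodePort:
		if s.NodePort == nil || s.NodePort.Address == "" {
			return RouterPublishing{}, fmt.Errorf("%w: Router with NodePort requires an externally reachable address", ErrInvalidConfiguration)
		}
		return RouterPublishing{ServiceType: "NodePort", ExternalAddress: s.NodePort.Address, Port: s.NodePort.Port}, nil
	default:
		return RouterPublishing{}, fmt.Errorf("%w: publishing strategy %q is not supported for Router", ErrInvalidConfiguration, s.Type)
	}
}

func main() {
	// Constructed sample: API server published via Route, router via NodePort on a bare-metal address.
	services := []ServicePublishingStrategyMapping{
		{Service: APIServer, ServicePublishingStrategy: ServicePublishingStrategy{Type: Route}},
		{Service: Router, ServicePublishingStrategy: ServicePublishingStrategy{
			Type:     NodePort,
			NodePort: &NodePortPublishingStrategy{Address: "192.0.2.10", Port: 30443},
		}},
	}
	rp, err := ResolveRouterPublishing(services, true)
	fmt.Printf("%+v err=%v\n", rp, err)
}
```

The NodePort branch deliberately refuses to fall back to a ClusterIP when no address is given, since that is the case the earlier auto-detection fix got wrong; the version-skew branch fails loudly instead of creating a LoadBalancer that would never get an address on the platforms this change targets.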

openshift-ci Bot added the do-not-merge/work-in-progress label on May 28, 2026
openshift-ci-robot added the jira/valid-reference label on May 28, 2026
openshift-ci Bot commented May 28, 2026


Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

openshift-ci-robot commented May 28, 2026


@vsolanki12: This pull request references CNTRLPLANE-3527 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "5.0.0" version, but no target version was set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

vsolanki12 force-pushed the CNTRLPLANE-3527-router-service-publishing-strategy branch from cd86889 to 1cf0499 on June 2, 2026 09:02
vsolanki12 force-pushed the CNTRLPLANE-3527-router-service-publishing-strategy branch from 1cf0499 to 6c965ef on June 10, 2026 09:24
vsolanki12 changed the title from "Enhancement CNTRLPLANE-3527: Add Router to ServicePublishingStrategy for non-cloud platform support" to "CNTRLPLANE-3527: Add Router to ServicePublishingStrategy for non-cloud platform support" on Jun 11, 2026
vsolanki12 force-pushed the CNTRLPLANE-3527-router-service-publishing-strategy branch from 8196c7e to ca4d4f6 on June 11, 2026 11:41

@csrwng csrwng left a comment


An initial pass

tracking-link:
- https://issues.redhat.com/browse/CNTRLPLANE-3527
authors:
- "@vsolanki"

csrwng (reviewer):

nit: pls use your github name

vsolanki12 (author):

Done, updated to @vsolanki12.

cloud load-balancer controllers.

This enhancement extends the existing `ServicePublishingStrategyMapping` pattern —
already used for `APIServer`, `Konnectivity`, `OAuthServer`, `Ignition`, `OVNSbDb`,

csrwng (reviewer):

It's not worth including OVNSbDb or OIDC, since they have been deprecated for a while now and are no longer relevant.

vsolanki12 (author):

Thank you, removed the OVNSbDb and OIDC references.

router provides an internal load balancer that keeps control plane traffic off the
public internet. Each hosted cluster gets its own isolated network path.

- **Custom DNS control** — Route publishing allows customers to specify explicit
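Review bot: the claim that the router "keeps control plane traffic off the public internet" should be qualified by publishing strategy. With the NodePort option this enhancement adds, the router is reachable at whatever node address and port the Router entry configures, so whether traffic stays private depends on where that address is routable, not on the router itself. Suggest stating that the isolation comes from the per-HCP Service being internal and that the Router entry's address must be chosen accordingly.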

csrwng (reviewer):

This is not exclusive to Route publishing (all strategies allow using custom DNS names). I would omit this section.

vsolanki12 (author):

Thank you, changed as per the suggestion.


- **Multi-tenant isolation** — Each hosted control plane gets its own dedicated
router, ensuring that traffic for one tenant's control plane does not traverse the
management cluster's shared ingress. This is important for customers running

csrwng (reviewer):

This is important for customers running...

I would omit this sentence, since for some use cases using the management cluster's router is fine.

vsolanki12 (author):

Thank you, changed as per the suggestion.


### Why Customers Choose Route Publishing

Self-managed HyperShift customers choose the `Route` publishing strategy because it

csrwng (reviewer):

It's worth clarifying that only 'Route' on APIServer results in a per hcp router.

vsolanki12 (author):

Done, updated as per the suggestion.

### What the HCP Router Does Today

When a HostedCluster uses the `Route` publishing strategy for control plane services
(particularly the Kubernetes API server), HyperShift deploys a dedicated HAProxy

csrwng (reviewer):

the dedicated HAProxy is only deployed if route is used for the Kube API server, no other case.

vsolanki12 (author):

Thank you, changed as per the suggestion.


The HCP router's LoadBalancer Service is created unconditionally, regardless of the
management cluster's platform. On platforms that lack a cloud load-balancer
controller — bare-metal Agent, KubeVirt, or None — the Service stays in `Pending`

csrwng (reviewer):

I would remove 'None' since that's not a supported platform.

vsolanki12 (author):

Thank you, changed as per the suggestion.

services:
- service: Router
servicePublishingStrategy:
type: LoadBalancer
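Review bot: this example only shows the LoadBalancer form, which is the existing default behaviour. Since the enhancement exists for management clusters where that Service stays Pending, the snippet should also show the NodePort form with the address and port fields the description says it reuses, so readers see the configuration that actually unblocks Agent and KubeVirt platforms.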

csrwng (reviewer):

It's worth noting that when LoadBalancer is specified, it makes no sense to specify a hostName for the LoadBalancer, since the router's job is to route other hostnames to control plane services.

vsolanki12 (author):

Thank you, changed as per the suggestion.


## Version Skew Strategy

- **HO knows Router but CPO doesn't**: CPO ignores it, creates LB (safe)
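Review bot: "creates LB (safe)" for the HO-knows-Router-but-CPO-doesn't case is not safe on the platforms this enhancement targets. Per the description, a LoadBalancer Service on a management cluster without cloud load-balancer support stays Pending indefinitely, so silently ignoring the Router entry reproduces the original bug with no signal to the operator. Suggest replacing the fallback with failed provisioning and an explicit condition that names the unsupported Router entry.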

csrwng (reviewer):

If you configure your HostedCluster with a router service and the CPO doesn't support it, the hostedcluster should fail to provision with an 'InvalidConfiguration' condition explaining why.

vsolanki12 (author):

Thank you, changed as per the suggestion.

vsolanki12 force-pushed the CNTRLPLANE-3527-router-service-publishing-strategy branch from 52c80b0 to 59532e1 on June 23, 2026 03:59
vsolanki12 marked this pull request as ready for review on June 23, 2026 12:37
openshift-ci Bot removed the do-not-merge/work-in-progress label on Jun 23, 2026
openshift-ci Bot requested review from csrwng and enxebre on June 23, 2026 12:38
vsolanki12 force-pushed the CNTRLPLANE-3527-router-service-publishing-strategy branch from 083b8ac to a3647ac on June 23, 2026 13:04
…atforms

Signed-off-by: Vimal Solanki <vsolanki@redhat.com>
vsolanki12 force-pushed the CNTRLPLANE-3527-router-service-publishing-strategy branch from 52516f0 to 0f03441 on June 24, 2026 13:21

openshift-ci Bot commented Jun 24, 2026


@vsolanki12: all tests passed!


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

csrwng added the approved label on Jun 29, 2026

openshift-ci Bot commented Jun 29, 2026


[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
