CNTRLPLANE-3527: Add Router to ServicePublishingStrategy for non-cloud platform support#2024
Skipping CI for Draft Pull Request.
@vsolanki12: This pull request references CNTRLPLANE-3527 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "5.0.0" version, but no target version was set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
cd86889 to 1cf0499
1cf0499 to 6c965ef
8196c7e to ca4d4f6
> ```yaml
> tracking-link:
> - https://issues.redhat.com/browse/CNTRLPLANE-3527
> authors:
> - "@vsolanki"
> ```
nit: please use your GitHub name
> cloud load-balancer controllers.
>
> This enhancement extends the existing `ServicePublishingStrategyMapping` pattern —
> already used for `APIServer`, `Konnectivity`, `OAuthServer`, `Ignition`, `OVNSbDb`,
It's not worth including OVNSbDb or OIDC, since they have been deprecated for a while now and are no longer relevant.
thank you, removed OVNSbDb and OIDC references.
> router provides an internal load balancer that keeps control plane traffic off the
> public internet. Each hosted cluster gets its own isolated network path.
>
> - **Custom DNS control** — Route publishing allows customers to specify explicit
This is not exclusive to Route publishing (all strategies allow using custom DNS names). I would omit this section.
Thank you, changed as per the suggestion.
> - **Multi-tenant isolation** — Each hosted control plane gets its own dedicated
> router, ensuring that traffic for one tenant's control plane does not traverse the
> management cluster's shared ingress. This is important for customers running
> This is important for customers running...

I would omit this sentence, since for some use cases using the management cluster's router is fine.
Thank you, changed as per the suggestion.
> ### Why Customers Choose Route Publishing
>
> Self-managed HyperShift customers choose the `Route` publishing strategy because it
It's worth clarifying that only 'Route' on APIServer results in a per-HCP router.
Done, updated as per suggestion.
> ### What the HCP Router Does Today
>
> When a HostedCluster uses the `Route` publishing strategy for control plane services
> (particularly the Kubernetes API server), HyperShift deploys a dedicated HAProxy
The dedicated HAProxy is only deployed if Route is used for the Kube API server, and in no other case.
Thank you, changed as per the suggestion.
> The HCP router's LoadBalancer Service is created unconditionally, regardless of the
> management cluster's platform. On platforms that lack a cloud load-balancer
> controller — bare-metal Agent, KubeVirt, or None — the Service stays in `Pending`
I would remove 'None' since that's not a supported platform.
Thank you, changed as per the suggestion.
> ```yaml
> services:
> - service: Router
>   servicePublishingStrategy:
>     type: LoadBalancer
> ```
It's worth noting that when LoadBalancer is specified, it makes no sense to specify a hostName for the LoadBalancer, since the router's job is to route other hostnames to control plane services.
Thank you, changed as per the suggestion.
> ## Version Skew Strategy
>
> - **HO knows Router but CPO doesn't**: CPO ignores it, creates LB (safe)
If you configure your HostedCluster with a router service and the CPO doesn't support it, the hostedcluster should fail to provision with an 'InvalidConfiguration' condition explaining why.
Thank you, changed as per the suggestion.
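Pulling together the constraints raised in the review threads above (a dedicated per-HCP router exists only when `APIServer` is published via `Route`; a `Router` entry of type `LoadBalancer` has no business carrying a hostname; a `NodePort` entry needs an externally reachable address because the Service ClusterIP is not), here is a pre-flight validator for the `spec.services` list. This is an added example for this thread, not code from the enhancement or from HyperShift. It assumes, without confirmation from the PR, that the `Router` entry uses the same field layout as the existing strategies (`servicePublishingStrategy.type`, `loadBalancer.hostname`, `nodePort.address`, `nodePort.port`), that only `LoadBalancer` and `NodePort` are meaningful for `Router`, and that `nodePort.port` may be omitted for automatic allocation. The sample specs are constructed.

```python
"""Pre-flight validation of a HostedCluster spec.services list that includes the
proposed Router entry.

Added example for the review thread, not code from the enhancement or HyperShift.
Assumptions (not confirmed by the PR): Router uses the same field layout as the
existing strategies (servicePublishingStrategy.{type, loadBalancer.hostname,
nodePort.address, nodePort.port}); only LoadBalancer and NodePort are meaningful
for Router; nodePort.port may be omitted for automatic allocation.
"""
from dataclasses import dataclass

ROUTER_ALLOWED_TYPES = ("LoadBalancer", "NodePort")


@dataclass(frozen=True)
class Finding:
    severity: str  # "error" or "warning"
    message: str


def _strategy(entry: dict) -> dict:
    return entry.get("servicePublishingStrategy") or {}


def validate_services(services: list) -> list:
    """Return Findings for spec.services. An empty list means the Router entry is sane."""
    findings = []
    by_name = {}
    for entry in services:
        name = entry.get("service")
        if name in by_name:
            findings.append(Finding("error", f"duplicate spec.services entry for {name}"))
        by_name[name] = entry

    router = by_name.get("Router")
    if router is None:
        return findings  # proposal: Router defaults to LoadBalancer, nothing to check

    apiserver = by_name.get("APIServer")
    if apiserver is None or _strategy(apiserver).get("type") != "Route":
        # Review point: the dedicated HAProxy router is only deployed when the
        # Kube API server itself is published through a Route.
        findings.append(Finding("warning",
            "Router entry has no effect: the per-HCP router is only deployed when "
            "APIServer uses the Route publishing strategy"))

    strategy = _strategy(router)
    stype = strategy.get("type")
    if stype not in ROUTER_ALLOWED_TYPES:
        findings.append(Finding("error",
            f"Router servicePublishingStrategy.type must be one of {ROUTER_ALLOWED_TYPES}, got {stype!r}"))
        return findings

    if stype == "LoadBalancer":
        # Review point: the router forwards other hostnames to control plane
        # services, so a hostname on the router's own LoadBalancer is meaningless.
        if (strategy.get("loadBalancer") or {}).get("hostname"):
            findings.append(Finding("error",
                "Router of type LoadBalancer must not set loadBalancer.hostname"))
    else:  # NodePort: the address stands in for what the LoadBalancer would have provided
        node_port = strategy.get("nodePort") or {}
        if not node_port.get("address"):
            findings.append(Finding("error",
                "Router of type NodePort requires nodePort.address (a reachable node address; "
                "the Service ClusterIP is not externally reachable)"))
        port = node_port.get("port")  # assumed optional: omitted means auto-allocate
        if port is not None and not (isinstance(port, int) and 1 <= port <= 65535):
            findings.append(Finding("error",
                f"Router nodePort.port must be 1-65535 when set, got {port!r}"))
    return findings


def has_errors(findings: list) -> bool:
    return any(f.severity == "error" for f in findings)


# Constructed sample specs (not taken from any real cluster).
SAMPLE_OK = [
    {"service": "APIServer", "servicePublishingStrategy": {"type": "Route"}},
    {"service": "Router", "servicePublishingStrategy": {
        "type": "NodePort", "nodePort": {"address": "192.0.2.10", "port": 30443}}},
]
SAMPLE_LB_HOSTNAME = [
    {"service": "APIServer", "servicePublishingStrategy": {"type": "Route"}},
    {"service": "Router", "servicePublishingStrategy": {
        "type": "LoadBalancer", "loadBalancer": {"hostname": "router.example.com"}}},
]
SAMPLE_KAS_NOT_ROUTE = [
    {"service": "APIServer", "servicePublishingStrategy": {"type": "LoadBalancer"}},
    {"service": "Router", "servicePublishingStrategy": {"type": "LoadBalancer"}},
]
SAMPLE_NODEPORT_NO_ADDRESS = [
    {"service": "APIServer", "servicePublishingStrategy": {"type": "Route"}},
    {"service": "Router", "servicePublishingStrategy": {"type": "NodePort", "nodePort": {"port": 70000}}},
]

if __name__ == "__main__":
    for label, spec in [("ok", SAMPLE_OK), ("lb-hostname", SAMPLE_LB_HOSTNAME),
                        ("kas-not-route", SAMPLE_KAS_NOT_ROUTE),
                        ("nodeport-no-address", SAMPLE_NODEPORT_NO_ADDRESS)]:
        print(label, [(f.severity, f.message) for f in validate_services(spec)])
```

Run it against the `services` list of a HostedCluster manifest before applying; an empty result means the `Router` entry is consistent with the review points, a `warning` means the entry is harmless but inert, and an `error` is the kind of misconfiguration the CPO would be expected to reject.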
52c80b0 to 59532e1
083b8ac to a3647ac
…atforms Signed-off-by: Vimal Solanki <vsolanki@redhat.com>
52516f0 to 0f03441
@vsolanki12: all tests passed!

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here. The pull request process is described here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing
Why was this change needed?

The HCP private router Service is unconditionally created as `LoadBalancer` regardless of platform. On management clusters without cloud load-balancer support (Agent, KubeVirt, None platforms), the Service stays `Pending` indefinitely, blocking route status propagation and KAS service resolution.

OCPBUGS-77856 identified this issue. PR openshift/hypershift#8439 provided an initial fix using platform auto-detection, but was closed after review identified that the ClusterIP used for NodePort services is not externally reachable.
What changes are being made?
This enhancement proposes adding `Router` as a new `ServiceType` in `spec.services[]`, extending the existing `ServicePublishingStrategyMapping` pattern to cover the private router. This gives operators explicit control over the service type and external address used to reach HCP routes.

Key changes:

- `Router` `ServiceType` constant in the HostedCluster API
- `NodePortPublishingStrategy` (address + port fields)
- `Router` entry defaults to `LoadBalancer`

References