HOSTEDCP-1960: Add KubeAPIExteralName api

This new API changes the value of the Kubeconfig External URL to points to your desired one

Signed-off-by: Juan Manuel Parrilla Madrid <[email protected]>

api/hypershift/v1beta1/hosted_controlplane.go

@@ -115,6 +115,12 @@ type HostedControlPlaneSpec struct {
 	// +optional
 	KubeConfig *KubeconfigSecretRef `json:"kubeconfig,omitempty"`
 
+	// kubeApiExternalName specifies the external name for the Kube API Server service.
+	// +kubebuilder:validation:MaxLength=100
+	// +kubebuilder:validation:MinLength=1
+	// +optional
+	KubeAPIExternalName string `json:"kubeApiExternalName,omitempty"`
+
 	// Services defines metadata about how control plane services are published
 	// in the management cluster.
 	// +kubebuilder:validation:MaxItems=6

api/hypershift/v1beta1/hostedcluster_types.go

@@ -432,6 +432,12 @@ type HostedClusterSpec struct {
 	// +required
 	Platform PlatformSpec `json:"platform"`
 
+	// kubeApiExternalName specifies the external name for the Kube API Server service.
+	// +kubebuilder:validation:MaxLength=100
+	// +kubebuilder:validation:MinLength=1
+	// +optional
+	KubeAPIExternalName string `json:"kubeApiExternalName,omitempty"`
+
 	// controllerAvailabilityPolicy specifies the availability policy applied to critical control plane components like the Kube API Server.
 	// Possible values are HighlyAvailable and SingleReplica. The default value is HighlyAvailable.
 	// +optional

api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml

@@ -2347,6 +2347,12 @@ spec:
                   rule: self == oldSelf
                 - message: issuerURL must be a valid absolute URL
                   rule: isURL(self)
+              kubeApiExternalName:
+                description: kubeApiExternalName specifies the external name for the
+                  Kube API Server service.
+                maxLength: 100
+                minLength: 1
+                type: string
               networking:
                 default:
                   clusterNetwork:

api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AROHCPManagedIdentities.yaml

@@ -2343,6 +2343,12 @@ spec:
                   rule: self == oldSelf
                 - message: issuerURL must be a valid absolute URL
                   rule: isURL(self)
+              kubeApiExternalName:
+                description: kubeApiExternalName specifies the external name for the
+                  Kube API Server service.
+                maxLength: 100
+                minLength: 1
+                type: string
               networking:
                 default:
                   clusterNetwork:

api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AutoNodeKarpenter.yaml

@@ -2388,6 +2388,12 @@ spec:
                   rule: self == oldSelf
                 - message: issuerURL must be a valid absolute URL
                   rule: isURL(self)
+              kubeApiExternalName:
+                description: kubeApiExternalName specifies the external name for the
+                  Kube API Server service.
+                maxLength: 100
+                minLength: 1
+                type: string
               networking:
                 default:
                   clusterNetwork:

api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/DynamicResourceAllocation.yaml

@@ -2364,6 +2364,12 @@ spec:
                   rule: self == oldSelf
                 - message: issuerURL must be a valid absolute URL
                   rule: isURL(self)
+              kubeApiExternalName:
+                description: kubeApiExternalName specifies the external name for the
+                  Kube API Server service.
+                maxLength: 100
+                minLength: 1
+                type: string
               networking:
                 default:
                   clusterNetwork:

api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml

@@ -2585,6 +2585,12 @@ spec:
                   rule: self == oldSelf
                 - message: issuerURL must be a valid absolute URL
                   rule: isURL(self)
+              kubeApiExternalName:
+                description: kubeApiExternalName specifies the external name for the
+                  Kube API Server service.
+                maxLength: 100
+                minLength: 1
+                type: string
               networking:
                 default:
                   clusterNetwork:

api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HCPPodsLabels.yaml

@@ -2343,6 +2343,12 @@ spec:
                   rule: self == oldSelf
                 - message: issuerURL must be a valid absolute URL
                   rule: isURL(self)
+              kubeApiExternalName:
+                description: kubeApiExternalName specifies the external name for the
+                  Kube API Server service.
+                maxLength: 100
+                minLength: 1
+                type: string
               labels:
                 additionalProperties:
                   type: string

api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/NetworkDiagnosticsConfig.yaml

@@ -2495,6 +2495,12 @@ spec:
                   rule: self == oldSelf
                 - message: issuerURL must be a valid absolute URL
                   rule: isURL(self)
+              kubeApiExternalName:
+                description: kubeApiExternalName specifies the external name for the
+                  Kube API Server service.
+                maxLength: 100
+                minLength: 1
+                type: string
               networking:
                 default:
                   clusterNetwork:

api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml

@@ -2343,6 +2343,12 @@ spec:
                   rule: self == oldSelf
                 - message: issuerURL must be a valid absolute URL
                   rule: isURL(self)
+              kubeApiExternalName:
+                description: kubeApiExternalName specifies the external name for the
+                  Kube API Server service.
+                maxLength: 100
+                minLength: 1
+                type: string
               networking:
                 default:
                   clusterNetwork:

api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AAA_ungated.yaml

@@ -2245,6 +2245,12 @@ spec:
                   default value is kubernetes.default.svc, which only works for in-cluster
                   validation.
                 type: string
+              kubeApiExternalName:
+                description: kubeApiExternalName specifies the external name for the
+                  Kube API Server service.
+                maxLength: 100
+                minLength: 1
+                type: string
               kubeconfig:
                 description: KubeConfig specifies the name and key for the kubeconfig
                   secret

api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AROHCPManagedIdentities.yaml

@@ -2241,6 +2241,12 @@ spec:
                   default value is kubernetes.default.svc, which only works for in-cluster
                   validation.
                 type: string
+              kubeApiExternalName:
+                description: kubeApiExternalName specifies the external name for the
+                  Kube API Server service.
+                maxLength: 100
+                minLength: 1
+                type: string
               kubeconfig:
                 description: KubeConfig specifies the name and key for the kubeconfig
                   secret

api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AutoNodeKarpenter.yaml

@@ -2286,6 +2286,12 @@ spec:
                   default value is kubernetes.default.svc, which only works for in-cluster
                   validation.
                 type: string
+              kubeApiExternalName:
+                description: kubeApiExternalName specifies the external name for the
+                  Kube API Server service.
+                maxLength: 100
+                minLength: 1
+                type: string
               kubeconfig:
                 description: KubeConfig specifies the name and key for the kubeconfig
                   secret

api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/DynamicResourceAllocation.yaml

@@ -2262,6 +2262,12 @@ spec:
                   default value is kubernetes.default.svc, which only works for in-cluster
                   validation.
                 type: string
+              kubeApiExternalName:
+                description: kubeApiExternalName specifies the external name for the
+                  Kube API Server service.
+                maxLength: 100
+                minLength: 1
+                type: string
               kubeconfig:
                 description: KubeConfig specifies the name and key for the kubeconfig
                   secret

api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDC.yaml

@@ -2483,6 +2483,12 @@ spec:
                   default value is kubernetes.default.svc, which only works for in-cluster
                   validation.
                 type: string
+              kubeApiExternalName:
+                description: kubeApiExternalName specifies the external name for the
+                  Kube API Server service.
+                maxLength: 100
+                minLength: 1
+                type: string
               kubeconfig:
                 description: KubeConfig specifies the name and key for the kubeconfig
                   secret

api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/NetworkDiagnosticsConfig.yaml

@@ -2393,6 +2393,12 @@ spec:
                   default value is kubernetes.default.svc, which only works for in-cluster
                   validation.
                 type: string
+              kubeApiExternalName:
+                description: kubeApiExternalName specifies the external name for the
+                  Kube API Server service.
+                maxLength: 100
+                minLength: 1
+                type: string
               kubeconfig:
                 description: KubeConfig specifies the name and key for the kubeconfig
                   secret

api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/OpenStack.yaml

@@ -2241,6 +2241,12 @@ spec:
                   default value is kubernetes.default.svc, which only works for in-cluster
                   validation.
                 type: string
+              kubeApiExternalName:
+                description: kubeApiExternalName specifies the external name for the
+                  Kube API Server service.
+                maxLength: 100
+                minLength: 1
+                type: string
               kubeconfig:
                 description: KubeConfig specifies the name and key for the kubeconfig
                   secret

cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-CustomNoUpgrade.crd.yaml

@@ -2806,6 +2806,12 @@ spec:
                   rule: self == oldSelf
                 - message: issuerURL must be a valid absolute URL
                   rule: isURL(self)
+              kubeApiExternalName:
+                description: kubeApiExternalName specifies the external name for the
+                  Kube API Server service.
+                maxLength: 100
+                minLength: 1
+                type: string
               labels:
                 additionalProperties:
                   type: string

cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Default.crd.yaml

@@ -2761,6 +2761,12 @@ spec:
                   rule: self == oldSelf
                 - message: issuerURL must be a valid absolute URL
                   rule: isURL(self)
+              kubeApiExternalName:
+                description: kubeApiExternalName specifies the external name for the
+                  Kube API Server service.
+                maxLength: 100
+                minLength: 1
+                type: string
               networking:
                 default:
                   clusterNetwork:

cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-TechPreviewNoUpgrade.crd.yaml

@@ -2806,6 +2806,12 @@ spec:
                   rule: self == oldSelf
                 - message: issuerURL must be a valid absolute URL
                   rule: isURL(self)
+              kubeApiExternalName:
+                description: kubeApiExternalName specifies the external name for the
+                  Kube API Server service.
+                maxLength: 100
+                minLength: 1
+                type: string
               labels:
                 additionalProperties:
                   type: string

cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-CustomNoUpgrade.crd.yaml

@@ -2704,6 +2704,12 @@ spec:
                   default value is kubernetes.default.svc, which only works for in-cluster
                   validation.
                 type: string
+              kubeApiExternalName:
+                description: kubeApiExternalName specifies the external name for the
+                  Kube API Server service.
+                maxLength: 100
+                minLength: 1
+                type: string
               kubeconfig:
                 description: KubeConfig specifies the name and key for the kubeconfig
                   secret

cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Default.crd.yaml

@@ -2659,6 +2659,12 @@ spec:
                   default value is kubernetes.default.svc, which only works for in-cluster
                   validation.
                 type: string
+              kubeApiExternalName:
+                description: kubeApiExternalName specifies the external name for the
+                  Kube API Server service.
+                maxLength: 100
+                minLength: 1
+                type: string
               kubeconfig:
                 description: KubeConfig specifies the name and key for the kubeconfig
                   secret

cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-TechPreviewNoUpgrade.crd.yaml

@@ -2704,6 +2704,12 @@ spec:
                   default value is kubernetes.default.svc, which only works for in-cluster
                   validation.
                 type: string
+              kubeApiExternalName:
+                description: kubeApiExternalName specifies the external name for the
+                  Kube API Server service.
+                maxLength: 100
+                minLength: 1
+                type: string
               kubeconfig:
                 description: KubeConfig specifies the name and key for the kubeconfig
                   secret

control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go

@@ -1111,7 +1111,12 @@ func (r *HostedControlPlaneReconciler) reconcile(ctx context.Context, hostedCont
 		// Reconcile kube apiserver
 		r.Log.Info("Reconciling Kube API Server")
 		kubeAPIServerDeployment := manifests.KASDeployment(hostedControlPlane.Namespace)
-		if err := r.reconcileKubeAPIServer(ctx, hostedControlPlane, releaseImageProvider, userReleaseImageProvider, infraStatus.APIHost, infraStatus.APIPort, infraStatus.OAuthHost, infraStatus.OAuthPort, createOrUpdate, kubeAPIServerDeployment); err != nil {
+		apiAddress := infraStatus.APIHost
+		if len(hostedControlPlane.Spec.KubeAPIExternalName) > 0 {
+			apiAddress = hostedControlPlane.Spec.KubeAPIExternalName
+		}
+
+		if err := r.reconcileKubeAPIServer(ctx, hostedControlPlane, releaseImageProvider, userReleaseImageProvider, apiAddress, infraStatus.APIPort, infraStatus.OAuthHost, infraStatus.OAuthPort, createOrUpdate, kubeAPIServerDeployment); err != nil {
 			return fmt.Errorf("failed to reconcile kube apiserver: %w", err)
 		}
 
@@ -2977,14 +2982,23 @@ func (r *HostedControlPlaneReconciler) reconcileKubeAPIServer(ctx context.Contex
 		return fmt.Errorf("failed to reconcile localhost kubeconfig secret: %w", err)
 	}
 
-	externalKubeconfigSecret := manifests.KASExternalKubeconfigSecret(hcp.Namespace, hcp.Spec.KubeConfig)
-	if _, err := createOrUpdate(ctx, r, externalKubeconfigSecret, func() error {
+	if util.IsExtApiSet(hcp) {
+		externalKubeconfigSecret := manifests.KASExternalKubeconfigSecret(hcp.Namespace, hcp.Spec.KubeConfig)
+		if _, err := createOrUpdate(ctx, r, externalKubeconfigSecret, func() error {
+			return kas.ReconcileExternalKubeconfigSecret(externalKubeconfigSecret, clientCertSecret, rootCA, p.OwnerRef, p.ExternalURL(), p.ExternalKubeconfigKey())
+		}); err != nil {
+			return fmt.Errorf("failed to reconcile external kubeconfig secret: %w", err)
+		}
+	}
+
+	internalKubeconfigSecret := manifests.KASInternalKubeconfigSecret(hcp.Namespace, hcp.Spec.KubeConfig)
+	if _, err := createOrUpdate(ctx, r, internalKubeconfigSecret, func() error {
 		if !util.IsPublicHCP(hcp) && !util.IsRouteKAS(hcp) {
-			return kas.ReconcileExternalKubeconfigSecret(externalKubeconfigSecret, clientCertSecret, rootCA, p.OwnerRef, p.InternalURL(), p.ExternalKubeconfigKey())
+			return kas.ReconcileExternalKubeconfigSecret(internalKubeconfigSecret, clientCertSecret, rootCA, p.OwnerRef, p.InternalURL(), p.ExternalKubeconfigKey())
 		}
-		return kas.ReconcileExternalKubeconfigSecret(externalKubeconfigSecret, clientCertSecret, rootCA, p.OwnerRef, p.ExternalURL(), p.ExternalKubeconfigKey())
+		return kas.ReconcileExternalKubeconfigSecret(internalKubeconfigSecret, clientCertSecret, rootCA, p.OwnerRef, p.ExternalURL(), p.ExternalKubeconfigKey())
 	}); err != nil {
-		return fmt.Errorf("failed to reconcile external kubeconfig secret: %w", err)
+		return fmt.Errorf("failed to reconcile internal kubeconfig secret: %w", err)
 	}
 
 	bootstrapKubeconfigSecret := manifests.KASBootstrapKubeconfigSecret(hcp.Namespace)