Skip to content

CNTRLPLANE-3250,CNTRLPLANE-430: API-driven Azure topology and private connectivity (Phase 1) #8537

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
openshift-merge-bot merged 8 commits into from
Jun 10, 2026
Merged

CNTRLPLANE-3250,CNTRLPLANE-430: API-driven Azure topology and private connectivity (Phase 1) #8537

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
8ce50ee
feat(azure): add Swift to AzurePrivateType enum and AzureSwiftSpec st…
muraee Jun 5, 2026
d3e14d6
chore(api): regenerate CRDs, deepcopy, apply configurations, and docs
muraee Jun 5, 2026
0bfc62c
feat(azure): add API-driven Swift networking and shared ingress helpers
muraee Jun 5, 2026
129a981
refactor(cpo): replace isAroHCP/UseSharedIngress with API-driven helpers
muraee Jun 5, 2026
eb9d9f9
refactor(ho): replace isAroHCP/UseSharedIngress with API-driven helpers
muraee Jun 5, 2026
cf0eb68
feat(azure): reconcile PublicEndpointExposed condition via TLS probe
muraee Jun 5, 2026
189a75a
test(azure): update tests to use Swift API fields and API-driven helpers
muraee Jun 5, 2026
e2aa9ff
fix(cpo): handle Swift private topology in infra reconciliation
muraee Jun 8, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 40 additions & 4 deletions api/hypershift/v1beta1/azure.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -653,31 +653,38 @@ const (
// AzurePrivateType specifies the type of private connectivity mechanism used for the Azure
// hosted cluster's API server. This acts as the discriminator for the AzurePrivateSpec union.
//
// +kubebuilder:validation:Enum=PrivateLink
// +kubebuilder:validation:Enum=PrivateLink;Swift
type AzurePrivateType string

const (
// AzurePrivateTypePrivateLink specifies private connectivity using Azure Private Link Service.
// In this mode, the operator creates a Private Link Service backed by the management cluster's
// internal load balancer, and a Private Endpoint in the guest VNet for private API server access.
AzurePrivateTypePrivateLink AzurePrivateType = "PrivateLink"

// AzurePrivateTypeSwift specifies private connectivity using Azure Swift pod networking.
// In this mode, Azure Swift assigns a private IP from the customer VNet directly
// to the hosted cluster's router pods, providing private API server access without a
// separate Private Link Service. This is used by ARO HCP managed clusters.
AzurePrivateTypeSwift AzurePrivateType = "Swift"
)

// AzurePrivateSpec configures private connectivity to an Azure hosted cluster's API server.
// It is a discriminated union keyed on the type field, which selects the private connectivity
// mechanism. Currently only PrivateLink is supported; additional mechanisms (e.g., Swift) may
// be added in the future.
// mechanism.
//
// +kubebuilder:validation:XValidation:rule="!has(oldSelf.type) || self.type == oldSelf.type",message="type is immutable"
// +kubebuilder:validation:XValidation:rule="self.type == 'PrivateLink' ? has(self.privateLink) : !has(self.privateLink)",message="privateLink is required when type is PrivateLink, and forbidden otherwise"
Comment thread
muraee marked this conversation as resolved.
// +kubebuilder:validation:XValidation:rule="self.type == 'Swift' ? has(self.swift) : !has(self.swift)",message="swift is required when type is Swift, and forbidden otherwise"
// +union
type AzurePrivateSpec struct {
// type specifies the private connectivity mechanism used for the hosted cluster's API server.
// "PrivateLink" selects Azure Private Link Service for private API server access.
// "Swift" selects Azure Swift pod networking for private API server access, used by ARO HCP.
// This field is immutable once set.
//
// +unionDiscriminator
// +required
// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="type is immutable"
Type AzurePrivateType `json:"type,omitempty"`

// privateLink configures Azure Private Link Service for private API server access.
Expand All @@ -686,6 +693,15 @@ type AzurePrivateSpec struct {
// +optional
// +unionMember
PrivateLink AzurePrivateLinkSpec `json:"privateLink,omitzero"`

// swift configures Azure Swift pod networking for private API server access.
// Swift networking requires the management cluster to be pre-configured with
// Azure Swift support; this is not provisioned by HyperShift automatically.
// This field is required when type is "Swift" and must not be set otherwise.
//
Comment thread
muraee marked this conversation as resolved.
// +optional
// +unionMember
Swift AzureSwiftSpec `json:"swift,omitzero"`
}

// AzurePrivateLinkSpec configures Azure Private Link Service connectivity.
Expand Down Expand Up @@ -716,6 +732,26 @@ type AzurePrivateLinkSpec struct {
AdditionalAllowedSubscriptions []AzureSubscriptionID `json:"additionalAllowedSubscriptions,omitempty"`
}

// AzureSwiftSpec configures Azure Swift pod networking for private API server access.
// Swift assigns a private IP from the customer VNet directly to the hosted cluster's
// router pods, providing private connectivity without a separate Private Link Service.
//
// +kubebuilder:validation:XValidation:rule="self.podNetworkInstance == oldSelf.podNetworkInstance",message="podNetworkInstance is immutable"
type AzureSwiftSpec struct {
// podNetworkInstance is the name of a PodNetworkInstance custom resource in the
// hosted control plane namespace. This resource configures Azure Swift pod networking
// for private connectivity to the hosted cluster's router pods.
// The value must be a valid Kubernetes object name (RFC 1123 DNS label): lowercase
// alphanumeric characters or hyphens, must start and end with an alphanumeric character.
// This field is immutable once set.
//
// +required
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=63
// +kubebuilder:validation:XValidation:rule="self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$')",message="podNetworkInstance must be a valid DNS label: lowercase alphanumeric characters or hyphens, must start and end with an alphanumeric character"
PodNetworkInstance string `json:"podNetworkInstance,omitempty"`
Comment thread
muraee marked this conversation as resolved.
Comment thread
muraee marked this conversation as resolved.
}

// ControlPlaneManagedIdentities contains the managed identities on the HCP control plane needing to authenticate with
// Azure's API.
type ControlPlaneManagedIdentities struct {
Expand Down
13 changes: 13 additions & 0 deletions api/hypershift/v1beta1/hostedcluster_conditions.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -252,6 +252,19 @@ const (
// **False / AutoNodeProgressing** means AutoNode is being enabled or disabled — the operation is in progress.
// **False / AutoNodeNotConfigured** means AutoNode is not configured in the spec and all Karpenter components have been removed.
AutoNodeEnabled ConditionType = "AutoNodeEnabled"

// PublicEndpointExposed indicates whether public API server endpoints are
// currently configured and exposed for this cluster via the management
// cluster's shared ingress. Status reflects observed state: True means
// public endpoints are reachable, False means they are not.
PublicEndpointExposed ConditionType = "PublicEndpointExposed"
)

// Reasons for PublicEndpointExposed condition.
const (
PublicEndpointSharedIngressConfiguredReason = "SharedIngressConfigured"
PublicEndpointTopologyPrivateReason = "TopologyPrivate"
PublicEndpointConvergenceInProgressReason = "ConvergenceInProgress"
)

// Reasons.
Expand Down
16 changes: 16 additions & 0 deletions api/hypershift/v1beta1/zz_generated.deepcopy.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

39 changes: 36 additions & 3 deletions ...erated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5276,25 +5276,58 @@ spec:
(e.g., /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Network/virtualNetworks/{vnet}/subnets/{subnet})
rule: self.matches('^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\\.Network/virtualNetworks/[^/]+/subnets/[^/]+$')
type: object
swift:
description: |-
swift configures Azure Swift pod networking for private API server access.
Swift networking requires the management cluster to be pre-configured with
Azure Swift support; this is not provisioned by HyperShift automatically.
This field is required when type is "Swift" and must not be set otherwise.
properties:
podNetworkInstance:
description: |-
podNetworkInstance is the name of a PodNetworkInstance custom resource in the
hosted control plane namespace. This resource configures Azure Swift pod networking
for private connectivity to the hosted cluster's router pods.
The value must be a valid Kubernetes object name (RFC 1123 DNS label): lowercase
alphanumeric characters or hyphens, must start and end with an alphanumeric character.
This field is immutable once set.
maxLength: 63
minLength: 1
type: string
x-kubernetes-validations:
- message: 'podNetworkInstance must be a valid DNS
label: lowercase alphanumeric characters or hyphens,
must start and end with an alphanumeric character'
rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$')
required:
- podNetworkInstance
type: object
x-kubernetes-validations:
- message: podNetworkInstance is immutable
rule: self.podNetworkInstance == oldSelf.podNetworkInstance
type:
description: |-
type specifies the private connectivity mechanism used for the hosted cluster's API server.
"PrivateLink" selects Azure Private Link Service for private API server access.
"Swift" selects Azure Swift pod networking for private API server access, used by ARO HCP.
This field is immutable once set.
enum:
- PrivateLink
- Swift
type: string
x-kubernetes-validations:
- message: type is immutable
rule: self == oldSelf
required:
- type
type: object
x-kubernetes-validations:
- message: type is immutable
rule: '!has(oldSelf.type) || self.type == oldSelf.type'
- message: privateLink is required when type is PrivateLink,
and forbidden otherwise
rule: 'self.type == ''PrivateLink'' ? has(self.privateLink)
: !has(self.privateLink)'
- message: swift is required when type is Swift, and forbidden
otherwise
rule: 'self.type == ''Swift'' ? has(self.swift) : !has(self.swift)'
resourceGroup:
default: default
description: |-
Expand Down
39 changes: 36 additions & 3 deletions ...egated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5267,25 +5267,58 @@ spec:
(e.g., /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Network/virtualNetworks/{vnet}/subnets/{subnet})
rule: self.matches('^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\\.Network/virtualNetworks/[^/]+/subnets/[^/]+$')
type: object
swift:
description: |-
swift configures Azure Swift pod networking for private API server access.
Swift networking requires the management cluster to be pre-configured with
Azure Swift support; this is not provisioned by HyperShift automatically.
This field is required when type is "Swift" and must not be set otherwise.
properties:
podNetworkInstance:
description: |-
podNetworkInstance is the name of a PodNetworkInstance custom resource in the
hosted control plane namespace. This resource configures Azure Swift pod networking
for private connectivity to the hosted cluster's router pods.
The value must be a valid Kubernetes object name (RFC 1123 DNS label): lowercase
alphanumeric characters or hyphens, must start and end with an alphanumeric character.
This field is immutable once set.
maxLength: 63
minLength: 1
type: string
x-kubernetes-validations:
- message: 'podNetworkInstance must be a valid DNS
label: lowercase alphanumeric characters or hyphens,
must start and end with an alphanumeric character'
rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$')
required:
- podNetworkInstance
type: object
x-kubernetes-validations:
- message: podNetworkInstance is immutable
rule: self.podNetworkInstance == oldSelf.podNetworkInstance
type:
description: |-
type specifies the private connectivity mechanism used for the hosted cluster's API server.
"PrivateLink" selects Azure Private Link Service for private API server access.
"Swift" selects Azure Swift pod networking for private API server access, used by ARO HCP.
This field is immutable once set.
enum:
- PrivateLink
- Swift
type: string
x-kubernetes-validations:
- message: type is immutable
rule: self == oldSelf
required:
- type
type: object
x-kubernetes-validations:
- message: type is immutable
rule: '!has(oldSelf.type) || self.type == oldSelf.type'
- message: privateLink is required when type is PrivateLink,
and forbidden otherwise
rule: 'self.type == ''PrivateLink'' ? has(self.privateLink)
: !has(self.privateLink)'
- message: swift is required when type is Swift, and forbidden
otherwise
rule: 'self.type == ''Swift'' ? has(self.swift) : !has(self.swift)'
resourceGroup:
default: default
description: |-
Expand Down
39 changes: 36 additions & 3 deletions ...manifests/hostedclusters.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5287,25 +5287,58 @@ spec:
(e.g., /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Network/virtualNetworks/{vnet}/subnets/{subnet})
rule: self.matches('^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\\.Network/virtualNetworks/[^/]+/subnets/[^/]+$')
type: object
swift:
description: |-
swift configures Azure Swift pod networking for private API server access.
Swift networking requires the management cluster to be pre-configured with
Azure Swift support; this is not provisioned by HyperShift automatically.
This field is required when type is "Swift" and must not be set otherwise.
properties:
podNetworkInstance:
description: |-
podNetworkInstance is the name of a PodNetworkInstance custom resource in the
hosted control plane namespace. This resource configures Azure Swift pod networking
for private connectivity to the hosted cluster's router pods.
The value must be a valid Kubernetes object name (RFC 1123 DNS label): lowercase
alphanumeric characters or hyphens, must start and end with an alphanumeric character.
This field is immutable once set.
maxLength: 63
minLength: 1
type: string
x-kubernetes-validations:
- message: 'podNetworkInstance must be a valid DNS
label: lowercase alphanumeric characters or hyphens,
must start and end with an alphanumeric character'
rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$')
required:
- podNetworkInstance
type: object
x-kubernetes-validations:
- message: podNetworkInstance is immutable
rule: self.podNetworkInstance == oldSelf.podNetworkInstance
type:
description: |-
type specifies the private connectivity mechanism used for the hosted cluster's API server.
"PrivateLink" selects Azure Private Link Service for private API server access.
"Swift" selects Azure Swift pod networking for private API server access, used by ARO HCP.
This field is immutable once set.
enum:
- PrivateLink
- Swift
type: string
x-kubernetes-validations:
- message: type is immutable
rule: self == oldSelf
required:
- type
type: object
x-kubernetes-validations:
- message: type is immutable
rule: '!has(oldSelf.type) || self.type == oldSelf.type'
- message: privateLink is required when type is PrivateLink,
and forbidden otherwise
rule: 'self.type == ''PrivateLink'' ? has(self.privateLink)
: !has(self.privateLink)'
- message: swift is required when type is Swift, and forbidden
otherwise
rule: 'self.type == ''Swift'' ? has(self.swift) : !has(self.swift)'
resourceGroup:
default: default
description: |-
Expand Down
Loading