[release-4.21] CNTRLPLANE-2812: feat(aro): Swift support#7826
[release-4.21] CNTRLPLANE-2812: feat(aro): Swift support#7826openshift-merge-bot[bot] merged 7 commits intoopenshift:release-4.21from
Conversation
Move infrastructure-related reconciliation logic from hostedcontrolplane_controller.go to the infra package for better code organization and testability. cherry-pick from openshift#7658
…nents Regenerate testdata for aro swift scenario
- Introduces ARO Swift annotation - isPrivate returns true now when ARO and swift. - Router component runs when is ARO and swift. It listens on 443 - Data plane HAProxy: Updates nodepool apiserver-haproxy to handle Swift scenarios with different ports and proxy protocol settings - Shared ingress: Modified to skip dataplane-kas-service backend when Swift is enabled - Add a bunch of unit tests In this PR we still support the no swift path to not break CI.
When a hosted cluster uses KMS etcd encryption with a Key Vault behind a private endpoint, the azure-kms-provider sidecar in the KAS pod cannot reach the Key Vault because CoreDNS on the AKS VNet does not have the privatelink.vaultcore.azure.net zone linked. The private router deployment already runs on the customer VNet (via Swift) and can reach the private endpoint. This commit adds a TCP passthrough relay: HAProxy on the private router forwards connections to the Key Vault via SNI routing on port 8443, and the KAS pod uses a hostAlias to redirect the Key Vault hostname to the private-router Service ClusterIP. TLS passes through end-to-end. Changes: - Add GetKeyVaultFQDN() to azureutil for shared FQDN construction - Add resolvers, SNI ACL, and keyvault backend to HAProxy template - Add hostAlias to KAS deployment pointing vault FQDN to router svc - Gate all changes behind azureutil.IsAroHCP() Signed-off-by: Mulham Raee <mulham.raee@gmail.com> Commit-Message-Assisted-by: Claude (via Claude Code)
…nents Add Azure KMS configuration to the ARO Swift test case in TestControlPlaneComponents and add a private-router service to the fake objects so the KAS deployment hostAlias logic can resolve it. Update all affected AROSwift test fixtures. Signed-off-by: Mulham Raee <mulham.raee@gmail.com> Commit-Message-Assisted-by: Claude (via Claude Code)
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Repository: openshift/coderabbit/.coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Tip Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs). Comment |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: muraee The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
Bot
added
area/api
muraee
changed the title
openshift-ci-robot
added
the
jira/valid-reference
|
@muraee: This pull request references CNTRLPLANE-2812 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.21.z" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
muraee
force-pushed
the
backport-swift
branch
2 times, most recently
from
3c2b91b to
865e622
Compare
…ting Previously, private Key Vault routing was unconditionally enabled for all ARO HCP clusters via IsAroHCP(). This adds a new KeyVaultAccess field (Public/Private enum) to AzureKMSSpec so users can opt in to private Key Vault routing. The condition now requires both IsAroHCP() and IsPrivateKeyVault(hcp) to enable private router relay. Changes: - Add AzureKeyVaultAccessType enum and KeyVaultAccess field to AzureKMSSpec - Add CEL validation enforcing backupKey uses the same Key Vault as activeKey - Add IsPrivateKeyVault helper in azureutil with unit tests - Update KAS deployment and router config conditions - Rename router template param from IsAroHCP to HasPrivateKeyVault Controllers treat an empty/omitted KeyVaultAccess value the same as "Public", so no CRD schema default is set to avoid issues with existing objects in etcd. Signed-off-by: Mulham Raee <mulham.raee@gmail.com> Commit-Message-Assisted-by: Claude (via Claude Code) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
/retest-required |
enxebre
added
the
backport-risk-assessed
|
/lgtm |
openshift-ci
Bot
added
the
do-not-merge/hold
…PI dependencies Move UseHCPRouter() to a shared util package to break the import cycle and allow infra.go to use it directly for determining whether router services should be deployed. This fixes an issue where router services were not deployed alongside the router deployment for private ARO clusters (Swift enabled). Additionally, remove the dependency of the router deployment on KAS and OAPI components, and add "router" to the list of components that are allowed to report not-found conditions without blocking overall status. Signed-off-by: Mulham Raee <mulham.raee@gmail.com> Commit-Message-Assisted-by: Claude (via Claude Code)
|
@muraee: This pull request references CNTRLPLANE-2812 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.21.z" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/retest-required |
|
@muraee: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/lgtm |
|
/verified by @muraee |
|
/unhold |
openshift-ci-robot
added
the
verified
|
@muraee: This PR has been marked as verified by DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci
Bot
removed
the
do-not-merge/hold
celebdor
added
the
jira/valid-bug
|
/cherry-pick release-4.20 |
|
@muraee: once the present PR merges, I will cherry-pick it on top of DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
openshift-merge-bot
Bot
merged commit 2bfe193
into
openshift:release-4.21
|
@muraee: Failed to get PR patch from GitHub. This PR will need to be manually cherrypicked. Error messagestatus code 406 not one of [200], body: {"message":"Sorry, the diff exceeded the maximum number of lines (20000)","errors":[{"resource":"PullRequest","field":"diff","code":"too_large"}],"documentation_url":"https://docs.github.com/rest/pulls/pulls#get-a-pull-request","status":"406"}DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
5 participants
manual backport of: