CORS-4029: Promote AWSClusterHostedDNSInstall to Default

[sadasu]

This promotes AWS Cluster Hosted DNS feature from techpreview to available by default.

[openshift-ci-robot]

Pipeline controller notification
This repository is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. Review these jobs and use /test <job> to manually trigger optional jobs most likely to be impacted by the proposed changes.

[openshift-ci-robot]

@sadasu: This pull request references CORS-4029 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.

In response to this:

This promotes AWS Cluster Hosted DNS feature from techpreview to available by default.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Hello @sadasu! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

[coderabbitai]

Walkthrough

This pull request introduces cloud load balancer configuration capabilities to infrastructure and machine configuration CRDs. It adds a cloudLoadBalancerConfig object supporting DNS type selection (ClusterHosted or PlatformDefault) with optional load balancer IP arrays for API, API-Int, and Ingress endpoints, along with corresponding immutability and conditional validations. Feature gates for AWSClusterHostedDNSInstall and ConsolePluginCSP are enabled across default configuration levels, and the OpenAPI schema is updated with enhanced enumerations and validations.

Changes

Cohort / File(s)	Summary
Infrastructure CRD Schema config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml, payload-manifests/crds/0000_10_config-operator_01_infrastructures-Default.crd.yaml	Added cloudLoadBalancerConfig under AWS provider with nested dnsType (enum: ClusterHosted, PlatformDefault, default PlatformDefault, immutable) and clusterHosted object containing apiLoadBalancerIPs, apiIntLoadBalancerIPs, ingressLoadBalancerIPs arrays with IP validation, maxItems 16, and set-list semantics. Added cross-field validation ensuring clusterHosted is permitted only when dnsType is ClusterHosted. Second file mirrors additions to both AWS and GCP provider sections.
Machine Configuration CRD Schema machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml, payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml	Added cloudLoadBalancerConfig structure under AWS and GCP provider configurations with identical nested structure: dnsType with immutability validation and enum constraints, clusterHosted object with three IP arrays (maxItems 16 each), IP format validations, and cross-field validation rule.
Feature Gate Enablement features/features.go, features.md	Updated ConsolePluginCSP and AWSClusterHostedDNSInstall feature gates to include Default configuration level in their enableIn lists alongside DevPreviewNoUpgrade and TechPreviewNoUpgrade. Reordered AWSClusterHostedDNSInstall row in feature gate table.
Feature Gate Manifest Updates payload-manifests/featuregates/featureGate-Hypershift-Default.yaml, payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml	Moved AWSClusterHostedDNSInstall from disabled to enabled list in both feature gate manifests.
OpenAPI Schema openapi/openapi.json	Extensive additions of explicit enum values, default values, and refined descriptions across multiple API objects for protocols, TLS profiles, load balancer types, network policies, and security configurations. Enhanced schema precision with discriminator fields for union types and expanded status/condition definitions.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Validation rules scrutiny: The cross-field validation logic (clusterHosted permitted only when dnsType is ClusterHosted) and immutability constraints require careful verification for correctness and potential edge cases
• IP validation schema: Confirm IP format validation patterns and maxItems constraints are correctly applied across all three IP list arrays in both AWS and GCP sections
• Feature gate consistency: Verify that AWSClusterHostedDNSInstall and ConsolePluginCSP enablement across Default/DevPreviewNoUpgrade/TechPreviewNoUpgrade is intentional and complete across all feature gate files (Hypershift, SelfManagedHA)
• Generated file consistency: Ensure schema changes in zz_generated.crd-manifests/ files match their counterparts in payload-manifests/crds/ and align with the source definitions
• OpenAPI drift: Review whether openapi.json changes are auto-generated and accurately reflect the CRD schema updates

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

Error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented
The command is terminated due to an error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented

Tip

📝 Customizable high-level summaries are now available in beta!

You can now customize how CodeRabbit generates the high-level summary in your pull requests — including its content, structure, tone, and formatting.

• Provide your own instructions using the high_level_summary_instructions setting.
• Format the summary however you like (bullet lists, tables, multi-section layouts, contributor stats, etc.).
• Use high_level_summary_in_walkthrough to move the summary from the description to the walkthrough section.

Example instruction:

"Divide the high-level summary into five sections:

1. 📝 Description — Summarize the main change in 50–60 words, explaining what was done.
2. 📓 References — List relevant issues, discussions, documentation, or related PRs.
3. 📦 Dependencies & Requirements — Mention any new/updated dependencies, environment variable changes, or configuration updates.
4. 📊 Contributor Summary — Include a Markdown table showing contributions:
   | Contributor | Lines Added | Lines Removed | Files Changed |
5. ✔️ Additional Notes — Add any extra reviewer context.
   Keep each section concise (under 200 words) and use bullet or numbered lists for clarity."

Note: This feature is currently in beta for Pro-tier users, and pricing will be announced later.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign everettraven for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (5)

machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml (1)

1456-1559: AWS cloudLoadBalancerConfig schema is well-structured and consistent with GCP

The new aws.cloudLoadBalancerConfig block is backward compatible (optional + defaulted), reuses established IP validation patterns, and mirrors the existing GCP schema, including immutability for dnsType and the CEL guard tying clusterHosted to dnsType == ClusterHosted.

If you want to harden this further later, you could add CEL rules to require non-empty IP lists when dnsType is ClusterHosted, but that’s an optional enhancement, not a blocker.

payload-manifests/crds/0000_10_config-operator_01_infrastructures-Default.crd.yaml (1)

1199-1199: Minor: Move format: ip validation from array level to items level for OpenAPI compliance.

The format: ip directive is currently placed at the array container level (e.g., line 1199), but according to OpenAPI/Kubernetes validation semantics, format validation only applies to individual items, not the array itself. Move each format: ip inside the items: block to ensure the schema accurately reflects validation intent.

Example fix for apiIntLoadBalancerIPs:

  apiIntLoadBalancerIPs:
    description: ...
-   format: ip
    items:
+     format: ip
      description: IP is an IP address...
      maxLength: 39

Note: This appears to be a project-wide pattern; if this is intentional or already handled by tooling, this can be deferred to a separate cleanup effort.

Also applies to: 1219-1219, 1238-1238, 1625-1625, 1645-1645, 1664-1664

payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml (1)

1481-1481: format: ip at array level is redundant in OpenAPI schema.

The format: ip directive is applied to arrays (lines 1481, 1501, 1520) rather than the individual string items. In OpenAPI 3.0, format applies to scalar types, not arrays. The actual IP validation is correctly handled by x-kubernetes-validations: isIP(self) rules on the item strings, which is the proper Kubernetes approach.

While this pattern exists elsewhere in the file and is harmless (Kubernetes ignores the misplaced directive), consider moving format inside the items schema for correctness, or removing it since the CEL validation already ensures correctness.

Also applies to: 1501-1501, 1520-1520

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml (1)

1269-1271: Consider stricter immutability semantics for dnsType.

The immutability validation rule oldSelf == '' || self == oldSelf permits transitions from an empty string to any value, effectively allowing modification during initial setup. While this may be intentional for the install-time configuration workflow, it deviates from typical immutability semantics where a field cannot change once set. Clarify whether this permissive rule aligns with the intended behavior of promoting AWSClusterHostedDNSInstall to default—should users be able to change dnsType post-install?

Also applies to: 1695-1697

openapi/openapi.json (1)

30792-30795: Add schema-level duration constraints to httpKeepAliveTimeout.

The description documents a valid range of "1 millisecond to 15 minutes," but the schema uses a generic duration type reference without explicit min/max validation constraints. Consider adding minDuration and maxDuration annotations or CEL validation rules to the schema to enforce these bounds programmatically, rather than relying on documentation alone.

 "httpKeepAliveTimeout": {
   "description": "...",
   "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Duration",
+  "x-kubernetes-validations": [
+    {
+      "rule": "self >= 'PT1ms' && self <= 'PT15m'",
+      "message": "duration must be between 1 millisecond and 15 minutes"
+    }
+  ]
 }

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 42e8320 and d54365f.

📒 Files selected for processing (9)

• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml (1 hunks)
• features.md (1 hunks)
• features/features.go (1 hunks)
• machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml (1 hunks)
• openapi/openapi.json (7 hunks)
• payload-manifests/crds/0000_10_config-operator_01_infrastructures-Default.crd.yaml (1 hunks)
• payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml (1 hunks)
• payload-manifests/featuregates/featureGate-Hypershift-Default.yaml (1 hunks)
• payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• features/features.go
• features.md
• payload-manifests/featuregates/featureGate-Hypershift-Default.yaml
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml
• payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml
• machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml
• payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml
• openapi/openapi.json
• payload-manifests/crds/0000_10_config-operator_01_infrastructures-Default.crd.yaml

🔇 Additional comments (11)

features.md (1)

75-75: AWSClusterHostedDNSInstall row looks consistent with code and manifests

The row correctly shows this gate enabled across Default/DevPreview/TechPreview for both Hypershift and SelfManagedHA, matching the FeatureGate JSON and enableIn configuration.

payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml (1)

227-229: Enabling AWSClusterHostedDNSInstall for SelfManagedHA Default is coherent

Moving AWSClusterHostedDNSInstall into the enabled list here aligns SelfManagedHA defaults with the documented feature matrix and Go feature-gate definitions.

payload-manifests/featuregates/featureGate-Hypershift-Default.yaml (1)

233-235: Hypershift Default feature gate now correctly enables AWSClusterHostedDNSInstall

Adding AWSClusterHostedDNSInstall to the enabled list keeps Hypershift’s Default behavior consistent with SelfManagedHA and the documented feature set.

features/features.go (1)

826-832: AWSClusterHostedDNSInstall enablement set matches manifests/docs

Including configv1.Default in enableIn(...) for FeatureGateAWSClusterHostedDNSInstall is consistent with the updated FeatureGate payloads and the feature matrix; no logic or API-compat issues in this change.

payload-manifests/crds/0000_10_config-operator_01_infrastructures-Default.crd.yaml (1)

1174-1277: ✓ Structure and validations are sound across both AWS and GCP implementations.

The cloudLoadBalancerConfig additions are well-structured with appropriate defaults, immutability constraints, and conditional validations. Both AWS (lines 1174–1277) and GCP (lines 1600–1703) implementations are correctly mirrored, ensuring consistency.

Key strengths:

• Immutability validation on dnsType prevents accidental DNS configuration changes post-installation
• Conditional validation ensures clusterHosted only appears when dnsType: ClusterHosted, preventing invalid configurations
• Set semantics (x-kubernetes-list-type: set) enforce unique IP addresses across all load balancer IP arrays
• maxItems: 16 provides a reasonable cap on IP addresses

Also applies to: 1600-1703

payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml (3)

1456-1559: Well-structured cloud load balancer configuration with appropriate validations.

The AWS cloudLoadBalancerConfig addition is properly designed with:

• Immutability constraint on dnsType after initial set
• Cross-field validation ensuring clusterHosted only permitted when dnsType=ClusterHosted
• Clear descriptions for operator guidance
• Backward-compatible default value (PlatformDefault)

---

1886-1989: GCP cloudLoadBalancerConfig mirrors AWS implementation—good consistency.

The GCP section (lines 1886-1989) is structurally identical to the AWS implementation, ensuring consistency across cloud providers. Schema validation rules, defaults, and field structure align properly.

---

1554-1554: Cross-field validation rule correctly enforces conditional field presence.

The validation rule at line 1558 (has(self.dnsType) && self.dnsType != 'ClusterHosted' ? !has(self.clusterHosted) : true) correctly prevents clusterHosted from being set unless dnsType=ClusterHosted. This safeguard prevents configuration errors and maintains semantic integrity.

Also applies to: 1558-1558

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml (1)

1174-1277: Well-designed cross-field validation and consistent AWS/GCP parity.

The cross-field validation rule at lines 1273–1277 (AWS) and 1699–1703 (GCP) correctly enforces that clusterHosted is only present when dnsType is ClusterHosted. The identical structure and constraints across both providers ensure consistency and maintainability. The three IP list fields with maxItems: 16 and set semantics provide appropriate constraints for load balancer IP management.

Also applies to: 1600-1703

openapi/openapi.json (2)

30662-30666: Add enum constraint to idleConnectionTerminationPolicy.

The idleConnectionTerminationPolicy description documents two allowed values ("Immediate" and "Deferred"), but the schema snippet shows only type: "string" without an enum constraint. Add the enum to enforce these values and prevent invalid inputs.

Is the full schema context available? If yes, verify whether the enum constraint is already present elsewhere in the definition.

Suggested fix:

 "idleConnectionTerminationPolicy": {
   "description": "...",
   "type": "string",
+  "enum": ["Immediate", "Deferred"],
   "default": "Immediate"
 }

---

4782-4788: Verify dnsRecordsType additions align with corresponding Go type definition and infrastructure CRD changes.

The dnsRecordsType field repetition across five locations (lines 4782-4788, 8935-8941, 9553-9559, 9751-9757, 11670-11676) is expected since openapi.json is auto-generated from Go CRD type definitions. However, verify that the schema changes in this PR correspond to actual changes in the infrastructure CRD manifests and Go type definitions, as the related source files were not provided for inspection.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

Verify format: ip placement for schema validation compatibility.

The format: ip field is placed at the array level (lines 1199, 1219, 1238 for AWS; lines 1625, 1645, 1664 for GCP) rather than on individual items. In OpenAPI and Kubernetes validation schemas, the format keyword typically applies to the string type of items, not the array container. This placement may not enforce IP validation as intended.

If the format should be on items, apply this diff for the AWS section (and mirror for GCP):

              apiIntLoadBalancerIPs:
                description: |-
                  apiIntLoadBalancerIPs holds Load Balancer IPs for the internal API service.
                  These Load Balancer IP addresses can be IPv4 and/or IPv6 addresses.
                  Entries in the apiIntLoadBalancerIPs must be unique.
                  A maximum of 16 IP addresses are permitted.
-               format: ip
                items:
                  description: IP is an IP address (for example, "10.0.0.0"
                    or "fd00::").
+                 format: ip
                  maxLength: 39

Also applies to: 1600-1703

---

🌐 Web query:

Does Kubernetes CRD validation support `format: ip` on array fields in OpenAPI v3 schemas, or should it be on the items?

💡 Result:

Use items. The OpenAPI/CRD schema "format" applies to string types only, so for an array you must put format (e.g. "ip", "ipv4", "ipv6") on the items schema (items.type: string + items.format: ...). Kubernetes docs note format can only be set when type is string, and examples/CEL examples validate items rather than the array itself. [1][2]

Sources:

1. Kubernetes API docs: openAPIV3Schema field — "format is an OpenAPI v3 format string... NOTE: Can only be set if type is string." [turn1search2].
2. Kubernetes CRD examples / CEL validation showing array items use (put format/constraints under items). [turn1search0].

---

---

Move format: ip from array level to items schema for proper IP validation.

The OpenAPI v3 format keyword applies only to string types, so for arrays you must place format (e.g., "ip", "ipv4", "ipv6") on the items schema, not the array container. Currently, format: ip is placed at the array level (lines 1199, 1219, 1238 for AWS; lines 1625, 1645, 1664 for GCP), which will not enforce IP validation as intended.

Apply this fix to all three IP list fields in both AWS and GCP sections:

              apiIntLoadBalancerIPs:
                description: |-
                  apiIntLoadBalancerIPs holds Load Balancer IPs for the internal API service.
                  These Load Balancer IP addresses can be IPv4 and/or IPv6 addresses.
                  Entries in the apiIntLoadBalancerIPs must be unique.
                  A maximum of 16 IP addresses are permitted.
-               format: ip
                items:
                  description: IP is an IP address (for example, "10.0.0.0"
                    or "fd00::").
+                 format: ip
                  maxLength: 39

Apply the same pattern to apiLoadBalancerIPs and ingressLoadBalancerIPs in both AWS (lines 1199, 1219, 1238) and GCP (lines 1625, 1645, 1664) sections.

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents

In
config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml
around lines 1174-1277 (and similarly apply to the GCP blocks referenced at
~1625-1664), the array-level "format: ip" is incorrectly placed on the array
node for apiIntLoadBalancerIPs, apiLoadBalancerIPs and ingressLoadBalancerIPs;
move the "format: ip" key out of the array object and into each field's "items"
schema (next to type: string and its validations), and remove the array-level
format so the OpenAPI string items actually enforce IP format validation for all
three IP list fields in both AWS and GCP sections.

[openshift-ci]

@sadasu: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/integration	d54365f	link	true	/test integration
ci/prow/verify-feature-promotion	d54365f	link	true	/test verify-feature-promotion

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.