[release-4.20] CNTRLPLANE-2814: feat(aro): Swift support#7885
muraee wants to merge 7 commits into openshift:release-4.20 from
Move infrastructure-related reconciliation logic from hostedcontrolplane_controller.go to the infra package for better code organization and testability. cherry-pick from openshift#7658
…nents Regenerate testdata for aro swift scenario
- Introduces ARO Swift annotation
- isPrivate returns true now when ARO and Swift.
- Router component runs when it is ARO and Swift. It listens on 443.
- Data plane HAProxy: Updates nodepool apiserver-haproxy to handle Swift scenarios with different ports and proxy protocol settings
- Shared ingress: Modified to skip dataplane-kas-service backend when Swift is enabled
- Add a bunch of unit tests

In this PR we still support the no-Swift path to not break CI.
When a hosted cluster uses KMS etcd encryption with a Key Vault behind a private endpoint, the azure-kms-provider sidecar in the KAS pod cannot reach the Key Vault because CoreDNS on the AKS VNet does not have the privatelink.vaultcore.azure.net zone linked. The private router deployment already runs on the customer VNet (via Swift) and can reach the private endpoint.

This commit adds a TCP passthrough relay: HAProxy on the private router forwards connections to the Key Vault via SNI routing on port 8443, and the KAS pod uses a hostAlias to redirect the Key Vault hostname to the private-router Service ClusterIP. TLS passes through end-to-end.

Changes:
- Add GetKeyVaultFQDN() to azureutil for shared FQDN construction
- Add resolvers, SNI ACL, and keyvault backend to HAProxy template
- Add hostAlias to KAS deployment pointing vault FQDN to router svc
- Gate all changes behind azureutil.IsAroHCP()

Signed-off-by: Mulham Raee <mulham.raee@gmail.com>
Commit-Message-Assisted-by: Claude (via Claude Code)
…nents

Add Azure KMS configuration to the ARO Swift test case in TestControlPlaneComponents and add a private-router service to the fake objects so the KAS deployment hostAlias logic can resolve it. Update all affected AROSwift test fixtures.

Signed-off-by: Mulham Raee <mulham.raee@gmail.com>
Commit-Message-Assisted-by: Claude (via Claude Code)
…ting

Previously, private Key Vault routing was unconditionally enabled for all ARO HCP clusters via IsAroHCP(). This adds a new KeyVaultAccess field (Public/Private enum) to AzureKMSSpec so users can opt in to private Key Vault routing. The condition now requires both IsAroHCP() and IsPrivateKeyVault(hcp) to enable private router relay.

Changes:
- Add AzureKeyVaultAccessType enum and KeyVaultAccess field to AzureKMSSpec
- Add CEL validation enforcing backupKey uses the same Key Vault as activeKey
- Add IsPrivateKeyVault helper in azureutil with unit tests
- Update KAS deployment and router config conditions
- Rename router template param from IsAroHCP to HasPrivateKeyVault

Controllers treat an empty/omitted KeyVaultAccess value the same as "Public", so no CRD schema default is set to avoid issues with existing objects in etcd.

Signed-off-by: Mulham Raee <mulham.raee@gmail.com>
Commit-Message-Assisted-by: Claude (via Claude Code)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@muraee: This pull request references CNTRLPLANE-2812 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.20.z" version, but no target version was set.

Details: In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
Important: Review skipped. Auto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the Run configuration.

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml. Review profile: CHILL. Plan: Pro.
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: muraee

The full list of commands accepted by this bot can be found here. The pull request process is described here.

Details: Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing
@muraee: This pull request references CNTRLPLANE-2814 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.20.z" version, but no target version was set.

Details: In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
…PI dependencies

Move UseHCPRouter() to a shared util package to break the import cycle and allow infra.go to use it directly for determining whether router services should be deployed. This fixes an issue where router services were not deployed alongside the router deployment for private ARO clusters (Swift enabled).

Additionally, remove the dependency of the router deployment on KAS and OAPI components, and add "router" to the list of components that are allowed to report not-found conditions without blocking overall status.

Signed-off-by: Mulham Raee <mulham.raee@gmail.com>
Commit-Message-Assisted-by: Claude (via Claude Code)
a7efebc to 4afacf8
/test e2e-aks

/uncc @rtheis
@muraee: The following test failed, say

Full PR test history. Your PR dashboard.

Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
manual backport of #7826