CNTRLPLANE-216: Add KubeAPIExteralName api (#5458)

* CNTRLPLANE-216: Add KubeAPIExteralName api

This new API changes the value of the KAS Custom URL to points to your desired one

Signed-off-by: Juan Manuel Parrilla Madrid <jparrill@redhat.com>

* CNTRLPLANE-216: Add autogenerated code and files

Signed-off-by: Juan Manuel Parrilla Madrid <jparrill@redhat.com>

* CNTRLPLANE-216: Add E2E test for new API KubeAPIDNSName

Signed-off-by: Juan Manuel Parrilla Madrid <jparrill@redhat.com>

* NO-JIRA: Fix new gosimple minor issues in the code

Signed-off-by: Juan Manuel Parrilla Madrid <jparrill@redhat.com>

---------

Signed-off-by: Juan Manuel Parrilla Madrid <jparrill@redhat.com>

Author: jparrill

Diff for: Dockerfile.control-plane

@@ -26,3 +26,4 @@ LABEL io.openshift.hypershift.control-plane-operator-applies-management-kas-netw
 LABEL io.openshift.hypershift.restricted-psa=true
 LABEL io.openshift.hypershift.control-plane-pki-operator-signs-csrs=true
 LABEL io.openshift.hypershift.hosted-cluster-config-operator-reports-node-count=true
+LABEL io.openshift.hypershift.control-plane-operator-supports-kas-custom-kubeconfig=true

Diff for: Dockerfile.dev

@@ -36,4 +36,5 @@ LABEL io.openshift.hypershift.control-plane-operator-creates-aws-sg=true
 LABEL io.openshift.hypershift.control-plane-operator-applies-management-kas-network-policy-label=true
 LABEL io.openshift.hypershift.restricted-psa=true
 LABEL io.openshift.hypershift.control-plane-pki-operator-signs-csrs=true
-LABEL io.openshift.hypershift.hosted-cluster-config-operator-reports-node-count=true
+LABEL io.openshift.hypershift.hosted-cluster-config-operator-reports-node-count=true
+LABEL io.openshift.hypershift.control-plane-operator-supports-kas-custom-kubeconfig=true

Diff for: api/hypershift/v1beta1/hosted_controlplane.go

@@ -116,6 +116,20 @@ type HostedControlPlaneSpec struct {
 	// +optional
 	KubeConfig *KubeconfigSecretRef `json:"kubeconfig,omitempty"`
 
+	// kubeAPIServerDNSName specifies a desired DNS name to resolve to the KAS.
+	// When set, the controller will automatically generate a secret with kubeconfig and expose it in the hostedCluster Status.customKubeconfig field.
+	// If it's set or removed day 2, the kubeconfig generated secret will be created, recreated or deleted.
+	// The DNS entries should be resolvable from the cluster, so this should be manually configured in the DNS provider.
+	// This field works in conjunction with configuration.APIServer.ServingCerts.NamedCertificates to enable
+	// access to the API server via a custom domain name. The NamedCertificates provide the TLS certificates
+	// for the custom domain, while this field triggers the generation of a kubeconfig that uses those certificates.
+	//
+	// +kubebuilder:validation:XValidation:rule=`self == "" || self.matches('^(?:(?:[a-zA-Z0-9-]+\\.)+[a-zA-Z]{2,}|[a-zA-Z0-9-]+)$')`,message="kubeAPIServerDNSName must be a valid URL name (e.g., api.example.com)"
+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:example: "api.example.com"
+	// +optional
+	KubeAPIServerDNSName string `json:"kubeAPIServerDNSName,omitempty"`
+
 	// Services defines metadata about how control plane services are published
 	// in the management cluster.
 	// +kubebuilder:validation:MaxItems=6
@@ -314,6 +328,15 @@ type HostedControlPlaneStatus struct {
 	// for this control plane.
 	KubeConfig *KubeconfigSecretRef `json:"kubeConfig,omitempty"`
 
+	// customKubeconfig references an external custom kubeconfig secret.
+	// This field is populated in the status when a custom kubeconfig secret has been generated
+	// for the hosted cluster. It contains the name and key of the secret located in the
+	// hostedCluster namespace. This field is only populated when kubeApiExternalName is set.
+	// If this field is removed during a day 2 operation, the referenced secret will be deleted
+	// and this field will be removed from the hostedCluster status.
+	// +optional
+	CustomKubeconfig *KubeconfigSecretRef `json:"customKubeconfig,omitempty"`
+
 	// KubeadminPassword is a reference to the secret containing the initial kubeadmin password
 	// for the guest cluster.
 	// +optional

Diff for: api/hypershift/v1beta1/hostedcluster_types.go

@@ -472,6 +472,20 @@ type HostedClusterSpec struct {
 	// +required
 	Platform PlatformSpec `json:"platform"`
 
+	// kubeAPIServerDNSName specifies a desired DNS name to resolve to the KAS.
+	// When set, the controller will automatically generate a secret with kubeconfig and expose it in the hostedCluster Status.customKubeconfig field.
+	// If it's set or removed day 2, the kubeconfig generated secret will be created, recreated or deleted.
+	// The DNS entries should be resolvable from the cluster, so this should be manually configured in the DNS provider.
+	// This field works in conjunction with configuration.APIServer.ServingCerts.NamedCertificates to enable
+	// access to the API server via a custom domain name. The NamedCertificates provide the TLS certificates
+	// for the custom domain, while this field triggers the generation of a kubeconfig that uses those certificates.
+	// This API endpoint only works in OCP version 4.19 or later. Older versions will result in a no-op.
+	// +kubebuilder:validation:XValidation:rule=`self == "" || self.matches('^(?:(?:[a-zA-Z0-9-]+\\.)+[a-zA-Z]{2,}|[a-zA-Z0-9-]+)$')`,message="kubeAPIServerDNSName must be a valid URL name (e.g., api.example.com)"
+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:example: "api.example.com"
+	// +optional
+	KubeAPIServerDNSName string `json:"kubeAPIServerDNSName,omitempty"`
+
 	// controllerAvailabilityPolicy specifies the availability policy applied to critical control plane components like the Kube API Server.
 	// Possible values are HighlyAvailable and SingleReplica. The default value is HighlyAvailable.
 	// This field is immutable.
@@ -1478,6 +1492,11 @@ type HostedClusterStatus struct {
 	// +optional
 	KubeConfig *corev1.LocalObjectReference `json:"kubeconfig,omitempty"`
 
+	// CustomKubeconfig is a local secret reference to the external custom kubeconfig.
+	// Once the hypershift operator sets this status field, it will generate a secret with the specified name containing a kubeconfig within the `HostedCluster` namespace.
+	// +optional
+	CustomKubeconfig *corev1.LocalObjectReference `json:"customKubeconfig,omitempty"`
+
 	// KubeadminPassword is a reference to the secret that contains the initial
 	// kubeadmin user password for the guest cluster.
 	// +optional

Diff for: api/hypershift/v1beta1/zz_generated.deepcopy.go

@@ -2393,6 +2393,21 @@ spec:
                   rule: self == oldSelf
                 - message: issuerURL must be a valid absolute URL
                   rule: isURL(self)
+              kubeAPIServerDNSName:
+                description: |-
+                  kubeAPIServerDNSName specifies a desired DNS name to resolve to the KAS.
+                  When set, the controller will automatically generate a secret with kubeconfig and expose it in the hostedCluster Status.customKubeconfig field.
+                  If it's set or removed day 2, the kubeconfig generated secret will be created, recreated or deleted.
+                  The DNS entries should be resolvable from the cluster, so this should be manually configured in the DNS provider.
+                  This field works in conjunction with configuration.APIServer.ServingCerts.NamedCertificates to enable
+                  access to the API server via a custom domain name. The NamedCertificates provide the TLS certificates
+                  for the custom domain, while this field triggers the generation of a kubeconfig that uses those certificates.
+                  This API endpoint only works in OCP version 4.19 or later. Older versions will result in a no-op.
+                maxLength: 253
+                type: string
+                x-kubernetes-validations:
+                - message: kubeAPIServerDNSName must be a valid URL name (e.g., api.example.com)
+                  rule: self == "" || self.matches('^(?:(?:[a-zA-Z0-9-]+\\.)+[a-zA-Z]{2,}|[a-zA-Z0-9-]+)$')
               labels:
                 additionalProperties:
                   type: string
@@ -4827,6 +4842,22 @@ spec:
                 - host
                 - port
                 type: object
+              customKubeconfig:
+                description: |-
+                  CustomKubeconfig is a local secret reference to the external custom kubeconfig.
+                  Once the hypershift operator sets this status field, it will generate a secret with the specified name containing a kubeconfig within the `HostedCluster` namespace.
+                properties:
+                  name:
+                    default: ""
+                    description: |-
+                      Name of the referent.
+                      This field is effectively required, but due to backwards compatibility is
+                      allowed to be empty. Instances of this type with an empty value here are
+                      almost certainly wrong.
+                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                    type: string
+                type: object
+                x-kubernetes-map-type: atomic
               ignitionEndpoint:
                 description: |-
                   IgnitionEndpoint is the endpoint injected in the ign config userdata.

Diff for: api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml

@@ -2434,6 +2434,21 @@ spec:
                   rule: self == oldSelf
                 - message: issuerURL must be a valid absolute URL
                   rule: isURL(self)
+              kubeAPIServerDNSName:
+                description: |-
+                  kubeAPIServerDNSName specifies a desired DNS name to resolve to the KAS.
+                  When set, the controller will automatically generate a secret with kubeconfig and expose it in the hostedCluster Status.customKubeconfig field.
+                  If it's set or removed day 2, the kubeconfig generated secret will be created, recreated or deleted.
+                  The DNS entries should be resolvable from the cluster, so this should be manually configured in the DNS provider.
+                  This field works in conjunction with configuration.APIServer.ServingCerts.NamedCertificates to enable
+                  access to the API server via a custom domain name. The NamedCertificates provide the TLS certificates
+                  for the custom domain, while this field triggers the generation of a kubeconfig that uses those certificates.
+                  This API endpoint only works in OCP version 4.19 or later. Older versions will result in a no-op.
+                maxLength: 253
+                type: string
+                x-kubernetes-validations:
+                - message: kubeAPIServerDNSName must be a valid URL name (e.g., api.example.com)
+                  rule: self == "" || self.matches('^(?:(?:[a-zA-Z0-9-]+\\.)+[a-zA-Z]{2,}|[a-zA-Z0-9-]+)$')
               labels:
                 additionalProperties:
                   type: string
@@ -4860,6 +4875,22 @@ spec:
                 - host
                 - port
                 type: object
+              customKubeconfig:
+                description: |-
+                  CustomKubeconfig is a local secret reference to the external custom kubeconfig.
+                  Once the hypershift operator sets this status field, it will generate a secret with the specified name containing a kubeconfig within the `HostedCluster` namespace.
+                properties:
+                  name:
+                    default: ""
+                    description: |-
+                      Name of the referent.
+                      This field is effectively required, but due to backwards compatibility is
+                      allowed to be empty. Instances of this type with an empty value here are
+                      almost certainly wrong.
+                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                    type: string
+                type: object
+                x-kubernetes-map-type: atomic
               ignitionEndpoint:
                 description: |-
                   IgnitionEndpoint is the endpoint injected in the ign config userdata.

Diff for: api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AutoNodeKarpenter.yaml

@@ -2389,6 +2389,21 @@ spec:
                   rule: self == oldSelf
                 - message: issuerURL must be a valid absolute URL
                   rule: isURL(self)
+              kubeAPIServerDNSName:
+                description: |-
+                  kubeAPIServerDNSName specifies a desired DNS name to resolve to the KAS.
+                  When set, the controller will automatically generate a secret with kubeconfig and expose it in the hostedCluster Status.customKubeconfig field.
+                  If it's set or removed day 2, the kubeconfig generated secret will be created, recreated or deleted.
+                  The DNS entries should be resolvable from the cluster, so this should be manually configured in the DNS provider.
+                  This field works in conjunction with configuration.APIServer.ServingCerts.NamedCertificates to enable
+                  access to the API server via a custom domain name. The NamedCertificates provide the TLS certificates
+                  for the custom domain, while this field triggers the generation of a kubeconfig that uses those certificates.
+                  This API endpoint only works in OCP version 4.19 or later. Older versions will result in a no-op.
+                maxLength: 253
+                type: string
+                x-kubernetes-validations:
+                - message: kubeAPIServerDNSName must be a valid URL name (e.g., api.example.com)
+                  rule: self == "" || self.matches('^(?:(?:[a-zA-Z0-9-]+\\.)+[a-zA-Z]{2,}|[a-zA-Z0-9-]+)$')
               labels:
                 additionalProperties:
                   type: string
@@ -4840,6 +4855,22 @@ spec:
                 - host
                 - port
                 type: object
+              customKubeconfig:
+                description: |-
+                  CustomKubeconfig is a local secret reference to the external custom kubeconfig.
+                  Once the hypershift operator sets this status field, it will generate a secret with the specified name containing a kubeconfig within the `HostedCluster` namespace.
+                properties:
+                  name:
+                    default: ""
+                    description: |-
+                      Name of the referent.
+                      This field is effectively required, but due to backwards compatibility is
+                      allowed to be empty. Instances of this type with an empty value here are
+                      almost certainly wrong.
+                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                    type: string
+                type: object
+                x-kubernetes-map-type: atomic
               ignitionEndpoint:
                 description: |-
                   IgnitionEndpoint is the endpoint injected in the ign config userdata.

Diff for: api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml

@@ -2410,6 +2410,21 @@ spec:
                   rule: self == oldSelf
                 - message: issuerURL must be a valid absolute URL
                   rule: isURL(self)
+              kubeAPIServerDNSName:
+                description: |-
+                  kubeAPIServerDNSName specifies a desired DNS name to resolve to the KAS.
+                  When set, the controller will automatically generate a secret with kubeconfig and expose it in the hostedCluster Status.customKubeconfig field.
+                  If it's set or removed day 2, the kubeconfig generated secret will be created, recreated or deleted.
+                  The DNS entries should be resolvable from the cluster, so this should be manually configured in the DNS provider.
+                  This field works in conjunction with configuration.APIServer.ServingCerts.NamedCertificates to enable
+                  access to the API server via a custom domain name. The NamedCertificates provide the TLS certificates
+                  for the custom domain, while this field triggers the generation of a kubeconfig that uses those certificates.
+                  This API endpoint only works in OCP version 4.19 or later. Older versions will result in a no-op.
+                maxLength: 253
+                type: string
+                x-kubernetes-validations:
+                - message: kubeAPIServerDNSName must be a valid URL name (e.g., api.example.com)
+                  rule: self == "" || self.matches('^(?:(?:[a-zA-Z0-9-]+\\.)+[a-zA-Z]{2,}|[a-zA-Z0-9-]+)$')
               labels:
                 additionalProperties:
                   type: string
@@ -4836,6 +4851,22 @@ spec:
                 - host
                 - port
                 type: object
+              customKubeconfig:
+                description: |-
+                  CustomKubeconfig is a local secret reference to the external custom kubeconfig.
+                  Once the hypershift operator sets this status field, it will generate a secret with the specified name containing a kubeconfig within the `HostedCluster` namespace.
+                properties:
+                  name:
+                    default: ""
+                    description: |-
+                      Name of the referent.
+                      This field is effectively required, but due to backwards compatibility is
+                      allowed to be empty. Instances of this type with an empty value here are
+                      almost certainly wrong.
+                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                    type: string
+                type: object
+                x-kubernetes-map-type: atomic
               ignitionEndpoint:
                 description: |-
                   IgnitionEndpoint is the endpoint injected in the ign config userdata.