Skip to content

OCPBUGS-75932: [release-4.19] fix(cpo): Correct route labeling logic for HCP router infrastructure#7643

Draft
csrwng wants to merge 1 commit intoopenshift:release-4.19from
csrwng:private_router_fix_419
Draft

OCPBUGS-75932: [release-4.19] fix(cpo): Correct route labeling logic for HCP router infrastructure#7643
csrwng wants to merge 1 commit intoopenshift:release-4.19from
csrwng:private_router_fix_419

Conversation

@csrwng
Copy link
Contributor

@csrwng csrwng commented Feb 5, 2026
edited
Loading

Manual backport of #7642

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 5, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 5, 2026
@coderabbitai
Copy link
Contributor

coderabbitai bot commented Feb 5, 2026
edited
Loading

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Excluded labels (none allowed) (1)
  • do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

  • 🔍 Trigger a full review
✨ Finishing touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment

Comment @coderabbitai help to get the list of available commands and usage tips.

@csrwng
Copy link
Contributor Author

csrwng commented Feb 5, 2026

/test verify
/test unit

@openshift-ci openshift-ci bot added the area/control-plane-operator Indicates the PR includes changes for the control plane operator - in an OCP release label Feb 5, 2026
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 5, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: csrwng

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added area/hypershift-operator Indicates the PR includes changes for the hypershift operator and API - outside an OCP release approved Indicates a PR has been approved by an approver from all required OWNERS files. and removed do-not-merge/needs-area labels Feb 5, 2026
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 5, 2026

@csrwng: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@csrwng
Copy link
Contributor Author

csrwng commented Feb 5, 2026

/jira cherry-pick OCPBUGS-75931

@openshift-ci-robot
Copy link

openshift-ci-robot commented Feb 5, 2026

@csrwng: Jira Issue OCPBUGS-75931 has been cloned as Jira Issue OCPBUGS-75932. Will retitle bug to link to clone.
/retitle OCPBUGS-75932: [release-4.19] fix(cpo): Correct route labeling logic for HCP router infrastructure

Details

In response to this:

/jira cherry-pick OCPBUGS-75931

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot changed the title [release-4.19] fix(cpo): Correct route labeling logic for HCP router infrastructure OCPBUGS-75932: [release-4.19] fix(cpo): Correct route labeling logic for HCP router infrastructure Feb 5, 2026
@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Feb 5, 2026
@openshift-ci-robot
Copy link

openshift-ci-robot commented Feb 5, 2026

@csrwng: This pull request references Jira Issue OCPBUGS-75932, which is invalid:

  • expected dependent Jira Issue OCPBUGS-75931 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is New instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Manual backport of #7642

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@csrwng @claude
fix(cpo): Correct route labeling logic for HCP router infrastructure
fa9b608 
During upgrades from 4.18 to 4.19, an unexpected LoadBalancer service named
"router" was created, blocking upgrades on platforms with limited LoadBalancer
IPs. This occurred because the previous fix (f0f8b08) used incorrect logic
to determine when to create the HCP router infrastructure.

Root Cause:
Previous fixes (f0f8b08 and ee45d1b) treated route labeling as a per-service
decision, checking if individual services had DNS hostnames. This created router
infrastructure even when routes should use the management cluster router.

For PublicAndPrivate clusters with KAS LoadBalancer + OAuth Route with hostname:
- Old logic: IsPublicWithDNS() returned true (OAuth has DNS)
- Result: Created router LB when not needed -> upgrade blocked
- Routes got labeled inconsistently based on per-service DNS config

Why the previous approach was wrong:
1. Route labeling should be a cluster-level infrastructure decision, not per-service
2. Router infrastructure availability is determined by KAS publishing strategy
3. Checking if ANY service has DNS doesn't indicate if HCP router exists
4. Could label routes for HCP router even when no HCP router infrastructure exists

Correct Solution:
Routes should be labeled for HCP router based on HCP router infrastructure
availability, which is determined by the KAS publishing strategy:

- Label routes for HCP router when:
  1. Cluster uses PrivateLink (AWS PublicAndPrivate or Private), OR
  2. Cluster is public with dedicated DNS for KAS (KAS uses Route with hostname)

- For PrivateLink with KAS LoadBalancer:
  - External route (OAuth) uses management cluster router
  - Internal routes (Konnectivity and Ignition) are handled by HCP
    router

Implementation:
- Added util.LabelHCPRoutes() as single source of truth for labeling decisions
- Updated all route reconciliation (OAuth, Konnectivity, Ignition) to use unified logic
- Fixed router service creation to align with labeling: only create when routes need it
- Removed incorrect per-service DNS functions (UseDedicatedDNSForOAuth, etc.)
- Removed IsPublicWithDNS() functions that checked if ANY service had DNS
- Removed validation that relied on IsPublicWithDNS()

Changes:
- support/util/visibility.go: Added LabelHCPRoutes(), removed IsPublicWithDNS functions
- support/util/expose.go: Removed per-service DNS helper functions
- hostedcontrolplane_controller.go: Use LabelHCPRoutes() for all route labeling
- v2/ignitionserver/route.go: Use LabelHCPRoutes()
- v2/router/component.go: Use LabelHCPRoutes()
- hostedcluster_controller.go: Removed incorrect validation

Result:
For PublicAndPrivate + KAS LoadBalancer + OAuth with hostname:
- OAuth route NOT labeled -> uses management cluster router
- Internal Router LB created -> only used for internal routes
  (Konnectivity and Ignition)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@csrwng csrwng force-pushed the private_router_fix_419 branch from 74a7d50 to fa9b608 Compare February 5, 2026 20:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. area/control-plane-operator Indicates the PR includes changes for the control plane operator - in an OCP release area/hypershift-operator Indicates the PR includes changes for the hypershift operator and API - outside an OCP release do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@csrwng @openshift-ci-robot