From 5019da0f0608443398e2d6ac00e83cfb0db890af Mon Sep 17 00:00:00 2001
From: Xiuwang
Date: Fri, 26 Dec 2025 17:40:42 +0800
Subject: [PATCH] Update cert-manager-custom-aggregated-cert step

---
 ...s-private-release-4.19__amd64-nightly.yaml | 1 +
 ...s-private-release-4.20__amd64-nightly.yaml | 1 +
 ...s-private-release-4.21__amd64-nightly.yaml | 1 +
 ...tom-aggregated-cert-hypershift-commands.sh | 101 ++++++++++--------
 ...custom-aggregated-cert-hypershift-ref.yaml | 3 +
 ...s-hypershift-full-cert-guest-workflow.yaml | 1 +
 .../create/hypershift-azure-create-chain.yaml | 15 ++-
 .../hypershift/azure/kas-dns-update/OWNERS | 8 ++
 ...ypershift-azure-kas-dns-update-commands.sh | 101 ++++++++++++++++++
 ...ift-azure-kas-dns-update-ref.metadata.json | 15 +++
 .../hypershift-azure-kas-dns-update-ref.yaml | 34 ++++++
 11 files changed, 237 insertions(+), 44 deletions(-)
 create mode 100644 ci-operator/step-registry/hypershift/azure/kas-dns-update/OWNERS
 create mode 100755 ci-operator/step-registry/hypershift/azure/kas-dns-update/hypershift-azure-kas-dns-update-commands.sh
 create mode 100644 ci-operator/step-registry/hypershift/azure/kas-dns-update/hypershift-azure-kas-dns-update-ref.metadata.json
 create mode 100644 ci-operator/step-registry/hypershift/azure/kas-dns-update/hypershift-azure-kas-dns-update-ref.yaml

diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__amd64-nightly.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__amd64-nightly.yaml
index a10f1658a62a3..c6760b8e2f95b 100644
--- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__amd64-nightly.yaml
+++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__amd64-nightly.yaml
@@ -1804,6 +1804,7 @@ tests:
 HYPERSHIFT_AZURE_MARKETPLACE_IMAGE_PUBLISHER: azureopenshift
 HYPERSHIFT_AZURE_MARKETPLACE_IMAGE_SKU: aro_419
 HYPERSHIFT_AZURE_MARKETPLACE_IMAGE_VERSION: 419.6.20250523
+ HYPERSHIFT_DYNAMIC_DNS: hypershift-kas-dns.qe1.azure.devcluster.openshift.com
 TEST_FILTERS: ~ChkUpgrade&;~DisconnectedOnly&;~NonPreRelease&;~HyperShiftMGMT&;~MicroShiftOnly&;~NonHyperShiftHOST&;~Serial&;~Disruptive&
 TEST_TIMEOUT: "30"
 test:
diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.20__amd64-nightly.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.20__amd64-nightly.yaml
index 4391e842e02fd..32fbad2cdc449 100644
--- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.20__amd64-nightly.yaml
+++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.20__amd64-nightly.yaml
@@ -1968,6 +1968,7 @@ tests:
 HYPERSHIFT_AZURE_MARKETPLACE_IMAGE_PUBLISHER: azureopenshift
 HYPERSHIFT_AZURE_MARKETPLACE_IMAGE_SKU: aro_419
 HYPERSHIFT_AZURE_MARKETPLACE_IMAGE_VERSION: 419.6.20250523
+ HYPERSHIFT_DYNAMIC_DNS: hypershift-kas-dns.qe1.azure.devcluster.openshift.com
 TEST_FILTERS: ~ChkUpgrade&;~DisconnectedOnly&;~NonPreRelease&;~HyperShiftMGMT&;~MicroShiftOnly&;~NonHyperShiftHOST&;~Serial&;~Disruptive&
 TEST_TIMEOUT: "30"
 test:
diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.21__amd64-nightly.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.21__amd64-nightly.yaml
index 91a8d53a50688..25485f6c2303a 100644
--- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.21__amd64-nightly.yaml
+++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.21__amd64-nightly.yaml
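Review bot: The same record `hypershift-kas-dns.qe1.azure.devcluster.openshift.com` is assigned to HYPERSHIFT_DYNAMIC_DNS in the 4.19, 4.20 and 4.21 job configs (this hunk and the two that follow it), while the new kas-dns-update step rewrites that single CNAME to the route of whichever cluster it runs for, so if two of these nightly jobs run concurrently they overwrite each other's record. The cert-manager step then validates the KAS certificate against that name and writes a kubeconfig that targets it, so one job's admin kubeconfig can end up pointing at another job's API server; that is a flaky test at best and a cross-cluster credential exposure path at worst. Consider a distinct pre-created record per release stream, e.g. `HYPERSHIFT_DYNAMIC_DNS: <per-stream-record>.qe1.azure.devcluster.openshift.com` (placeholder), or deriving the record name per job.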
@@ -2035,6 +2035,7 @@ tests:
 steps:
 cluster_profile: azure-qe
 env:
+ HYPERSHIFT_DYNAMIC_DNS: hypershift-kas-dns.qe1.azure.devcluster.openshift.com
 TEST_FILTERS: ~ChkUpgrade&;~DisconnectedOnly&;~NonPreRelease&;~HyperShiftMGMT&;~MicroShiftOnly&;~NonHyperShiftHOST&;~Serial&;~Disruptive&
 TEST_TIMEOUT: "30"
 test:
diff --git a/ci-operator/step-registry/cert-manager/custom-aggregated-cert/hypershift/cert-manager-custom-aggregated-cert-hypershift-commands.sh b/ci-operator/step-registry/cert-manager/custom-aggregated-cert/hypershift/cert-manager-custom-aggregated-cert-hypershift-commands.sh
index 4172ea62df874..9075188aca84c 100644
--- a/ci-operator/step-registry/cert-manager/custom-aggregated-cert/hypershift/cert-manager-custom-aggregated-cert-hypershift-commands.sh
+++ b/ci-operator/step-registry/cert-manager/custom-aggregated-cert/hypershift/cert-manager-custom-aggregated-cert-hypershift-commands.sh
@@ -53,8 +53,8 @@ spec:
 commonName: "*.${INGRESS_DOMAIN}"
 dnsNames:
 - "*.${INGRESS_DOMAIN}"
- - "api-${HC_NAME}.${HYPERSHIFT_EXTERNAL_DNS_DOMAIN}"
- - "oauth-${HC_NAME}.${HYPERSHIFT_EXTERNAL_DNS_DOMAIN}"
+ - "${KUBE_API_SERVER_DNS_NAME}"
+ - "oauth-${HC_NAME}.${HYPERSHIFT_DNS_DOMAIN}"
 usages:
 - server auth
 issuerRef:
@@ -64,7 +64,7 @@ spec:
 duration: 2h
 renewBefore: 1h30m
 EOF
- oc wait certificate "$AGGREGATED_CERT_NAME" -n openshift-ingress --for=condition=Ready=True --timeout=5m
+ oc wait certificate "$AGGREGATED_CERT_NAME" -n openshift-ingress --for=condition=Ready=True --timeout=10m
 }
 
 function configure_default_ic_cert() {
@@ -89,7 +89,10 @@ spec:
 apiServer:
 servingCerts:
 namedCertificates:
- - servingCertificate:
+ - names:
+ - $KUBE_API_SERVER_DNS_NAME
+ - oauth-$HC_NAME.$HYPERSHIFT_DNS_DOMAIN
+ servingCertificate:
 name: $AGGREGATED_CERT_SECRET_NAME"
 
 # Wait for kube-apiserver and oauth-openshift to restart
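Review bot: In the Certificate's dnsNames the OAuth entry is rebuilt as `oauth-${HC_NAME}.${HYPERSHIFT_DNS_DOMAIN}` from the KAS route hostname, although the script already holds the real route hostname in `$OAUTH_ROUTE_HOSTNAME` (checked non-empty in the -155 hunk, before create_aggregated_cert is called) and later verifies the certificate against exactly that hostname. Using `- "${OAUTH_ROUTE_HOSTNAME}"` here, and the same variable in the `names:` list of the -89 hunk, removes the assumption that both routes share a domain and that the OAuth route is named `oauth-<hc>`; if that assumption ever breaks, the issued certificate silently lacks the SAN the check_cert_issuer call needs. The body of create_aggregated_cert starts outside this hunk.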
@@ -103,24 +106,6 @@ spec:
 mgmt oc rollout status deployment -n "$HCP_NS" oauth-openshift --timeout=6m
 }
 
-function remove_kubelet_kubeconfig_cluster_ca() {
- local pids_to_wait=()
-
- for node in $(oc get node -o jsonpath='{.items[*].metadata.name}'); do
- { timeout 90s oc debug node/"$node" -- chroot /host bash -c '
-# Wait for the debug pod to be ready
-sleep 60
-sed "/certificate-authority-data/d" /var/lib/kubelet/kubeconfig > /var/lib/kubelet/kubeconfig.tmp
-mv /var/lib/kubelet/kubeconfig.tmp /var/lib/kubelet/kubeconfig
-systemctl restart kubelet' || true; } &
- pids_to_wait+=($!)
- done
- wait "${pids_to_wait[@]}"
-
- # Nodes become unreachable
- oc wait node --all --for=condition=Ready=Unknown --timeout=5m
-}
-
 function check_cert_issuer() {
 local fqdn="$1"
 local port="$2"
@@ -155,7 +140,7 @@ if [[ -z "$OAUTH_ROUTE_HOSTNAME" ]]; then
 echo "Empty OAuth route hostname, exiting" >&2
 exit 1
 fi
-HYPERSHIFT_EXTERNAL_DNS_DOMAIN="$(cut -d '.' -f 1 --complement <<< "$KAS_ROUTE_HOSTNAME")"
+HYPERSHIFT_DNS_DOMAIN="$(cut -d '.' -f 1 --complement <<< "$KAS_ROUTE_HOSTNAME")"
 
 # Create aggregated cert
 AGGREGATED_CERT_NAME=custom-aggregated-cert
@@ -163,6 +148,14 @@ AGGREGATED_CERT_SECRET_NAME=cert-manager-managed-aggregated-cert-tls
 INGRESS_DOMAIN=$(oc get ingress.config cluster -o jsonpath='{.spec.domain}')
 HC_NAME="$(cut -d '.' -f 2 <<< "$INGRESS_DOMAIN")"
 HCP_NS="clusters-$HC_NAME"
+
+# Get kubeAPIServerDNSName from HostedCluster spec
+KUBE_API_SERVER_DNS_NAME="$(mgmt oc get hc -n clusters "$HC_NAME" -o jsonpath='{.spec.kubeAPIServerDNSName}')"
+if [[ -z "$KUBE_API_SERVER_DNS_NAME" ]]; then
+ echo "kubeAPIServerDNSName is not set in HostedCluster spec." >&2
+ exit 1
+fi
+
 create_aggregated_cert
 
 # Configure ic cert
@@ -180,31 +173,56 @@ pushd "$TMP_DIR"
 oc extract secret/"$AGGREGATED_CERT_SECRET_NAME" -n openshift-ingress
 mgmt oc create secret tls "$AGGREGATED_CERT_SECRET_NAME" --cert=tls.crt --key=tls.key -n clusters
 
-# Get kubeconfig cluster ca data before configuring kas serving cert
-BACKUP_KUBECONFIG_CA_DATA="$(grep certificate-authority-data "$KUBECONFIG" | awk '{print $2}')"
-
-# Update KUBECONFIG to allow secure communication between kubelets and the external KAS endpoint
-# TODO: remove this workaround once https://issues.redhat.com/browse/OCPBUGS-41853 is resolved
-remove_kubelet_kubeconfig_cluster_ca
-
 # Configure kas & oauth serving cert
 configure_kas_oauth_serving_cert
 
-# Check kas & oauth cert
-check_cert_issuer "$KAS_ROUTE_HOSTNAME" 443 "Let's Encrypt"
+# Check kas custom DNS name cert & oauth cert (should use cert-manager certificate)
+check_cert_issuer "$KUBE_API_SERVER_DNS_NAME" 443 "Let's Encrypt"
 check_cert_issuer "$OAUTH_ROUTE_HOSTNAME" 443 "Let's Encrypt"
 
-# Download the updated KUBECONFIG after it's reconciled to include the default ingress certificate
 (
 set +x
- CURRENT_KUBECONFIG_CONTENT="$(mgmt oc extract secret/"${HC_NAME}-admin-kubeconfig" -n clusters --to -)"
- CURRENT_KUBECONFIG_CA_DATA="$(grep certificate-authority-data <<< "$CURRENT_KUBECONFIG_CONTENT" | awk '{print $2}')"
- until [[ "$CURRENT_KUBECONFIG_CA_DATA" != "$BACKUP_KUBECONFIG_CA_DATA" ]]; do
- CURRENT_KUBECONFIG_CONTENT="$(mgmt oc extract secret/"${HC_NAME}-admin-kubeconfig" -n clusters --to -)"
- CURRENT_KUBECONFIG_CA_DATA="$(grep certificate-authority-data <<< "$CURRENT_KUBECONFIG_CONTENT" | awk '{print $2}')"
- sleep 15
+ echo "Waiting for custom kubeconfig to be generated..."
+
+ # Wait for customKubeconfig to be available
+ CUSTOM_KUBECONFIG_SECRET=""
+ RETRY_COUNT=0
+ MAX_RETRIES=30
+ while [[ -z "$CUSTOM_KUBECONFIG_SECRET" && $RETRY_COUNT -lt $MAX_RETRIES ]]; do
+ CUSTOM_KUBECONFIG_SECRET=$(mgmt oc get hc -n clusters "$HC_NAME" -o jsonpath='{.status.customKubeconfig.name}' 2>/dev/null || echo "")
+ if [[ -z "$CUSTOM_KUBECONFIG_SECRET" ]]; then
+ echo "Waiting for status.customKubeconfig to be set... (attempt $((RETRY_COUNT+1))/$MAX_RETRIES)"
+ sleep 10
+ RETRY_COUNT=$((RETRY_COUNT+1))
+ fi
 done
- tee "$KUBECONFIG" "${SHARED_DIR}/kubeconfig" "${SHARED_DIR}/nested_kubeconfig" <<< "$CURRENT_KUBECONFIG_CONTENT" >/dev/null
+
+ if [[ -z "$CUSTOM_KUBECONFIG_SECRET" ]]; then
+ echo "ERROR: Custom kubeconfig not generated. spec.kubeAPIServerDNSName may not be set."
+ echo "This test requires the cluster to be created with --kas-dns-name flag."
+ exit 1
+ fi
+
+ echo "✓ Custom kubeconfig generated: ${CUSTOM_KUBECONFIG_SECRET}"
+
+ # Extract the custom kubeconfig
+ CUSTOM_KUBECONFIG_CONTENT="$(mgmt oc extract secret/"${CUSTOM_KUBECONFIG_SECRET}" -n clusters --to -)"
+
+ # Check if external-dns is enabled
+ # When external-dns is enabled, the custom kubeconfig needs port 443 instead of 6443
+ # Workaround for https://issues.redhat.com/browse/OCPBUGS-72258
+ if [[ -n "${HYPERSHIFT_EXTERNAL_DNS_DOMAIN:-}" ]]; then
+ echo "Applying port replacement: 6443 → 443 (workaround for OCPBUGS-72258)"
+ CUSTOM_KUBECONFIG_CONTENT="$(echo "$CUSTOM_KUBECONFIG_CONTENT" | sed 's/:6443/:443/g')"
+ else
+ echo "External DNS not enabled, no port replacement needed"
+ fi
+
+ # Write modified kubeconfig to all required locations
+ tee "$KUBECONFIG" "${SHARED_DIR}/kubeconfig" "${SHARED_DIR}/nested_kubeconfig" <<< "$CUSTOM_KUBECONFIG_CONTENT" >/dev/null
+
+ echo "✓ Custom kubeconfig deployed"
+ echo "Performing health check on KAS endpoint..."
 )
 
 # Perform oc login test if possible
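Review bot: The `exit 1` after `echo "ERROR: Custom kubeconfig not generated. ..."` runs inside the `( set +x ... )` subshell and therefore ends only the subshell; whether the step stops after that depends on the script's `set -e` setting, which is outside this hunk, and without it execution continues with the old `$KUBECONFIG` still in place. Appending `|| exit 1` to the closing `)` makes the failure propagate regardless of the shell options. The port workaround `sed 's/:6443/:443/g'` rewrites every `:6443` in the kubeconfig, not only the `server:` URL; `sed '/server:/ s/:6443/:443/'` confines the OCPBUGS-72258 workaround to the line it is meant for. The final `echo "Performing health check on KAS endpoint..."` is not followed by any check inside the subshell — the only verification after it is the kubeadmin login test on the context lines that follow — so the message should be moved next to that test or dropped.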
@@ -212,7 +230,4 @@ if mgmt oc get secret/"${HC_NAME}-kubeadmin-password" -n clusters >/dev/null; th
 oc_login_kubeadmin_passwd
 fi
 
-# Restart ovnkube-node
-oc delete po -n openshift-ovn-kubernetes --all
-
 wait_for_hc_readiness
diff --git a/ci-operator/step-registry/cert-manager/custom-aggregated-cert/hypershift/cert-manager-custom-aggregated-cert-hypershift-ref.yaml b/ci-operator/step-registry/cert-manager/custom-aggregated-cert/hypershift/cert-manager-custom-aggregated-cert-hypershift-ref.yaml
index 5a708ee589476..d280747b08a0d 100644
--- a/ci-operator/step-registry/cert-manager/custom-aggregated-cert/hypershift/cert-manager-custom-aggregated-cert-hypershift-ref.yaml
+++ b/ci-operator/step-registry/cert-manager/custom-aggregated-cert/hypershift/cert-manager-custom-aggregated-cert-hypershift-ref.yaml
@@ -12,6 +12,9 @@ ref:
 - name: CLUSTERISSUER_NAME
 documentation: The name of the cert-manager ClusterIssuer to use for the external certificates issuance. (Prerequsite is that the ClusterIssuer is created and ready.)
 default: "letsencrypt-prodoction-ci-hypershift"
+ - name: HYPERSHIFT_EXTERNAL_DNS_DOMAIN
+ default: ""
+ documentation: Specifies the external DNS domain. If left empty, external DNS is assumed to be disabled.
 documentation: |-
 Issue and configure public trusted certificates for KAS, OAuth and Ingress by using cert-manager.
 Run against Hypershift hosted clusters.
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/azure/aks/hypershift/full-cert/guest/cucushift-installer-rehearse-azure-aks-hypershift-full-cert-guest-workflow.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/azure/aks/hypershift/full-cert/guest/cucushift-installer-rehearse-azure-aks-hypershift-full-cert-guest-workflow.yaml
index 55c51da3ef310..a0d70c85b233f 100644
--- a/ci-operator/step-registry/cucushift/installer/rehearse/azure/aks/hypershift/full-cert/guest/cucushift-installer-rehearse-azure-aks-hypershift-full-cert-guest-workflow.yaml
+++ b/ci-operator/step-registry/cucushift/installer/rehearse/azure/aks/hypershift/full-cert/guest/cucushift-installer-rehearse-azure-aks-hypershift-full-cert-guest-workflow.yaml
@@ -3,6 +3,7 @@ workflow:
 steps:
 pre:
 - chain: cucushift-installer-rehearse-azure-aks-hypershift-base-provision
+ - ref: hypershift-azure-kas-dns-update
 - ref: cucushift-hypershift-extended-enable-guest
 - chain: cert-manager-install
 - ref: cert-manager-clusterissuer-hypershift
diff --git a/ci-operator/step-registry/hypershift/azure/create/hypershift-azure-create-chain.yaml b/ci-operator/step-registry/hypershift/azure/create/hypershift-azure-create-chain.yaml
index a84de9503e01c..7bf9fbd544c2a 100644
--- a/ci-operator/step-registry/hypershift/azure/create/hypershift-azure-create-chain.yaml
+++ b/ci-operator/step-registry/hypershift/azure/create/hypershift-azure-create-chain.yaml
@@ -21,6 +21,13 @@ chain:
 - name: HYPERSHIFT_EXTERNAL_DNS_DOMAIN
 default: ""
 documentation: "Specifies the external DNS domain. If left empty, external DNS is assumed to be disabled."
+ - name: HYPERSHIFT_DYNAMIC_DNS
+ default: ""
+ documentation: |-
+ Set custom DNS name for kube-apiserver. Must be a pre-existing DNS record in Azure DNS.
+ Example: 'hypershift-kas-dns.qe1.azure.devcluster.openshift.com'
+ The DNS record will be automatically updated to point to the cluster's Route after creation.
+ Leave empty to disable custom KAS DNS.
 - name: ENABLE_ICSP
 default: "false"
 documentation: "If true, add image content sources config(path=${SHARED_DIR}/mgmt_icsp.yaml)"
@@ -140,7 +147,7 @@ chain:
 CLUSTER_NAME="$(echo -n $PROW_JOB_ID|sha256sum|cut -c-20)"
 echo "$(date) Creating HyperShift cluster ${CLUSTER_NAME}"
-
+
 RELEASE_IMAGE=${HYPERSHIFT_HC_RELEASE_IMAGE:-$RELEASE_IMAGE_LATEST}
 AZURE_CREDS=${CLUSTER_PROFILE_DIR}/osServicePrincipal.json
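Review bot: The HYPERSHIFT_DYNAMIC_DNS documentation in the -21 hunk says the record "will be automatically updated to point to the cluster's Route after creation", but this chain only passes `--kas-dns-name`; the update itself is done by the separate `hypershift-azure-kas-dns-update` ref, which each workflow has to include explicitly (as the full-cert guest workflow does in this commit). A reader configuring a different workflow from this chain alone would expect the CNAME to be maintained for them. Suggest stating the dependency, e.g. `The record is updated by the hypershift-azure-kas-dns-update step, which must run after this chain.`, and noting that the record name must be unique per concurrently running job.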
@@ -284,6 +291,12 @@ chain:
 EXTRA_ARGS+=" --network-type=${HYPERSHIFT_NETWORK_TYPE}"
 fi
 
+ # Add --kas-dns-name flag when HYPERSHIFT_DYNAMIC_DNS is set
+ # This enables dynamic external DNS name management and auto-generated custom kubeconfig
+ if [[ -n $HYPERSHIFT_DYNAMIC_DNS ]]; then
+ EXTRA_ARGS+=" --kas-dns-name=${HYPERSHIFT_DYNAMIC_DNS}"
+ fi
+
 if [[ -n $HYPERSHIFT_AZURE_DIAGNOSTICS_STORAGE_ACCOUNT_TYPE ]]; then
 EXTRA_ARGS+=" --diagnostics-storage-account-type=${HYPERSHIFT_AZURE_DIAGNOSTICS_STORAGE_ACCOUNT_TYPE}"
 if [[ $HYPERSHIFT_AZURE_DIAGNOSTICS_STORAGE_ACCOUNT_TYPE == "UserManaged" ]]; then
diff --git a/ci-operator/step-registry/hypershift/azure/kas-dns-update/OWNERS b/ci-operator/step-registry/hypershift/azure/kas-dns-update/OWNERS
new file mode 100644
index 0000000000000..4ba52363650bc
--- /dev/null
+++ b/ci-operator/step-registry/hypershift/azure/kas-dns-update/OWNERS
@@ -0,0 +1,8 @@
+approvers:
+- heliubj18
+- LiangquanLi930
+- xiuwang
+reviewers:
+- heliubj18
+- LiangquanLi930
+- xiuwang
diff --git a/ci-operator/step-registry/hypershift/azure/kas-dns-update/hypershift-azure-kas-dns-update-commands.sh b/ci-operator/step-registry/hypershift/azure/kas-dns-update/hypershift-azure-kas-dns-update-commands.sh
new file mode 100755
index 0000000000000..cf0924786860b
--- /dev/null
+++ b/ci-operator/step-registry/hypershift/azure/kas-dns-update/hypershift-azure-kas-dns-update-commands.sh
@@ -0,0 +1,101 @@
+#!/bin/bash
+set -euo pipefail
+set -x
+
+if [[ -z "${HYPERSHIFT_DYNAMIC_DNS:-}" ]]; then
+ echo "HYPERSHIFT_DYNAMIC_DNS not set, skipping KAS DNS update"
+ exit 0
+fi
+
+AZURE_AUTH_LOCATION="${CLUSTER_PROFILE_DIR}/osServicePrincipal.json"
+if [[ "${USE_HYPERSHIFT_AZURE_CREDS}" == "true" ]]; then
+ AZURE_AUTH_LOCATION="/etc/hypershift-ci-jobs-azurecreds/credentials.json"
+fi
+
+export KUBECONFIG="${SHARED_DIR}/kubeconfig"
+
+# Get cluster name
+CLUSTER_NAME=$(oc get hostedclusters -n clusters -o jsonpath='{.items[0].metadata.name}')
+echo "Cluster name: ${CLUSTER_NAME}"
+
+# Get KAS DNS name from HostedCluster spec
+KAS_DNS_NAME=$(oc get hc/${CLUSTER_NAME} -n clusters -o jsonpath='{.spec.kubeAPIServerDNSName}')
+if [[ -z "${KAS_DNS_NAME}" ]]; then
+ echo "INFO: KubeAPI Server DNS name not configured for '${CLUSTER_NAME}'"
+ exit 0
+fi
+echo "KAS DNS Name: ${KAS_DNS_NAME}"
+
+# Wait for KAS Route to be ready
+echo "Waiting for KAS Route to be ready..."
+KAS_ROUTE=""
+for i in {1..30}; do
+ KAS_ROUTE=$(oc get route -n clusters-${CLUSTER_NAME} kube-apiserver -o jsonpath='{.status.ingress[0].host}' 2>/dev/null || echo "")
+ if [[ -n "${KAS_ROUTE}" ]]; then
+ break
+ fi
+ echo "Waiting for KAS Route...
(attempt $i/30)"
+ sleep 10
+done
+
+if [[ -z "${KAS_ROUTE}" ]]; then
+ echo "ERROR: KAS Route not found after waiting"
+ exit 1
+fi
+
+echo "KAS Route: ${KAS_ROUTE}"
+echo "Updating KAS DNS CNAME: ${KAS_DNS_NAME} -> ${KAS_ROUTE}"
+
+# Azure login
+AZURE_AUTH_CLIENT_ID="$(<"${AZURE_AUTH_LOCATION}" jq -r .clientId)"
+AZURE_AUTH_CLIENT_SECRET="$(<"${AZURE_AUTH_LOCATION}" jq -r .clientSecret)"
+AZURE_AUTH_TENANT_ID="$(<"${AZURE_AUTH_LOCATION}" jq -r .tenantId)"
+AZURE_AUTH_SUBSCRIPTION_ID="$(<"${AZURE_AUTH_LOCATION}" jq -r .subscriptionId)"
+
+az --version
+az cloud set --name AzureCloud
+az login --service-principal -u "${AZURE_AUTH_CLIENT_ID}" -p "${AZURE_AUTH_CLIENT_SECRET}" --tenant "${AZURE_AUTH_TENANT_ID}" --output none
+az account set --subscription ${AZURE_AUTH_SUBSCRIPTION_ID}
+
+# Extract DNS components
+RECORD_NAME="${KAS_DNS_NAME%%.*}"
+DNS_ZONE="${KAS_DNS_NAME#*.}"
+
+echo "Updating DNS record:"
+echo " Record Name: ${RECORD_NAME}"
+echo " DNS Zone: ${DNS_ZONE}"
+echo " Target: ${KAS_ROUTE}"
+
+# Update CNAME record
+az network dns record-set cname set-record \
+ --resource-group "$DNS_ZONE_RG_NAME" \
+ --zone-name "${DNS_ZONE}" \
+ --record-set-name "${RECORD_NAME}" \
+ --cname "${KAS_ROUTE}"
+
+echo "✓ KAS DNS record updated successfully"
+
+# Verify DNS record
+az network dns record-set cname show \
+ --resource-group "$DNS_ZONE_RG_NAME" \
+ --zone-name "${DNS_ZONE}" \
+ --name "${RECORD_NAME}" \
+ --query "{Name:name, CNAME:cnameRecord.cname}" -o table
+
+echo "Testing DNS resolution..."
+sleep 10
+
+# Try to resolve DNS (may take time to propagate)
+for i in {1..30}; do
+ if nslookup "${KAS_DNS_NAME}" > /dev/null 2>&1; then
+ RESOLVED_IP=$(nslookup "${KAS_DNS_NAME}" | grep -A1 "Name:" | tail -1 | awk '{print $2}')
+ echo "✓ DNS resolution successful: ${KAS_DNS_NAME} -> ${RESOLVED_IP}"
+ exit 0
+ fi
+ echo "Waiting for DNS propagation...
(attempt $i/30)"
+ sleep 10
+done
+
+echo "WARNING: DNS not fully propagated yet, but CNAME record was updated"
+echo "This is normal for DNS propagation delays. The record is configured correctly."
+exit 0
diff --git a/ci-operator/step-registry/hypershift/azure/kas-dns-update/hypershift-azure-kas-dns-update-ref.metadata.json b/ci-operator/step-registry/hypershift/azure/kas-dns-update/hypershift-azure-kas-dns-update-ref.metadata.json
new file mode 100644
index 0000000000000..be35ace59cbd9
--- /dev/null
+++ b/ci-operator/step-registry/hypershift/azure/kas-dns-update/hypershift-azure-kas-dns-update-ref.metadata.json
@@ -0,0 +1,15 @@
+{
+ "path": "hypershift/azure/kas-dns-update/hypershift-azure-kas-dns-update-ref.yaml",
+ "owners": {
+ "approvers": [
+ "heliubj18",
+ "LiangquanLi930",
+ "xiuwang"
+ ],
+ "reviewers": [
+ "heliubj18",
+ "LiangquanLi930",
+ "xiuwang"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/ci-operator/step-registry/hypershift/azure/kas-dns-update/hypershift-azure-kas-dns-update-ref.yaml b/ci-operator/step-registry/hypershift/azure/kas-dns-update/hypershift-azure-kas-dns-update-ref.yaml
new file mode 100644
index 0000000000000..3e942eff7a101
--- /dev/null
+++ b/ci-operator/step-registry/hypershift/azure/kas-dns-update/hypershift-azure-kas-dns-update-ref.yaml
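Review bot: `set -x` is enabled on the script's third line and never turned off, so the `AZURE_AUTH_CLIENT_SECRET="$(<"${AZURE_AUTH_LOCATION}" jq -r .clientSecret)"` assignment and the `az login --service-principal ... -p "${AZURE_AUTH_CLIENT_SECRET}"` command are both traced to the job log with the service-principal secret in clear text; CI logs are retained and readable well beyond the people who can read the mounted credential. Put `set +x` immediately before the `# Azure login` block and `set -x` after `az account set`, so the four jq assignments and the login never reach the trace. Two smaller points: `az account set --subscription ${AZURE_AUTH_SUBSCRIPTION_ID}` leaves its value unquoted unlike every other argument in the script, and `RECORD_NAME="${KAS_DNS_NAME%%.*}"` / `DNS_ZONE="${KAS_DNS_NAME#*.}"` only work when the record is a single label directly under the zone, an assumption the HYPERSHIFT_DYNAMIC_DNS documentation should state.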
@@ -0,0 +1,34 @@
+ref:
+ as: hypershift-azure-kas-dns-update
+ from_image:
+ namespace: ocp
+ name: "4.19"
+ tag: upi-installer
+ timeout: 15m
+ grace_period: 5m
+ commands: hypershift-azure-kas-dns-update-commands.sh
+ resources:
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ env:
+ - name: DNS_ZONE_RG_NAME
+ default: "os4-common"
+ documentation: "dns zone resource group"
+ - name: HYPERSHIFT_DYNAMIC_DNS
+ default: ""
+ documentation: |-
+ Set custom DNS name for kube-apiserver.
+ - name: USE_HYPERSHIFT_AZURE_CREDS
+ default: "false"
+ documentation: If true, use hypershift azure credentials.
+ credentials:
+ - mount_path: /etc/hypershift-ci-jobs-azurecreds
+ name: hypershift-ci-jobs-azurecreds
+ namespace: test-credentials
+ - mount_path: /etc/hypershift-aro-azurecreds
+ name: hypershift-aro-azurecreds
+ namespace: test-credentials
+ documentation: |-
+ Updates Azure DNS CNAME record to point custom KAS DNS name to the actual Route hostname.
+ This step should run after cluster creation when using --kas-dns-name with pre-existing DNS records.
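Review bot: The ref mounts two credential secrets, `hypershift-ci-jobs-azurecreds` and `hypershift-aro-azurecreds`, but the commands script in this commit reads only `/etc/hypershift-ci-jobs-azurecreds/credentials.json` (or the cluster profile's osServicePrincipal.json); the second mount places an unused service-principal secret inside the step container and should be dropped unless a follow-up change uses it. The HYPERSHIFT_DYNAMIC_DNS documentation here is a single line, while the create chain in the same commit documents the pre-existing-record requirement; repeating `Must be a pre-existing DNS record in Azure DNS, one label directly under the zone.` keeps the two in step and matches how the script splits the name. The `from_image` pin to ocp/4.19 upi-installer is presumably deliberate for a step also wired into 4.20 and 4.21 jobs, but a short comment saying so would save the next reader the question.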