OCPQE-31342: Update aggregated-cert post check

ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__amd64-nightly.yaml

@@ -1804,6 +1804,7 @@ tests:
       HYPERSHIFT_AZURE_MARKETPLACE_IMAGE_PUBLISHER: azureopenshift
       HYPERSHIFT_AZURE_MARKETPLACE_IMAGE_SKU: aro_419
       HYPERSHIFT_AZURE_MARKETPLACE_IMAGE_VERSION: 419.6.20250523
+      HYPERSHIFT_DYNAMIC_DNS: auto
       TEST_FILTERS: ~ChkUpgrade&;~DisconnectedOnly&;~NonPreRelease&;~HyperShiftMGMT&;~MicroShiftOnly&;~NonHyperShiftHOST&;~Serial&;~Disruptive&
       TEST_TIMEOUT: "30"
     test:

ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.20__amd64-nightly.yaml

@@ -1968,6 +1968,7 @@ tests:
       HYPERSHIFT_AZURE_MARKETPLACE_IMAGE_PUBLISHER: azureopenshift
       HYPERSHIFT_AZURE_MARKETPLACE_IMAGE_SKU: aro_419
       HYPERSHIFT_AZURE_MARKETPLACE_IMAGE_VERSION: 419.6.20250523
+      HYPERSHIFT_DYNAMIC_DNS: auto
       TEST_FILTERS: ~ChkUpgrade&;~DisconnectedOnly&;~NonPreRelease&;~HyperShiftMGMT&;~MicroShiftOnly&;~NonHyperShiftHOST&;~Serial&;~Disruptive&
       TEST_TIMEOUT: "30"
     test:

ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.21__amd64-nightly.yaml

@@ -2035,6 +2035,7 @@ tests:
   steps:
     cluster_profile: azure-qe
     env:
+      HYPERSHIFT_DYNAMIC_DNS: auto
       TEST_FILTERS: ~ChkUpgrade&;~DisconnectedOnly&;~NonPreRelease&;~HyperShiftMGMT&;~MicroShiftOnly&;~NonHyperShiftHOST&;~Serial&;~Disruptive&
       TEST_TIMEOUT: "30"
     test:

ci-operator/step-registry/cert-manager/custom-aggregated-cert/hypershift/cert-manager-custom-aggregated-cert-hypershift-commands.sh

@@ -64,7 +64,7 @@ spec:
   duration: 2h
   renewBefore: 1h30m
 EOF
-    oc wait certificate "$AGGREGATED_CERT_NAME" -n openshift-ingress --for=condition=Ready=True --timeout=5m
+    oc wait certificate "$AGGREGATED_CERT_NAME" -n openshift-ingress --for=condition=Ready=True --timeout=10m
 }
 
 function configure_default_ic_cert() {
@@ -103,24 +103,6 @@ spec:
     mgmt oc rollout status deployment -n "$HCP_NS" oauth-openshift --timeout=6m
 }
 
-function remove_kubelet_kubeconfig_cluster_ca() {
-    local pids_to_wait=()
-
-    for node in $(oc get node -o jsonpath='{.items[*].metadata.name}'); do
-        { timeout 90s oc debug node/"$node" -- chroot /host bash -c '
-# Wait for the debug pod to be ready
-sleep 60
-sed "/certificate-authority-data/d" /var/lib/kubelet/kubeconfig > /var/lib/kubelet/kubeconfig.tmp
-mv /var/lib/kubelet/kubeconfig.tmp /var/lib/kubelet/kubeconfig
-systemctl restart kubelet' || true; } &
-        pids_to_wait+=($!)
-    done
-    wait "${pids_to_wait[@]}"
-
-    # Nodes become unreachable
-    oc wait node --all --for=condition=Ready=Unknown --timeout=5m
-}
-
 function check_cert_issuer() {
     local fqdn="$1"
     local port="$2"
@@ -163,6 +145,13 @@ AGGREGATED_CERT_SECRET_NAME=cert-manager-managed-aggregated-cert-tls
 INGRESS_DOMAIN=$(oc get ingress.config cluster -o jsonpath='{.spec.domain}')
 HC_NAME="$(cut -d '.' -f 2 <<< "$INGRESS_DOMAIN")"
 HCP_NS="clusters-$HC_NAME"
+
+# Add annotation to skip KAS certificate SAN conflict validation
+# This is needed because the test configures a custom serving certificate with DNS names
+# that HyperShift automatically adds to the default KAS certificate will cause conflict.
+# https://issues.redhat.com/browse/OCPBUGS-53261
+mgmt oc annotate hc -n clusters "$HC_NAME" hypershift.openshift.io/skip-kas-conflict-san-validation=true --overwrite
+
 create_aggregated_cert
 
 # Configure ic cert
@@ -180,39 +169,77 @@ pushd "$TMP_DIR"
 oc extract secret/"$AGGREGATED_CERT_SECRET_NAME" -n openshift-ingress
 mgmt oc create secret tls "$AGGREGATED_CERT_SECRET_NAME" --cert=tls.crt --key=tls.key -n clusters
 
-# Get kubeconfig cluster ca data before configuring kas serving cert
-BACKUP_KUBECONFIG_CA_DATA="$(grep certificate-authority-data "$KUBECONFIG" | awk '{print $2}')"
-
-# Update KUBECONFIG to allow secure communication between kubelets and the external KAS endpoint
-# TODO: remove this workaround once https://issues.redhat.com/browse/OCPBUGS-41853 is resolved
-remove_kubelet_kubeconfig_cluster_ca
-
 # Configure kas & oauth serving cert
 configure_kas_oauth_serving_cert
 
 # Check kas & oauth cert
 check_cert_issuer "$KAS_ROUTE_HOSTNAME" 443 "Let's Encrypt"
 check_cert_issuer "$OAUTH_ROUTE_HOSTNAME" 443 "Let's Encrypt"
 
-# Download the updated KUBECONFIG after it's reconciled to include the default ingress certificate
+# Use auto-generated custom kubeconfig
+# When spec.kubeAPIServerDNSName is set (via --kas-dns-name flag during cluster creation),
+# HyperShift automatically generates a custom kubeconfig with the proper CA bundle and
+# external DNS name configured.
 (
     set +x
-    CURRENT_KUBECONFIG_CONTENT="$(mgmt oc extract secret/"${HC_NAME}-admin-kubeconfig" -n clusters --to -)"
-    CURRENT_KUBECONFIG_CA_DATA="$(grep certificate-authority-data <<< "$CURRENT_KUBECONFIG_CONTENT" | awk '{print $2}')"
-    until [[ "$CURRENT_KUBECONFIG_CA_DATA" != "$BACKUP_KUBECONFIG_CA_DATA" ]]; do
-        CURRENT_KUBECONFIG_CONTENT="$(mgmt oc extract secret/"${HC_NAME}-admin-kubeconfig" -n clusters --to -)"
-        CURRENT_KUBECONFIG_CA_DATA="$(grep certificate-authority-data <<< "$CURRENT_KUBECONFIG_CONTENT" | awk '{print $2}')"
-        sleep 15
+    echo "Waiting for custom kubeconfig to be generated..."
+
+    # Wait for customKubeconfig to be available
+    CUSTOM_KUBECONFIG_SECRET=""
+    RETRY_COUNT=0
+    MAX_RETRIES=30
+    while [[ -z "$CUSTOM_KUBECONFIG_SECRET" && $RETRY_COUNT -lt $MAX_RETRIES ]]; do
+        CUSTOM_KUBECONFIG_SECRET=$(mgmt oc get hc -n clusters "$HC_NAME" -o jsonpath='{.status.customKubeconfig.name}' 2>/dev/null || echo "")
+        if [[ -z "$CUSTOM_KUBECONFIG_SECRET" ]]; then
+            echo "Waiting for status.customKubeconfig to be set... (attempt $((RETRY_COUNT+1))/$MAX_RETRIES)"
+            sleep 10
+            RETRY_COUNT=$((RETRY_COUNT+1))
+        fi
     done
-    tee "$KUBECONFIG" "${SHARED_DIR}/kubeconfig" "${SHARED_DIR}/nested_kubeconfig" <<< "$CURRENT_KUBECONFIG_CONTENT" >/dev/null
+
+    if [[ -z "$CUSTOM_KUBECONFIG_SECRET" ]]; then
+        echo "ERROR: Custom kubeconfig not generated. spec.kubeAPIServerDNSName may not be set."
+        echo "This test requires the cluster to be created with --kas-dns-name flag."
+        exit 1
+    fi
+
+    echo "✓ Custom kubeconfig generated: ${CUSTOM_KUBECONFIG_SECRET}"
+
+    # Extract the auto-generated custom kubeconfig
+    CUSTOM_KUBECONFIG_CONTENT="$(mgmt oc extract secret/"${CUSTOM_KUBECONFIG_SECRET}" -n clusters --to -)"
+
+    # Write custom kubeconfig to all required locations
+    tee "$KUBECONFIG" "${SHARED_DIR}/kubeconfig" "${SHARED_DIR}/nested_kubeconfig" <<< "$CUSTOM_KUBECONFIG_CONTENT" >/dev/null
+
+    echo "✓ Custom kubeconfig deployed successfully"
+    echo "Performing health check on KAS endpoint..."
+
+    # Health check with retries to ensure KAS endpoint is fully ready
+    # This prevents "connection reset by peer" errors when KAS is still stabilizing
+    HEALTH_CHECK_RETRIES=0
+    MAX_HEALTH_CHECK_RETRIES=20
+    HEALTH_CHECK_SUCCESS=false
+
+    while [[ $HEALTH_CHECK_RETRIES -lt $MAX_HEALTH_CHECK_RETRIES ]]; do
+        if oc cluster-info >/dev/null 2>&1; then
+            echo "✓ KAS endpoint is healthy and ready"
+            HEALTH_CHECK_SUCCESS=true
+            break
+        fi
+        HEALTH_CHECK_RETRIES=$((HEALTH_CHECK_RETRIES+1))
+        echo "KAS endpoint not ready yet, retrying... (attempt $HEALTH_CHECK_RETRIES/$MAX_HEALTH_CHECK_RETRIES)"
+        sleep 10
+    done
+
+    if [[ "$HEALTH_CHECK_SUCCESS" != "true" ]]; then
+        echo "ERROR: KAS endpoint failed health check after $MAX_HEALTH_CHECK_RETRIES attempts"
+        echo "Connection may still be unstable. Proceeding with caution..."
+    fi
 )
 
 # Perform oc login test if possible
 if mgmt oc get secret/"${HC_NAME}-kubeadmin-password" -n clusters >/dev/null; then
     oc_login_kubeadmin_passwd
 fi
 
-# Restart ovnkube-node
-oc delete po -n openshift-ovn-kubernetes --all
-
 wait_for_hc_readiness

ci-operator/step-registry/hypershift/azure/create/hypershift-azure-create-chain.yaml

@@ -21,6 +21,12 @@ chain:
     - name: HYPERSHIFT_EXTERNAL_DNS_DOMAIN
       default: ""
       documentation: "Specifies the external DNS domain. If left empty, external DNS is assumed to be disabled."
+    - name: HYPERSHIFT_DYNAMIC_DNS
+      default: ""
+      documentation: |-
+        Set dynamic dns for kube-apiserver. Use 'auto' to auto-construct as api-${CLUSTER_NAME}.${DNS_DOMAIN}
+        where DNS_DOMAIN is HYPERSHIFT_EXTERNAL_DNS_DOMAIN (if set) or HYPERSHIFT_BASE_DOMAIN (as fallback).
+        Or provide explicit DNS name (e.g., 'api-cluster.example.com'). Leave empty to disable.
     - name: ENABLE_ICSP
       default: "false"
       documentation: "If true, add image content sources config(path=${SHARED_DIR}/mgmt_icsp.yaml)"
@@ -140,7 +146,19 @@ chain:
 
       CLUSTER_NAME="$(echo -n $PROW_JOB_ID|sha256sum|cut -c-20)"
       echo "$(date) Creating HyperShift cluster ${CLUSTER_NAME}"
-      
+
+      # Auto-construct dynamic DNS name when set to "auto"
+      if [[ $HYPERSHIFT_DYNAMIC_DNS == "auto" ]]; then
+        DNS_DOMAIN="${HYPERSHIFT_EXTERNAL_DNS_DOMAIN:-$HYPERSHIFT_BASE_DOMAIN}"
+        if [[ -n $DNS_DOMAIN ]]; then
+          HYPERSHIFT_DYNAMIC_DNS="api-${CLUSTER_NAME}.${DNS_DOMAIN}"
+          echo "Auto-constructed HYPERSHIFT_DYNAMIC_DNS: ${HYPERSHIFT_DYNAMIC_DNS}"
+        else
+          echo "ERROR: HYPERSHIFT_DYNAMIC_DNS=auto but neither HYPERSHIFT_EXTERNAL_DNS_DOMAIN nor HYPERSHIFT_BASE_DOMAIN is set"
+          exit 1
+        fi
+      fi
+
       RELEASE_IMAGE=${HYPERSHIFT_HC_RELEASE_IMAGE:-$RELEASE_IMAGE_LATEST}
       
       AZURE_CREDS=${CLUSTER_PROFILE_DIR}/osServicePrincipal.json
@@ -284,6 +302,12 @@ chain:
         EXTRA_ARGS+=" --network-type=${HYPERSHIFT_NETWORK_TYPE}"
       fi
 
+      # Add --kas-dns-name flag when HYPERSHIFT_DYNAMIC_DNS is set
+      # This enables dynamic external DNS name management and auto-generated custom kubeconfig
+      if [[ -n $HYPERSHIFT_DYNAMIC_DNS ]]; then
+        EXTRA_ARGS+=" --kas-dns-name=${HYPERSHIFT_DYNAMIC_DNS}"
+      fi
+
       if [[ -n $HYPERSHIFT_AZURE_DIAGNOSTICS_STORAGE_ACCOUNT_TYPE ]]; then
         EXTRA_ARGS+=" --diagnostics-storage-account-type=${HYPERSHIFT_AZURE_DIAGNOSTICS_STORAGE_ACCOUNT_TYPE}"
         if [[ $HYPERSHIFT_AZURE_DIAGNOSTICS_STORAGE_ACCOUNT_TYPE == "UserManaged" ]]; then