
    • Epic
    • Resolution: Unresolved
    • Major
    • HyperShift
    • Support Private Topology
    • To Do
    • Product / Portfolio Work
    • OCPSTRAT-2252 [Tech Preview] Self-managed Hosted Control Planes support using the Azure Provider
    • 100% To Do, 0% In Progress, 0% Done

      Enable private topology support for self-managed Azure HyperShift clusters using Azure Private Link Service (PLS), allowing customers to access hosted control plane endpoints via private connectivity.

      Currently, self-managed Azure clusters only support public endpoint access. This epic delivers three endpoint access modes (Public, PublicAndPrivate, Private) using Azure Private Link Service for private node and API server communication.

      Epic Acceptance Criteria

      • Customers can create self-managed Azure HyperShift clusters with private endpoint access
      • Three endpoint access modes are supported: Public (default), PublicAndPrivate, and Private
      • Private connectivity is automatically provisioned when private endpoint access is configured
      • Worker nodes communicate with the control plane over a private network when private mode is enabled
      • Private DNS resolution is automatically configured for API server access
      • CLI provides flags to configure endpoint access mode and Private Link Service settings
      • Documentation covers private cluster creation workflow

      Scope

      In Scope

      • API changes to support endpoint access configuration
      • HyperShift Operator changes for private topology management
      • Control Plane Operator changes for Private Link Service and DNS provisioning
      • CLI flags for private topology configuration
      • E2E tests for private topology
      • Documentation updates

      Out of Scope

      • ARO HCP (managed service has separate implementation)
      • Bring-your-own Private Endpoint (future enhancement)
      • Customer-managed Private DNS Zones

      Timeline

      • Target: OpenShift 4.22

      Target Users

      • Enterprise customers requiring private network connectivity on Azure
      • Organizations with security/compliance requirements prohibiting public endpoints

      Dependencies

      • Azure SDK packages for network and private DNS management
      • Existing Azure credential provider infrastructure

              Unassigned
              rh-ee-brcox Bryan Cox