Red Hat OpenShift Control Planes / CNTRLPLANE-2840

Implement endpoint-resolver control plane component


    • Story
    • Resolution: Unresolved

      Summary

      Implement the endpoint-resolver component that runs as an internal (non-routable) deployment in the HCP namespace on the management cluster. This component discovers and resolves control plane pod endpoints for the metrics proxy.

      Scope

      • Create the endpoint-resolver Deployment managed by the control-plane-operator (CPO) as a new ControlPlaneComponent
      • Set up a ServiceAccount with RBAC permissions to list/watch Pods in the HCP namespace
      • Implement informer-based watches using label selectors derived from ServiceMonitor and PodMonitor specs
      • Maintain in-memory caches for fast lookups
      • Serve pod IP and name resolution requests over HTTPS
      • Generate and manage TLS certificates for secure communication with the metrics proxy
      • Register the endpoint-resolver in the CPO component registry with reconciliation for Deployment, Service, ServiceAccount, Role, RoleBinding, and TLS secrets
      • Dynamically read ServiceMonitor/PodMonitor resources to build component-to-label-selector mappings

      Design Notes

      • This component holds all management cluster RBAC for listing Pods, keeping the externally-exposed metrics proxy free of direct API server access (security boundary)
      • Uses informer caches rather than direct API calls for performance
      • Must handle dynamic addition/removal of ServiceMonitors/PodMonitors for day-2 operations
      • Internal-only (ClusterIP service, not exposed via Route)
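
The lookup path described under Scope and Design Notes, as an added Go example (not HyperShift or control-plane-operator code): watch handlers fill an in-memory cache, and resolution is answered only for components that have a registered selector. The `Pod` and `Resolver` types, the matchLabels-only selectors, and the choice to reject empty selectors are assumptions of this example.

```go
package main

import (
	"fmt"
	"sync"
)

// Pod holds what the resolver serves (hypothetical type for this example).
type Pod struct {
	IP     string
	Labels map[string]string
}

// Resolver is the in-memory cache; watch handlers take the write lock to mutate it.
type Resolver struct {
	sync.RWMutex
	Selectors map[string]map[string]string // component -> matchLabels
	Pods      map[string]Pod               // pod name -> pod
}

// Resolve returns pod name -> IP for one component without calling the API server.
func (r *Resolver) Resolve(component string) (map[string]string, error) {
	r.RLock()
	defer r.RUnlock()
	sel := r.Selectors[component]
	if len(sel) == 0 { // unknown component or empty selector: refuse, never match all
		return nil, fmt.Errorf("no selector for component %q", component)
	}
	out := map[string]string{}
pods:
	for name, p := range r.Pods {
		for k, v := range sel {
			if got, ok := p.Labels[k]; !ok || got != v {
				continue pods
			}
		}
		if p.IP != "" { // pods without an assigned IP are not resolvable yet
			out[name] = p.IP
		}
	}
	return out, nil
}

func main() {
	r := &Resolver{Selectors: map[string]map[string]string{"etcd": {"app": "etcd"}}}
	r.Lock() // constructed sample data standing in for a pod add event
	r.Pods = map[string]Pod{"etcd-0": {IP: "10.0.0.5", Labels: map[string]string{"app": "etcd"}}}
	r.Unlock()
	fmt.Println(r.Resolve("etcd"))
}
```

Because the metrics proxy can only ask by component name, the set of pods it can learn about is bounded by the selectors read from ServiceMonitor/PodMonitor resources, not by the resolver's list/watch permission.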

      Acceptance Criteria

      • endpoint-resolver Deployment is created and managed by the CPO
      • Pod discovery works correctly using label selectors from ServiceMonitor/PodMonitor resources
      • HTTPS API serves pod endpoint resolution requests
      • Proper RBAC is configured (minimal permissions: list/watch Pods)
      • Component is registered in the CPO control plane component registry
      • Unit tests cover core discovery and resolution logic

      Reference

      Enhancement

              rh-ee-mraee Mulham Raee