  1. OpenShift Hosted Control Plane
  2. HOSTEDCP-1121

Solution for existing clusters to let vpc endpoint use hypershift security group


    • Type: Story
    • Resolution: Done
    • Hypershift Sprint 240, Hypershift Sprint 241, Hypershift Sprint 242, Hypershift Sprint 243, Hypershift Sprint 244, Hypershift Sprint 245, Hypershift Sprint 246

      User Story:

      As IBM running HCs, I want to upgrade an existing 4.12 HC suffering from https://issues.redhat.com/browse/OCPBUGS-13639 towards 4.13 and let the private link endpoint use the right security group.

      Acceptance Criteria:

      There are automated/documented steps for the HC to end up with the endpoint pointing to the right SG.

      A possible semi-automated path would be to manually delete and detach the endpoint from the service, so that the next reconciliation loop resets the status: https://github.com/openshift/hypershift/blob/7d24b30c6f79be052404bf23ede7783342f0d0e5/control-plane-operator/controllers/awsprivatelink/awsprivatelink_controller.go#L410-L444

      The following reconciliation loop would then recreate the endpoint with the right security group: https://github.com/openshift/hypershift/blob/7d24b30c6f79be052404bf23ede7783342f0d0e5/control-plane-operator/controllers/awsprivatelink/awsprivatelink_controller.go#L470-L525

      Note that this would produce connectivity downtime while reconciliation happens.

      Alternatively, we could codify a path to update the endpoint SG when we detect a discrepancy with the hypershift SG.
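
A sketch of the alternative path above, as an added example that is not hypershift's own code: compare the endpoint's current security groups with the hypershift SG and issue an in-place modification only when they differ. The `EndpointSGModifier` interface, the `recorder` fake and the `vpce-`/`sg-` IDs are hypothetical, and the example assumes the endpoint should end up with the hypershift SG as its only group.

```go
package main

import "fmt"

// EndpointSGModifier is a hypothetical seam over EC2's ModifyVpcEndpoint,
// which accepts security group IDs to add and to remove.
type EndpointSGModifier interface {
	ModifyEndpointSecurityGroups(endpointID string, add, remove []string) error
}

// ReconcileEndpointSG makes desiredSG the only group on the endpoint
// (an assumption of this example) and reports whether a change was issued.
func ReconcileEndpointSG(c EndpointSGModifier, endpointID string, current []string, desiredSG string) (bool, error) {
	if endpointID == "" || desiredSG == "" {
		return false, fmt.Errorf("endpoint ID and desired security group ID are required")
	}
	add, remove := []string{desiredSG}, []string(nil)
	for _, id := range current {
		if id == desiredSG {
			add = nil // already attached, nothing to add
		} else {
			remove = append(remove, id) // discrepancy: unexpected group
		}
	}
	if len(add) == 0 && len(remove) == 0 {
		return false, nil // already converged, no API call
	}
	if err := c.ModifyEndpointSecurityGroups(endpointID, add, remove); err != nil {
		return false, fmt.Errorf("modify endpoint %s: %w", endpointID, err)
	}
	return true, nil
}

// recorder is a constructed fake that records the requested change.
type recorder struct {
	calls       int
	add, remove []string
}

func (r *recorder) ModifyEndpointSecurityGroups(_ string, add, remove []string) error {
	r.calls, r.add, r.remove = r.calls+1, add, remove
	return nil
}

func main() {
	r := &recorder{}
	changed, err := ReconcileEndpointSG(r, "vpce-EXAMPLE", []string{"sg-OTHER"}, "sg-HYPERSHIFT")
	fmt.Println(changed, err, r.add, r.remove)
}
```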


            Unassigned
            Alberto Garcia Lamela (agarcial@redhat.com)
            Jie Zhao