For the managed use case, HyperShift management clusters will make use of an additional router shard to expose endpoints publicly. For PublicAndPrivate clusters the one route that needs to be exposed publicly is the OAuth route. It should include a label that can be used in a router shard selector to have it served through that shard.

For private clusters, the OAuth route should not be public. It should be exposed through the private router to the customer's VPC. If the customer wants to expose the route externally, they will need to setup a proxy/lb to serve the endpoint externally.