-
Task
-
Resolution: Unresolved
MGDSRVS-145 - RHOSAK Enterprise Plan: RHOSAK on customer-owned OSD/ROSA/ARO
WHAT
The MVP solution for creating DNS entries for the customer endpoints of a private Kafka still involves our public Route 53. Ideally these entries should be created in just the customer's private hosted zone.
WHY
While the target endpoints are not usable outside of the private zone, it is best to not leak any details of the private instance publicly.
HOW
The strategy for creating the DNS entries will need to change. The ideal scenario is that fleetshard would be allowed to create DNSRecords on cluster, which would then get turned into the appropriate DNS entries (although if the cluster is configured for public DNS, they will end up there as well).
If we are not allowed to do that, which is likely, then we'll need logic similar to what is owned by the OpenShift ingress cluster operator (https://github.com/openshift/cluster-ingress-operator/tree/master/pkg/dns) to create DNS entries in a platform-specific way. More than likely this would exist on the fleetshard and could use a CredentialsRequest like https://github.com/openshift/aws-load-balancer-operator/blob/main/hack/operator-credentials-request.yaml to declare what permissions are needed from the underlying platform to manage DNS entries.
cc gryan@redhat.com keithbwall rhn-engineering-rareddy mchitimb-1
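A sketch of what such a CredentialsRequest could look like on AWS if record management is scoped to the customer's private hosted zone. This is an added example, not taken from the ticket or from either linked repository; the object names, namespaces, service account and hosted zone ID are hypothetical placeholders.

```yaml
# Added illustration. All names and the zone ID are hypothetical placeholders.
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  name: fleetshard-private-dns                    # hypothetical
  namespace: openshift-cloud-credential-operator
spec:
  # Secret the cloud credential operator writes the minted credentials to.
  secretRef:
    name: fleetshard-private-dns-credentials      # hypothetical
    namespace: FLEETSHARD_NAMESPACE_PLACEHOLDER   # hypothetical
  serviceAccountNames:
    - FLEETSHARD_SERVICE_ACCOUNT_PLACEHOLDER      # hypothetical
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: AWSProviderSpec
    statementEntries:
      # Record changes are allowed only in the customer's private hosted
      # zone, so these credentials cannot write to a public zone.
      - effect: Allow
        action:
          - route53:ChangeResourceRecordSets
          - route53:ListResourceRecordSets
        resource: arn:aws:route53:::hostedzone/PRIVATE_ZONE_ID_PLACEHOLDER
      # Zone discovery does not support resource-level scoping in IAM.
      - effect: Allow
        action:
          - route53:ListHostedZones
        resource: "*"
```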
- clones: MGDSTRM-10301 Support public kafkas on private ROSAs (In Progress)
- relates to: MGDSTRM-10219 I don't want my RHOSAK instance to be exposed outside of my VPC in any way or form (Ingress, IP, DNS, etc.) (New)