OpenShift Bugs: OCPBUGS-78093

Installation fails on AWS Top Secret region when using User-Provisioned DNS

    • Critical

      Description of problem:

      IHAC who is facing a core issue with the current implementation of user-provisioned DNS in AWS, which is not functional in Top Secret regions; it is currently not available at all for Top Secret AWS regions.
      
      As per engineering and the available product documentation, User Provisioned DNS or Custom DNS is expected to go GA in 4.22 for AWS and Azure. Currently, in v4.21, this has been added as a Tech Preview feature.
      
      CORE ISSUE:
      The installation fails in a Top Secret region with the error: "FATAL unable to handle api server override: no IP address found in lbconfig."
      
      CAUSE:
      The installer attempts to retrieve IP addresses for the API load balancer by searching for network interfaces with specific security groups. However, in Top Secret regions, network load balancers' interfaces cannot have security groups, a limitation documented by AWS. While the Cluster API handles this elsewhere, the newer code does not account for it.
      
      SUGGESTED FIX:
      Modify the installer to obtain the IP addresses for the API load balancer in the same manner as the Ingress Operator does for the ingress load balancer--by resolving its DNS name.
      
      
      
      This feature would be extremely beneficial for them, as they could utilize IPI clusters with a custom/user-specified DNS server; their end customers in the intel community have extremely tight security requirements. If this feature could be added to TS/restricted AWS regions, this would simplify their deployment and management.
      
      

       

      Version-Release number of selected component (if applicable):

      v4.21    

      How reproducible:

          Always

      Steps to Reproduce:

          1. Provision the IPI cluster on AWS in specialized regions using custom DNS, following this documentation [1], and enable user-managed DNS.
      
      [1] https://docs.redhat.com/en/documentation/openshift_container_platform/4.21/html-single/installing_on_aws/index#installation-aws-provisioning-own-dns-records_installing-aws-customizations
      
      [2] https://docs.redhat.com/en/documentation/openshift_container_platform/4.21/html-single/installing_on_aws/index#installation-aws-enabling-user-managed-DNS_installing-aws-customizations
      
      
         
          

      Actual results:

          The installation would fail with the error "FATAL unable to handle api server override: no IP address found in lbconfig"

      Expected results:

      The installation should succeed and no errors should be observed   

      Additional info:

          

              sdasu@redhat.com Sandhya Dasu
              rhn-support-mmarkand Mridul Markandey
              Gaoyun Pei Gaoyun Pei
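A sketch of the approach named under SUGGESTED FIX, resolving the load balancer's DNS name instead of looking up network interfaces by security group. This is an added example, not code from the installer or the Ingress Operator; `resolveLBIPs`, `lookupFunc`, the retry loop and the `example.invalid` host name are assumptions made for illustration.

```go
package main
import (
	"context"
	"errors"
	"fmt"
	"net"
	"sort"
	"time"
)

// lookupFunc has the signature of (*net.Resolver).LookupIPAddr, so a stub can stand in for DNS.
type lookupFunc func(ctx context.Context, host string) ([]net.IPAddr, error)
// resolveLBIPs (hypothetical helper) returns the sorted, de-duplicated IPv4 addresses behind a
// load balancer DNS name. It retries on the assumption that a new name may not resolve at once.
func resolveLBIPs(ctx context.Context, lookup lookupFunc, dnsName string, attempts int, wait time.Duration) ([]string, error) {
	lastErr := errors.New("empty DNS answer")
	for i := 0; i < attempts; i++ {
		addrs, err := lookup(ctx, dnsName)
		if err != nil {
			lastErr = err
		}
		seen := map[string]bool{}
		var ips []string
		for _, a := range addrs {
			if v4 := a.IP.To4(); v4 != nil && !seen[v4.String()] {
				seen[v4.String()] = true
				ips = append(ips, v4.String())
			}
		}
		if len(ips) > 0 {
			sort.Strings(ips)
			return ips, nil
		}
		select {
		case <-ctx.Done():
			return nil, ctx.Err()
		case <-time.After(wait):
		}
	}
	return nil, fmt.Errorf("no IP address resolved for %q: %w", dnsName, lastErr)
}

func main() {
	// Constructed answer for a placeholder name; real code would pass net.DefaultResolver.LookupIPAddr.
	stub := func(context.Context, string) ([]net.IPAddr, error) {
		return []net.IPAddr{{IP: net.ParseIP("10.0.2.7")}, {IP: net.ParseIP("10.0.1.5")}}, nil
	}
	fmt.Println(resolveLBIPs(context.Background(), stub, "api-lb.example.invalid", 3, time.Second))
}
```

Because the lookup depends only on the DNS name, it does not rely on security groups being attached to the load balancer's interfaces.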