OpenShift Request For Enhancement: RFE-6188

HostedCluster.endpointAccess: Private should be less opinionated


    • Type: Feature Request
    • Resolution: Unresolved
    • Priority: Normal
    • Component: Hosted Control Planes

      Description of problem:

      "HostedCluster.endpointAccess: Private" configures AWS PrivateLink for accessing AWS services and avoiding VPC peering, not taking into account that a customer may want to configure a Private installation using a different AWS-side configuration, for instance VPC peering together with private and public subnets with NATGW. Also, when it comes to Route53, you could still have a fully private installation by only using a private Route53 zone and inbound resolvers with DNS delegations configured on the intranet authoritative zones. On top of this, while discussing this specific topic in the HCP forum it appeared that AWS_SHARED_CREDENTIALS_FILE is required to set up the OIDC bucket (there is already a separate secret for that to happen, as per https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.10/html-single/clusters/index#hosted-create-aws-secret) and to set up AWS PrivateLink. Making this setup less opinionated would also avoid the requirement of setting up these credentials, which are mandatory right now as per https://github.com/openshift/hypershift/blob/main/hypershift-operator/controllers/platform/aws/controller.go#L125.

      Version-Release number of selected component (if applicable):

      OCP 4.16 with MCE 2.6

      How reproducible:

      100%    

      Steps to Reproduce:

      1. Define "HostedCluster.spec.endpointAccess: Private"
          

      Actual results:

      1. The Hypershift operator will fail to create the resource because of missing AWS_SHARED_CREDENTIALS_FILE and AWS_REGION env variables on the hypershift operator deployment.
      
      2. No DNS records are created in the spoke cluster's private DNS zone, as this installation expects the hypershift.local zone to be used, not taking into account that other AWS infrastructure architectures may be in use (i.e. inbound Route53 resolvers, VPC peerings, Transit Gateway, etc.).

      Expected results:

      A less opinionated setup where the customer is free to define endpointAccess to Private and be able to bring their own AWS infrastructure.    

      Additional info:

          

              azaalouk Adel Zaalouk
              rhit_averi Andrea Veri
              Jie Zhao Jie Zhao
              Votes: 0
              Watchers: 3
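Added by the editor, not part of the RFE or of the HyperShift project: a preflight check a cluster admin can run before applying a HostedCluster with endpointAccess: Private, confirming that the hypershift operator Deployment carries the two env vars the report identifies as mandatory (AWS_SHARED_CREDENTIALS_FILE and AWS_REGION). Assumptions: the operator runs as Deployment "operator" with a container named "operator" in namespace "hypershift" (the upstream defaults), kubectl is on PATH, and the manifest is YAML with the field written as `endpointAccess: <value>`. The sample manifest and env list at the bottom are constructed, not taken from a real cluster.

```shell
#!/bin/sh
# Added example (not from the RFE or HyperShift). Preflight for
# HostedCluster.spec.platform.aws.endpointAccess: Private.

# Print the names from AWS_SHARED_CREDENTIALS_FILE / AWS_REGION that are
# absent from the space-separated env-var name list in $1 (empty if none).
missing_private_env() {
  env_names=$1
  missing=""
  for want in AWS_SHARED_CREDENTIALS_FILE AWS_REGION; do
    case " $env_names " in
      *" $want "*) ;;
      *) missing="$missing $want" ;;
    esac
  done
  printf '%s' "${missing# }"
}

# Read the operator container's env-var names from a live cluster.
# Assumed names: namespace hypershift, deployment operator, container operator.
operator_env_names() {
  kubectl get deployment operator -n hypershift \
    -o jsonpath='{.spec.template.spec.containers[?(@.name=="operator")].env[*].name}'
}

# Extract the endpointAccess value from a YAML manifest read on stdin.
# Matches the first "endpointAccess: Value" line, quoted or unquoted.
endpoint_access_of() {
  sed -n 's/^[[:space:]]*endpointAccess:[[:space:]]*"\{0,1\}\([A-Za-z]*\)"\{0,1\}.*/\1/p' | head -n 1
}

# $1 = manifest text, $2 = operator env-var names. Returns 1 only when the
# manifest asks for Private and the operator lacks a required variable.
preflight() {
  manifest=$1
  env_names=$2
  mode=$(printf '%s\n' "$manifest" | endpoint_access_of)
  if [ "$mode" != "Private" ]; then
    echo "endpointAccess=${mode:-unset}: operator credentials not required by this mode"
    return 0
  fi
  missing=$(missing_private_env "$env_names")
  if [ -n "$missing" ]; then
    echo "endpointAccess=Private but hypershift operator lacks: $missing" >&2
    return 1
  fi
  echo "ok: operator has AWS_SHARED_CREDENTIALS_FILE and AWS_REGION"
}

# Constructed sample input (not from a real cluster).
SAMPLE_MANIFEST='apiVersion: hypershift.openshift.io/v1beta1
kind: HostedCluster
spec:
  platform:
    type: AWS
    aws:
      endpointAccess: Private'
SAMPLE_ENV_WITHOUT_CREDS="MY_NAMESPACE AWS_REGION"
SAMPLE_ENV_WITH_CREDS="MY_NAMESPACE AWS_REGION AWS_SHARED_CREDENTIALS_FILE"

# Demonstration on the constructed sample; the failing case is allowed to
# return non-zero here without aborting the script.
preflight "$SAMPLE_MANIFEST" "$SAMPLE_ENV_WITHOUT_CREDS" || :
preflight "$SAMPLE_MANIFEST" "$SAMPLE_ENV_WITH_CREDS"
```

Against a live management cluster, run `preflight "$(cat hostedcluster.yaml)" "$(operator_env_names)"`; a non-zero exit means the manifest will hit the failure described in "Actual results" item 1.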