Router publish strategy related changes for IBM Cloud platform

When HCP contains router publish strategy for the
master services, IBM Cloud platform implementation
will take care of the proper exposure of the
services, without using the actual cluster Router
(similar implementation to Azure). That is, CPO should
not create any LoadBalancer or actual router deployment
as part of reconciling the HCP.
The current change also makes the migration from NodePort
services backward compatible, for existing clusters.
That is, the NodePort services will remain as is
(they are not converted to regular ClusterIP services,
resulting in permanently losing the reserved nodeports)
allowing existing external clients (e.g. kubelet,
master proxy) to work as before, until they are also
upgraded.

The expected behavior is to:
* Do not manage any ingress component (LB Svc, Router)
* Keep NodePort master services (if they are already existing)
* (Re)configure node agents (e.g. connectivity) to use 443 as server port

Author: libesz

control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go

@@ -1742,7 +1742,7 @@ func (r *HostedControlPlaneReconciler) reconcileOAuthServerService(ctx context.C
 	p := oauth.NewOAuthServiceParams(hcp)
 	oauthServerService := manifests.OauthServerService(hcp.Namespace)
 	if _, err := createOrUpdate(ctx, r.Client, oauthServerService, func() error {
-		return oauth.ReconcileService(oauthServerService, p.OwnerRef, serviceStrategy)
+		return oauth.ReconcileService(oauthServerService, p.OwnerRef, serviceStrategy, hcp.Spec.Platform.Type)
 	}); err != nil {
 		return fmt.Errorf("failed to reconcile OAuth service: %w", err)
 	}
@@ -1836,7 +1836,7 @@ func (r *HostedControlPlaneReconciler) reconcileOLMPackageServerService(ctx cont
 }
 
 func (r *HostedControlPlaneReconciler) reconcileHCPRouterServices(ctx context.Context, hcp *hyperv1.HostedControlPlane, createOrUpdate upsert.CreateOrUpdateFN) error {
-	if sharedingress.UseSharedIngress() {
+	if sharedingress.UseSharedIngress() || hcp.Spec.Platform.Type == hyperv1.IBMCloudPlatform {
 		return nil
 	}
 	exposeKASThroughRouter := util.IsRouteKAS(hcp)
@@ -1969,14 +1969,14 @@ func (r *HostedControlPlaneReconciler) defaultReconcileInfrastructureStatus(ctx
 }
 
 func (r *HostedControlPlaneReconciler) reconcileInternalRouterServiceStatus(ctx context.Context, hcp *hyperv1.HostedControlPlane) (host string, needed bool, message string, err error) {
-	if !util.IsPrivateHCP(hcp) {
+	if !util.IsPrivateHCP(hcp) || hcp.Spec.Platform.Type == hyperv1.IBMCloudPlatform {
 		return
 	}
 	return r.reconcileRouterServiceStatus(ctx, manifests.PrivateRouterService(hcp.Namespace), events.NewMessageCollector(ctx, r.Client))
 }
 
 func (r *HostedControlPlaneReconciler) reconcileExternalRouterServiceStatus(ctx context.Context, hcp *hyperv1.HostedControlPlane) (host string, needed bool, message string, err error) {
-	if !util.IsPublicHCP(hcp) || !util.IsRouteKAS(hcp) || sharedingress.UseSharedIngress() {
+	if !util.IsPublicHCP(hcp) || !util.IsRouteKAS(hcp) || sharedingress.UseSharedIngress() || hcp.Spec.Platform.Type == hyperv1.IBMCloudPlatform {
 		return
 	}
 	return r.reconcileRouterServiceStatus(ctx, manifests.RouterPublicService(hcp.Namespace), events.NewMessageCollector(ctx, r.Client))
@@ -2010,12 +2010,12 @@ func (r *HostedControlPlaneReconciler) reconcileAPIServerServiceStatus(ctx conte
 		return "", 0, "", errors.New("APIServer service strategy not specified")
 	}
 
-	if sharedingress.UseSharedIngress() {
+	if sharedingress.UseSharedIngress() || hcp.Spec.Platform.Type == hyperv1.IBMCloudPlatform {
 		return sharedingress.Hostname(hcp), sharedingress.ExternalDNSLBPort, "", nil
 	}
 
 	var svc *corev1.Service
-	if serviceStrategy.Type == hyperv1.Route {
+	if serviceStrategy.Type == hyperv1.Route && hcp.Spec.Platform.Type != hyperv1.IBMCloudPlatform {
 		if util.IsPublicHCP(hcp) {
 			svc = manifests.RouterPublicService(hcp.Namespace)
 		} else {
@@ -4336,6 +4336,10 @@ func (r *HostedControlPlaneReconciler) reconcileCoreIgnitionConfig(ctx context.C
 }
 
 func (r *HostedControlPlaneReconciler) reconcileRouter(ctx context.Context, hcp *hyperv1.HostedControlPlane, releaseImageProvider imageprovider.ReleaseImageProvider, createOrUpdate upsert.CreateOrUpdateFN) error {
+	if hcp.Spec.Platform.Type == hyperv1.IBMCloudPlatform {
+		return nil
+	}
+
 	routeList := &routev1.RouteList{}
 	if err := r.List(ctx, routeList, client.InNamespace(hcp.Namespace)); err != nil {
 		return fmt.Errorf("failed to list routes: %w", err)

control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller_test.go

@@ -1072,13 +1072,21 @@ func TestReconcileRouter(t *testing.T) {
 
 	testCases := []struct {
 		name                         string
+		platformType                 hyperv1.PlatformType
 		endpointAccess               hyperv1.AWSEndpointAccessType
 		exposeAPIServerThroughRouter bool
 		existingObjects              []client.Object
 		expectedDeployments          []appsv1.Deployment
 	}{
+		{
+			name:                         "IBM Cloud",
+			platformType:                 hyperv1.IBMCloudPlatform,
+			endpointAccess:               hyperv1.Public,
+			exposeAPIServerThroughRouter: true,
+		},
 		{
 			name:                         "Public HCP, uses public service host name",
+			platformType:                 hyperv1.AWSPlatform,
 			endpointAccess:               hyperv1.Public,
 			exposeAPIServerThroughRouter: true,
 			existingObjects:              []client.Object{},
@@ -1104,6 +1112,7 @@ func TestReconcileRouter(t *testing.T) {
 		},
 		{
 			name:                         "PublicPrivate HCP, deployment gets hostname from public service",
+			platformType:                 hyperv1.AWSPlatform,
 			endpointAccess:               hyperv1.PublicAndPrivate,
 			exposeAPIServerThroughRouter: true,
 			existingObjects:              []client.Object{},
@@ -1130,6 +1139,7 @@ func TestReconcileRouter(t *testing.T) {
 
 		{
 			name:                         "Private HCP, deployment gets hostname from private service",
+			platformType:                 hyperv1.AWSPlatform,
 			endpointAccess:               hyperv1.Private,
 			exposeAPIServerThroughRouter: true,
 			existingObjects:              []client.Object{},
@@ -1155,11 +1165,13 @@ func TestReconcileRouter(t *testing.T) {
 		},
 		{
 			name:                         "Public HCP apiserver not exposed through router, nothing gets created",
+			platformType:                 hyperv1.AWSPlatform,
 			endpointAccess:               hyperv1.Public,
 			exposeAPIServerThroughRouter: false,
 		},
 		{
 			name:                         "PublicPrivate HCP apiserver not exposed through router, router without custom template and private router service get created",
+			platformType:                 hyperv1.AWSPlatform,
 			endpointAccess:               hyperv1.PublicAndPrivate,
 			exposeAPIServerThroughRouter: false,
 			expectedDeployments: []appsv1.Deployment{
@@ -1184,6 +1196,7 @@ func TestReconcileRouter(t *testing.T) {
 		},
 		{
 			name:                         "Private HCP apiserver not exposed through router, router without custom template and private router service get created",
+			platformType:                 hyperv1.AWSPlatform,
 			endpointAccess:               hyperv1.Private,
 			exposeAPIServerThroughRouter: false,
 			expectedDeployments: []appsv1.Deployment{
@@ -1208,6 +1221,7 @@ func TestReconcileRouter(t *testing.T) {
 		},
 		{
 			name:                         "Old router resources get cleaned up when exposed through route",
+			platformType:                 hyperv1.AWSPlatform,
 			endpointAccess:               hyperv1.PublicAndPrivate,
 			exposeAPIServerThroughRouter: true,
 			existingObjects: []client.Object{
@@ -1238,6 +1252,7 @@ func TestReconcileRouter(t *testing.T) {
 		},
 		{
 			name:                         "Old router resources get cleaned up when exposed through LB",
+			platformType:                 hyperv1.AWSPlatform,
 			endpointAccess:               hyperv1.PublicAndPrivate,
 			exposeAPIServerThroughRouter: false,
 			existingObjects: []client.Object{
@@ -1287,7 +1302,7 @@ func TestReconcileRouter(t *testing.T) {
 				},
 				Spec: hyperv1.HostedControlPlaneSpec{
 					Platform: hyperv1.PlatformSpec{
-						Type: hyperv1.AWSPlatform,
+						Type: tc.platformType,
 						AWS: &hyperv1.AWSPlatformSpec{
 							EndpointAccess: tc.endpointAccess,
 						},

control-plane-operator/controllers/hostedcontrolplane/ignitionserver/ignitionserver.go

@@ -67,14 +67,14 @@ func ReconcileIgnitionServer(ctx context.Context,
 		}
 		ignitionServerProxyService := ignitionserver.ProxyService(controlPlaneNamespace)
 		if _, err := createOrUpdate(ctx, c, ignitionServerProxyService, func() error {
-			return reconcileIgnitionServerProxyService(ignitionServerProxyService, serviceStrategy)
+			return reconcileIgnitionServerProxyService(ignitionServerProxyService, serviceStrategy, hcp.Spec.Platform.Type)
 		}); err != nil {
 			return fmt.Errorf("failed to reconcile ignition proxy service: %w", err)
 		}
 		routeServiceName = ignitionServerProxyService.Name
 	} else {
 		if _, err := createOrUpdate(ctx, c, ignitionServerService, func() error {
-			return reconcileIgnitionServerService(ignitionServerService, serviceStrategy)
+			return reconcileIgnitionServerService(ignitionServerService, serviceStrategy, hcp.Spec.Platform.Type)
 		}); err != nil {
 			return fmt.Errorf("failed to reconcile ignition service: %w", err)
 		}
@@ -291,15 +291,15 @@ func ReconcileIgnitionServer(ctx context.Context,
 	return nil
 }
 
-func reconcileIgnitionServerService(svc *corev1.Service, strategy *hyperv1.ServicePublishingStrategy) error {
-	return reconcileIgnitionExternalService(svc, strategy, false)
+func reconcileIgnitionServerService(svc *corev1.Service, strategy *hyperv1.ServicePublishingStrategy, platformType hyperv1.PlatformType) error {
+	return reconcileIgnitionExternalService(svc, strategy, false, platformType)
 }
 
-func reconcileIgnitionServerProxyService(svc *corev1.Service, strategy *hyperv1.ServicePublishingStrategy) error {
-	return reconcileIgnitionExternalService(svc, strategy, true)
+func reconcileIgnitionServerProxyService(svc *corev1.Service, strategy *hyperv1.ServicePublishingStrategy, platformType hyperv1.PlatformType) error {
+	return reconcileIgnitionExternalService(svc, strategy, true, platformType)
 }
 
-func reconcileIgnitionExternalService(svc *corev1.Service, strategy *hyperv1.ServicePublishingStrategy, isProxy bool) error {
+func reconcileIgnitionExternalService(svc *corev1.Service, strategy *hyperv1.ServicePublishingStrategy, isProxy bool, platformType hyperv1.PlatformType) error {
 	appLabel := ignitionserver.ResourceName
 	targetPort := intstr.FromInt(9090)
 	if isProxy {
@@ -327,7 +327,9 @@ func reconcileIgnitionExternalService(svc *corev1.Service, strategy *hyperv1.Ser
 			portSpec.NodePort = strategy.NodePort.Port
 		}
 	case hyperv1.Route:
-		svc.Spec.Type = corev1.ServiceTypeClusterIP
+		if ((platformType == hyperv1.IBMCloudPlatform) && (svc.Spec.Type != corev1.ServiceTypeNodePort)) || (platformType != hyperv1.IBMCloudPlatform) {
+			svc.Spec.Type = corev1.ServiceTypeClusterIP
+		}
 	default:
 		return fmt.Errorf("invalid publishing strategy for Ignition service: %s", strategy.Type)
 	}

control-plane-operator/controllers/hostedcontrolplane/ignitionserver/ignitionserver_test.go

@@ -13,18 +13,21 @@ import (
 func TestReconcileIgnitionServerServiceNodePortFreshInitialization(t *testing.T) {
 	tests := []struct {
 		name                           string
+		platformType                   hyperv1.PlatformType
 		inputIgnitionServerService     *corev1.Service
 		inputServicePublishingStrategy *hyperv1.ServicePublishingStrategy
 	}{
 		{
 			name:                       "fresh service initialization",
+			platformType:               hyperv1.AWSPlatform,
 			inputIgnitionServerService: ignitionserver.Service("default"),
 			inputServicePublishingStrategy: &hyperv1.ServicePublishingStrategy{
 				Type: hyperv1.NodePort,
 			},
 		},
 		{
 			name:                       "fresh service with node port specified",
+			platformType:               hyperv1.AWSPlatform,
 			inputIgnitionServerService: ignitionserver.Service("default"),
 			inputServicePublishingStrategy: &hyperv1.ServicePublishingStrategy{
 				Type: hyperv1.NodePort,
@@ -36,7 +39,7 @@ func TestReconcileIgnitionServerServiceNodePortFreshInitialization(t *testing.T)
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			reconcileIgnitionServerService(test.inputIgnitionServerService, test.inputServicePublishingStrategy)
+			reconcileIgnitionServerService(test.inputIgnitionServerService, test.inputServicePublishingStrategy, test.platformType)
 			g := NewGomegaWithT(t)
 			g.Expect(len(test.inputIgnitionServerService.Spec.Ports)).To(Equal(1))
 			g.Expect(test.inputIgnitionServerService.Spec.Type).To(Equal(corev1.ServiceTypeNodePort))
@@ -54,11 +57,13 @@ func TestReconcileIgnitionServerServiceNodePortFreshInitialization(t *testing.T)
 func TestReconcileIgnitionServerServiceNodePortExistingService(t *testing.T) {
 	tests := []struct {
 		name                           string
+		platformType                   hyperv1.PlatformType
 		inputIgnitionServerService     *corev1.Service
 		inputServicePublishingStrategy *hyperv1.ServicePublishingStrategy
 	}{
 		{
-			name: "existing service keeps nodeport",
+			name:         "existing service keeps nodeport",
+			platformType: hyperv1.AWSPlatform,
 			inputIgnitionServerService: &corev1.Service{
 				ObjectMeta: ignitionserver.Service("default").ObjectMeta,
 				Spec: corev1.ServiceSpec{
@@ -81,7 +86,7 @@ func TestReconcileIgnitionServerServiceNodePortExistingService(t *testing.T) {
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			initialNodePort := test.inputIgnitionServerService.Spec.Ports[0].NodePort
-			reconcileIgnitionServerService(test.inputIgnitionServerService, test.inputServicePublishingStrategy)
+			reconcileIgnitionServerService(test.inputIgnitionServerService, test.inputServicePublishingStrategy, test.platformType)
 			g := NewGomegaWithT(t)
 			g.Expect(len(test.inputIgnitionServerService.Spec.Ports)).To(Equal(1))
 			g.Expect(test.inputIgnitionServerService.Spec.Type).To(Equal(corev1.ServiceTypeNodePort))
@@ -97,18 +102,21 @@ func TestReconcileIgnitionServerServiceNodePortExistingService(t *testing.T) {
 func TestReconcileIgnitionServerServiceRoute(t *testing.T) {
 	tests := []struct {
 		name                           string
+		platformType                   hyperv1.PlatformType
 		inputIgnitionServerService     *corev1.Service
 		inputServicePublishingStrategy *hyperv1.ServicePublishingStrategy
 	}{
 		{
 			name:                       "fresh service initialization",
+			platformType:               hyperv1.AWSPlatform,
 			inputIgnitionServerService: ignitionserver.Service("default"),
 			inputServicePublishingStrategy: &hyperv1.ServicePublishingStrategy{
 				Type: hyperv1.Route,
 			},
 		},
 		{
-			name: "existing service",
+			name:         "existing service",
+			platformType: hyperv1.AWSPlatform,
 			inputIgnitionServerService: &corev1.Service{
 				ObjectMeta: ignitionserver.Service("default").ObjectMeta,
 				Spec: corev1.ServiceSpec{
@@ -126,17 +134,42 @@ func TestReconcileIgnitionServerServiceRoute(t *testing.T) {
 				Type: hyperv1.Route,
 			},
 		},
+		{
+			name:         "existing service, IBM Cloud",
+			platformType: hyperv1.AWSPlatform,
+			inputIgnitionServerService: &corev1.Service{
+				ObjectMeta: ignitionserver.Service("default").ObjectMeta,
+				Spec: corev1.ServiceSpec{
+					Type: corev1.ServiceTypeNodePort,
+					Ports: []corev1.ServicePort{
+						{
+							Name:       "https",
+							Port:       9090,
+							TargetPort: intstr.FromInt(9090),
+							Protocol:   corev1.ProtocolTCP,
+							NodePort:   30000,
+						},
+					},
+				},
+			},
+			inputServicePublishingStrategy: &hyperv1.ServicePublishingStrategy{
+				Type: hyperv1.Route,
+			},
+		},
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			reconcileIgnitionServerService(test.inputIgnitionServerService, test.inputServicePublishingStrategy)
+			reconcileIgnitionServerService(test.inputIgnitionServerService, test.inputServicePublishingStrategy, test.platformType)
 			g := NewGomegaWithT(t)
 			g.Expect(len(test.inputIgnitionServerService.Spec.Ports)).To(Equal(1))
 			g.Expect(test.inputIgnitionServerService.Spec.Type).To(Equal(corev1.ServiceTypeClusterIP))
 			g.Expect(test.inputIgnitionServerService.Spec.Ports[0].TargetPort).To(Equal(intstr.FromInt(9090)))
 			g.Expect(test.inputIgnitionServerService.Spec.Ports[0].Port).To(Equal(int32(443)))
 			g.Expect(test.inputIgnitionServerService.Spec.Ports[0].Name).To(Equal("https"))
 			g.Expect(test.inputIgnitionServerService.Spec.Ports[0].Protocol).To(Equal(corev1.ProtocolTCP))
+			if test.platformType == hyperv1.IBMCloudPlatform {
+				g.Expect(test.inputIgnitionServerService.Spec.Type).To(Equal(corev1.ServiceTypeNodePort))
+			}
 		})
 	}
 }

control-plane-operator/controllers/hostedcontrolplane/kas/service.go

@@ -79,7 +79,9 @@ func ReconcileService(svc *corev1.Service, strategy *hyperv1.ServicePublishingSt
 			portSpec.NodePort = strategy.NodePort.Port
 		}
 	case hyperv1.Route:
-		svc.Spec.Type = corev1.ServiceTypeClusterIP
+		if ((hcp.Spec.Platform.Type == hyperv1.IBMCloudPlatform) && (svc.Spec.Type != corev1.ServiceTypeNodePort)) || (hcp.Spec.Platform.Type != hyperv1.IBMCloudPlatform) {
+			svc.Spec.Type = corev1.ServiceTypeClusterIP
+		}
 	default:
 		return fmt.Errorf("invalid publishing strategy for Kube API server service: %s", strategy.Type)
 	}
@@ -279,7 +281,9 @@ func ReconcileKonnectivityServerService(svc *corev1.Service, ownerRef config.Own
 			portSpec.NodePort = strategy.NodePort.Port
 		}
 	case hyperv1.Route:
-		svc.Spec.Type = corev1.ServiceTypeClusterIP
+		if ((hcp.Spec.Platform.Type == hyperv1.IBMCloudPlatform) && (svc.Spec.Type != corev1.ServiceTypeNodePort)) || (hcp.Spec.Platform.Type != hyperv1.IBMCloudPlatform) {
+			svc.Spec.Type = corev1.ServiceTypeClusterIP
+		}
 	default:
 		return fmt.Errorf("invalid publishing strategy for Konnectivity service: %s", strategy.Type)
 	}

control-plane-operator/controllers/hostedcontrolplane/oauth/service.go

@@ -25,7 +25,7 @@ var (
 	}
 )
 
-func ReconcileService(svc *corev1.Service, ownerRef config.OwnerRef, strategy *hyperv1.ServicePublishingStrategy) error {
+func ReconcileService(svc *corev1.Service, ownerRef config.OwnerRef, strategy *hyperv1.ServicePublishingStrategy, platformType hyperv1.PlatformType) error {
 	ownerRef.ApplyTo(svc)
 	if svc.Spec.Selector == nil {
 		svc.Spec.Selector = oauthServerLabels
@@ -51,7 +51,9 @@ func ReconcileService(svc *corev1.Service, ownerRef config.OwnerRef, strategy *h
 			portSpec.NodePort = strategy.NodePort.Port
 		}
 	case hyperv1.Route:
-		svc.Spec.Type = corev1.ServiceTypeClusterIP
+		if ((platformType == hyperv1.IBMCloudPlatform) && (svc.Spec.Type != corev1.ServiceTypeNodePort)) || (platformType != hyperv1.IBMCloudPlatform) {
+			svc.Spec.Type = corev1.ServiceTypeClusterIP
+		}
 	default:
 		return fmt.Errorf("invalid publishing strategy for OAuth service: %s", strategy.Type)
 	}