[OSDOCS-19926]: Private hosted clusters on Azure

[lahinson]

Version(s): 4.22+

Issue: https://redhat.atlassian.net/browse/OSDOCS-19926

Link to docs preview: https://113083--ocpdocs-pr.netlify.app/openshift-enterprise/latest/hosted_control_planes/hcp-deploy/hcp-deploy-azure.html#hcp-azure-private_hcp-deploy-azure

QE review: In lieu of QE review, the self-managed HCP on Azure docs has 2 SME reviews.

• SME review 1 (Bryan)
• SME review 2 (Alessandro)

Additional information:

[ocpdocs-previewbot]

🤖 Fri Jun 12 20:10:27 - Prow CI generated the docs preview:

https://113083--ocpdocs-pr.netlify.app/openshift-enterprise/latest/hosted_control_planes/hcp-deploy/hcp-deploy-azure.html

[lahinson]

@bryan-cox / @Nirshal - I'm not sure what "guest subscription" is referring to here. I got this wording from the upstream docs. Can you clarify?

[Nirshal]

"Guest subscription" refers to the Azure subscription where the hosted cluster's infrastructure resources (VNet, subnet, VMs) are deployed. In many setups this is the same subscription as the management cluster, but it can be different. The CPO identity needs permissions in that subscription to create and manage private DNS zones and records. @bryan-cox can you confirm?

[lahinson]

Thanks for the explanation, @Nirshal. One reason I asked is because I sometimes see "guest cluster" to mean "hosted cluster" in the upstream docs, and in the official docs, we try to consistently use "hosted cluster".

I wonder if this revision would be accurate?

The DNS zone or record creation failed. In the {azure-short} subscription that stores the infrastructure resources for the hosted cluster, check the Control Plane Operator identity permissions.

[Nirshal]

That revision looks accurate and clearer. It avoids the "guest" terminology ambiguity while keeping the meaning. Looks good to me.

[bryan-cox]

SME review (Bryan) — technical accuracy review against the HyperShift codebase. 3 blocking issues and 4 suggestions below.

[bryan-cox]

[blocking] Broken cross-reference — this links to #hcp-azure-infra_hcp-deploy-azure, which is the public infrastructure module. The private infrastructure module has the ID hcp-azure-private-infra_{context}, so this should be:

* xref:../../hosted_control_planes/hcp-deploy/hcp-deploy-azure.adoc#hcp-azure-private-infra_hcp-deploy-azure[Creating infrastructure for a private hosted cluster]

As written, clicking this link takes users to the public infra section instead of the private one.

[lahinson]

Good catch! Fixing.

[bryan-cox]

[blocking] Condition name typo — the codebase defines this as AzurePrivateEndpointAvailable (lowercase 'p' in "point"), but the doc writes AzurePrivateEndPointAvailable (capital 'P'). Users who grep their YAML output for this condition will get no matches.

Ref: api/hypershift/v1beta1/azureprivatelinkservice_types.go

[lahinson]

Fixed

[bryan-cox]

[blocking] Missing \ line continuation — this line needs a trailing backslash after ${MANAGED_RG_NAME}. Without it, --dns-zone-rg-name on the next line is not passed to the command, and users will get a "dns-zone-rg-name is required" error.

Suggested change

	--resource-group-name ${MANAGED_RG_NAME}
	--resource-group-name ${MANAGED_RG_NAME} \

[lahinson]

Fixed

[bryan-cox]

[suggestion] The "8 Workload Identities" count is accurate, but the phrasing implies these are specific to private clusters. The same hcp create iam azure command creates the same 8 identities regardless of topology — the CPO identity is simply unused for public clusters. Consider clarifying, e.g.:

The command creates 8 Workload Identities. For private and PublicAndPrivate clusters, the Control Plane Operator identity allows the Operator to create and manage private endpoints, private DNS zones, VNet links, and DNS A records.

[lahinson]

Nice revision. I'll update the text.

[bryan-cox]

[suggestion] The NAT subnet creation is actually optional. If --endpoint-access-private-nat-subnet-id is omitted from the cluster creation command, the HyperShift Operator controller auto-creates a NAT subnet named {infraID}-pls-nat. Consider adding a note explaining this tradeoff: manually creating the subnet gives control over CIDR allocation and naming, while omitting it lets the controller handle it automatically.

[lahinson]

Didn't know that! Will add a note.

[bryan-cox]

[suggestion] The deletion flow described is accurate for Private Link resource cleanup, but it's worth noting that hcp destroy cluster azure also cleans up RBAC role assignments before deleting infrastructure. This is why the --azure-creds flag is required for the destroy command.

[lahinson]

Added a statement about that.

[bryan-cox]

[suggestion] The --azure-private-secret flag has a companion flag --azure-private-secret-key that defaults to credentials but can be customized for secrets with non-standard key names. Consider mentioning it here for completeness.

[lahinson]

will do

[Nirshal]

The procedure uses yq to parse the infrastructure output (step 3), but yq is not listed in the prerequisites — jq is listed instead but doesn't appear to be used in this module.

[lahinson]

@Nirshal I can change the instances of yq in the steps to be jq. Is that okay? Or should I remove the jq prereq and add a yq prereq?

[Nirshal]

The infrastructure output from hcp create infra azure is YAML, so yq is the right tool in the steps. I'd suggest removing the jq prerequisite and adding yq instead.

[lahinson]

Done

[Nirshal]

Nit: trailing space after the period on this line.

[lahinson]

fixed

[Nirshal]

When choosing the --external-dns-domain value, the user must be aware that if it matches {cluster-name}.{base-domain}, the CPO creates a private DNS zone that can shadow the *.apps domain, causing console and ingress to become unreachable.

For reference:

• OCPBUGS-83730 — original bug report
• hypershift#8480 — fix merged on 2026-05-21
• hypershift#8585 — fix reverted on 2026-05-26 due to CEL validation impact on ARO-HCP

As far as I know, the issue is still present. It might be worth adding a note to help users avoid this condition when picking their DNS zone name. @bryan-cox any additional context on the current state?

[lahinson]

I added a note below the command.

[bryan-cox]

SME review 2 (Bryan) — second-pass technical accuracy review. All 3 blocking issues from review 1 and all of Alessandro's findings are confirmed fixed. No new blocking issues found. 4 non-blocking suggestions below.

[bryan-cox]

[non-blocking] --diagnostics-storage-account-type Managed is not specific to private clusters — it is a general VM diagnostics option. Including it here without explanation implies it is required for private connectivity. Consider either removing it (it is optional and unrelated to Private Link) or adding a note that it is a general configuration option, not a private-cluster requirement.

[lahinson]

removed

[bryan-cox]

[non-blocking] The cleanup order is slightly simplified. The hcp destroy cluster azure command also cleans up RBAC role assignments before deleting infrastructure — the --azure-creds flag description below already mentions this. Consider adding a bullet for RBAC cleanup between steps 1 and 2 for consistency, e.g.:

1. The Control Plane Operator removes the private endpoint, private DNS zones, VNet links, and A records.
2. The hcp destroy command removes RBAC role assignments.
3. The HyperShift Operator removes Private Link.

[lahinson]

added step

[bryan-cox]

[non-blocking] The NOTE block covers alternative auth methods for Private Link credentials (--azure-private-secret, --azure-pls-managed-identity-client-id). For completeness, there is a parallel alternative for external DNS credentials: --external-dns-secret can be used instead of --external-dns-credentials to reference an existing Kubernetes secret. Minor omission since users typically follow one path.

[lahinson]

added a note

[bryan-cox]

[non-blocking] Minor wording suggestion — "The command creates 8 Workload Identities" is technically correct (the hcp create iam azure command always creates 8 regardless of topology), but the next sentence about the CPO identity could be slightly clearer. Consider leading with the private-cluster context, e.g.:

The command creates 8 Workload Identities. For Private and PublicAndPrivate clusters, the Control Plane Operator identity is used to create and manage private endpoints, private DNS zones, VNet links, and DNS A records.

[lahinson]

fixed

[bryan-cox]

/lgtm

[bscott-rh]

Nice work! This mostly looks good to me. I left a couple of formatting comments, and a batch of comments around environment variables.

[bscott-rh]

same comment about this block of environment variables.

[lahinson]

Fixed

[bscott-rh]

Since this procedure seems to rely on all of the environment variables from the previous steps, you might want to add an explicit prerequisite stating this. If a user completes the previous steps in a separate terminal, or they completed the steps on a prior day and then closed their terminal, the environment variables would be lost.

[lahinson]

Good point. I'll mention the environment variables in the prereqs.

[bscott-rh]

Suggested change

	KUBECONFIG=${CLUSTER_NAME}-kubeconfig oc get nodes
	$ KUBECONFIG=${CLUSTER_NAME}-kubeconfig oc get nodes

[bscott-rh]

Suggested change

	PEERED_VNET_ID="/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>"
	$ PEERED_VNET_ID="/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>"

[bscott-rh]

Suggested change

	KUBECONFIG=${CLUSTER_NAME}-kubeconfig oc get nodes
	$ KUBECONFIG=${CLUSTER_NAME}-kubeconfig oc get nodes

[bscott-rh]

Suggested change

	AZURE_PRIVATE_CREDS="/path/to/azure-private-credentials.json"
	$ AZURE_PRIVATE_CREDS="/path/to/azure-private-credentials.json"

[bscott-rh]

Suggested change

	MGMT_INFRA_RG=$(oc get infrastructure cluster -o jsonpath='{.status.platformStatus.azure.resourceGroupName}')
	$ MGMT_INFRA_RG=$(oc get infrastructure cluster -o jsonpath='{.status.platformStatus.azure.resourceGroupName}')

[bscott-rh]

same comment about this block of environment variables.

[bscott-rh]

Suggested change

	MGMT_INFRA_RG=$(oc get infrastructure cluster -o jsonpath='{.status.platformStatus.azure.resourceGroupName}')
	$ MGMT_INFRA_RG=$(oc get infrastructure cluster -o jsonpath='{.status.platformStatus.azure.resourceGroupName}')

[bscott-rh]

Suggested change

	NAT_SUBNET_ID=$(az network vnet subnet show \
	$ NAT_SUBNET_ID=$(az network vnet subnet show \

[openshift-ci]

New changes are detected. LGTM label has been removed.

[openshift-ci]

@lahinson: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[lahinson]

/cherrypick enterprise-4.22

[lahinson]

/cherrypick enterprise-5.0

[openshift-cherrypick-robot]

@lahinson: new pull request created: #113292

Details

In response to this:

/cherrypick enterprise-4.22

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-cherrypick-robot]

@lahinson: new pull request created: #113293

Details

In response to this:

/cherrypick enterprise-5.0

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.