OPNET-678: Add internalDNSRecords field

[cybertron]

Adds a new field to the Infrastructure object that allows control over the behavior of the on-prem internal DNS records. It can be set to either Internal or External, where Internal is the default (and previous) behavior, and External suppresses generation of the internal records so they can be managed outside the cluster. Currently, External can only be used with a UserManaged loadbalancer.

[openshift-ci]

Hello @cybertron! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[everettraven]

AFAIK, this isn't a real marker. Let's remove this.

[cybertron]

Heh, yeah I was throwing stuff at the wall when I had trouble with the feature gate.

[everettraven]

This is essentially a duplicate of the +optional marker below. We prefer the use of the +optional marker so let's remove this one.

[everettraven]

Because this is an optional field and the zero value is invalid, this should have omitempty.

[everettraven]

Normally we try to avoid the terminology Enabled and Disabled where possible because the terms can often be overloaded and cause confusion.

What if instead of naming the field this applies to internalDNSRecords, what if we named it something like dnsRecordsPolicy (or maybe dnsRecordsType? not sure which one is better) and we had Internal and External as the options?

[everettraven]

Please include validation constraints in the GoDoc here so that this is more end-user friendly. This is the text used in our generated API documentation and what users will see when they use something like oc explain ... so we should make sure it reads appropriately as end-user documentation.

Some good guidelines for things to take into consideration for inclusion in the GoDoc are here: https://github.com/openshift/enhancements/blob/master/dev-guide/api-conventions.md#write-user-readable-documentation-in-godoc

[everettraven]

This looks like we have only added this to the BareMetalPlatformStatus type? Is this because the OpenShift installer will end up setting this value at install time?

[everettraven]

If I understand the EP correctly as well, this sounds like this should only be possible to set when loadBalancer is set to UserManaged?

Do we need some additional validation logic (maybe a CEL expression) to enforce that?

[cybertron]

Yes, this will be populated by the installer. I have a validation in the installer to ensure it isn't set when it shouldn't be, but I can move that here if it would be better.

I should also note that this is only a partial version of the change. Because these are per-platform types we'll need to apply the same change to the other on-prem platforms once we know what it should look like.

[JoelSpeed]

/test lint

[cybertron]

I think this latest revision should address all of the comments so far, except moving the validation to the api layer. If we ever make this modifiable after initial install we'll have to do that, but I'd just as soon defer that effort until/if it's needed. Willing to move it here if you'd prefer though.

[JoelSpeed]

Suggested change

	// DNSRecordsType determines whether records for api, api-int, and ingress
	// dnsRecordsType determines whether records for api, api-int, and ingress

[JoelSpeed]

Internal allows DNS resolution for components within the cluster right? It's configuring coredns?

[cybertron]

It's configuring a coredns instance on each host. This is separate from the coredns pod that is part of the dns-operator.

[everettraven]

For enum based fields we generally try to follow a pattern like:

dnsRecordsType ...
Allowed values are Internal, External, and omitted.
When set to Internal, ...
When set to External, ...
When omitted, ...

[everettraven]

Suggested change

	DNSRecordsExternal DNSRecordsType = "External"
	DNSRecordsInternal DNSRecordsType = "Internal"
	DNSRecordsTypeExternal DNSRecordsType = "External"
	DNSRecordsTypeInternal DNSRecordsType = "Internal"

[everettraven]

If we ever make this modifiable after initial install we'll have to do that, but I'd just as soon defer that effort until/if it's needed. Willing to move it here if you'd prefer though.

Is this API currently immutable? How do we enforce that?

[cybertron]

Is this API currently immutable? How do we enforce that?

This field is only part of the Infrastructure status. There's nothing in the spec to allow it to be modified.

[cybertron]

Oh shoot, I had some stale changes in my editor. I'll fix that.

[everettraven]

For the omitted scenario we have some standard terminology we've used throughout OpenShift APIs:

When omitted, this means the user has no opinion and the platform is left
to choose reasonable defaults. These defaults are subject to change over time.
The current default is {default}

[cybertron]

Rebased and marking ready for review

[everettraven]

@cybertron It looks like this needs a rebase. Could you also update the PR description to provide some additional information as to what work with PR is associated with?

Thanks!

[openshift-ci-robot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-ovn
/test e2e-aws-ovn-hypershift
/test e2e-aws-ovn-hypershift-conformance
/test e2e-aws-ovn-techpreview
/test e2e-aws-serial-1of2
/test e2e-aws-serial-2of2
/test e2e-aws-serial-techpreview-1of2
/test e2e-aws-serial-techpreview-2of2
/test e2e-azure
/test e2e-gcp
/test e2e-upgrade
/test e2e-upgrade-out-of-change

[JoelSpeed]

/lgtm

[openshift-ci-robot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-ovn
/test e2e-aws-ovn-hypershift
/test e2e-aws-ovn-hypershift-conformance
/test e2e-aws-ovn-techpreview
/test e2e-aws-serial-1of2
/test e2e-aws-serial-2of2
/test e2e-aws-serial-techpreview-1of2
/test e2e-aws-serial-techpreview-2of2
/test e2e-azure
/test e2e-gcp
/test e2e-upgrade
/test e2e-upgrade-out-of-change

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: JoelSpeed

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [JoelSpeed]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[cybertron]

/verified by @cybertron

I've tested this by vendoring it into the affected projects in my local dev cluster.

[openshift-ci-robot]

@cybertron: This PR has been marked as verified by @cybertron.

Details

In response to this:

/verified by @cybertron

I've tested this by vendoring it into the affected projects in my local dev cluster.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 50e2ece and 2 for PR HEAD c72fe4d in total

[cybertron]

/retest-required

This should have no effect on an aws cluster. Looks like maybe a quota issue?

[cybertron]

/retest-required

As far as I can tell, this is failing on the following error:

2025-11-13T16:10:21.817654562Z I1113 16:10:21.817595       1 requests.go:294] Making HTTP GET request at: https://console.redhat.com/api/insights-results-aggregator/v2/cluster/30461bca-facb-4b6c-9cc0-eb7feda89f9b/request/5399d52611ba4030b31666bac1f43a03/status
2025-11-13T16:10:51.915983970Z I1113 16:10:51.915917       1 gather_commands.go:443] Received HTTP status code 504, retry 3/3 in 1m0s

Which appears to be a server-side issue on console.redhat.com.

[cybertron]

/retest-required

And now we're failing on rate limiting from AWS.

[cybertron]

/retest-required

I see this job finally passed last night, hopefully the issues have been fixed.

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 6711368 and 1 for PR HEAD c72fe4d in total

[cybertron]

/retest-required

Failed on a totally different set of tests this time. :-/

[cybertron]

/retest-required

[openshift-ci]

@cybertron: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.