feature: Add Public API Server Address Support

[rossigee]

Add Public API Server Address Support

Overview

This PR introduces support for specifying a custom public API server address for TenantControlPlane instances. This allows using DNS hostnames in cluster-info ConfigMaps and kubeconfigs instead of LoadBalancer IPs, enabling better certificate SAN matching and avoiding x509 certificate errors.

Key Changes

API Changes

• Added PublicAPIServerAddress field to ServiceSpec in the TenantControlPlane API
• Field is optional and allows specifying a custom hostname for the API server
• Updated CRDs and generated code (deepcopy, etc.)

Implementation

• Added PublicControlPlaneAddress() method to TenantControlPlane struct
• Method returns the public address if specified, otherwise falls back to assigned address
• Optimized port handling using cmp.Or for default port (6443)
• Integrated public address usage in kubeconfig generation for controller-manager and scheduler components
• Post-processes generated kubeconfigs to replace server URLs with the public hostname

Tests

• Added comprehensive unit tests for PublicControlPlaneAddress() method
• Added E2E test validating the feature in cluster scenarios
• Tests cover various scenarios: default/custom ports, address set/unset, error cases

Documentation

• Updated API reference docs to include the new field
• Added field description with usage examples

Usage Example

apiVersion: kamaji.clastix.io/v1alpha1
kind: TenantControlPlane
spec:
  controlPlane:
    service:
      serviceType: LoadBalancer
      publicAPIServerAddress: "k8s-api.example.com"
  # ... other spec

Benefits

• Enables use of DNS names that match certificate SANs
• Prevents x509 certificate errors in control plane components
• Allows more flexible networking setups with custom hostnames

Breaking Changes

None. The field is optional and defaults to existing behavior.

Related Issues

[netlify]

✅ Deploy Preview for kamaji-documentation canceled.

Name	Link
🔨 Latest commit	2bea3f5
🔍 Latest deploy log	https://app.netlify.com/projects/kamaji-documentation/deploys/68f33d9743b68e00089341f1

[prometherion]

I'm a bit lost here: it seems the proposed public API Server address is not pushed into the kubeadm functions, such as:

kamaji/internal/resources/kubeadm_config.go

Line 106 in 99fb71e

TenantControlPlaneEndpoint: r.getControlPlaneEndpoint(tenantControlPlane.Spec.ControlPlane.Ingress, address, port),

and the following one for kubeconfig

kamaji/internal/resources/kubeconfig.go

Line 234 in 99fb71e

config.InitConfiguration.ControlPlaneEndpoint = fmt.Sprintf("%s.%s.svc:%d", tenantControlPlane.Name, tenantControlPlane.Namespace, tenantControlPlane.Spec.NetworkProfile.Port)

[prometherion]

Suggested change

	test -s $(LOCALBIN)/controller-gen || GOBIN=$(LOCALBIN) CGO_ENABLED=0 go install -ldflags="-s -w" sigs.k8s.io/controller-tools/cmd/controller-gen@v0.19.0
	test -s $(LOCALBIN)/controller-gen || GOBIN=$(LOCALBIN) CGO_ENABLED=0 go install -ldflags="-s -w" sigs.k8s.io/controller-tools/cmd/controller-gen@v0.16.1

Unless it's required, we need to stick to 0.16.1

[prometherion]

Suggested change

	// Fall back to the assigned control plane address, but use configured port
	assignedAddress, _, err := in.AssignedControlPlaneAddress()
	if err != nil {
	return "", 0, err
	}
	return assignedAddress, port, nil
	// Fall back to the assigned control plane address
	return in.AssignedControlPlaneAddress()

Unless I'm missing something, there's no need to replicate the same behavior of AssignedControlPlaneAddress.

[prometherion]

Unless I'm missing something, this is not required: Kamaji leverages the concept of using loopback to communicate with the API Server; otherwise, we would end up with extra network hops with potential egress traffic.

[prometherion]

Same discussion as we said before: Scheduler and Controller Manager must rely on the loopback address.