feat: use HostAliases for api-int DNS resolution in Holmes pod

Replace the dev-mode MakeExternalKubeconfig() workaround with
pod-level HostAliases that map api-int.* to the cluster's
APIServerPrivateEndpointIP. This bypasses DNS entirely while
preserving TLS certificate validation, since the cert is issued
for the api-int.* hostname.

This mirrors the portal's DialContext pattern and Hive's
APIServerIPOverride, and works in all environments (dev, staging,
production) without depending on Private DNS zone linking.

Author: wanghaoran1988

pkg/frontend/admin_openshiftcluster_investigate.go

@@ -144,13 +144,15 @@ func (f *frontend) _postAdminOpenShiftClusterInvestigate(ctx context.Context, r
 		return fmt.Errorf("failed to generate diagnostics kubeconfig: %w", err)
 	}
 
+	apiServerIP := doc.OpenShiftCluster.Properties.NetworkProfile.APIServerPrivateEndpointIP
+
 	log.Infof("starting Holmes investigation for cluster %s (question_length=%d)", resourceID, len(req.Question))
 
 	// Set Content-Type before streaming begins. Once bytes are written to w,
 	// the response is committed and errors cannot be reported via adminReply.
 	w.Header().Set("Content-Type", "text/plain")
 
-	err = f.hiveClusterManager.InvestigateCluster(ctx, hiveNamespace, kubeconfig, f.holmesConfig, req.Question, w)
+	err = f.hiveClusterManager.InvestigateCluster(ctx, hiveNamespace, kubeconfig, f.holmesConfig, apiServerIP, req.Question, w)
 	if err != nil {
 		return fmt.Errorf("failed to investigate cluster: %w", err)
 	}

pkg/frontend/admin_openshiftcluster_investigate_kubeconfig.go

@@ -15,7 +15,6 @@ import (
 	"github.com/Azure/ARO-RP/pkg/cluster/graph"
 	"github.com/Azure/ARO-RP/pkg/env"
 	"github.com/Azure/ARO-RP/pkg/util/encryption"
-	"github.com/Azure/ARO-RP/pkg/util/holmes"
 	"github.com/Azure/ARO-RP/pkg/util/storage"
 	"github.com/Azure/ARO-RP/pkg/util/stringutils"
 )
@@ -66,15 +65,5 @@ func (f *frontend) generateDiagnosticsKubeconfig(ctx context.Context, log *logru
 		return nil, fmt.Errorf("failed to generate diagnostics kubeconfig: %w", err)
 	}
 
-	// In development mode, the Hive cluster cannot resolve api-int.* private DNS
-	// names, so we rewrite to the external api.* endpoint. In production, the
-	// Hive cluster has proper network connectivity and should use api-int.* directly.
-	if f.env.IsLocalDevelopmentMode() {
-		kubeconfig, err = holmes.MakeExternalKubeconfig(kubeconfig)
-		if err != nil {
-			return nil, fmt.Errorf("failed to convert to external kubeconfig: %w", err)
-		}
-	}
-
 	return kubeconfig, nil
 }

pkg/hive/investigate.go

@@ -7,6 +7,7 @@ import (
 	"context"
 	"fmt"
 	"io"
+	"net/url"
 	"time"
 
 	_ "embed"
@@ -17,6 +18,9 @@ import (
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
+	clientcmdv1 "k8s.io/client-go/tools/clientcmd/api/v1"
+
+	"sigs.k8s.io/yaml"
 
 	"github.com/Azure/ARO-RP/pkg/util/holmes"
 	"github.com/Azure/ARO-RP/pkg/util/pointerutils"
@@ -28,7 +32,7 @@ var holmesConfigYAML string
 // InvestigateCluster creates an investigation pod on the Hive cluster, streams its logs, and cleans up.
 // It accepts kubeconfig bytes, creates a temporary secret to hold them, and removes
 // the secret (along with the pod and configmap) when the investigation completes.
-func (hr *clusterManager) InvestigateCluster(ctx context.Context, hiveNamespace string, kubeconfig []byte, holmesConfig *holmes.HolmesConfig, question string, w io.Writer) error {
+func (hr *clusterManager) InvestigateCluster(ctx context.Context, hiveNamespace string, kubeconfig []byte, holmesConfig *holmes.HolmesConfig, apiServerIP string, question string, w io.Writer) error {
 	id := uuid.New().String()[:8]
 	configMapName := "holmes-config-" + id
 	podName := "holmes-investigate-" + id
@@ -98,6 +102,12 @@ func (hr *clusterManager) InvestigateCluster(ctx context.Context, hiveNamespace
 	// 2. Create the investigation pod.
 	activeDeadlineSeconds := int64(holmesConfig.DefaultTimeout)
 	runAsUser := int64(1000)
+
+	apiHostname, err := apiServerHostname(kubeconfig)
+	if err != nil {
+		return fmt.Errorf("failed to extract API server hostname from kubeconfig: %w", err)
+	}
+
 	pod := &corev1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      podName,
@@ -107,6 +117,12 @@ func (hr *clusterManager) InvestigateCluster(ctx context.Context, hiveNamespace
 			AutomountServiceAccountToken: pointerutils.ToPtr(false),
 			ActiveDeadlineSeconds:        &activeDeadlineSeconds,
 			RestartPolicy:                corev1.RestartPolicyNever,
+			HostAliases: []corev1.HostAlias{
+				{
+					IP:        apiServerIP,
+					Hostnames: []string{apiHostname},
+				},
+			},
 			SecurityContext: &corev1.PodSecurityContext{
 				RunAsUser:  &runAsUser,
 				RunAsGroup: &runAsUser,
@@ -325,3 +341,20 @@ func (hr *clusterManager) streamPodLogs(ctx context.Context, namespace, name str
 
 	return nil
 }
+
+func apiServerHostname(kubeconfig []byte) (string, error) {
+	var cfg clientcmdv1.Config
+	if err := yaml.Unmarshal(kubeconfig, &cfg); err != nil {
+		return "", fmt.Errorf("failed to unmarshal kubeconfig: %w", err)
+	}
+	if len(cfg.Clusters) == 0 {
+		return "", fmt.Errorf("kubeconfig has no clusters")
+	}
+
+	u, err := url.Parse(cfg.Clusters[0].Cluster.Server)
+	if err != nil {
+		return "", fmt.Errorf("failed to parse server URL: %w", err)
+	}
+
+	return u.Hostname(), nil
+}

pkg/hive/manager.go

@@ -55,7 +55,7 @@ type ClusterManager interface {
 	GetClusterSync(ctx context.Context, oc *api.OpenShiftCluster) (*hivev1alpha1.ClusterSync, error)
 	ListHiveK8sObjects(ctx context.Context, resource, namespace string) ([]byte, error)
 	GetHiveK8sObject(ctx context.Context, resource, namespace, name string) ([]byte, error)
-	InvestigateCluster(ctx context.Context, hiveNamespace string, kubeconfig []byte, holmesConfig *holmes.HolmesConfig, question string, w io.Writer) error
+	InvestigateCluster(ctx context.Context, hiveNamespace string, kubeconfig []byte, holmesConfig *holmes.HolmesConfig, apiServerIP string, question string, w io.Writer) error
 }
 
 type clusterManager struct {