openshift
diff --git a/‎docs/content/how-to/azure/create-self-managed-azure-cluster-without-external-dns.md‎
Lines changed: 270 additions & 0 deletions b/‎docs/content/how-to/azure/create-self-managed-azure-cluster-without-external-dns.md‎
Lines changed: 270 additions & 0 deletions
@@ -0,0 +1,270 @@
+# Create a Self-Managed Azure HostedCluster Without External DNS
+
+!!! note "Developer Preview in OCP 4.21"
+
+    Self-managed Azure HostedClusters are available as a Developer Preview feature in OpenShift Container Platform 4.21.
+
+This document describes how to create a self-managed Azure HostedCluster without using External DNS for automatic DNS record management.
+
+## Prerequisites
+
+Before creating a hosted cluster, ensure you have completed:
+
+1. **[Azure Workload Identity Setup](azure-workload-identity-setup.md)** - Created workload identities and OIDC issuer
+2. **[Management Cluster Setup Without External DNS](setup-management-cluster-without-external-dns.md)** - Installed HyperShift operator
+
+Additionally, you need:
+
+- Azure CLI (`az`) configured with appropriate permissions
+- HyperShift CLI binary
+- OpenShift pull secret
+- SSH key (or use `--generate-ssh`)
+- `workload-identities.json` file from Phase 1
+
+## Environment Setup
+
+Set the required environment variables:
+
+```bash
+# Cluster configuration
+CLUSTER_NAME="my-hosted-cluster"
+LOCATION="eastus"
+BASE_DOMAIN="example.com"
+PULL_SECRET="/path/to/pull-secret.json"
+
+# Azure subscription and resource groups
+SUBSCRIPTION_ID=$(az account show --query id -o tsv)
+TENANT_ID=$(az account show --query tenantId -o tsv)
+PERSISTENT_RG_NAME="os4-common"  # From Phase 1
+MANAGED_RG_NAME="${CLUSTER_NAME}-rg"
+
+# Workload Identity configuration (from Phase 1)
+WORKLOAD_IDENTITIES_FILE="/path/to/workload-identities.json"
+OIDC_ISSUER_URL="https://yourstorageaccount.blob.core.windows.net/oidc-issuer"
+
+# Networking (optional - will be created if not specified)
+VNET_ID=""  # Leave empty to create new VNet
+SUBNET_ID=""  # Leave empty to create new subnet
+NSG_ID=""  # Leave empty to create new NSG
+
+# DNS Zone (optional - for custom ingress domain)
+DNS_ZONE_RG_NAME=""  # Leave empty if not using custom DNS zone
+
+# Release configuration
+RELEASE_IMAGE="quay.io/openshift-release-dev/ocp-release:4.21.0-x86_64"
+```
+
+## Create the HostedCluster
+
+### Basic Cluster Creation (Without Custom DNS)
+
+Create a hosted cluster using default DNS provided by Azure LoadBalancers:
+
+```bash
+hypershift create cluster azure \
+  --name "${CLUSTER_NAME}" \
+  --location "${LOCATION}" \
+  --base-domain "${BASE_DOMAIN}" \
+  --pull-secret "${PULL_SECRET}" \
+  --release-image "${RELEASE_IMAGE}" \
+  --node-pool-replicas 2 \
+  --generate-ssh \
+  --workload-identities-file "${WORKLOAD_IDENTITIES_FILE}" \
+  --oidc-issuer-url "${OIDC_ISSUER_URL}" \
+  --resource-group-name "${MANAGED_RG_NAME}"
+```
+
+!!! note "No External DNS Domain Flag"
+
+    Notice that we **do not** specify the `--external-dns-domain` flag. This tells HyperShift to:
+
+    - Use a LoadBalancer for the API server (gets Azure-provided DNS automatically)
+    - Use Routes for OAuth, Konnectivity, and Ignition services
+    - Not create any custom hostname annotations for External DNS
+
+### With Custom Networking
+
+If you have pre-created VNet, Subnet, and NSG resources:
+
+```bash
+hypershift create cluster azure \
+  --name "${CLUSTER_NAME}" \
+  --location "${LOCATION}" \
+  --base-domain "${BASE_DOMAIN}" \
+  --pull-secret "${PULL_SECRET}" \
+  --release-image "${RELEASE_IMAGE}" \
+  --node-pool-replicas 2 \
+  --generate-ssh \
+  --workload-identities-file "${WORKLOAD_IDENTITIES_FILE}" \
+  --oidc-issuer-url "${OIDC_ISSUER_URL}" \
+  --resource-group-name "${MANAGED_RG_NAME}" \
+  --vnet-id "${VNET_ID}" \
+  --subnet-id "${SUBNET_ID}" \
+  --network-security-group-id "${NSG_ID}"
+```
+
+### With Custom DNS Zone for Ingress
+
+If you want to use a custom DNS zone for the ingress domain (*.apps):
+
+```bash
+hypershift create cluster azure \
+  --name "${CLUSTER_NAME}" \
+  --location "${LOCATION}" \
+  --base-domain "${BASE_DOMAIN}" \
+  --pull-secret "${PULL_SECRET}" \
+  --release-image "${RELEASE_IMAGE}" \
+  --node-pool-replicas 2 \
+  --generate-ssh \
+  --workload-identities-file "${WORKLOAD_IDENTITIES_FILE}" \
+  --oidc-issuer-url "${OIDC_ISSUER_URL}" \
+  --resource-group-name "${MANAGED_RG_NAME}" \
+  --dns-zone-rg-name "${DNS_ZONE_RG_NAME}"
+```
+
+!!! info "DNS Zone Resource Group"
+
+    The `--dns-zone-rg-name` flag specifies where your Azure DNS zone for the ingress domain resides. This is required by the ingress controller to manage DNS records for `*.apps.${CLUSTER_NAME}.${BASE_DOMAIN}`.
+
+    This is **different** from External DNS - it's used by the hosted cluster's own ingress controller.
+
+## Verify Cluster Creation
+
+Monitor the hosted cluster deployment:
+
+```bash
+# Watch the HostedCluster resource
+oc get hostedcluster -n clusters -w
+
+# Check the hosted control plane pods
+oc get pods -n clusters-${CLUSTER_NAME}
+
+# Get the cluster status
+oc get hostedcluster ${CLUSTER_NAME} -n clusters -o jsonpath='{.status.conditions[?(@.type=="Available")].status}'
+```
+
+## Get Cluster Access Information
+
+### API Server Endpoint
+
+Without External DNS, the API server uses an Azure LoadBalancer with an Azure-provided DNS name:
+
+```bash
+# Get the API server LoadBalancer service
+API_LB_SERVICE=$(oc get svc -n clusters-${CLUSTER_NAME} kube-apiserver -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
+echo "API Server: https://${API_LB_SERVICE}:6443"
+
+# Or get the IP address
+API_LB_IP=$(oc get svc -n clusters-${CLUSTER_NAME} kube-apiserver -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+echo "API Server IP: ${API_LB_IP}"
+```
+
+### Get Kubeconfig
+
+Retrieve the kubeconfig for the hosted cluster:
+
+```bash
+hypershift create kubeconfig --name ${CLUSTER_NAME} > ${CLUSTER_NAME}-kubeconfig
+```
+
+The kubeconfig will use the Azure LoadBalancer DNS name for the API server endpoint.
+
+### Get Admin Password
+
+```bash
+oc get secret -n clusters ${CLUSTER_NAME}-kubeadmin-password \
+  -o jsonpath='{.data.password}' | base64 -d
+```
+
+## Optional: Create Custom DNS Records
+
+If you want to use a custom domain name for the API server instead of the Azure-provided name:
+
+### Create DNS A Record for API Server
+
+```bash
+# Get the LoadBalancer public IP
+API_LB_IP=$(oc get svc -n clusters-${CLUSTER_NAME} kube-apiserver \
+  -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+
+# Create DNS A record (example using Azure DNS)
+az network dns record-set a add-record \
+  --resource-group YOUR_DNS_ZONE_RG \
+  --zone-name ${BASE_DOMAIN} \
+  --record-set-name api.${CLUSTER_NAME} \
+  --ipv4-address ${API_LB_IP}
+
+echo "Custom API endpoint: https://api.${CLUSTER_NAME}.${BASE_DOMAIN}:6443"
+```
+
+### Update Kubeconfig with Custom DNS
+
+If you created a custom DNS record, you can manually edit the kubeconfig to use your custom domain:
+
+```bash
+# Edit the kubeconfig server field
+sed -i "s|https://.*:6443|https://api.${CLUSTER_NAME}.${BASE_DOMAIN}:6443|" ${CLUSTER_NAME}-kubeconfig
+```
+
+## DNS Architecture Without External DNS
+
+Understanding how DNS works in this setup:
+
+| Service | Publishing Type | DNS Handling |
+|---------|----------------|--------------|
+| **API Server** | LoadBalancer | Azure-provided DNS (e.g., `abc123.eastus.cloudapp.azure.com`)<br>Or manually created DNS A record |
+| **OAuth** | Route | Management cluster ingress (e.g., `oauth-clustername.apps.mgmt-cluster.com`) |
+| **Konnectivity** | Route | Management cluster ingress |
+| **Ignition** | Route | Management cluster ingress |
+| **Ingress (*.apps)** | Managed by hosted cluster | Uses DNS zone specified in `--dns-zone-rg-name`<br>Or manual DNS configuration |
+
+## Comparison: With vs Without External DNS
+
+| Aspect | With External DNS | Without External DNS |
+|--------|------------------|---------------------|
+| **API Server** | Route with custom hostname<br>`api-cluster.external-domain.com` | LoadBalancer with Azure DNS<br>`abc123.region.cloudapp.azure.com` |
+| **Setup Complexity** | Higher (service principal, DNS zones, external-dns operator) | Lower (no additional operator) |
+| **DNS Management** | Automatic via external-dns | Manual or Azure-provided |
+| **Custom Domains** | Built-in | Manual DNS record creation |
+| **Best For** | Production, multi-cluster, custom branding | Development, testing, simpler setups |
+
+## Troubleshooting
+
+### API Server Not Accessible
+
+```bash
+# Check LoadBalancer service status
+oc get svc -n clusters-${CLUSTER_NAME} kube-apiserver
+
+# Check if LoadBalancer has external IP/hostname
+oc describe svc -n clusters-${CLUSTER_NAME} kube-apiserver
+
+# Verify network security group allows traffic on port 6443
+az network nsg rule list \
+  --resource-group ${MANAGED_RG_NAME} \
+  --nsg-name ${CLUSTER_NAME}-nsg \
+  --query "[?destinationPortRange=='6443']"
+```
+
+### Ingress Controller Issues
+
+```bash
+# Check ingress controller pods in hosted cluster
+oc --kubeconfig ${CLUSTER_NAME}-kubeconfig get pods -n openshift-ingress
+
+# Check ingress controller configuration
+oc --kubeconfig ${CLUSTER_NAME}-kubeconfig get ingresscontroller -n openshift-ingress-operator
+```
+
+## Next Steps
+
+- [Configure Additional NodePools](../automated-machine-management/nodepool-lifecycle.md)
+- [Upgrade Your Hosted Cluster](../upgrades.md)
+- [Monitor Your Hosted Cluster](../per-hostedcluster-dashboard.md)
+
+## Related Documentation
+
+- [Azure Workload Identity Setup](azure-workload-identity-setup.md) - Phase 1 prerequisites
+- [Management Cluster Setup Without External DNS](setup-management-cluster-without-external-dns.md) - Phase 2
+- [Self-Managed Azure Overview](self-managed-azure-index.md) - Architecture and prerequisites
+- [With External DNS](create-azure-cluster-on-aks.md) - Alternative setup with automatic DNS