CNTRLPLANE-1732: feat(hcp): add HyperShift cluster command generator plugin

[jparrill]

Summary

Add HCP plugin that generates hypershift create cluster commands from natural language descriptions across 6 cloud providers.

Features

• Command: /hcp:generate <provider> <description>
• Providers: AWS, Azure, KubeVirt, OpenStack, PowerVS, Agent
• Interactive guidance with provider-specific best practices
• Security validation and network conflict prevention

Example

/hcp:generate aws "development cluster for testing with minimal cost"
/hcp:generate kubevirt "production cluster with high availability"

🤖 Generated with Claude Code

[openshift-ci-robot]

@jparrill: This pull request references CNTRLPLANE-1732 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the feature to target the "4.21.0" version, but no target version was set.

In response to this:

Summary

Add HCP plugin that generates hypershift create cluster commands from natural language descriptions across 6 cloud providers.

Features

• Command: /hcp:generate <provider> <description>
• Providers: AWS, Azure, KubeVirt, OpenStack, PowerVS, Agent
• Interactive guidance with provider-specific best practices
• Security validation and network conflict prevention

Example

/hcp:generate aws "development cluster for testing with minimal cost"
/hcp:generate kubevirt "production cluster with high availability"

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Hi @jparrill. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[jparrill]

This is a sample execution of the new plugin:

> /hcp:generate is running… aws production PublicAndPrivate cluster
⏺ I'll help you generate a production-ready HyperShift cluster command for AWS with both public and private networking. Let me start by loading the AWS-specific implementation guidance.

> The "HyperShift AWS Provider" skill is loading
> The "HyperShift AWS Provider" skill is loading

⏺ Now I'll analyze your cluster description "production PublicAndPrivate cluster" to determine the requirements.
  Analysis of "production PublicAndPrivate cluster":
  - Environment Type: Production (requires high availability, robust configuration)
  - Network Configuration: PublicAndPrivate endpoint access (secure production pattern)
  - Performance: Production-grade resources needed
  - Availability: High availability expected for production workloads

⏺ Production Environment Defaults Applied:
  - Instance Type: m5.xlarge (4 vCPU, 16GB RAM) - balanced for production workloads
  - Node Pool Replicas: 3 - adequate redundancy for production
  - Control Plane: HighlyAvailable - required for production resilience
  - Endpoint Access: PublicAndPrivate - secure production networking
  - Availability Zones: 3+ zones - high availability across multiple zones
  - Auto-repair: enabled - automatic recovery for production stability
  - Root Volume: 120GB - standard production storage
 
⏺ Now I need to collect the required configuration information through interactive prompts. Let me gather the essential parameters needed for your production AWS HyperShift cluster:

⏺ User answered Claude's questions:
  ⎿  · What would you like to name your production cluster? → production-cluster
     · Which AWS region should host your production cluster? → us-east-1
     · What is the path to your AWS STS credentials file? → ~/.aws/sts-creds.json
     · What is the ARN of your IAM role for HyperShift? → arn:aws:iam::ACCOUNT:role/hypershift-operator-role

⏺ User answered Claude's questions:
  ⎿  · What base domain should be used for cluster DNS and routes? → aws.kerbeross.com
     · What is the path to your OpenShift pull secret file? → /Users/jparrill/RedHat/RedHat_Engineering/pull_secret.json
     · Which OpenShift version would you like to use? → 4.18.0

⏺ Security and Configuration Validation:
  ✅ No credentials detected in inputs - All sensitive information uses proper file references✅ IAM Role format valid - Follows proper ARN structure (user will need to replace ACCOUNT)✅ Base domain specified - Using aws.kerbeross.com for cluster DNS✅ Pull secret path valid - Points to accessible location✅ Production configuration - Using HighlyAvailable control plane and PublicAndPrivate endpoints

  Auto-selected zones for us-east-1 region:
  - us-east-1a, us-east-1b, us-east-1c (3 zones for high availability)

⏺ HyperShift AWS Production Cluster - Generated Command
  Summary

  Creating a production-grade AWS hosted cluster with high availability, secure networking (PublicAndPrivate endpoints), and robust configuration optimized for production workloads.

  Generated Command
  hypershift create cluster aws \
    --name production-cluster \
    --namespace production-cluster-ns \
    --region us-east-1 \
    --instance-type m5.xlarge \
    --pull-secret /Users/jparrill/RedHat/RedHat_Engineering/pull_secret.json \
    --node-pool-replicas 3 \
    --zones us-east-1a,us-east-1b,us-east-1c \
    --control-plane-availability-policy HighlyAvailable \
    --endpoint-access PublicAndPrivate \
    --root-volume-size 120 \
    --auto-repair \
    --sts-creds ~/.aws/sts-creds.json \
    --role-arn arn:aws:iam::ACCOUNT:role/hypershift-operator-role \
    --base-domain aws.kerbeross.com \
    --release-image quay.io/openshift-release-dev/ocp-release:4.18.0-multi

  Key Decisions
  🏗️ Production Configuration Applied:
  - HighlyAvailable control plane - Ensures resilience across multiple zones
  - PublicAndPrivate endpoints - Secure production networking pattern
  - 3 availability zones - High availability across us-east-1a, us-east-1b, us-east-1c
  - m5.xlarge instances - Production-grade compute (4 vCPU, 16GB RAM)
  - Auto-repair enabled - Automatic recovery from node failures

  🔒 Security & Isolation:
  - Unique namespace: production-cluster-ns for cluster isolation
  - Secure endpoint access - PublicAndPrivate for controlled access
  - Latest OpenShift 4.18.0 - Most recent stable release

  💡 Resource Optimization:
  - 3 worker nodes - Balanced redundancy and cost for production
  - 120GB root volumes - Standard production storage allocation

  Pre-Flight Checks

  ⚠️ IMPORTANT: Replace ACCOUNT with your actual AWS account ID in the IAM role ARN
  Before running the command, verify your setup:
  # 1. Verify AWS credentials
  aws sts get-caller-identity

  # 2. Check STS credentials file exists and is valid
  cat ~/.aws/sts-creds.json | jq .

  # 3. Verify IAM role exists (replace ACCOUNT with your account ID)
  aws iam get-role --role-name hypershift-operator-role

  # 4. Confirm Route53 hosted zone for base domain
  aws route53 list-hosted-zones --query "HostedZones[?Name=='aws.kerbeross.com.']"

  # 5. Verify instance type availability in selected zones
  aws ec2 describe-instance-type-offerings \
    --location-type availability-zone \
    --filters Name=instance-type,Values=m5.xlarge \
    --region us-east-1

  # 6. Check pull secret file exists
  ls -la /Users/jparrill/RedHat/RedHat_Engineering/pull_secret.json

  Next Steps
  1. Update the IAM Role ARN:
    - Replace ACCOUNT with your actual AWS account ID
    - Example: arn:aws:iam::123456789012:role/hypershift-operator-role

  2. Ensure Prerequisites:
    - HyperShift operator is installed in your management cluster
    - AWS credentials are configured and valid
    - Route53 hosted zone exists for aws.kerbeross.com

  3. Run the Command:
  # Copy the updated command (with real account ID) and execute
  hypershift create cluster aws --name production-cluster ...

  4. Monitor Cluster Creation:
  # Watch cluster status
  kubectl get hostedcluster -n production-cluster-ns -w

  # Watch node pool creation
  kubectl get nodepool -n production-cluster-ns -w

  # View detailed status
  kubectl describe hostedcluster production-cluster -n production-cluster-ns

  5. Access Your Cluster (when ready):
  # Generate kubeconfig
  hypershift create kubeconfig --name production-cluster --namespace production-cluster-ns

  # Use the cluster
  export KUBECONFIG=production-cluster-kubeconfig
  oc get nodes
  oc get co  # Check cluster operators

  6. Verify AWS Resources:
    - Check EC2 instances in AWS Console
    - Verify Load Balancers are created
    - Review VPC and networking resources

  Production Considerations

  🚀 Performance:
  - Cluster will span 3 availability zones for maximum uptime
  - m5.xlarge provides balanced CPU/memory for most production workloads
  - Auto-repair ensures automatic replacement of failed nodes

  🔐 Security:
  - PublicAndPrivate endpoints provide secure API access
  - Control plane is isolated from data plane
  - Consider enabling KMS encryption for additional security

  📊 Monitoring:
  - Set up CloudWatch monitoring for AWS resources
  - Configure cluster monitoring via OpenShift observability
  - Monitor costs via AWS Cost Explorer

⏺ Perfect! I've generated a complete, production-ready HyperShift cluster command for AWS with PublicAndPrivate networking. The command includes all the necessary parameters for a robust production environment with high availability across 3 zones.

  Key highlights of your generated cluster:
  - Production-grade configuration with HighlyAvailable control plane
  - Secure PublicAndPrivate endpoint access as requested
  - 3-zone deployment for maximum resilience
  - Auto-repair enabled for production stability
  Don't forget to replace ACCOUNT in the IAM role ARN with your actual AWS account ID before running the command!

[jparrill]

/ok-to-test

[openshift-ci]

@jparrill: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

In response to this:

/ok-to-test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[stbenjam]

/ok-to-test

[stbenjam]

A couple nits, but looks good otherwise. make update is needed

[stbenjam]

Nit, could we call the plugin "hypershift"? It'd be more discoverable

[jparrill]

I was doubting that too, actually my first iteration was using hypershift but hcp was smaller and easy to remember, also the users are used to use that command outside of claude (we have 2 CLIs hypershift (dev supported) hcp (fully customer supported)). I think hcp is smaller and maybe better.

It's there any way to call the plugin hypershift at marketplace level but use the command as hcp (maybe it's confusing too)?

[stbenjam]

Skill descriptions should briefly explain like "Use this skill when.... " so Claude knows when to use it, skills should be usable outside of the / commands, otherwise they don't need to be skills. This is the only text that's put into the context.

[jparrill]

Let me update. the skills :)

[stbenjam]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jparrill, stbenjam

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [stbenjam]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment