Tighten private networking validation (#281)

johnstairs · web-flow · commit c2dd05411fc7 · 2025-12-10T18:27:10.000-05:00
diff --git a/cli/internal/install/cloudinstall/validation.go b/cli/internal/install/cloudinstall/validation.go
@@ -50,6 +50,12 @@ func (envConfig *CloudEnvironmentConfig) QuickValidateConfig(ctx context.Context
 		hasCompatibilityMode := false
 		hasBuiltInDomain := false
 		for _, org := range envConfig.Organizations {
+			if _, ok := orgNames[org.Name]; ok {
+				validationError(ctx, &success, "Organization names must be unique")
+				continue
+			}
+
+			orgNames[org.Name] = nil
 			if org.SingleOrganizationCompatibilityMode {
 				if hasCompatibilityMode {
 					validationError(ctx, &success, "Only one organization can have `singleOrganizationCompatibilityMode` set to true")
@@ -76,13 +82,7 @@ func (envConfig *CloudEnvironmentConfig) QuickValidateConfig(ctx context.Context
 				hasBuiltInDomain = true
 			}
 
-			if _, ok := orgNames[org.Name]; ok {
-				validationError(ctx, &success, "Organization names must be unique")
-			}
-
-			orgNames[org.Name] = nil
-
-			if !hasBuiltInDomain && envConfig.Cloud.Compute.DnsLabel == "" {
+			if !envConfig.Cloud.PrivateNetworking && !hasBuiltInDomain && envConfig.Cloud.Compute.DnsLabel == "" {
 				validationError(ctx, &success, "`cloud.compute.dnsLabel` must be set")
 			}
 
@@ -251,6 +251,15 @@ func quickValidateComputeConfig(ctx context.Context, success *bool, cloudConfig
 			validationError(ctx, success, "The `objectId` field must be a GUID")
 		}
 	}
+
+	if cloudConfig.PrivateNetworking {
+		if cloudConfig.Compute.DnsLabel != "" {
+			validationError(ctx, success, "`cloud.compute.dnsLabel` must not be set when `cloud.privateNetworking` is enabled")
+		}
+		if cloudConfig.DnsZone != nil && cloudConfig.DnsZone.Name != "" {
+			validationError(ctx, success, "`cloud.dnsZone` must not be set when `cloud.privateNetworking` is enabled")
+		}
+	}
 }
 
 func quickValidateNodePoolConfig(ctx context.Context, success *bool, np *NodePoolConfig, minNodeCount int) {
diff --git a/deploy/config/microsoft/cloudconfig-private-link.yml b/deploy/config/microsoft/cloudconfig-private-link.yml
@@ -108,7 +108,7 @@ cloud:
     # This must be set if using a custom DNS zone and needs to be globally unique for the Azure region.
     # Each organization's domain name will have a CNAME record pointing to the domain name formed
     # by this value, which will be <dnslabel>.<region>.cloudapp.azure.com
-    dnsLabel: ${TYGER_ENVIRONMENT_NAME}-tyger
+    # dnsLabel:
 
     # Optional Helm chart overrides
     # helm:
