Add feature flag to secure cluster connections #621
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds a new SecureClusterTransports feature flag to enforce secure transport configurations across the YTsaurus cluster, validating that mTLS is used for native transport, HTTPS-only for HTTP proxies, and TLS-only for RPC proxies during spec validation.
- Adds
SecureClusterTransportsboolean field toClusterFeaturestype - Implements webhook validation to enforce TLS requirements when the feature is enabled
- Adds comprehensive test coverage for the new security validations
Reviewed changes
Copilot reviewed 15 out of 15 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| api/v1/ytsaurus_types.go | Adds SecureClusterTransports field to ClusterFeatures struct |
| api/v1/ytsaurus_webhook.go | Implements validation logic for secure transports including native transport, HTTP proxies, and RPC proxies |
| config/crd/bases/*.yaml | Updates CRD schemas to include the new secureClusterTransports field for all resource types |
| ytop-chart/templates/crds/*.yaml | Updates Helm chart CRD templates with the new field definition |
| test/webhooks/ytsaurus_webhooks_test.go | Adds comprehensive test cases covering successful and failure scenarios for the feature |
| pkg/testutil/spec_builders.go | Sets SecureClusterTransports to false in test builder to increase coverage |
| docs/api.md | Documents the new secureClusterTransports field in API documentation |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
koct9i
force-pushed
the
khlebnikov/flag-secure-cluster
branch
from
fa7b238 to
cac8548
Compare
This feature allows to validate that only secure transports are allowed: - mTLS for native transport - HTTPS-only HTTP proxies - TLS-only RPC proxies One feature to rule them all. It has effect only during spec validation. Signed-off-by: Konstantin Khlebnikov <[email protected]>
koct9i
force-pushed
the
khlebnikov/flag-secure-cluster
branch
from
cac8548 to
4fd358c
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 15 out of 15 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This feature allows to validate that only secure transports are allowed:
One feature to rule them all. It has effect only during spec validation.
Signed-off-by: Konstantin Khlebnikov [email protected]