@koct9i koct9i commented Dec 10, 2025

This feature validates that only secure transports are allowed:

  • mTLS for native transport
  • HTTPS-only HTTP proxies
  • TLS-only RPC proxies

One feature to rule them all. It takes effect only during spec validation.

Signed-off-by: Konstantin Khlebnikov [email protected]

Copilot AI left a comment

Pull request overview

This PR adds a new SecureClusterTransports feature flag to enforce secure transport configurations across the YTsaurus cluster, validating that mTLS is used for native transport, HTTPS-only for HTTP proxies, and TLS-only for RPC proxies during spec validation.

  • Adds SecureClusterTransports boolean field to ClusterFeatures type
  • Implements webhook validation to enforce TLS requirements when the feature is enabled
  • Adds comprehensive test coverage for the new security validations

Reviewed changes

Copilot reviewed 15 out of 15 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| api/v1/ytsaurus_types.go | Adds SecureClusterTransports field to ClusterFeatures struct |
| api/v1/ytsaurus_webhook.go | Implements validation logic for secure transports including native transport, HTTP proxies, and RPC proxies |
| config/crd/bases/\*.yaml | Updates CRD schemas to include the new secureClusterTransports field for all resource types |
| ytop-chart/templates/crds/\*.yaml | Updates Helm chart CRD templates with the new field definition |
| test/webhooks/ytsaurus_webhooks_test.go | Adds comprehensive test cases covering successful and failure scenarios for the feature |
| pkg/testutil/spec_builders.go | Sets SecureClusterTransports to false in test builder to increase coverage |
| docs/api.md | Documents the new secureClusterTransports field in API documentation |
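
The shape of the check described above, as an added Go example that is not code from this pull request or from the operator: one flag gates three transport checks at spec validation time, and an omitted transport block is treated as insecure. Only `SecureClusterTransports` appears on this page; every other type, field and message is a hypothetical stand-in.

```go
package main

import "fmt"

// Hypothetical, simplified spec model. Only SecureClusterTransports is named
// on this page; every other type and field here is an assumption.
type TransportSpec struct {
	TLSSecret       string // server certificate secret; empty means TLS is off
	TLSClientSecret string // client certificate secret, needed for mutual TLS
	TLSRequired     bool   // refuse plaintext peers
}
type HTTPProxySpec struct {
	HTTPSSecret string // HTTPS certificate secret
	DisableHTTP bool   // close the plain HTTP listener
}
type ClusterSpec struct {
	SecureClusterTransports bool
	NativeTransport         *TransportSpec
	HTTPProxies             []HTTPProxySpec
	RPCProxies              []*TransportSpec // one transport block per RPC proxy group
}

// ValidateSecureTransports reports every violation at once. A missing (nil)
// transport block counts as insecure, and a disabled flag checks nothing.
func ValidateSecureTransports(s ClusterSpec) []string {
	if !s.SecureClusterTransports {
		return nil
	}
	var errs []string
	if t := s.NativeTransport; t == nil || t.TLSSecret == "" || t.TLSClientSecret == "" || !t.TLSRequired {
		errs = append(errs, "nativeTransport: mTLS must be configured and required")
	}
	for i, p := range s.HTTPProxies {
		if p.HTTPSSecret == "" || !p.DisableHTTP {
			errs = append(errs, fmt.Sprintf("httpProxies[%d]: must be HTTPS-only", i))
		}
	}
	for i, t := range s.RPCProxies {
		if t == nil || t.TLSSecret == "" || !t.TLSRequired {
			errs = append(errs, fmt.Sprintf("rpcProxies[%d]: must be TLS-only", i))
		}
	}
	return errs
}

func main() { // constructed spec: native transport omitted, plain HTTP still open
	spec := ClusterSpec{SecureClusterTransports: true, HTTPProxies: []HTTPProxySpec{{HTTPSSecret: "https-cert"}}}
	fmt.Println(ValidateSecureTransports(spec))
}
```

Collecting all violations instead of stopping at the first lets an operator fix a rejected spec in one pass.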

@koct9i koct9i force-pushed the khlebnikov/flag-secure-cluster branch from fa7b238 to cac8548 Compare December 12, 2025 13:39
@koct9i koct9i requested a review from Copilot December 12, 2025 13:39
@koct9i koct9i force-pushed the khlebnikov/flag-secure-cluster branch from cac8548 to 4fd358c Compare December 12, 2025 13:42
Copilot AI left a comment

Pull request overview

Copilot reviewed 15 out of 15 changed files in this pull request and generated 2 comments.

@koct9i koct9i force-pushed the khlebnikov/flag-secure-cluster branch from 44c56f2 to 3d75cd6 Compare January 20, 2026 09:23
@koct9i koct9i requested a review from Copilot January 20, 2026 09:24
@koct9i koct9i requested a review from qurname2 January 20, 2026 09:29
Copilot AI left a comment

Pull request overview

Copilot reviewed 20 out of 20 changed files in this pull request and generated no new comments.

@qurname2 qurname2 left a comment

LGTM.

@koct9i koct9i merged commit 4af140e into main Jan 20, 2026
14 of 15 checks passed
@koct9i koct9i deleted the khlebnikov/flag-secure-cluster branch January 20, 2026 17:27