Skip to content

HPCASE-208:Add TLSAdherencePolicy helper#2114

Open
richardsonnick wants to merge 3 commits intoopenshift:masterfrom
richardsonnick:tls-adherence-helper
Open

HPCASE-208:Add TLSAdherencePolicy helper#2114
richardsonnick wants to merge 3 commits intoopenshift:masterfrom
richardsonnick:tls-adherence-helper

Conversation

@richardsonnick
Copy link

@richardsonnick richardsonnick commented Feb 4, 2026
edited
Loading

Add ShouldHonorClusterTLSProfile helper for TLS adherence policy

Adds a helper function that encapsulates the logic for determining
whether a component should honor the cluster-wide TLS security profile
from apiserver.config.openshift.io/cluster.

This function handles:

  • Empty/unset values (treated as LegacyExternalAPIServerComponentsOnly)
  • LegacyExternalAPIServerComponentsOnly (returns false)
  • StrictAllComponents (returns true)
  • Unknown enum values (returns true for forward compatibility)

Component implementors should use this helper rather than checking
tlsAdherence field values directly, allowing coordinated changes to
the default semantic across all implementations.

See: https://github.com/openshift/enhancements/pull/XXXX

Relevant APIServer changes: openshift/api#2680

@richardsonnick
Adds TLSAdherencePolicy helper.
d3ed7c7 
This helper gives us control on the behavior of consuming components without making changes to the APIServer CRD.
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 4, 2026
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 4, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@richardsonnick
Copy link
Author

richardsonnick commented Feb 4, 2026

This will be a draft diff until openshift/api#2680 is landed. Since 2680 adds the TLSAdherencePolicy type

@richardsonnick richardsonnick mentioned this pull request Feb 4, 2026
Open
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 4, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: richardsonnick
Once this PR has been reviewed and has the lgtm label, please assign p0lyn0mial for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@richardsonnick richardsonnick changed the title Adds TLSAdherencePolicy helper. HPCASE-208:Add TLSAdherencePolicy helper Feb 5, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Feb 5, 2026
@openshift-ci-robot
Copy link

openshift-ci-robot commented Feb 5, 2026
edited by openshift-ci bot
Loading

@richardsonnick: This pull request references HPCASE-208 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the sub-task to target the "4.22.0" version, but no target version was set.

Details

In response to this:

This helper gives us control on the behavior of consuming components without making changes to the APIServer CRD.

Relevant APIServer changes: openshift/api#2680

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@richardsonnick richardsonnick marked this pull request as ready for review February 24, 2026 20:41
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 24, 2026
@richardsonnick richardsonnick marked this pull request as draft February 24, 2026 20:42
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 24, 2026
@richardsonnick richardsonnick marked this pull request as ready for review March 4, 2026 21:08
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 4, 2026
@openshift-ci openshift-ci bot requested a review from deads2k March 4, 2026 21:08
@openshift-ci-robot
Copy link

openshift-ci-robot commented Mar 4, 2026
edited by openshift-ci bot
Loading

@richardsonnick: This pull request references HPCASE-208 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the sub-task to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Add ShouldHonorClusterTLSProfile helper for TLS adherence policy

Adds a helper function that encapsulates the logic for determining
whether a component should honor the cluster-wide TLS security profile
from apiserver.config.openshift.io/cluster.

This function handles:

  • Empty/unset values (treated as LegacyExternalAPIServerComponentsOnly)
  • LegacyExternalAPIServerComponentsOnly (returns false)
  • StrictAllComponents (returns true)
  • Unknown enum values (returns true for forward compatibility)

Component implementors should use this helper rather than checking
tlsAdherence field values directly, allowing coordinated changes to
the default semantic across all implementations.

See: https://github.com/openshift/enhancements/pull/XXXX

Relevant APIServer changes: openshift/api#2680

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Mar 4, 2026

@richardsonnick: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/verify-deps b244d82 link true /test verify-deps
ci/prow/verify b244d82 link true /test verify
ci/prow/unit b244d82 link true /test unit

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@richardsonnick
Copy link
Author

richardsonnick commented Mar 4, 2026

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 4, 2026
@richardsonnick
Copy link
Author

richardsonnick commented Mar 4, 2026

Tests will not pass until api changes are merged: openshift/api#2680

@jstuever jstuever mentioned this pull request Mar 5, 2026
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bertinatto bertinatto Awaiting requested review from bertinatto

@p0lyn0mial p0lyn0mial Awaiting requested review from p0lyn0mial

@deads2k deads2k Awaiting requested review from deads2k

Assignees

No one assigned

Labels

do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@richardsonnick @openshift-ci-robot