feat: integrate with cluster TLS security profile#4931

Open
ugiordan wants to merge 1 commit into ray-project:master from ugiordan:tls-profile-upstream

Conversation

@ugiordan

Summary

  • Read the cluster-wide TLS security profile from apiservers.config.openshift.io/cluster at startup
  • TLS resolution code in ray-operator/pkg/tls/ using typed configv1.APIServer objects (openshift/api already a dependency)
  • Apply MinVersion, CipherSuites, and NextProtos to metrics server TLS config
  • Fail closed on unexpected errors, use Intermediate defaults (TLS 1.2, ECDHE ciphers) on non-OpenShift clusters
  • Add RBAC for config.openshift.io/apiservers (get/list/watch)
  • Sync Helm chart RBAC with generated role.yaml

Motivation

OCP 5.0 requires all components to honor the centralized TLS profile. The kuberay operator already imports openshift/api (for routes). This PR extends that to also read the cluster TLS security posture, ensuring the operator's metrics endpoint uses the correct TLS version and cipher suites configured by the cluster admin.

On non-OpenShift clusters, the code gracefully falls back to hardened defaults (TLS 1.2, Intermediate cipher set).

Reference: openshift/cluster-machine-approver #286

Test plan

  • go build ./... passes
  • go test ./pkg/tls/... -v passes (9 table-driven tests)
  • make manifests regenerated RBAC
  • Deploy on OpenShift cluster with Intermediate profile
  • Deploy on vanilla K8s, verify fallback
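As an added illustration (this is not the PR's ray-operator/pkg/tls code), here is how the resolution step the summary describes can be written in Go: look up the cluster profile, fall back to Intermediate defaults when the OpenShift config object is absent, fail closed on any other error, and apply MinVersion, CipherSuites and NextProtos to a tls.Config for the metrics listener. The profile types below are local stand-ins for the openshift/api configv1 types, ErrProfileNotFound stands in for a Kubernetes NotFound error, the Old profile is left out, and pinning NextProtos to http/1.1 is this example's assumption rather than something the PR states.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
)

// Local stand-ins (an assumption of this example) for the fields of
// configv1.APIServer.Spec.TLSSecurityProfile in openshift/api, so it runs without that module.
type TLSProfileSpec struct {
	Ciphers       []string // OpenSSL-style names, as the OpenShift API spells them
	MinTLSVersion string   // "VersionTLS10" .. "VersionTLS13"
}
type TLSSecurityProfile struct {
	Type   string // "Old", "Intermediate", "Modern" or "Custom"
	Custom *TLSProfileSpec
}

// ErrProfileNotFound models a NotFound from the API server: on a non-OpenShift
// cluster the apiservers.config.openshift.io/cluster object simply does not exist.
var ErrProfileNotFound = errors.New("apiservers.config.openshift.io/cluster not found")

// Mozilla Intermediate suites for TLS 1.2; TLS 1.3 suites are fixed by Go and
// cannot be set through tls.Config.CipherSuites.
var intermediateCiphers = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
}

// OpenSSL -> IANA names a Custom profile may reference. Names outside this table
// are rejected rather than silently dropped, so a typo cannot weaken the listener.
var opensslToIANA = map[string]uint16{
	"ECDHE-ECDSA-AES128-GCM-SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	"ECDHE-RSA-AES128-GCM-SHA256":   tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	"ECDHE-ECDSA-AES256-GCM-SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	"ECDHE-RSA-AES256-GCM-SHA384":   tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	"ECDHE-ECDSA-CHACHA20-POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
	"ECDHE-RSA-CHACHA20-POLY1305":   tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
}

var tlsVersions = map[string]uint16{
	"VersionTLS10": tls.VersionTLS10, "VersionTLS11": tls.VersionTLS11,
	"VersionTLS12": tls.VersionTLS12, "VersionTLS13": tls.VersionTLS13,
}

// Resolve turns the cluster profile into a tls.Config for the metrics listener.
// NotFound (non-OpenShift) falls back to Intermediate; any other error fails closed.
func Resolve(lookup func() (*TLSSecurityProfile, error)) (*tls.Config, error) {
	profile, err := lookup()
	switch {
	case errors.Is(err, ErrProfileNotFound):
		profile = &TLSSecurityProfile{Type: "Intermediate"} // hardened defaults
	case err != nil:
		return nil, fmt.Errorf("reading cluster TLS profile: %w", err) // never serve on a guess
	case profile == nil:
		profile = &TLSSecurityProfile{Type: "Intermediate"} // OpenShift default for an empty spec
	}

	// Pinning ALPN to HTTP/1.1 is this example's assumption; it keeps h2 off the metrics port.
	cfg := &tls.Config{NextProtos: []string{"http/1.1"}}
	switch profile.Type {
	case "Intermediate":
		cfg.MinVersion, cfg.CipherSuites = tls.VersionTLS12, intermediateCiphers
	case "Modern":
		cfg.MinVersion = tls.VersionTLS13 // TLS 1.3 only; the suite list does not apply
	case "Custom":
		if profile.Custom == nil {
			return nil, errors.New("custom TLS profile has no spec")
		}
		minVer, ok := tlsVersions[profile.Custom.MinTLSVersion]
		if !ok {
			return nil, fmt.Errorf("unknown minTLSVersion %q", profile.Custom.MinTLSVersion)
		}
		var suites []uint16
		for _, name := range profile.Custom.Ciphers {
			id, ok := opensslToIANA[name]
			if !ok {
				return nil, fmt.Errorf("unsupported cipher %q in custom profile", name)
			}
			suites = append(suites, id)
		}
		if minVer < tls.VersionTLS13 && len(suites) == 0 {
			return nil, errors.New("custom profile below TLS 1.3 lists no usable cipher suite")
		}
		cfg.MinVersion, cfg.CipherSuites = minVer, suites
	default: // "Old" is left out of this example and lands here with the truly unknown types
		return nil, fmt.Errorf("unhandled TLS profile type %q", profile.Type)
	}
	return cfg, nil
}

func main() { // simulates a vanilla Kubernetes cluster where the OpenShift object is absent
	cfg, _ := Resolve(func() (*TLSSecurityProfile, error) { return nil, ErrProfileNotFound })
	fmt.Println(cfg.MinVersion == tls.VersionTLS12, len(cfg.CipherSuites), cfg.NextProtos)
}
```

The two error paths matter more than the happy path: a NotFound is the expected signal that the operator is not on OpenShift and gets the hardened defaults, whereas a Forbidden or timeout means the policy could not be read and the listener should not start with a guessed one. Rejecting unrecognised cipher names in a Custom profile is stricter than silently dropping them, which is what keeps a misspelled admin setting from quietly narrowing the suite list to nothing.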

ugiordan force-pushed the tls-profile-upstream branch from 5ff3ccc to c13d4c4 (June 19, 2026 15:23)
ugiordan force-pushed the tls-profile-upstream branch from c13d4c4 to e2e3932 (June 19, 2026 15:45)

@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.

Reviewed by Cursor Bugbot for commit e2e3932.

ugiordan force-pushed the tls-profile-upstream branch 3 times, most recently from 5bc436d to 456dc60 (June 22, 2026 13:48)
Read the cluster TLS profile from apiservers.config.openshift.io/cluster
at startup via pkg/tls.Resolve(). Apply MinVersion, CipherSuites, and
NextProtos to metrics server TLS config. Fail closed on unexpected errors.
Use Intermediate defaults on non-OpenShift clusters.

Signed-off-by: Ugo Giordano <ugiordan@redhat.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Ugo Giordano <ugiordan@redhat.com>
ugiordan force-pushed the tls-profile-upstream branch from 456dc60 to 7342c58 (June 24, 2026 09:41)