Alauda DevOps Connectors Docs
  • English

    • Feature Flags

    Connectors uses feature flags to control optional or gradually introduced capabilities. The flags are stored in the connectors-config ConfigMap created by the ConnectorsCore component.

    This page describes the feature flags currently defined for the ConnectorsCore component.

    TOC

    Where Feature Flags Are StoredView Current Feature FlagsUpdate a Feature FlagVia ConnectorsCore CR (Recommended)Built-in Feature FlagsFeature Flag Detailsenable-connector-apis-permissionsenable-connector-proxy-permissionsenable-connectors-approvalenable-multi-connectorenable-custom-ca-certsNext Steps

    Where Feature Flags Are Stored

    The ConnectorsCore component creates a connectors-config ConfigMap in the namespace where the component is installed. The default namespace is connectors-system.

    apiVersion: v1
kind: ConfigMap
metadata:
  name: connectors-config
  namespace: connectors-system # example namespace
data:
  enable-connector-apis-permissions: "false"
  enable-connector-proxy-permissions: "false"
  enable-connectors-approval: "false"
  enable-multi-connector: "false"
  enable-custom-ca-certs: "false"

    All values are string booleans ("true" or "false"). Because the flags are stored in one shared ConfigMap, they apply to the current Connectors installation rather than to a single Connector.

    View Current Feature Flags

    You can inspect the ConfigMap directly:

    kubectl -n <connectors-namespace> get configmap connectors-config -o yaml

    You can also query the Connectors Operator API:

    curl -H "Authorization: Bearer ${K8S_TOKEN}" \
  "https://platform.example.com/clusters-rewrite/${CLUSTER_NAME}/connectors-operator/featureflags"

    This API requires permission to access ConnectorClass. For the endpoint details, see Connector API.

    Update a Feature Flag

    Feature flags are configured through the ConnectorsCore CR's spec.featureFlags field. The operator merges these values into the connectors-config ConfigMap during reconciliation, with CR values overriding manifest defaults.

    Edit the ConnectorsCore CR to set feature flags declaratively:

    kubectl edit connectorscore connectorscore
    apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsCore
metadata:
  name: connectorscore
spec:
  featureFlags:
    enable-multi-connector: "true"
    enable-custom-ca-certs: "true"

    Or use kubectl patch:

    kubectl patch connectorscore connectorscore --type merge \
  -p '{"spec":{"featureFlags":{"enable-multi-connector":"true"}}}'

    Feature flags declared in spec.featureFlags override the manifest defaults in connectors-config. Keys not listed in the CR keep their manifest default values. When a new version introduces additional feature flags, they appear automatically with their default values.

    Note: Direct modifications to the connectors-config ConfigMap (e.g., via kubectl edit configmap) are overwritten during the next reconciliation. Always use the ConnectorsCore CR to configure feature flags.

    Built-in Feature Flags

    FlagDefaultDescription
    enable-connector-apis-permissions"false"Enables permission checks for access to tool APIs exposed through the Connectors API.
    enable-connector-proxy-permissions"false"Enables permission control for traffic handled through Connectors Proxy.
    enable-connectors-approval"false"Enables the Connectors approval workflow for gated access to Connectors Proxy. This flag should be enabled together with enable-connector-proxy-permissions.
    enable-multi-connector"false"Enables mounting and rendering configuration for multiple Connectors in a single CSI volume.
    enable-custom-ca-certs"false"Enables trusting custom CA certificates (global labeled Secrets and per-Connector spec.caCertSecretRef) when verifying TLS connections to tools.

    Feature Flag Details

    enable-connector-apis-permissions

    When this flag is enabled, the system applies RBAC-based permission checks to access performed through the Connectors API. This separates the permission to read a Connector resource from the permission to use that Connector to access the target tool API.

    This capability is useful when you want users or workloads to discover Connectors but still control whether they can perform read or write operations against the integrated tool.

    Related reading:

    enable-connector-proxy-permissions

    When this flag is enabled, permission control is applied to requests handled through Connectors Proxy. This is relevant when workloads or tools access external systems through proxy-based secretless connectivity.

    Use this flag when proxy access itself must be governed by platform permissions. This flag is also required when enable-connectors-approval is enabled, because the approval feature protects the use of Connectors Proxy.

    Related reading:

    enable-connectors-approval

    When this flag is enabled, Connectors can participate in approval-gated access workflows for Connectors Proxy. This feature is intended to protect proxy-based connector usage, especially when workloads access external tools through proxy endpoints.

    Enable enable-connector-proxy-permissions together with this flag. Without proxy permission control, the approval feature cannot protect the target proxy usage path.

    This feature is designed for scenarios such as production artifact promotion, deployment to protected clusters, or any environment where proxy-based connector usage must be approved before access is granted.

    Related reading:

    enable-multi-connector

    When this flag is enabled, the Connectors CSI Driver can mount configuration rendered from multiple Connectors in a single volume. This allows one workload to consume multiple tool integrations together, and the driver merges rendered configuration according to the configured configuration.names.

    This is useful for workflows such as a Tekton task that needs one Connector for reading dependencies and another Connector for publishing artifacts.

    Related reading:

    enable-custom-ca-certs

    When this flag is enabled, the platform trusts additional CA certificates when verifying TLS connections to tools, without disabling certificate verification. The trust pool is composed additively:

    1. System default CA pool — the OS-level trust store baked into the container image.
    2. Global custom CA certificates — Secrets in the connectors-system namespace labeled connectors.cpaas.io/ca-cert: "true".
    3. Per-Connector CA certificate — an optional Secret referenced by spec.caCertSecretRef.name on the Connector, which must reside in the same namespace as the Connector.

    The constructed CA pool is used by controller liveness and authentication probes, Connectors Proxy traffic, ConnectorClass accessibility checks, and extension proxies (OCI, Harbor, Git HTTPS, etc.) where applicable.

    When the flag is enabled, the informational CACertReady condition is published on each Connector to reflect the per-Connector CA load status. This condition has severity: Info and does not affect the top-level Ready condition.

    Related reading:

    Next Steps