fix: Fixed tls issue when running both grpc and rest servers

Signed-off-by: ntkathole <[email protected]>

Author: ntkathole

infra/feast-operator/internal/controller/services/services.go

@@ -665,7 +665,33 @@ func (feast *FeastServices) setService(svc *corev1.Service, feastType FeastServi
 		if len(svc.Annotations) == 0 {
 			svc.Annotations = map[string]string{}
 		}
-		svc.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = svc.Name + tlsNameSuffix
+
+		// For registry services, we need special handling based on which services are enabled
+		if feastType == RegistryFeastType && feast.isRegistryServer() {
+			grpcEnabled := feast.isRegistryGrpcEnabled()
+			restEnabled := feast.isRegistryRestEnabled()
+
+			if grpcEnabled && restEnabled {
+				// Both services enabled: Use gRPC service name as primary, add REST as SAN
+				grpcSvcName := feast.initFeastSvc(RegistryFeastType).Name
+				svc.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = grpcSvcName + tlsNameSuffix
+
+				// Add Subject Alternative Names (SANs) for both services
+				grpcHostname := grpcSvcName + "." + svc.Namespace + ".svc.cluster.local"
+				restHostname := feast.GetFeastRestServiceName(RegistryFeastType) + "." + svc.Namespace + ".svc.cluster.local"
+				svc.Annotations["service.beta.openshift.io/serving-cert-sans"] = grpcHostname + "," + restHostname
+			} else if grpcEnabled && !restEnabled {
+				// Only gRPC enabled: Use gRPC service name
+				grpcSvcName := feast.initFeastSvc(RegistryFeastType).Name
+				svc.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = grpcSvcName + tlsNameSuffix
+			} else if !grpcEnabled && restEnabled {
+				// Only REST enabled: Use REST service name
+				svc.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = svc.Name + tlsNameSuffix
+			}
+		} else {
+			// Standard behavior for non-registry services
+			svc.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = svc.Name + tlsNameSuffix
+		}
 	}
 
 	var port int32 = HttpPort

infra/feast-operator/internal/controller/services/tls.go

@@ -71,18 +71,31 @@ func (feast *FeastServices) setOpenshiftTls() error {
 		}
 	}
 	if feast.localRegistryOpenshiftTls() {
-		if feast.isRegistryRestEnabled() {
+		grpcEnabled := feast.isRegistryGrpcEnabled()
+		restEnabled := feast.isRegistryRestEnabled()
+
+		if grpcEnabled && restEnabled {
+			// Both services enabled: Use gRPC service name as primary certificate
+			// The certificate will include both hostnames as SANs via service annotations
 			appliedServices.Registry.Local.Server.TLS = &feastdevv1alpha1.TlsConfigs{
 				SecretRef: &corev1.LocalObjectReference{
-					Name: feast.initFeastRestSvc(RegistryFeastType).Name + tlsNameSuffix,
+					Name: feast.initFeastSvc(RegistryFeastType).Name + tlsNameSuffix,
 				},
 			}
-		} else {
+		} else if grpcEnabled && !restEnabled {
+			// Only gRPC enabled: Use gRPC service name
 			appliedServices.Registry.Local.Server.TLS = &feastdevv1alpha1.TlsConfigs{
 				SecretRef: &corev1.LocalObjectReference{
 					Name: feast.initFeastSvc(RegistryFeastType).Name + tlsNameSuffix,
 				},
 			}
+		} else if !grpcEnabled && restEnabled {
+			// Only REST enabled: Use REST service name
+			appliedServices.Registry.Local.Server.TLS = &feastdevv1alpha1.TlsConfigs{
+				SecretRef: &corev1.LocalObjectReference{
+					Name: feast.initFeastRestSvc(RegistryFeastType).Name + tlsNameSuffix,
+				},
+			}
 		}
 	} else if remote, err := feast.remoteRegistryOpenshiftTls(); remote {
 		// if the remote registry reference is using openshift's service serving certificates, we can use the injected service CA bundle configMap