fix: Fixed tls issue when running both grpc and rest servers (#5617)

* fix: Fixed tls issue when running both grpc and rest servers

Signed-off-by: ntkathole <[email protected]>

* fix: Fixed cache_mode bug introduced in 3c7a022

Signed-off-by: ntkathole <[email protected]>

---------

Signed-off-by: ntkathole <[email protected]>

Author: ntkathole

infra/feast-operator/internal/controller/services/services.go

@@ -665,7 +665,33 @@ func (feast *FeastServices) setService(svc *corev1.Service, feastType FeastServi
 		if len(svc.Annotations) == 0 {
 			svc.Annotations = map[string]string{}
 		}
-		svc.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = svc.Name + tlsNameSuffix
+
+		// For registry services, we need special handling based on which services are enabled
+		if feastType == RegistryFeastType && feast.isRegistryServer() {
+			grpcEnabled := feast.isRegistryGrpcEnabled()
+			restEnabled := feast.isRegistryRestEnabled()
+
+			if grpcEnabled && restEnabled {
+				// Both services enabled: Use gRPC service name as primary, add REST as SAN
+				grpcSvcName := feast.initFeastSvc(RegistryFeastType).Name
+				svc.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = grpcSvcName + tlsNameSuffix
+
+				// Add Subject Alternative Names (SANs) for both services
+				grpcHostname := grpcSvcName + "." + svc.Namespace + ".svc.cluster.local"
+				restHostname := feast.GetFeastRestServiceName(RegistryFeastType) + "." + svc.Namespace + ".svc.cluster.local"
+				svc.Annotations["service.beta.openshift.io/serving-cert-sans"] = grpcHostname + "," + restHostname
+			} else if grpcEnabled && !restEnabled {
+				// Only gRPC enabled: Use gRPC service name
+				grpcSvcName := feast.initFeastSvc(RegistryFeastType).Name
+				svc.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = grpcSvcName + tlsNameSuffix
+			} else if !grpcEnabled && restEnabled {
+				// Only REST enabled: Use REST service name
+				svc.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = svc.Name + tlsNameSuffix
+			}
+		} else {
+			// Standard behavior for non-registry services
+			svc.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = svc.Name + tlsNameSuffix
+		}
 	}
 
 	var port int32 = HttpPort

infra/feast-operator/internal/controller/services/tls.go

@@ -71,18 +71,31 @@ func (feast *FeastServices) setOpenshiftTls() error {
 		}
 	}
 	if feast.localRegistryOpenshiftTls() {
-		if feast.isRegistryRestEnabled() {
+		grpcEnabled := feast.isRegistryGrpcEnabled()
+		restEnabled := feast.isRegistryRestEnabled()
+
+		if grpcEnabled && restEnabled {
+			// Both services enabled: Use gRPC service name as primary certificate
+			// The certificate will include both hostnames as SANs via service annotations
 			appliedServices.Registry.Local.Server.TLS = &feastdevv1alpha1.TlsConfigs{
 				SecretRef: &corev1.LocalObjectReference{
-					Name: feast.initFeastRestSvc(RegistryFeastType).Name + tlsNameSuffix,
+					Name: feast.initFeastSvc(RegistryFeastType).Name + tlsNameSuffix,
 				},
 			}
-		} else {
+		} else if grpcEnabled && !restEnabled {
+			// Only gRPC enabled: Use gRPC service name
 			appliedServices.Registry.Local.Server.TLS = &feastdevv1alpha1.TlsConfigs{
 				SecretRef: &corev1.LocalObjectReference{
 					Name: feast.initFeastSvc(RegistryFeastType).Name + tlsNameSuffix,
 				},
 			}
+		} else if !grpcEnabled && restEnabled {
+			// Only REST enabled: Use REST service name
+			appliedServices.Registry.Local.Server.TLS = &feastdevv1alpha1.TlsConfigs{
+				SecretRef: &corev1.LocalObjectReference{
+					Name: feast.initFeastRestSvc(RegistryFeastType).Name + tlsNameSuffix,
+				},
+			}
 		}
 	} else if remote, err := feast.remoteRegistryOpenshiftTls(); remote {
 		// if the remote registry reference is using openshift's service serving certificates, we can use the injected service CA bundle configMap

sdk/python/feast/infra/registry/sql.py

@@ -269,17 +269,17 @@ def __init__(
             registry_config.thread_pool_executor_worker_count
         )
         self.purge_feast_metadata = registry_config.purge_feast_metadata
+        super().__init__(
+            project=project,
+            cache_ttl_seconds=registry_config.cache_ttl_seconds,
+            cache_mode=registry_config.cache_mode,
+        )
         # Sync feast_metadata to projects table
         # when purge_feast_metadata is set to True, Delete data from
         # feast_metadata table and list_project_metadata will not return any data
         self._sync_feast_metadata_to_projects_table()
         if not self.purge_feast_metadata:
             self._maybe_init_project_metadata(project)
-        super().__init__(
-            project=project,
-            cache_ttl_seconds=registry_config.cache_ttl_seconds,
-            cache_mode=registry_config.cache_mode,
-        )
 
     def _sync_feast_metadata_to_projects_table(self):
         feast_metadata_projects: dict = {}