28 changes: 27 additions & 1 deletion infra/feast-operator/internal/controller/services/services.go
Expand Up @@ -665,7 +665,33 @@ func (feast *FeastServices) setService(svc *corev1.Service, feastType FeastServi
if len(svc.Annotations) == 0 {
svc.Annotations = map[string]string{}
}
svc.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = svc.Name + tlsNameSuffix

// For registry services, we need special handling based on which services are enabled
if feastType == RegistryFeastType && feast.isRegistryServer() {
grpcEnabled := feast.isRegistryGrpcEnabled()
restEnabled := feast.isRegistryRestEnabled()

if grpcEnabled && restEnabled {
// Both services enabled: Use gRPC service name as primary, add REST as SAN
grpcSvcName := feast.initFeastSvc(RegistryFeastType).Name
svc.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = grpcSvcName + tlsNameSuffix

// Add Subject Alternative Names (SANs) for both services
grpcHostname := grpcSvcName + "." + svc.Namespace + ".svc.cluster.local"
restHostname := feast.GetFeastRestServiceName(RegistryFeastType) + "." + svc.Namespace + ".svc.cluster.local"
svc.Annotations["service.beta.openshift.io/serving-cert-sans"] = grpcHostname + "," + restHostname
} else if grpcEnabled && !restEnabled {
// Only gRPC enabled: Use gRPC service name
grpcSvcName := feast.initFeastSvc(RegistryFeastType).Name
svc.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = grpcSvcName + tlsNameSuffix
} else if !grpcEnabled && restEnabled {
// Only REST enabled: Use REST service name
svc.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = svc.Name + tlsNameSuffix
}
} else {
// Standard behavior for non-registry services
svc.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = svc.Name + tlsNameSuffix
}
}

var port int32 = HttpPort
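Review bot: In the `grpcEnabled && restEnabled` branch, both registry Services get the same `serving-cert-secret-name` (the gRPC name), and the REST hostname is covered only if the service CA honours `service.beta.openshift.io/serving-cert-sans`. Nothing on this page shows that the OpenShift service-ca controller reads that annotation, or that it lets two Services share one serving-cert secret. If it does neither, the REST endpoint would present a certificate whose SANs name only the gRPC Service, so clients fail hostname verification or get pushed toward disabling it. Please confirm on a cluster that the issued certificate lists both names, and otherwise keep one secret per Service. The chain also has no final `else`, so a registry server with neither flag set silently gets no annotation, and the SAN strings hard-code `.svc.cluster.local`; setService's body starts and ends outside the hunk.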
19 changes: 16 additions & 3 deletions infra/feast-operator/internal/controller/services/tls.go
Expand Up @@ -71,18 +71,31 @@ func (feast *FeastServices) setOpenshiftTls() error {
}
}
if feast.localRegistryOpenshiftTls() {
if feast.isRegistryRestEnabled() {
grpcEnabled := feast.isRegistryGrpcEnabled()
restEnabled := feast.isRegistryRestEnabled()

if grpcEnabled && restEnabled {
// Both services enabled: Use gRPC service name as primary certificate
// The certificate will include both hostnames as SANs via service annotations
appliedServices.Registry.Local.Server.TLS = &feastdevv1alpha1.TlsConfigs{
SecretRef: &corev1.LocalObjectReference{
Name: feast.initFeastRestSvc(RegistryFeastType).Name + tlsNameSuffix,
Name: feast.initFeastSvc(RegistryFeastType).Name + tlsNameSuffix,
},
}
} else {
} else if grpcEnabled && !restEnabled {
// Only gRPC enabled: Use gRPC service name
appliedServices.Registry.Local.Server.TLS = &feastdevv1alpha1.TlsConfigs{
SecretRef: &corev1.LocalObjectReference{
Name: feast.initFeastSvc(RegistryFeastType).Name + tlsNameSuffix,
},
}
} else if !grpcEnabled && restEnabled {
// Only REST enabled: Use REST service name
appliedServices.Registry.Local.Server.TLS = &feastdevv1alpha1.TlsConfigs{
SecretRef: &corev1.LocalObjectReference{
Name: feast.initFeastRestSvc(RegistryFeastType).Name + tlsNameSuffix,
},
}
}
} else if remote, err := feast.remoteRegistryOpenshiftTls(); remote {
// if the remote registry reference is using openshift's service serving certificates, we can use the injected service CA bundle configMap
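Review bot: When `feast.localRegistryOpenshiftTls()` is true but neither `grpcEnabled` nor `restEnabled` holds, this three-way chain leaves `appliedServices.Registry.Local.Server.TLS` unassigned, whereas the earlier two-way `if`/`else` appears to have always set a `SecretRef`. If that state is reachable, the registry would come up with no TLS config and no error. A final `else` that returns an error or keeps the gRPC default would make the failure explicit. The first two branches assign the same value and could collapse into `if grpcEnabled { … } else if restEnabled { … }`. This secret-name choice has to stay in step with the annotation logic in `setService`, so a small shared helper returning the name would stop the pod referencing a secret that is never issued; setOpenshiftTls continues outside the hunk.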
10 changes: 5 additions & 5 deletions sdk/python/feast/infra/registry/sql.py
Expand Up @@ -269,17 +269,17 @@ def __init__(
registry_config.thread_pool_executor_worker_count
)
self.purge_feast_metadata = registry_config.purge_feast_metadata
super().__init__(
project=project,
cache_ttl_seconds=registry_config.cache_ttl_seconds,
cache_mode=registry_config.cache_mode,
)
# Sync feast_metadata to projects table
# when purge_feast_metadata is set to True, Delete data from
# feast_metadata table and list_project_metadata will not return any data
self._sync_feast_metadata_to_projects_table()
if not self.purge_feast_metadata:
self._maybe_init_project_metadata(project)
super().__init__(
project=project,
cache_ttl_seconds=registry_config.cache_ttl_seconds,
cache_mode=registry_config.cache_mode,
)

def _sync_feast_metadata_to_projects_table(self):
feast_metadata_projects: dict = {}
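Review bot: The order of `super().__init__(...)` relative to `self._sync_feast_metadata_to_projects_table()` and `self._maybe_init_project_metadata(project)` is the entire change in this section, but nothing in the code records why that order is required. A later tidy-up could move the call back without anyone noticing. I would add a short comment directly above the `super().__init__(` call saying what the base constructor depends on, or what the sync depends on, and a regression test that constructs the registry with `purge_feast_metadata` both true and false. `__init__` starts outside the hunk, so whether the base constructor reads the tables during construction cannot be checked from here.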