feat: Add TLS support to the Operator (feast-dev#4796)

* add tls support to the operator Signed-off-by: Tommy Hughes <[email protected]> * operator tls review fix: if statement Signed-off-by: Tommy Hughes <[email protected]> * rebase fixes Signed-off-by: Tommy Hughes <[email protected]> * authz rbac fixes Signed-off-by: Tommy Hughes <[email protected]> --------- Signed-off-by: Tommy Hughes <[email protected]>
nishantgaurav-dev · Jan 15, 2025 · be5882b · be5882b
1 parent 82d3b35
commit be5882b
Show file tree

Hide file tree

Showing 21 changed files with 910 additions and 69 deletions.
diff --git a/infra/feast-operator/api/v1alpha1/featurestore_types.go b/infra/feast-operator/api/v1alpha1/featurestore_types.go
@@ -33,11 +33,15 @@ const (
 	OnlineStoreReadyType   = "OnlineStore"
 	RegistryReadyType      = "Registry"
 	ReadyType              = "FeatureStore"
+<<<<<<< HEAD
 <<<<<<< HEAD
 	AuthorizationReadyType = "Authorization"
 =======
 	AuthorizationReadyType = "AuthorizationReadyType"
 >>>>>>> 39eb4d80c (feat: RBAC Authorization in Feast Operator (#4786))
+=======
+	AuthorizationReadyType = "Authorization"
+>>>>>>> 668d47b8e (feat: Add TLS support to the Operator (#4796))
 
 	// Feast condition reasons:
 	ReadyReason                 = "Ready"
@@ -80,11 +84,22 @@ type FeatureStoreServices struct {
 type OfflineStore struct {
 	ServiceConfigs `json:",inline"`
 	Persistence    *OfflineStorePersistence `json:"persistence,omitempty"`
+<<<<<<< HEAD
 	TLS            *TlsConfigs              `json:"tls,omitempty"`
 	// LogLevel sets the logging level for the offline store service
 	// Allowed values: "debug", "info", "warning", "error", "critical".
 	// +kubebuilder:validation:Enum=debug;info;warning;error;critical
 	LogLevel string `json:"logLevel,omitempty"`
+=======
+	TLS            *OfflineTlsConfigs       `json:"tls,omitempty"`
+}
+
+// OfflineTlsConfigs configures server TLS for the offline feast service. in an openshift cluster, this is configured by default using service serving certificates.
+type OfflineTlsConfigs struct {
+	TlsConfigs `json:",inline"`
+	// verify the client TLS certificate.
+	VerifyClient *bool `json:"verifyClient,omitempty"`
+>>>>>>> 668d47b8e (feat: Add TLS support to the Operator (#4796))
 }
 
 // OfflineStorePersistence configures the persistence settings for the offline store service
@@ -156,10 +171,13 @@ type OnlineStore struct {
 	ServiceConfigs `json:",inline"`
 	Persistence    *OnlineStorePersistence `json:"persistence,omitempty"`
 	TLS            *TlsConfigs             `json:"tls,omitempty"`
+<<<<<<< HEAD
 	// LogLevel sets the logging level for the online store service
 	// Allowed values: "debug", "info", "warning", "error", "critical".
 	// +kubebuilder:validation:Enum=debug;info;warning;error;critical
 	LogLevel string `json:"logLevel,omitempty"`
+=======
+>>>>>>> 668d47b8e (feat: Add TLS support to the Operator (#4796))
 }
 
 // OnlineStorePersistence configures the persistence settings for the online store service
@@ -238,10 +256,13 @@ type LocalRegistryConfig struct {
 	ServiceConfigs `json:",inline"`
 	Persistence    *RegistryPersistence `json:"persistence,omitempty"`
 	TLS            *TlsConfigs          `json:"tls,omitempty"`
+<<<<<<< HEAD
 	// LogLevel sets the logging level for the registry service
 	// Allowed values: "debug", "info", "warning", "error", "critical".
 	// +kubebuilder:validation:Enum=debug;info;warning;error;critical
 	LogLevel string `json:"logLevel,omitempty"`
+=======
+>>>>>>> 668d47b8e (feat: Add TLS support to the Operator (#4796))
 }
 
 // RegistryPersistence configures the persistence settings for the registry service
@@ -422,13 +443,16 @@ type KubernetesAuthz struct {
 	Roles []string `json:"roles,omitempty"`
 }
 
+<<<<<<< HEAD
 <<<<<<< HEAD
 // OidcAuthz defines the authorization settings for deployments using an Open ID Connect identity provider.
 // https://auth0.com/docs/authenticate/protocols/openid-connect-protocol
 type OidcAuthz struct {
 	SecretRef corev1.LocalObjectReference `json:"secretRef"`
 }
 
+=======
+>>>>>>> 668d47b8e (feat: Add TLS support to the Operator (#4796))
 // TlsConfigs configures server TLS for a feast service. in an openshift cluster, this is configured by default using service serving certificates.
 // +kubebuilder:validation:XValidation:rule="(!has(self.disable) || !self.disable) ? has(self.secretRef) : true",message="`secretRef` required if `disable` is false."
 type TlsConfigs struct {
@@ -468,8 +492,11 @@ type SecretKeyNames struct {
 	TlsKey string `json:"tlsKey,omitempty"`
 }
 
+<<<<<<< HEAD
 =======
 >>>>>>> 39eb4d80c (feat: RBAC Authorization in Feast Operator (#4786))
+=======
+>>>>>>> 668d47b8e (feat: Add TLS support to the Operator (#4796))
 // FeatureStoreStatus defines the observed state of FeatureStore
 type FeatureStoreStatus struct {
 	// Shows the currently applied feast configuration, including any pertinent defaults

diff --git a/infra/feast-operator/api/v1alpha1/zz_generated.deepcopy.go b/infra/feast-operator/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/infra/feast-operator/config/crd/bases/feast.dev_featurestores.yaml b/infra/feast-operator/config/crd/bases/feast.dev_featurestores.yaml
@@ -505,9 +505,15 @@ spec:
                             type: object
                         type: object
                       tls:
+<<<<<<< HEAD
                         description: TlsConfigs configures server TLS for a feast
                           service. in an openshift cluster, this is configured by
                           default using service serving certificates.
+=======
+                        description: OfflineTlsConfigs configures server TLS for the
+                          offline feast service. in an openshift cluster, this is
+                          configured by default using service serving certificates.
+>>>>>>> 668d47b8e (feat: Add TLS support to the Operator (#4796))
                         properties:
                           disable:
                             description: will disable TLS for the feast service. useful
@@ -537,6 +543,12 @@ spec:
                                 type: string
                             type: object
                             x-kubernetes-map-type: atomic
+<<<<<<< HEAD
+=======
+                          verifyClient:
+                            description: verify the client TLS certificate.
+                            type: boolean
+>>>>>>> 668d47b8e (feat: Add TLS support to the Operator (#4796))
                         type: object
                         x-kubernetes-validations:
                         - message: '`secretRef` required if `disable` is false.'
@@ -2045,9 +2057,16 @@ spec:
                                 type: object
                             type: object
                           tls:
+<<<<<<< HEAD
                             description: TlsConfigs configures server TLS for a feast
                               service. in an openshift cluster, this is configured
                               by default using service serving certificates.
+=======
+                            description: OfflineTlsConfigs configures server TLS for
+                              the offline feast service. in an openshift cluster,
+                              this is configured by default using service serving
+                              certificates.
+>>>>>>> 668d47b8e (feat: Add TLS support to the Operator (#4796))
                             properties:
                               disable:
                                 description: will disable TLS for the feast service.
@@ -2077,6 +2096,12 @@ spec:
                                     type: string
                                 type: object
                                 x-kubernetes-map-type: atomic
+<<<<<<< HEAD
+=======
+                              verifyClient:
+                                description: verify the client TLS certificate.
+                                type: boolean
+>>>>>>> 668d47b8e (feat: Add TLS support to the Operator (#4796))
                             type: object
                             x-kubernetes-validations:
                             - message: '`secretRef` required if `disable` is false.'

diff --git a/infra/feast-operator/config/rbac/role.yaml b/infra/feast-operator/config/rbac/role.yaml
@@ -72,10 +72,14 @@ rules:
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:
+<<<<<<< HEAD
 <<<<<<< HEAD
   - rolebindings
 =======
 >>>>>>> 39eb4d80c (feat: RBAC Authorization in Feast Operator (#4786))
+=======
+  - rolebindings
+>>>>>>> 668d47b8e (feat: Add TLS support to the Operator (#4796))
   - roles
   verbs:
   - create

diff --git a/infra/feast-operator/dist/install.yaml b/infra/feast-operator/dist/install.yaml
@@ -513,9 +513,15 @@ spec:
                             type: object
                         type: object
                       tls:
+<<<<<<< HEAD
                         description: TlsConfigs configures server TLS for a feast
                           service. in an openshift cluster, this is configured by
                           default using service serving certificates.
+=======
+                        description: OfflineTlsConfigs configures server TLS for the
+                          offline feast service. in an openshift cluster, this is
+                          configured by default using service serving certificates.
+>>>>>>> 668d47b8e (feat: Add TLS support to the Operator (#4796))
                         properties:
                           disable:
                             description: will disable TLS for the feast service. useful
@@ -545,6 +551,12 @@ spec:
                                 type: string
                             type: object
                             x-kubernetes-map-type: atomic
+<<<<<<< HEAD
+=======
+                          verifyClient:
+                            description: verify the client TLS certificate.
+                            type: boolean
+>>>>>>> 668d47b8e (feat: Add TLS support to the Operator (#4796))
                         type: object
                         x-kubernetes-validations:
                         - message: '`secretRef` required if `disable` is false.'
@@ -2053,9 +2065,16 @@ spec:
                                 type: object
                             type: object
                           tls:
+<<<<<<< HEAD
                             description: TlsConfigs configures server TLS for a feast
                               service. in an openshift cluster, this is configured
                               by default using service serving certificates.
+=======
+                            description: OfflineTlsConfigs configures server TLS for
+                              the offline feast service. in an openshift cluster,
+                              this is configured by default using service serving
+                              certificates.
+>>>>>>> 668d47b8e (feat: Add TLS support to the Operator (#4796))
                             properties:
                               disable:
                                 description: will disable TLS for the feast service.
@@ -2085,6 +2104,12 @@ spec:
                                     type: string
                                 type: object
                                 x-kubernetes-map-type: atomic
+<<<<<<< HEAD
+=======
+                              verifyClient:
+                                description: verify the client TLS certificate.
+                                type: boolean
+>>>>>>> 668d47b8e (feat: Add TLS support to the Operator (#4796))
                             type: object
                             x-kubernetes-validations:
                             - message: '`secretRef` required if `disable` is false.'
@@ -3408,10 +3433,14 @@ rules:
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:
+<<<<<<< HEAD
 <<<<<<< HEAD
   - rolebindings
 =======
 >>>>>>> 39eb4d80c (feat: RBAC Authorization in Feast Operator (#4786))
+=======
+  - rolebindings
+>>>>>>> 668d47b8e (feat: Add TLS support to the Operator (#4796))
   - roles
   verbs:
   - create

diff --git a/infra/feast-operator/internal/controller/authz/authz.go b/infra/feast-operator/internal/controller/authz/authz.go
@@ -17,6 +17,7 @@ import (
 
 // Deploy the feast authorization
 func (authz *FeastAuthorization) Deploy() error {
+<<<<<<< HEAD
 <<<<<<< HEAD
 	if authz.isKubernetesAuth() {
 		return authz.deployKubernetesAuth()
@@ -61,26 +62,46 @@ func (authz *FeastAuthorization) deployKubernetesAuth() error {
 			authz.removeOrphanedRoles()
 			_ = authz.Handler.DeleteOwnedFeastObj(authz.initFeastRole())
 			_ = authz.Handler.DeleteOwnedFeastObj(authz.initFeastRoleBinding())
+=======
+	if authz.isKubernetesAuth() {
+		if err := authz.deployKubernetesAuth(); err != nil {
+			return err
+>>>>>>> 668d47b8e (feat: Add TLS support to the Operator (#4796))
 		}
+	} else {
+		authz.removeOrphanedRoles()
+		_ = authz.Handler.DeleteOwnedFeastObj(authz.initFeastRole())
+		_ = authz.Handler.DeleteOwnedFeastObj(authz.initFeastRoleBinding())
+		apimeta.RemoveStatusCondition(&authz.Handler.FeatureStore.Status.Conditions, feastKubernetesAuthConditions[metav1.ConditionTrue].Type)
 	}
 	return nil
 }
 
-func (authz *FeastAuthorization) deployKubernetesAuth(kubernetesAuth *feastdevv1alpha1.KubernetesAuthz) error {
-	authz.removeOrphanedRoles()
+func (authz *FeastAuthorization) isKubernetesAuth() bool {
+	authzConfig := authz.Handler.FeatureStore.Status.Applied.AuthzConfig
+	return authzConfig != nil && authzConfig.KubernetesAuthz != nil
+}
 
-	if err := authz.createFeastRole(); err != nil {
-		return authz.setFeastKubernetesAuthCondition(err)
-	}
-	if err := authz.createFeastRoleBinding(); err != nil {
-		return authz.setFeastKubernetesAuthCondition(err)
-	}
+func (authz *FeastAuthorization) deployKubernetesAuth() error {
+	if authz.isKubernetesAuth() {
+		authz.removeOrphanedRoles()
 
-	for _, roleName := range kubernetesAuth.Roles {
-		if err := authz.createAuthRole(roleName); err != nil {
+		if err := authz.createFeastRole(); err != nil {
 			return authz.setFeastKubernetesAuthCondition(err)
 		}
+<<<<<<< HEAD
 >>>>>>> 39eb4d80c (feat: RBAC Authorization in Feast Operator (#4786))
+=======
+		if err := authz.createFeastRoleBinding(); err != nil {
+			return authz.setFeastKubernetesAuthCondition(err)
+		}
+
+		for _, roleName := range authz.Handler.FeatureStore.Status.Applied.AuthzConfig.KubernetesAuthz.Roles {
+			if err := authz.createAuthRole(roleName); err != nil {
+				return authz.setFeastKubernetesAuthCondition(err)
+			}
+		}
+>>>>>>> 668d47b8e (feat: Add TLS support to the Operator (#4796))
 	}
 	return authz.setFeastKubernetesAuthCondition(nil)
 }
@@ -96,11 +117,15 @@ func (authz *FeastAuthorization) removeOrphanedRoles() {
 	}
 
 	desiredRoles := []string{}
+<<<<<<< HEAD
 <<<<<<< HEAD
 	if authz.isKubernetesAuth() {
 =======
 	if authz.Handler.FeatureStore.Status.Applied.AuthzConfig.KubernetesAuthz != nil {
 >>>>>>> 39eb4d80c (feat: RBAC Authorization in Feast Operator (#4786))
+=======
+	if authz.isKubernetesAuth() {
+>>>>>>> 668d47b8e (feat: Add TLS support to the Operator (#4796))
 		desiredRoles = authz.Handler.FeatureStore.Status.Applied.AuthzConfig.KubernetesAuthz.Roles
 	}
 	for _, role := range roleList.Items {