← 返回首页
fix: Fixed tls issue when running both grpc and rest servers by ntkathole · Pull Request #5617 · feast-dev/feast · GitHub
Skip to content

Navigation Menu

Toggle navigation
Sign in
Appearance settings
Search or jump to...

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Include my email address so I can be contacted
Cancel Submit feedback

Saved searches

Use saved searches to filter your results more quickly

Cancel Create saved search
Appearance settings
Resetting focus

fix: Fixed tls issue when running both grpc and rest servers #5617

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
franciscojavierarceo merged 2 commits into from
Sep 15, 2025
Conversation 1 Commits 2 Checks 18 Files changed
Merged

fix: Fixed tls issue when running both grpc and rest servers #5617

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
0835e27
fix: Fixed tls issue when running both grpc and rest servers
ntkathole Sep 15, 2025
0b705ee
fix: Fixed cache_mode bug introduced in 3c7a022ec
ntkathole Sep 15, 2025
File filter

Filter by extension

Filter by extension .go  (2) .py  (1) All 2 file types selected Viewed files
Conversations
Failed to load comments. Retry
Loading
Jump to
Jump to file
Failed to load files. Retry
Loading
Diff view
Unified
Split
Hide whitespace
Apply and reload
Show whitespace
Diff view
Unified
Split
Hide whitespace
Apply and reload
  • infra/feast-operator/internal/controller/services
    • services.go
    • tls.go
  • sdk/python/feast/infra/registry
    • sql.py
28 changes: 27 additions & 1 deletion infra/feast-operator/internal/controller/services/services.go
Show comments
View file Edit file Delete file
Open in desktop
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
Show hidden characters
Original file line number Diff line number Diff line change
Expand Up @@ -665,7 +665,33 @@ func (feast *FeastServices) setService(svc *corev1.Service, feastType FeastServi
if len(svc.Annotations) == 0 {
svc.Annotations = map[string]string{}
}
svc.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = svc.Name + tlsNameSuffix

// For registry services, we need special handling based on which services are enabled
if feastType == RegistryFeastType && feast.isRegistryServer() {
grpcEnabled := feast.isRegistryGrpcEnabled()
restEnabled := feast.isRegistryRestEnabled()

if grpcEnabled && restEnabled {
// Both services enabled: Use gRPC service name as primary, add REST as SAN
grpcSvcName := feast.initFeastSvc(RegistryFeastType).Name
svc.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = grpcSvcName + tlsNameSuffix

// Add Subject Alternative Names (SANs) for both services
grpcHostname := grpcSvcName + "." + svc.Namespace + ".svc.cluster.local"
restHostname := feast.GetFeastRestServiceName(RegistryFeastType) + "." + svc.Namespace + ".svc.cluster.local"
svc.Annotations["service.beta.openshift.io/serving-cert-sans"] = grpcHostname + "," + restHostname
} else if grpcEnabled && !restEnabled {
// Only gRPC enabled: Use gRPC service name
grpcSvcName := feast.initFeastSvc(RegistryFeastType).Name
svc.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = grpcSvcName + tlsNameSuffix
} else if !grpcEnabled && restEnabled {
// Only REST enabled: Use REST service name
svc.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = svc.Name + tlsNameSuffix
}
} else {
// Standard behavior for non-registry services
svc.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = svc.Name + tlsNameSuffix
}
}

var port int32 = HttpPort
Expand Down
19 changes: 16 additions & 3 deletions infra/feast-operator/internal/controller/services/tls.go
Show comments
View file Edit file Delete file
Open in desktop
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
Show hidden characters
Original file line number Diff line number Diff line change
Expand Up @@ -71,18 +71,31 @@ func (feast *FeastServices) setOpenshiftTls() error {
}
}
if feast.localRegistryOpenshiftTls() {
if feast.isRegistryRestEnabled() {
grpcEnabled := feast.isRegistryGrpcEnabled()
restEnabled := feast.isRegistryRestEnabled()

if grpcEnabled && restEnabled {
// Both services enabled: Use gRPC service name as primary certificate
// The certificate will include both hostnames as SANs via service annotations
appliedServices.Registry.Local.Server.TLS = &feastdevv1alpha1.TlsConfigs{
SecretRef: &corev1.LocalObjectReference{
Name: feast.initFeastRestSvc(RegistryFeastType).Name + tlsNameSuffix,
Name: feast.initFeastSvc(RegistryFeastType).Name + tlsNameSuffix,
},
}
} else {
} else if grpcEnabled && !restEnabled {
// Only gRPC enabled: Use gRPC service name
appliedServices.Registry.Local.Server.TLS = &feastdevv1alpha1.TlsConfigs{
SecretRef: &corev1.LocalObjectReference{
Name: feast.initFeastSvc(RegistryFeastType).Name + tlsNameSuffix,
},
}
} else if !grpcEnabled && restEnabled {
// Only REST enabled: Use REST service name
appliedServices.Registry.Local.Server.TLS = &feastdevv1alpha1.TlsConfigs{
SecretRef: &corev1.LocalObjectReference{
Name: feast.initFeastRestSvc(RegistryFeastType).Name + tlsNameSuffix,
},
}
}
} else if remote, err := feast.remoteRegistryOpenshiftTls(); remote {
// if the remote registry reference is using openshift's service serving certificates, we can use the injected service CA bundle configMap
Expand Down
10 changes: 5 additions & 5 deletions sdk/python/feast/infra/registry/sql.py
Show comments
View file Edit file Delete file
Open in desktop
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
Show hidden characters
Original file line number Diff line number Diff line change
Expand Up @@ -269,17 +269,17 @@ def __init__(
registry_config.thread_pool_executor_worker_count
)
self.purge_feast_metadata = registry_config.purge_feast_metadata
super().__init__(
project=project,
cache_ttl_seconds=registry_config.cache_ttl_seconds,
cache_mode=registry_config.cache_mode,
)
# Sync feast_metadata to projects table
# when purge_feast_metadata is set to True, Delete data from
# feast_metadata table and list_project_metadata will not return any data
self._sync_feast_metadata_to_projects_table()
if not self.purge_feast_metadata:
self._maybe_init_project_metadata(project)
super().__init__(
project=project,
cache_ttl_seconds=registry_config.cache_ttl_seconds,
cache_mode=registry_config.cache_mode,
)

def _sync_feast_metadata_to_projects_table(self):
feast_metadata_projects: dict = {}
Expand Down
Loading
Toggle all file notes Toggle all file annotations

Footer

© 2026 GitHub, Inc.