Initial commit
Signed-off-by: Daniele Martinoli <dmartino@redhat.com>
dmartinol committed Dec 3, 2024
commit 7f5c5bb40dd2d572f522d6a42d9b44378533c4eb
18 changes: 5 additions & 13 deletions infra/feast-operator/api/v1alpha1/featurestore_types.go
Expand Up @@ -62,7 +62,7 @@ type FeatureStoreSpec struct {
// FeastProject is the Feast project id. This can be any alphanumeric string with underscores, but it cannot start with an underscore. Required.
FeastProject string `json:"feastProject"`
Services *FeatureStoreServices `json:"services,omitempty"`
AuthzConfig *AuthzConfig `json:"authz,omitempty"`
AuthConfig *AuthConfig `json:"auth,omitempty"`
}

// FeatureStoreServices defines the desired feast service deployments. ephemeral registry is deployed by default.
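Review bot: The JSON tag on the last field of `FeatureStoreSpec` changes from `authz` to `auth` inside the existing `v1alpha1` package, so a manifest that still sets `spec.authz` no longer maps to this field. If the rename is intended, call it out as a breaking change in the commit message and update every sample and doc in the same change; otherwise keep the `authz` tag and rename only the Go identifiers.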
Expand Down Expand Up @@ -279,20 +279,12 @@ type OptionalConfigs struct {
Resources *corev1.ResourceRequirements `json:"resources,omitempty"`
}

// AuthzConfig defines the authorization settings for the deployed Feast services.
type AuthzConfig struct {
KubernetesAuthz *KubernetesAuthz `json:"kubernetes,omitempty"`
// AuthConfig defines the authorization settings for the deployed Feast services.
type AuthConfig struct {
KubernetesAuth *KubernetesAuth `json:"kubernetes,omitempty"`
}

// KubernetesAuthz provides a way to define the authorization settings using Kubernetes RBAC resources.
// https://kubernetes.io/docs/reference/access-authn-authz/rbac/
type KubernetesAuthz struct {
// The Kubernetes RBAC roles to be deployed in the same namespace of the FeatureStore.
// Roles are managed by the operator and created with an empty list of rules.
// See the Feast permission model at https://docs.feast.dev/getting-started/concepts/permission
// The feature store admin is not obligated to manage roles using the Feast operator, roles can be managed independently.
// This configuration option is only providing a way to automate this procedure.
// Important note: the operator cannot ensure that these roles will match the ones used in the configured Feast permissions.
type KubernetesAuth struct {
Roles []string `json:"roles,omitempty"`
}
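Review bot: `AuthConfig` keeps the comment "defines the authorization settings", and its only member configures Kubernetes RBAC roles, so the new `Auth` names are less precise than the `Authz` names they replace and can be read as authentication. Either keep the `Authz` naming or widen the comment to say what else this struct is expected to hold.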

28 changes: 14 additions & 14 deletions infra/feast-operator/api/v1alpha1/zz_generated.deepcopy.go

Some generated files are not rendered by default.
Expand Up @@ -48,23 +48,13 @@ spec:
spec:
description: FeatureStoreSpec defines the desired state of FeatureStore
properties:
authz:
description: AuthzConfig defines the authorization settings for the
auth:
description: AuthConfig defines the authorization settings for the
deployed Feast services.
properties:
kubernetes:
description: |-
KubernetesAuthz provides a way to define the authorization settings using Kubernetes RBAC resources.
https://kubernetes.io/docs/reference/access-authn-authz/rbac/
properties:
roles:
description: |-
The Kubernetes RBAC roles to be deployed in the same namespace of the FeatureStore.
Roles are managed by the operator and created with an empty list of rules.
See the Feast permission model at https://docs.feast.dev/getting-started/concepts/permission
The feature store admin is not obligated to manage roles using the Feast operator, roles can be managed independently.
This configuration option is only providing a way to automate this procedure.
Important note: the operator cannot ensure that these roles will match the ones used in the configured Feast permissions.
items:
type: string
type: array
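Review bot: In the `kubernetes` and `roles` properties the `description` blocks are dropped without replacement, which removes from the CRD the statements that roles are created with an empty list of rules and that the operator cannot ensure they match the configured Feast permissions. Those are the caveats an admin needs when relying on this field for access control; restore the doc comments on `KubernetesAuth` and `Roles` in featurestore_types.go and regenerate the manifests.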
Expand Down Expand Up @@ -1217,23 +1207,13 @@ spec:
description: Shows the currently applied feast configuration, including
any pertinent defaults
properties:
authz:
description: AuthzConfig defines the authorization settings for
auth:
description: AuthConfig defines the authorization settings for
the deployed Feast services.
properties:
kubernetes:
description: |-
KubernetesAuthz provides a way to define the authorization settings using Kubernetes RBAC resources.
https://kubernetes.io/docs/reference/access-authn-authz/rbac/
properties:
roles:
description: |-
The Kubernetes RBAC roles to be deployed in the same namespace of the FeatureStore.
Roles are managed by the operator and created with an empty list of rules.
See the Feast permission model at https://docs.feast.dev/getting-started/concepts/permission
The feature store admin is not obligated to manage roles using the Feast operator, roles can be managed independently.
This configuration option is only providing a way to automate this procedure.
Important note: the operator cannot ensure that these roles will match the ones used in the configured Feast permissions.
items:
type: string
type: array
Expand Up @@ -6,15 +6,18 @@ spec:
feastProject: my_project
services:
onlineStore:
image: quay.io/dmartino/feature-server:0.2
persistence:
file:
path: /data/online_store.db
offlineStore:
image: quay.io/dmartino/feature-server:0.2
persistence:
file:
type: dask
registry:
local:
image: quay.io/dmartino/feature-server:0.2
persistence:
file:
path: /data/registry.db
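Review bot: The three added `image:` lines point onlineStore, offlineStore and the local registry at `quay.io/dmartino/feature-server:0.2`, a personal registry namespace referenced by a mutable tag. Samples get copied into real deployments, so drop the override if it is only there for local testing, or reference an image the project publishes, pinned by digest.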
Expand Up @@ -6,19 +6,22 @@ spec:
feastProject: my_project
services:
onlineStore:
image: quay.io/dmartino/feature-server:0.3
persistence:
file:
path: /data/online_store.db
offlineStore:
image: quay.io/dmartino/feature-server:0.3
persistence:
file:
type: dask
registry:
local:
image: quay.io/dmartino/feature-server:0.3
persistence:
file:
path: /data/registry.db
authz:
auth:
kubernetes:
roles:
- reader
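Review bot: This sample uses `feature-server:0.3` while the other samples in this commit use `0.2`, and it is the only one that sets `auth`. If the Kubernetes auth configuration needs the newer build, say so in a comment in the sample; if not, align the tags.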
Expand Up @@ -6,15 +6,18 @@ spec:
feastProject: my_project
services:
onlineStore:
image: quay.io/dmartino/feature-server:0.2
persistence:
file:
path: /data/online_store.db
offlineStore:
image: quay.io/dmartino/feature-server:0.2
persistence:
file:
type: dask
registry:
local:
image: quay.io/dmartino/feature-server:0.2
persistence:
file:
path: s3://bucket/registry.db
Expand Up @@ -6,6 +6,7 @@ spec:
feastProject: my_project
services:
onlineStore:
image: quay.io/dmartino/feature-server:0.2
persistence:
file:
path: online_store.db
Expand All @@ -14,6 +15,7 @@ spec:
name: online-pvc
mountPath: /data/online
offlineStore:
image: quay.io/dmartino/feature-server:0.2
persistence:
file:
type: duckdb
Expand All @@ -26,6 +28,7 @@ spec:
mountPath: /data/offline
registry:
local:
image: quay.io/dmartino/feature-server:0.2
persistence:
file:
path: registry.db
28 changes: 4 additions & 24 deletions infra/feast-operator/dist/install.yaml
Expand Up @@ -56,23 +56,13 @@ spec:
spec:
description: FeatureStoreSpec defines the desired state of FeatureStore
properties:
authz:
description: AuthzConfig defines the authorization settings for the
auth:
description: AuthConfig defines the authorization settings for the
deployed Feast services.
properties:
kubernetes:
description: |-
KubernetesAuthz provides a way to define the authorization settings using Kubernetes RBAC resources.
https://kubernetes.io/docs/reference/access-authn-authz/rbac/
properties:
roles:
description: |-
The Kubernetes RBAC roles to be deployed in the same namespace of the FeatureStore.
Roles are managed by the operator and created with an empty list of rules.
See the Feast permission model at https://docs.feast.dev/getting-started/concepts/permission
The feature store admin is not obligated to manage roles using the Feast operator, roles can be managed independently.
This configuration option is only providing a way to automate this procedure.
Important note: the operator cannot ensure that these roles will match the ones used in the configured Feast permissions.
items:
type: string
type: array
Expand Down Expand Up @@ -1225,23 +1215,13 @@ spec:
description: Shows the currently applied feast configuration, including
any pertinent defaults
properties:
authz:
description: AuthzConfig defines the authorization settings for
auth:
description: AuthConfig defines the authorization settings for
the deployed Feast services.
properties:
kubernetes:
description: |-
KubernetesAuthz provides a way to define the authorization settings using Kubernetes RBAC resources.
https://kubernetes.io/docs/reference/access-authn-authz/rbac/
properties:
roles:
description: |-
The Kubernetes RBAC roles to be deployed in the same namespace of the FeatureStore.
Roles are managed by the operator and created with an empty list of rules.
See the Feast permission model at https://docs.feast.dev/getting-started/concepts/permission
The feature store admin is not obligated to manage roles using the Feast operator, roles can be managed independently.
This configuration option is only providing a way to automate this procedure.
Important note: the operator cannot ensure that these roles will match the ones used in the configured Feast permissions.
items:
type: string
type: array