Skip to content

feat: OIDC authorization in Feast Operator #4801

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
dmartinol merged 11 commits into from
Dec 4, 2024
Merged

feat: OIDC authorization in Feast Operator #4801

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
7f5c5bb
Initial commit
dmartinol Nov 22, 2024
55badf9
no private image
dmartinol Nov 22, 2024
2453a11
removed nameLabelKey, using serices.NameLabelKey
dmartinol Nov 25, 2024
cad9f3e
improved CRD comments and using IsLocalRegistry
dmartinol Nov 25, 2024
25f1d90
fixing generated code
dmartinol Nov 25, 2024
2579f40
renamed auth condition and types
dmartinol Nov 26, 2024
acde71a
more renamings
dmartinol Nov 26, 2024
82085d6
initial commit
dmartinol Nov 28, 2024
99455e5
oidc IT
dmartinol Dec 2, 2024
5f2fd33
with sample
dmartinol Dec 2, 2024
e3de29c
no private image
dmartinol Dec 2, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
initial commit 
Signed-off-by: Daniele Martinoli <dmartino@redhat.com>
  • Loading branch information
@dmartinol
dmartinol committed Dec 3, 2024
commit 82085d66e95b6bf75280869bb5681a5550ba0b76
8 changes: 8 additions & 0 deletions infra/feast-operator/api/v1alpha1/featurestore_types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -280,8 +280,10 @@ type OptionalConfigs struct {
}

// AuthzConfig defines the authorization settings for the deployed Feast services.
// +kubebuilder:validation:XValidation:rule="[has(self.kubernetes), has(self.oidc)].exists_one(c, c)",message="One selection required between kubernetes or oidc."
type AuthzConfig struct {
KubernetesAuthz *KubernetesAuthz `json:"kubernetes,omitempty"`
OidcAuthz *OidcAuthz `json:"oidc,omitempty"`
}

// KubernetesAuthz provides a way to define the authorization settings using Kubernetes RBAC resources.
Expand All @@ -296,6 +298,12 @@ type KubernetesAuthz struct {
Roles []string `json:"roles,omitempty"`
}

// OidcAuthz defines the authorization settings for deployments using an Open ID Connect identity provider.
// https://auth0.com/docs/authenticate/protocols/openid-connect-protocol
type OidcAuthz struct {
SecretRef corev1.LocalObjectReference `json:"secretRef"`
}

// TlsConfigs configures server TLS for a feast service. in an openshift cluster, this is configured by default using service serving certificates.
// +kubebuilder:validation:XValidation:rule="(!has(self.disable) || !self.disable) ? has(self.secretRef) : true",message="`secretRef` required if `disable` is false."
type TlsConfigs struct {
Expand Down
21 changes: 21 additions & 0 deletions infra/feast-operator/api/v1alpha1/zz_generated.deepcopy.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

49 changes: 49 additions & 0 deletions infra/feast-operator/config/crd/bases/feast.dev_featurestores.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,7 +69,31 @@ spec:
type: string
type: array
type: object
oidc:
description: |-
OidcAuthz defines the authorization settings for deployments using an Open ID Connect identity provider.
https://auth0.com/docs/authenticate/protocols/openid-connect-protocol
properties:
secretRef:
description: |-
LocalObjectReference contains enough information to let you locate the
referenced object inside the same namespace.
properties:
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
Copy link
Copy Markdown
Member

@franciscojavierarceo franciscojavierarceo Dec 3, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will this be added in another PR?

Copy link
Copy Markdown
Contributor Author

@dmartinol dmartinol Dec 3, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is generated code and the comments you see are from the core type LocalObjectReference. I don’t think we can do more, here. @tchughesiv ?

Copy link
Copy Markdown
Contributor

@tchughesiv tchughesiv Dec 3, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is being imported from the kubernetes type we're using
https://github.com/kubernetes/kubernetes/blob/c83cbee114ddb732cdc06d3d1b62c9eb9220726f/pkg/apis/core/types.go#L5627

Copy link
Copy Markdown
Contributor

@tchughesiv tchughesiv Dec 3, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

agree @dmartinol

type: string
type: object
x-kubernetes-map-type: atomic
required:
- secretRef
type: object
type: object
x-kubernetes-validations:
- message: One selection required between kubernetes or oidc.
rule: '[has(self.kubernetes), has(self.oidc)].exists_one(c, c)'
feastProject:
description: FeastProject is the Feast project id. This can be any
alphanumeric string with underscores, but it cannot start with an
Expand Down Expand Up @@ -1238,7 +1262,32 @@ spec:
type: string
type: array
type: object
oidc:
description: |-
OidcAuthz defines the authorization settings for deployments using an Open ID Connect identity provider.
https://auth0.com/docs/authenticate/protocols/openid-connect-protocol
properties:
secretRef:
description: |-
LocalObjectReference contains enough information to let you locate the
referenced object inside the same namespace.
properties:
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
type: object
x-kubernetes-map-type: atomic
required:
- secretRef
type: object
type: object
x-kubernetes-validations:
- message: One selection required between kubernetes or oidc.
rule: '[has(self.kubernetes), has(self.oidc)].exists_one(c,
c)'
feastProject:
description: FeastProject is the Feast project id. This can be
any alphanumeric string with underscores, but it cannot start
Expand Down
49 changes: 49 additions & 0 deletions infra/feast-operator/dist/install.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -77,7 +77,31 @@ spec:
type: string
type: array
type: object
oidc:
description: |-
OidcAuthz defines the authorization settings for deployments using an Open ID Connect identity provider.
https://auth0.com/docs/authenticate/protocols/openid-connect-protocol
properties:
secretRef:
description: |-
LocalObjectReference contains enough information to let you locate the
referenced object inside the same namespace.
properties:
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
type: object
x-kubernetes-map-type: atomic
required:
- secretRef
type: object
type: object
x-kubernetes-validations:
- message: One selection required between kubernetes or oidc.
rule: '[has(self.kubernetes), has(self.oidc)].exists_one(c, c)'
feastProject:
description: FeastProject is the Feast project id. This can be any
alphanumeric string with underscores, but it cannot start with an
Expand Down Expand Up @@ -1246,7 +1270,32 @@ spec:
type: string
type: array
type: object
oidc:
description: |-
OidcAuthz defines the authorization settings for deployments using an Open ID Connect identity provider.
https://auth0.com/docs/authenticate/protocols/openid-connect-protocol
properties:
secretRef:
description: |-
LocalObjectReference contains enough information to let you locate the
referenced object inside the same namespace.
properties:
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
type: object
x-kubernetes-map-type: atomic
required:
- secretRef
type: object
type: object
x-kubernetes-validations:
- message: One selection required between kubernetes or oidc.
rule: '[has(self.kubernetes), has(self.oidc)].exists_one(c,
c)'
feastProject:
description: FeastProject is the Feast project id. This can be
any alphanumeric string with underscores, but it cannot start
Expand Down
14 changes: 6 additions & 8 deletions infra/feast-operator/internal/controller/authz/authz.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,15 +18,13 @@ import (
// Deploy the feast authorization
func (authz *FeastAuthorization) Deploy() error {
if authz.isKubernetesAuth() {
if err := authz.deployKubernetesAuth(); err != nil {
return err
}
} else {
authz.removeOrphanedRoles()
_ = authz.Handler.DeleteOwnedFeastObj(authz.initFeastRole())
_ = authz.Handler.DeleteOwnedFeastObj(authz.initFeastRoleBinding())
apimeta.RemoveStatusCondition(&authz.Handler.FeatureStore.Status.Conditions, feastKubernetesAuthConditions[metav1.ConditionTrue].Type)
return authz.deployKubernetesAuth()
}

authz.removeOrphanedRoles()
_ = authz.Handler.DeleteOwnedFeastObj(authz.initFeastRole())
_ = authz.Handler.DeleteOwnedFeastObj(authz.initFeastRoleBinding())
apimeta.RemoveStatusCondition(&authz.Handler.FeatureStore.Status.Conditions, feastKubernetesAuthConditions[metav1.ConditionTrue].Type)
return nil
}

Expand Down
4 changes: 2 additions & 2 deletions infra/feast-operator/internal/controller/featurestore_controller_kubernetes_auth_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -333,9 +333,9 @@ var _ = Describe("FeatureStore Controller-Kubernetes authorization", func() {
Expect(err).To(HaveOccurred())
Expect(errors.IsNotFound(err)).To(BeTrue())

By("Clearing the kubernetes authorizatino and reconciling")
By("Clearing the kubernetes authorization and reconciling")
resourceNew = resource.DeepCopy()
resourceNew.Spec.AuthzConfig = &feastdevv1alpha1.AuthzConfig{}
resourceNew.Spec.AuthzConfig = nil
err = k8sClient.Update(ctx, resourceNew)
Expect(err).NotTo(HaveOccurred())
_, err = controllerReconciler.Reconcile(ctx, reconcile.Request{
Expand Down
1 change: 0 additions & 1 deletion infra/feast-operator/internal/controller/featurestore_controller_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -964,7 +964,6 @@ var _ = Describe("FeatureStore Controller", func() {
},
Spec: feastdevv1alpha1.FeatureStoreSpec{
FeastProject: referencedRegistry.Spec.FeastProject,
AuthzConfig: &feastdevv1alpha1.AuthzConfig{},
Services: &feastdevv1alpha1.FeatureStoreServices{
OnlineStore: &feastdevv1alpha1.OnlineStore{},
OfflineStore: &feastdevv1alpha1.OfflineStore{},
Expand Down
2 changes: 1 addition & 1 deletion infra/feast-operator/internal/controller/services/client.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ func (feast *FeastServices) createClientConfigMap() error {

func (feast *FeastServices) setClientConfigMap(cm *corev1.ConfigMap) error {
cm.Labels = feast.getLabels(ClientFeastType)
clientYaml, err := feast.getClientFeatureStoreYaml()
clientYaml, err := feast.getClientFeatureStoreYaml(feast.extractConfigFromSecret)
if err != nil {
return err
}
Expand Down
119 changes: 91 additions & 28 deletions infra/feast-operator/internal/controller/services/repo_config.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,10 +47,34 @@ func (feast *FeastServices) getServiceRepoConfig(feastType FeastServiceType) (Re
return getServiceRepoConfig(feastType, feast.Handler.FeatureStore, feast.extractConfigFromSecret)
}

func getServiceRepoConfig(feastType FeastServiceType, featureStore *feastdevv1alpha1.FeatureStore, secretExtractionFunc func(secretRef string, secretKeyName string) (map[string]interface{}, error)) (RepoConfig, error) {
func getServiceRepoConfig(
feastType FeastServiceType,
featureStore *feastdevv1alpha1.FeatureStore,
secretExtractionFunc func(secretRef string, secretKeyName string) (map[string]interface{}, error)) (RepoConfig, error) {
appliedSpec := featureStore.Status.Applied

repoConfig := getClientRepoConfig(featureStore)
repoConfig, err := getClientRepoConfig(featureStore, secretExtractionFunc)
if err != nil {
return repoConfig, err
}

if appliedSpec.AuthzConfig != nil && appliedSpec.AuthzConfig.OidcAuthz != nil {
propertiesMap, err := secretExtractionFunc(appliedSpec.AuthzConfig.OidcAuthz.SecretRef.Name, "")
if err != nil {
return repoConfig, err
}

oidcServerProperties := map[string]interface{}{}
for _, oidcServerProperty := range OidcServerProperties {
if val, exists := propertiesMap[string(oidcServerProperty)]; exists {
oidcServerProperties[string(oidcServerProperty)] = val
} else {
return repoConfig, missingOidcSecretProperty(oidcServerProperty)
}
}
repoConfig.AuthzConfig.OidcParameters = oidcServerProperties
}

if appliedSpec.Services != nil {
services := appliedSpec.Services

Expand Down Expand Up @@ -200,11 +224,17 @@ func setRepoConfigOffline(services *feastdevv1alpha1.FeatureStoreServices, secre
return nil
}

func (feast *FeastServices) getClientFeatureStoreYaml() ([]byte, error) {
return yaml.Marshal(getClientRepoConfig(feast.Handler.FeatureStore))
func (feast *FeastServices) getClientFeatureStoreYaml(secretExtractionFunc func(secretRef string, secretKeyName string) (map[string]interface{}, error)) ([]byte, error) {
clientRepo, err := getClientRepoConfig(feast.Handler.FeatureStore, secretExtractionFunc)
if err != nil {
return []byte{}, err
}
return yaml.Marshal(clientRepo)
}

func getClientRepoConfig(featureStore *feastdevv1alpha1.FeatureStore) RepoConfig {
func getClientRepoConfig(
featureStore *feastdevv1alpha1.FeatureStore,
secretExtractionFunc func(secretRef string, secretKeyName string) (map[string]interface{}, error)) (RepoConfig, error) {
status := featureStore.Status
appliedServices := status.Applied.Services
clientRepoConfig := RepoConfig{
Expand Down Expand Up @@ -248,13 +278,37 @@ func getClientRepoConfig(featureStore *feastdevv1alpha1.FeatureStore) RepoConfig
}
}

clientRepoConfig.AuthzConfig = AuthzConfig{
Type: NoAuthAuthType,
}
if status.Applied.AuthzConfig != nil && status.Applied.AuthzConfig.KubernetesAuthz != nil {
clientRepoConfig.AuthzConfig.Type = KubernetesAuthType
if status.Applied.AuthzConfig == nil {
clientRepoConfig.AuthzConfig = AuthzConfig{
Type: NoAuthAuthType,
}
} else {
if status.Applied.AuthzConfig.KubernetesAuthz != nil {
clientRepoConfig.AuthzConfig = AuthzConfig{
Type: KubernetesAuthType,
}
} else if status.Applied.AuthzConfig.OidcAuthz != nil {
clientRepoConfig.AuthzConfig = AuthzConfig{
Type: OidcAuthType,
}

propertiesMap, err := secretExtractionFunc(status.Applied.AuthzConfig.OidcAuthz.SecretRef.Name, "")
if err != nil {
return clientRepoConfig, err
}

oidcClientProperties := map[string]interface{}{}
for _, oidcClientProperty := range OidcClientProperties {
if val, exists := propertiesMap[string(oidcClientProperty)]; exists {
oidcClientProperties[string(oidcClientProperty)] = val
} else {
return clientRepoConfig, missingOidcSecretProperty(oidcClientProperty)
}
}
clientRepoConfig.AuthzConfig.OidcParameters = oidcClientProperties
}
}
return clientRepoConfig
return clientRepoConfig, nil
}

func getActualPath(filePath string, pvcConfig *feastdevv1alpha1.PvcConfig) string {
Expand All @@ -271,24 +325,33 @@ func (feast *FeastServices) extractConfigFromSecret(secretRef string, secretKeyN
}
parameters := map[string]interface{}{}

val, exists := secret.Data[secretKeyName]
if !exists {
return nil, fmt.Errorf("secret key %s doesn't exist in secret %s", secretKeyName, secretRef)
}

err = yaml.Unmarshal(val, &parameters)
if err != nil {
return nil, fmt.Errorf("secret %s contains invalid value", secretKeyName)
}

_, exists = parameters["type"]
if exists {
return nil, fmt.Errorf("secret key %s in secret %s contains invalid tag named type", secretKeyName, secretRef)
}
if secretKeyName != "" {
val, exists := secret.Data[secretKeyName]
if !exists {
return nil, fmt.Errorf("secret key %s doesn't exist in secret %s", secretKeyName, secretRef)
}
err = yaml.Unmarshal(val, &parameters)
if err != nil {
return nil, fmt.Errorf("secret %s contains invalid value", secretKeyName)
}
_, exists = parameters["type"]
if exists {
return nil, fmt.Errorf("secret key %s in secret %s contains invalid tag named type", secretKeyName, secretRef)
}

_, exists = parameters["registry_type"]
if exists {
return nil, fmt.Errorf("secret key %s in secret %s contains invalid tag named registry_type", secretKeyName, secretRef)
_, exists = parameters["registry_type"]
if exists {
return nil, fmt.Errorf("secret key %s in secret %s contains invalid tag named registry_type", secretKeyName, secretRef)
}
} else {
for k, v := range secret.Data {
var val interface{}
err := yaml.Unmarshal(v, &val)
if err != nil {
return nil, fmt.Errorf("secret %s contains invalid value %v", k, v)
}
parameters[k] = val
}
}

return parameters, nil
Expand Down
Loading