TLS Path automatic setup

Signed-off-by: jyejare <jyejare@redhat.com>
feast-dev · franciscojavierarceo · Oct 10, 2025 · Sep 16, 2025 · Sep 18, 2025 · Oct 7, 2025
commit 83c94e5d6cc070ac85c10c921cef91445ccdaeca
@@ -79,19 +79,25 @@
    "id": "8e00a2f3",
    "metadata": {},
    "source": [
-    "### Change the Cert path for all servers to CACert in repo config\n",
+    "### Certificate Path Configuration\n",
     "\n",
-    "Note: Below example is for MacOS, For linux remove empty `''`."
+    "The Feast operator automatically configures the correct certificate path based on the deployment environment:\n",
+    "- For RHOAI/ODH deployments with custom CA bundle: Uses `/etc/pki/tls/custom-certs/service-ca.crt`\n",
+    "- For standard deployments: Uses individual service certificate paths like `/tls/offline/tls.crt`\n",
+    "\n",
+    "No manual configuration is needed - the operator handles this automatically."
    ]
   },
   {
    "cell_type": "code",
-   "execution_count": 15,
+   "execution_count": null,
    "id": "fcb92e6a",
    "metadata": {},
    "outputs": [],
    "source": [
-    "!sed -i '' 's|cert: /tls/[^/]*/tls.crt|cert: /etc/pki/tls/custom-certs/service-ca.crt|g' client/feature_repo/feature_store.yaml"
+    "# The operator now automatically configures the correct certificate path\n",
+    "# No manual modification needed - the feature_store.yaml already has the correct paths\n",
+    "print(\"Certificate paths are automatically configured by the Feast operator\")"
    ]
   },
   {
@@ -707,7 +713,7 @@
    "name": "python",
    "nbconvert_exporter": "python",
    "pygments_lexer": "ipython3",
-   "version": "3.11.11"
+   "version": "3.11.13"
   }
  },
  "nbformat": 4,

@@ -86,7 +86,7 @@ func getBaseServiceRepoConfig(
 	secretExtractionFunc func(storeType string, secretRef string, secretKeyName string) (map[string]interface{}, error)) (RepoConfig, error) {
 
 	repoConfig := defaultRepoConfig(featureStore)
-	clientRepoConfig, err := getClientRepoConfig(featureStore, secretExtractionFunc)
+	clientRepoConfig, err := getClientRepoConfig(featureStore, secretExtractionFunc, nil)
 	if err != nil {
 		return repoConfig, err
 	}
@@ -217,7 +217,7 @@ func setRepoConfigOffline(services *feastdevv1alpha1.FeatureStoreServices, secre
 }
 
 func (feast *FeastServices) getClientFeatureStoreYaml(secretExtractionFunc func(storeType string, secretRef string, secretKeyName string) (map[string]interface{}, error)) ([]byte, error) {
-	clientRepo, err := getClientRepoConfig(feast.Handler.FeatureStore, secretExtractionFunc)
+	clientRepo, err := getClientRepoConfig(feast.Handler.FeatureStore, secretExtractionFunc, feast)
 	if err != nil {
 		return []byte{}, err
 	}
@@ -226,7 +226,8 @@ func (feast *FeastServices) getClientFeatureStoreYaml(secretExtractionFunc func(
 
 func getClientRepoConfig(
 	featureStore *feastdevv1alpha1.FeatureStore,
-	secretExtractionFunc func(storeType string, secretRef string, secretKeyName string) (map[string]interface{}, error)) (RepoConfig, error) {
+	secretExtractionFunc func(storeType string, secretRef string, secretKeyName string) (map[string]interface{}, error),
+	feast *FeastServices) (RepoConfig, error) {
 	status := featureStore.Status
 	appliedServices := status.Applied.Services
 	clientRepoConfig, err := getRepoConfig(featureStore, secretExtractionFunc)
@@ -241,7 +242,7 @@ func getClientRepoConfig(
 		}
 		if appliedServices.OfflineStore != nil &&
 			appliedServices.OfflineStore.Server != nil && appliedServices.OfflineStore.Server.TLS.IsTLS() {
-			clientRepoConfig.OfflineStore.Cert = GetTlsPath(OfflineFeastType) + appliedServices.OfflineStore.Server.TLS.SecretKeyNames.TlsCrt
+			clientRepoConfig.OfflineStore.Cert = getCertificatePath(feast, OfflineFeastType, appliedServices.OfflineStore.Server.TLS.SecretKeyNames.TlsCrt)
 			clientRepoConfig.OfflineStore.Port = HttpsPort
 			clientRepoConfig.OfflineStore.Scheme = HttpsScheme
 		}
@@ -254,7 +255,7 @@ func getClientRepoConfig(
 		}
 		if appliedServices.OnlineStore != nil &&
 			appliedServices.OnlineStore.Server != nil && appliedServices.OnlineStore.Server.TLS.IsTLS() {
-			clientRepoConfig.OnlineStore.Cert = GetTlsPath(OnlineFeastType) + appliedServices.OnlineStore.Server.TLS.SecretKeyNames.TlsCrt
+			clientRepoConfig.OnlineStore.Cert = getCertificatePath(feast, OnlineFeastType, appliedServices.OnlineStore.Server.TLS.SecretKeyNames.TlsCrt)
 			clientRepoConfig.OnlineStore.Path = HttpsScheme + onlinePath
 		}
 	}
@@ -264,9 +265,9 @@ func getClientRepoConfig(
 			Path:         status.ServiceHostnames.Registry,
 		}
 		if localRegistryTls(featureStore) {
-			clientRepoConfig.Registry.Cert = GetTlsPath(RegistryFeastType) + appliedServices.Registry.Local.Server.TLS.SecretKeyNames.TlsCrt
+			clientRepoConfig.Registry.Cert = getCertificatePath(feast, RegistryFeastType, appliedServices.Registry.Local.Server.TLS.SecretKeyNames.TlsCrt)
 		} else if remoteRegistryTls(featureStore) {
-			clientRepoConfig.Registry.Cert = GetTlsPath(RegistryFeastType) + appliedServices.Registry.Remote.TLS.CertName
+			clientRepoConfig.Registry.Cert = getCertificatePath(feast, RegistryFeastType, appliedServices.Registry.Remote.TLS.CertName)
 		}
 	}
 
@@ -415,3 +416,17 @@ var defaultOfflineStoreConfig = OfflineStoreConfig{
 var defaultAuthzConfig = AuthzConfig{
 	Type: NoAuthAuthType,
 }
+
+// getCertificatePath returns the appropriate certificate path based on whether a custom CA bundle is available
+func getCertificatePath(feast *FeastServices, feastType FeastServiceType, certFileName string) string {
+	// Check if custom CA bundle is available
+	if feast != nil {
+		customCaBundle := feast.GetCustomCertificatesBundle()
+		if customCaBundle.IsDefined {
+			// Use custom CA bundle path when available (for RHOAI/ODH deployments)
+			return tlsPathCustomCABundle
+		}
+	}
+	// Fall back to individual service certificate path
+	return GetTlsPath(feastType) + certFileName
+}
@@ -128,7 +128,7 @@ var _ = Describe("TLS Config", func() {
 			err = feast.ApplyDefaults()
 			Expect(err).ToNot(HaveOccurred())
 
-			repoConfig, err := getClientRepoConfig(feast.Handler.FeatureStore, emptyMockExtractConfigFromSecret)
+			repoConfig, err := getClientRepoConfig(feast.Handler.FeatureStore, emptyMockExtractConfigFromSecret, &feast)
 			Expect(err).NotTo(HaveOccurred())
 			Expect(repoConfig.OfflineStore.Port).To(Equal(HttpsPort))
 			Expect(repoConfig.OfflineStore.Scheme).To(Equal(HttpsScheme))
@@ -262,7 +262,7 @@ var _ = Describe("TLS Config", func() {
 			err = feast.ApplyDefaults()
 			Expect(err).ToNot(HaveOccurred())
 
-			repoConfig, err = getClientRepoConfig(feast.Handler.FeatureStore, emptyMockExtractConfigFromSecret)
+			repoConfig, err = getClientRepoConfig(feast.Handler.FeatureStore, emptyMockExtractConfigFromSecret, &feast)
 			Expect(err).NotTo(HaveOccurred())
 			Expect(repoConfig.OfflineStore.Port).To(Equal(HttpsPort))
 			Expect(repoConfig.OfflineStore.Scheme).To(Equal(HttpsScheme))