Skip to content

feat: Extended OIDC support to extract groups & namespaces and token injection with multiple methods #6089

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ntkathole merged 41 commits into from
Apr 7, 2026
Merged

feat: Extended OIDC support to extract groups & namespaces and token injection with multiple methods #6089

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
41 commits
Select commit Hold shift + click to select a range
493a6b9
feat: Extract groups and namespaces claims from JWT in OidcTokenParser
aniketpalu Mar 10, 2026
3db6db3
Minor formatting
aniketpalu Mar 10, 2026
0d59eca
feat: Allow Feast SDK to accept a pre-existing OIDC token without con…
aniketpalu Mar 10, 2026
36a5b06
fix: Raise error when configured token_env_var is empty
aniketpalu Mar 10, 2026
a478a80
Minor formatting changes
aniketpalu Mar 10, 2026
1483c6c
Activate _check_mutually_exclusive groups only when all fields are se…
aniketpalu Mar 10, 2026
34474af
Narrow OIDC client routing to use set-based key detection and extract…
aniketpalu Mar 11, 2026
505d6de
Fix .sort() assertions in test_token_parser.py that always compared N…
aniketpalu Mar 11, 2026
5c79fcf
Guard against missing roles key in resource_access to prevent unhandl…
aniketpalu Mar 11, 2026
e0359db
Fixed lint errors
aniketpalu Mar 11, 2026
7453349
Fixed lint error
aniketpalu Mar 11, 2026
4b4c1dd
Fixed lint errors
aniketpalu Mar 11, 2026
1353482
Added support to read ServiceAccount token and Minor improvements
aniketpalu Mar 11, 2026
86c9d76
Improved code readibility
aniketpalu Mar 11, 2026
5621f07
Minor reformatting
aniketpalu Mar 11, 2026
b5db157
fix: Use exact dict-key lookup for kubernetes.io claim to satisfy Cod…
aniketpalu Mar 12, 2026
1331057
feat: Add verify_ssl support to OIDC auth flow for self-signed certif…
aniketpalu Mar 20, 2026
a875169
feat: Lightweight SA token validation for OIDC auth — TokenReview onl…
aniketpalu Mar 23, 2026
7e59a53
Minor reformatting & lint related changes
aniketpalu Mar 23, 2026
611607b
Update sdk/python/feast/permissions/auth/oidc_token_parser.py
aniketpalu Mar 23, 2026
3c1e36b
fix: Restore missing return in intra-comm check and add error handlin…
aniketpalu Mar 23, 2026
c2c4863
Minor reformatting
aniketpalu Mar 23, 2026
eed8b02
Checks preferred_username first (Keycloak default), then falls back t…
aniketpalu Mar 23, 2026
593b95d
feat(operator): Split server/client OIDC config and add secretKeyName…
aniketpalu Mar 24, 2026
a1c75de
Reverted kustomization.yaml
aniketpalu Mar 24, 2026
88a389b
fix: Harden OIDC token parsing and make client_id optional
aniketpalu Mar 25, 2026
f632686
cache K8s client, eliminate double JWT decode, improve error messages
aniketpalu Apr 1, 2026
45666da
Minor formatting
aniketpalu Apr 1, 2026
0a59ad2
feat(odh): wire OIDC_ISSUER_URL from params.env into operator pod
GowthamShanmugam Mar 31, 2026
3557a15
Add issuerUrl to OidcAuthz CRD and OIDC_ISSUER_URL env var support fo…
aniketpalu Apr 6, 2026
30a04c2
Add caCertConfigMap to OidcAuthz CRD and ca_cert_path to SDK for self…
aniketpalu Apr 6, 2026
a967bc6
Reverted kustomization.yaml to use upstream image
aniketpalu Apr 6, 2026
c1d7c11
Shorten CRD field descriptions to fit maxDescLen=120 and revert kusto…
aniketpalu Apr 6, 2026
8aae62a
fix: Remove unused param, nil deref in test, and update secrets baseline
aniketpalu Apr 7, 2026
cacd649
fix: Remove unused secretExtractionFunc from client config chain and …
aniketpalu Apr 7, 2026
9200dd3
Merge branch 'master' into oidc-support
aniketpalu Apr 7, 2026
141c871
Remove always-nil error from getClientRepoConfig and stop leaking ODH…
aniketpalu Apr 7, 2026
bd81904
Remove always-nil error from getClientRepoConfig, stop leaking ODH CA…
aniketpalu Apr 7, 2026
66c3677
Thread ODH CA bundle detection into resolveOidcCACertPath for proper …
aniketpalu Apr 7, 2026
bb6fb52
Provision TokenReview RBAC for OIDC auth and add SSL error logging in…
aniketpalu Apr 7, 2026
2f3e7b9
Merge upstream/master into oidc-support and regenerate secrets baseline
aniketpalu Apr 7, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Add issuerUrl to OidcAuthz CRD and OIDC_ISSUER_URL env var support fo… 
…r Secret-less OIDC configuration

Signed-off-by: Aniket Paluskar <apaluska@redhat.com>
  • Loading branch information
@aniketpalu
aniketpalu committed Apr 7, 2026
commit 3557a15af54b0892d39b9c876e64e373954df068
11 changes: 10 additions & 1 deletion infra/feast-operator/api/v1/featurestore_types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -708,7 +708,16 @@ type KubernetesAuthz struct {
// OidcAuthz defines the authorization settings for deployments using an Open ID Connect identity provider.
// https://auth0.com/docs/authenticate/protocols/openid-connect-protocol
type OidcAuthz struct {
SecretRef corev1.LocalObjectReference `json:"secretRef"`
// The OIDC issuer URL (e.g. "https://keycloak.example.com/realms/myrealm").
// The operator derives the OIDC discovery endpoint by appending /.well-known/openid-configuration.
// When set, no Secret is required for basic OIDC authentication.
// +optional
// +kubebuilder:validation:Pattern=`^https://\S+$`
IssuerUrl string `json:"issuerUrl,omitempty"`
// Reference to a Secret containing OIDC properties (auth_discovery_url, client_id, client_secret, etc.).
// When both issuerUrl and a Secret with auth_discovery_url are provided, issuerUrl takes precedence.
// +optional
SecretRef *corev1.LocalObjectReference `json:"secretRef,omitempty"`
// The key within the Secret that contains the OIDC configuration as a YAML-encoded value.
// When set, only this key is read and its YAML value is expected to contain the OIDC properties
// (e.g. client_id, auth_discovery_url). This allows sharing a single Secret across services.
Expand Down
6 changes: 5 additions & 1 deletion infra/feast-operator/api/v1/zz_generated.deepcopy.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

14 changes: 13 additions & 1 deletion infra/feast-operator/bundle/manifests/feast-operator.clusterserviceversion.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@ metadata:
}
]
capabilities: Basic Install
createdAt: "2026-03-24T07:09:46Z"
createdAt: "2026-04-06T12:13:16Z"
operators.operatorframework.io/builder: operator-sdk-v1.38.0
operators.operatorframework.io/project_layout: go.kubebuilder.io/v4
name: feast-operator.v0.61.0
Expand Down Expand Up @@ -175,6 +175,17 @@ spec:
- get
- patch
- update
- apiGroups:
- monitoring.coreos.com
resources:
- servicemonitors
verbs:
- create
- delete
- get
- list
- patch
- watch
- apiGroups:
- policy
resources:
Expand Down Expand Up @@ -259,6 +270,7 @@ spec:
value: quay.io/feastdev/feature-server:0.61.0
- name: RELATED_IMAGE_CRON_JOB
value: quay.io/openshift/origin-cli:4.17
- name: OIDC_ISSUER_URL
Copy link
Copy Markdown
Contributor

@devin-ai-integration devin-ai-integration Bot Apr 6, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 OIDC_ISSUER_URL env var missing value: field in bundle CSV makes OLM deployment spec invalid

In the operator's OLM bundle CSV at line 273, the OIDC_ISSUER_URL env entry is missing a value: key. Compare the correct form in config/manager/manager.yaml:82-83 which has value: "". Without value:, the YAML parser treats the next line (image: quay.io/...) as a key within the env var map entry rather than a sibling container-level field. This makes the container spec structurally invalid: the container loses its image field entirely. OLM deployments using this CSV will fail to create the operator pod.

Expected vs actual YAML structure

Expected (from config/manager/manager.yaml):

- name: OIDC_ISSUER_URL
  value: ""
image: quay.io/feastdev/feast-operator:0.61.0

Actual (bundle CSV):

- name: OIDC_ISSUER_URL
image: quay.io/feastdev/feast-operator:0.61.0
Open in Devin Review

Was this helpful? React with 👍 or 👎 to provide feedback.

Copy link
Copy Markdown
Contributor Author

@aniketpalu aniketpalu Apr 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

operator-sdk generate bundle strips value: "" from env vars by design. This is a known operator-sdk behavior as it considers value: "" equivalent to absent and removes it during YAML serialization. The source manager.yaml has value: "", kustomize build (install.yaml) preserves it, but operator-sdk (CSV) strips it.

image: quay.io/feastdev/feast-operator:0.61.0
livenessProbe:
httpGet:
Expand Down
28 changes: 15 additions & 13 deletions infra/feast-operator/bundle/manifests/feast.dev_featurestores.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -62,14 +62,17 @@ spec:
OidcAuthz defines the authorization settings for deployments using an Open ID Connect identity provider.
https://auth0.
properties:
issuerUrl:
description: The OIDC issuer URL (e.g. "https://keycloak.example.com/realms/myrealm").
pattern: ^https://\S+$
type: string
secretKeyName:
description: The key within the Secret that contains the OIDC
configuration as a YAML-encoded value.
type: string
secretRef:
description: |-
LocalObjectReference contains enough information to let you locate the
referenced object inside the same namespace.
description: Reference to a Secret containing OIDC properties
(auth_discovery_url, client_id, client_secret, etc.).
properties:
name:
default: ""
Expand All @@ -81,16 +84,14 @@ spec:
type: object
x-kubernetes-map-type: atomic
tokenEnvVar:
description: The name of the environment variable that client
pods will use to read a pre-existing OIDC token.
description: The name of the environment variable that Feast
SDK client pods (e.g.
type: string
verifySSL:
description: |-
Whether to verify SSL certificates when communicating with the OIDC provider.
Defaults to true.
type: boolean
required:
- secretRef
type: object
type: object
x-kubernetes-validations:
Expand Down Expand Up @@ -5770,14 +5771,17 @@ spec:
OidcAuthz defines the authorization settings for deployments using an Open ID Connect identity provider.
https://auth0.
properties:
issuerUrl:
description: The OIDC issuer URL (e.g. "https://keycloak.example.com/realms/myrealm").
pattern: ^https://\S+$
type: string
secretKeyName:
description: The key within the Secret that contains the
OIDC configuration as a YAML-encoded value.
type: string
secretRef:
description: |-
LocalObjectReference contains enough information to let you locate the
referenced object inside the same namespace.
description: Reference to a Secret containing OIDC properties
(auth_discovery_url, client_id, client_secret, etc.).
properties:
name:
default: ""
Expand All @@ -5790,15 +5794,13 @@ spec:
x-kubernetes-map-type: atomic
tokenEnvVar:
description: The name of the environment variable that
client pods will use to read a pre-existing OIDC token.
Feast SDK client pods (e.g.
type: string
verifySSL:
description: |-
Whether to verify SSL certificates when communicating with the OIDC provider.
Defaults to true.
type: boolean
required:
- secretRef
type: object
type: object
x-kubernetes-validations:
Expand Down
28 changes: 15 additions & 13 deletions infra/feast-operator/config/crd/bases/feast.dev_featurestores.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -62,14 +62,17 @@ spec:
OidcAuthz defines the authorization settings for deployments using an Open ID Connect identity provider.
https://auth0.
properties:
issuerUrl:
description: The OIDC issuer URL (e.g. "https://keycloak.example.com/realms/myrealm").
pattern: ^https://\S+$
type: string
secretKeyName:
description: The key within the Secret that contains the OIDC
configuration as a YAML-encoded value.
type: string
secretRef:
description: |-
LocalObjectReference contains enough information to let you locate the
referenced object inside the same namespace.
description: Reference to a Secret containing OIDC properties
(auth_discovery_url, client_id, client_secret, etc.).
properties:
name:
default: ""
Expand All @@ -81,16 +84,14 @@ spec:
type: object
x-kubernetes-map-type: atomic
tokenEnvVar:
description: The name of the environment variable that client
pods will use to read a pre-existing OIDC token.
description: The name of the environment variable that Feast
SDK client pods (e.g.
type: string
verifySSL:
description: |-
Whether to verify SSL certificates when communicating with the OIDC provider.
Defaults to true.
type: boolean
required:
- secretRef
type: object
type: object
x-kubernetes-validations:
Expand Down Expand Up @@ -5770,14 +5771,17 @@ spec:
OidcAuthz defines the authorization settings for deployments using an Open ID Connect identity provider.
https://auth0.
properties:
issuerUrl:
description: The OIDC issuer URL (e.g. "https://keycloak.example.com/realms/myrealm").
pattern: ^https://\S+$
type: string
secretKeyName:
description: The key within the Secret that contains the
OIDC configuration as a YAML-encoded value.
type: string
secretRef:
description: |-
LocalObjectReference contains enough information to let you locate the
referenced object inside the same namespace.
description: Reference to a Secret containing OIDC properties
(auth_discovery_url, client_id, client_secret, etc.).
properties:
name:
default: ""
Expand All @@ -5790,15 +5794,13 @@ spec:
x-kubernetes-map-type: atomic
tokenEnvVar:
description: The name of the environment variable that
client pods will use to read a pre-existing OIDC token.
Feast SDK client pods (e.g.
type: string
verifySSL:
description: |-
Whether to verify SSL certificates when communicating with the OIDC provider.
Defaults to true.
type: boolean
required:
- secretRef
type: object
type: object
x-kubernetes-validations:
Expand Down
4 changes: 2 additions & 2 deletions infra/feast-operator/config/manager/kustomization.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,5 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
images:
- name: controller
newName: quay.io/feastdev/feast-operator
newTag: 0.61.0
newName: quay.io/aniket-redhat/feast-operator
Comment thread
aniketpalu marked this conversation as resolved.
Outdated
newTag: oidc-op-0.4
30 changes: 17 additions & 13 deletions infra/feast-operator/dist/install.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,14 +70,17 @@ spec:
OidcAuthz defines the authorization settings for deployments using an Open ID Connect identity provider.
https://auth0.
properties:
issuerUrl:
description: The OIDC issuer URL (e.g. "https://keycloak.example.com/realms/myrealm").
pattern: ^https://\S+$
type: string
secretKeyName:
description: The key within the Secret that contains the OIDC
configuration as a YAML-encoded value.
type: string
secretRef:
description: |-
LocalObjectReference contains enough information to let you locate the
referenced object inside the same namespace.
description: Reference to a Secret containing OIDC properties
(auth_discovery_url, client_id, client_secret, etc.).
properties:
name:
default: ""
Expand All @@ -89,16 +92,14 @@ spec:
type: object
x-kubernetes-map-type: atomic
tokenEnvVar:
description: The name of the environment variable that client
pods will use to read a pre-existing OIDC token.
description: The name of the environment variable that Feast
SDK client pods (e.g.
type: string
verifySSL:
description: |-
Whether to verify SSL certificates when communicating with the OIDC provider.
Defaults to true.
type: boolean
required:
- secretRef
type: object
type: object
x-kubernetes-validations:
Expand Down Expand Up @@ -5778,14 +5779,17 @@ spec:
OidcAuthz defines the authorization settings for deployments using an Open ID Connect identity provider.
https://auth0.
properties:
issuerUrl:
description: The OIDC issuer URL (e.g. "https://keycloak.example.com/realms/myrealm").
pattern: ^https://\S+$
type: string
secretKeyName:
description: The key within the Secret that contains the
OIDC configuration as a YAML-encoded value.
type: string
secretRef:
description: |-
LocalObjectReference contains enough information to let you locate the
referenced object inside the same namespace.
description: Reference to a Secret containing OIDC properties
(auth_discovery_url, client_id, client_secret, etc.).
properties:
name:
default: ""
Expand All @@ -5798,15 +5802,13 @@ spec:
x-kubernetes-map-type: atomic
tokenEnvVar:
description: The name of the environment variable that
client pods will use to read a pre-existing OIDC token.
Feast SDK client pods (e.g.
type: string
verifySSL:
description: |-
Whether to verify SSL certificates when communicating with the OIDC provider.
Defaults to true.
type: boolean
required:
- secretRef
type: object
type: object
x-kubernetes-validations:
Expand Down Expand Up @@ -20609,6 +20611,8 @@ spec:
value: quay.io/feastdev/feature-server:0.61.0
- name: RELATED_IMAGE_CRON_JOB
value: quay.io/openshift/origin-cli:4.17
- name: OIDC_ISSUER_URL
value: ""
image: quay.io/feastdev/feast-operator:0.61.0
livenessProbe:
httpGet:
Expand Down
9 changes: 7 additions & 2 deletions infra/feast-operator/docs/api/markdown/ref.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -542,12 +542,17 @@ _Appears in:_

| Field | Description |
| --- | --- |
| `secretRef` _[LocalObjectReference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#localobjectreference-v1-core)_ | |
| `issuerUrl` _string_ | The OIDC issuer URL (e.g. "https://keycloak.example.com/realms/myrealm").
The operator derives the OIDC discovery endpoint by appending /.well-known/openid-configuration.
When set, no Secret is required for basic OIDC authentication. |
| `secretRef` _[LocalObjectReference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#localobjectreference-v1-core)_ | Reference to a Secret containing OIDC properties (auth_discovery_url, client_id, client_secret, etc.).
When both issuerUrl and a Secret with auth_discovery_url are provided, issuerUrl takes precedence. |
| `secretKeyName` _string_ | The key within the Secret that contains the OIDC configuration as a YAML-encoded value.
When set, only this key is read and its YAML value is expected to contain the OIDC properties
(e.g. client_id, auth_discovery_url). This allows sharing a single Secret across services.
When unset, each top-level key in the Secret is treated as a separate OIDC property. |
| `tokenEnvVar` _string_ | The name of the environment variable that client pods will use to read a pre-existing OIDC token.
| `tokenEnvVar` _string_ | The name of the environment variable that Feast SDK client pods (e.g. workbenches, application pods)
will read a pre-existing OIDC token from.
When set, the client feature_store.yaml will include token_env_var with this value.
When unset, the client config is bare `type: oidc` which falls back to FEAST_OIDC_TOKEN or the pod's SA token. |
| `verifySSL` _boolean_ | Whether to verify SSL certificates when communicating with the OIDC provider.
Expand Down
6 changes: 3 additions & 3 deletions infra/feast-operator/internal/controller/featurestore_controller_oidc_auth_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -77,7 +77,7 @@ var _ = Describe("FeatureStore Controller-OIDC authorization", func() {
if err != nil && errors.IsNotFound(err) {
resource := createFeatureStoreResource(resourceName, image, pullPolicy, &[]corev1.EnvVar{}, withEnvFrom())
resource.Spec.AuthzConfig = &feastdevv1.AuthzConfig{OidcAuthz: &feastdevv1.OidcAuthz{
SecretRef: corev1.LocalObjectReference{
SecretRef: &corev1.LocalObjectReference{
Name: oidcSecretName,
},
}}
Expand Down Expand Up @@ -134,7 +134,7 @@ var _ = Describe("FeatureStore Controller-OIDC authorization", func() {
Expect(resource.Status.Applied.FeastProject).To(Equal(resource.Spec.FeastProject))
expectedAuthzConfig := &feastdevv1.AuthzConfig{
OidcAuthz: &feastdevv1.OidcAuthz{
SecretRef: corev1.LocalObjectReference{
SecretRef: &corev1.LocalObjectReference{
Name: oidcSecretName,
},
},
Expand Down Expand Up @@ -476,7 +476,7 @@ var _ = Describe("FeatureStore Controller-OIDC authorization", func() {
Expect(cond.Status).To(Equal(metav1.ConditionFalse))
Expect(cond.Reason).To(Equal(feastdevv1.FailedReason))
Expect(cond.Type).To(Equal(feastdevv1.ReadyType))
Expect(cond.Message).To(ContainSubstring("missing OIDC"))
Expect(cond.Message).To(ContainSubstring("OIDC discovery URL"))
})
})
})
Expand Down
Loading