Skip to content

feat: Extended OIDC support to extract groups & namespaces and token injection with multiple methods #6089

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ntkathole merged 41 commits into from
Apr 7, 2026
Merged

feat: Extended OIDC support to extract groups & namespaces and token injection with multiple methods #6089

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
41 commits
Select commit Hold shift + click to select a range
493a6b9
feat: Extract groups and namespaces claims from JWT in OidcTokenParser
aniketpalu Mar 10, 2026
3db6db3
Minor formatting
aniketpalu Mar 10, 2026
0d59eca
feat: Allow Feast SDK to accept a pre-existing OIDC token without con…
aniketpalu Mar 10, 2026
36a5b06
fix: Raise error when configured token_env_var is empty
aniketpalu Mar 10, 2026
a478a80
Minor formatting changes
aniketpalu Mar 10, 2026
1483c6c
Activate _check_mutually_exclusive groups only when all fields are se…
aniketpalu Mar 10, 2026
34474af
Narrow OIDC client routing to use set-based key detection and extract…
aniketpalu Mar 11, 2026
505d6de
Fix .sort() assertions in test_token_parser.py that always compared N…
aniketpalu Mar 11, 2026
5c79fcf
Guard against missing roles key in resource_access to prevent unhandl…
aniketpalu Mar 11, 2026
e0359db
Fixed lint errors
aniketpalu Mar 11, 2026
7453349
Fixed lint error
aniketpalu Mar 11, 2026
4b4c1dd
Fixed lint errors
aniketpalu Mar 11, 2026
1353482
Added support to read ServiceAccount token and Minor improvements
aniketpalu Mar 11, 2026
86c9d76
Improved code readibility
aniketpalu Mar 11, 2026
5621f07
Minor reformatting
aniketpalu Mar 11, 2026
b5db157
fix: Use exact dict-key lookup for kubernetes.io claim to satisfy Cod…
aniketpalu Mar 12, 2026
1331057
feat: Add verify_ssl support to OIDC auth flow for self-signed certif…
aniketpalu Mar 20, 2026
a875169
feat: Lightweight SA token validation for OIDC auth — TokenReview onl…
aniketpalu Mar 23, 2026
7e59a53
Minor reformatting & lint related changes
aniketpalu Mar 23, 2026
611607b
Update sdk/python/feast/permissions/auth/oidc_token_parser.py
aniketpalu Mar 23, 2026
3c1e36b
fix: Restore missing return in intra-comm check and add error handlin…
aniketpalu Mar 23, 2026
c2c4863
Minor reformatting
aniketpalu Mar 23, 2026
eed8b02
Checks preferred_username first (Keycloak default), then falls back t…
aniketpalu Mar 23, 2026
593b95d
feat(operator): Split server/client OIDC config and add secretKeyName…
aniketpalu Mar 24, 2026
a1c75de
Reverted kustomization.yaml
aniketpalu Mar 24, 2026
88a389b
fix: Harden OIDC token parsing and make client_id optional
aniketpalu Mar 25, 2026
f632686
cache K8s client, eliminate double JWT decode, improve error messages
aniketpalu Apr 1, 2026
45666da
Minor formatting
aniketpalu Apr 1, 2026
0a59ad2
feat(odh): wire OIDC_ISSUER_URL from params.env into operator pod
GowthamShanmugam Mar 31, 2026
3557a15
Add issuerUrl to OidcAuthz CRD and OIDC_ISSUER_URL env var support fo…
aniketpalu Apr 6, 2026
30a04c2
Add caCertConfigMap to OidcAuthz CRD and ca_cert_path to SDK for self…
aniketpalu Apr 6, 2026
a967bc6
Reverted kustomization.yaml to use upstream image
aniketpalu Apr 6, 2026
c1d7c11
Shorten CRD field descriptions to fit maxDescLen=120 and revert kusto…
aniketpalu Apr 6, 2026
8aae62a
fix: Remove unused param, nil deref in test, and update secrets baseline
aniketpalu Apr 7, 2026
cacd649
fix: Remove unused secretExtractionFunc from client config chain and …
aniketpalu Apr 7, 2026
9200dd3
Merge branch 'master' into oidc-support
aniketpalu Apr 7, 2026
141c871
Remove always-nil error from getClientRepoConfig and stop leaking ODH…
aniketpalu Apr 7, 2026
bd81904
Remove always-nil error from getClientRepoConfig, stop leaking ODH CA…
aniketpalu Apr 7, 2026
66c3677
Thread ODH CA bundle detection into resolveOidcCACertPath for proper …
aniketpalu Apr 7, 2026
bb6fb52
Provision TokenReview RBAC for OIDC auth and add SSL error logging in…
aniketpalu Apr 7, 2026
2f3e7b9
Merge upstream/master into oidc-support and regenerate secrets baseline
aniketpalu Apr 7, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
feat(operator): Split server/client OIDC config and add secretKeyName… 
…, tokenEnvVar, verifySSL CRD fields

Signed-off-by: Aniket Paluskar <apaluska@redhat.com>
  • Loading branch information
@aniketpalu @ntkathole
aniketpalu authored and ntkathole committed Apr 6, 2026
commit 593b95d894e4d083d434f1fdeeb6bcc5598dabb2
15 changes: 15 additions & 0 deletions infra/feast-operator/api/v1/featurestore_types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -709,6 +709,21 @@ type KubernetesAuthz struct {
// https://auth0.com/docs/authenticate/protocols/openid-connect-protocol
type OidcAuthz struct {
SecretRef corev1.LocalObjectReference `json:"secretRef"`
// The key within the Secret that contains the OIDC configuration as a YAML-encoded value.
// When set, only this key is read and its YAML value is expected to contain the OIDC properties
// (e.g. client_id, auth_discovery_url). This allows sharing a single Secret across services.
// When unset, each top-level key in the Secret is treated as a separate OIDC property.
// +optional
SecretKeyName string `json:"secretKeyName,omitempty"`
// The name of the environment variable that client pods will use to read a pre-existing OIDC token.
// When set, the client feature_store.yaml will include token_env_var with this value.
// When unset, the client config is bare `type: oidc` which falls back to FEAST_OIDC_TOKEN or the pod's SA token.
// +optional
TokenEnvVar *string `json:"tokenEnvVar,omitempty"`
// Whether to verify SSL certificates when communicating with the OIDC provider.
// Defaults to true. Set to false for self-signed certificates (common in internal OpenShift clusters).
// +optional
VerifySSL *bool `json:"verifySSL,omitempty"`
}

// TlsConfigs configures server TLS for a feast service. in an openshift cluster, this is configured by default using service serving certificates.
Expand Down
12 changes: 11 additions & 1 deletion infra/feast-operator/api/v1/zz_generated.deepcopy.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion infra/feast-operator/bundle/manifests/feast-operator.clusterserviceversion.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@ metadata:
}
]
capabilities: Basic Install
createdAt: "2026-03-10T20:00:10Z"
createdAt: "2026-03-24T07:09:46Z"
operators.operatorframework.io/builder: operator-sdk-v1.38.0
operators.operatorframework.io/project_layout: go.kubebuilder.io/v4
name: feast-operator.v0.61.0
Expand Down
46 changes: 44 additions & 2 deletions infra/feast-operator/bundle/manifests/feast.dev_featurestores.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,10 @@ spec:
OidcAuthz defines the authorization settings for deployments using an Open ID Connect identity provider.
https://auth0.
properties:
secretKeyName:
description: The key within the Secret that contains the OIDC
configuration as a YAML-encoded value.
type: string
secretRef:
description: |-
LocalObjectReference contains enough information to let you locate the
Expand All @@ -76,6 +80,15 @@ spec:
type: string
type: object
x-kubernetes-map-type: atomic
tokenEnvVar:
description: The name of the environment variable that client
pods will use to read a pre-existing OIDC token.
Copy link
Copy Markdown
Collaborator

@jyejare jyejare Mar 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you clarify which client pods we are talking about here ?

Copy link
Copy Markdown
Contributor Author

@aniketpalu aniketpalu Apr 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"Client pods" refers to any pod running the Feast SDK as a client that connects to the Feast server. Would you like me to change description?

type: string
verifySSL:
description: |-
Whether to verify SSL certificates when communicating with the OIDC provider.
Defaults to true.
type: boolean
required:
- secretRef
type: object
Expand Down Expand Up @@ -3129,6 +3142,10 @@ spec:
x-kubernetes-validations:
- message: One selection required.
rule: '[has(self.local), has(self.remote)].exists_one(c, c)'
runFeastApplyOnInit:
description: Runs feast apply on pod start to populate the registry.
Defaults to true. Ignored when DisableInitContainers is true.
type: boolean
scaling:
description: Scaling configures horizontal scaling for the FeatureStore
deployment (e.g. HPA autoscaling).
Expand Down Expand Up @@ -5695,7 +5712,6 @@ spec:
type: object
required:
- feastProject
- replicas
type: object
x-kubernetes-validations:
- message: replicas > 1 and services.scaling.autoscaling are mutually
Expand Down Expand Up @@ -5754,6 +5770,10 @@ spec:
OidcAuthz defines the authorization settings for deployments using an Open ID Connect identity provider.
https://auth0.
properties:
secretKeyName:
description: The key within the Secret that contains the
OIDC configuration as a YAML-encoded value.
type: string
secretRef:
description: |-
LocalObjectReference contains enough information to let you locate the
Expand All @@ -5768,6 +5788,15 @@ spec:
type: string
type: object
x-kubernetes-map-type: atomic
tokenEnvVar:
description: The name of the environment variable that
client pods will use to read a pre-existing OIDC token.
type: string
verifySSL:
description: |-
Whether to verify SSL certificates when communicating with the OIDC provider.
Defaults to true.
type: boolean
required:
- secretRef
type: object
Expand Down Expand Up @@ -8871,6 +8900,11 @@ spec:
- message: One selection required.
rule: '[has(self.local), has(self.remote)].exists_one(c,
c)'
runFeastApplyOnInit:
description: Runs feast apply on pod start to populate the
registry. Defaults to true. Ignored when DisableInitContainers
is true.
type: boolean
scaling:
description: Scaling configures horizontal scaling for the
FeatureStore deployment (e.g. HPA autoscaling).
Expand Down Expand Up @@ -11458,7 +11492,6 @@ spec:
type: object
required:
- feastProject
- replicas
type: object
x-kubernetes-validations:
- message: replicas > 1 and services.scaling.autoscaling are mutually
Expand Down Expand Up @@ -13920,6 +13953,10 @@ spec:
x-kubernetes-validations:
- message: One selection required.
rule: '[has(self.local), has(self.remote)].exists_one(c, c)'
runFeastApplyOnInit:
description: Runs feast apply on pod start to populate the registry.
Defaults to true. Ignored when DisableInitContainers is true.
type: boolean
securityContext:
description: PodSecurityContext holds pod-level security attributes
and common container settings.
Expand Down Expand Up @@ -18163,6 +18200,11 @@ spec:
- message: One selection required.
rule: '[has(self.local), has(self.remote)].exists_one(c,
c)'
runFeastApplyOnInit:
description: Runs feast apply on pod start to populate the
registry. Defaults to true. Ignored when DisableInitContainers
is true.
type: boolean
securityContext:
description: PodSecurityContext holds pod-level security attributes
and common container settings.
Expand Down
26 changes: 26 additions & 0 deletions infra/feast-operator/config/crd/bases/feast.dev_featurestores.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,10 @@ spec:
OidcAuthz defines the authorization settings for deployments using an Open ID Connect identity provider.
https://auth0.
properties:
secretKeyName:
description: The key within the Secret that contains the OIDC
configuration as a YAML-encoded value.
type: string
secretRef:
description: |-
LocalObjectReference contains enough information to let you locate the
Expand All @@ -76,6 +80,15 @@ spec:
type: string
type: object
x-kubernetes-map-type: atomic
tokenEnvVar:
description: The name of the environment variable that client
pods will use to read a pre-existing OIDC token.
type: string
verifySSL:
description: |-
Whether to verify SSL certificates when communicating with the OIDC provider.
Defaults to true.
type: boolean
required:
- secretRef
type: object
Expand Down Expand Up @@ -5757,6 +5770,10 @@ spec:
OidcAuthz defines the authorization settings for deployments using an Open ID Connect identity provider.
https://auth0.
properties:
secretKeyName:
description: The key within the Secret that contains the
OIDC configuration as a YAML-encoded value.
type: string
secretRef:
description: |-
LocalObjectReference contains enough information to let you locate the
Expand All @@ -5771,6 +5788,15 @@ spec:
type: string
type: object
x-kubernetes-map-type: atomic
tokenEnvVar:
description: The name of the environment variable that
client pods will use to read a pre-existing OIDC token.
type: string
verifySSL:
description: |-
Whether to verify SSL certificates when communicating with the OIDC provider.
Defaults to true.
type: boolean
required:
- secretRef
type: object
Expand Down
4 changes: 2 additions & 2 deletions infra/feast-operator/config/manager/kustomization.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,5 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
images:
- name: controller
newName: quay.io/feastdev/feast-operator
newTag: 0.61.0
newName: quay.io/aniket-redhat/feast-operator
Comment thread
aniketpalu marked this conversation as resolved.
Outdated
newTag: oidc-op-0.1
Comment thread
aniketpalu marked this conversation as resolved.
Outdated
26 changes: 26 additions & 0 deletions infra/feast-operator/dist/install.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,10 @@ spec:
OidcAuthz defines the authorization settings for deployments using an Open ID Connect identity provider.
https://auth0.
properties:
secretKeyName:
description: The key within the Secret that contains the OIDC
configuration as a YAML-encoded value.
type: string
secretRef:
description: |-
LocalObjectReference contains enough information to let you locate the
Expand All @@ -84,6 +88,15 @@ spec:
type: string
type: object
x-kubernetes-map-type: atomic
tokenEnvVar:
description: The name of the environment variable that client
pods will use to read a pre-existing OIDC token.
type: string
verifySSL:
description: |-
Whether to verify SSL certificates when communicating with the OIDC provider.
Defaults to true.
type: boolean
required:
- secretRef
type: object
Expand Down Expand Up @@ -5765,6 +5778,10 @@ spec:
OidcAuthz defines the authorization settings for deployments using an Open ID Connect identity provider.
https://auth0.
properties:
secretKeyName:
description: The key within the Secret that contains the
OIDC configuration as a YAML-encoded value.
type: string
secretRef:
description: |-
LocalObjectReference contains enough information to let you locate the
Expand All @@ -5779,6 +5796,15 @@ spec:
type: string
type: object
x-kubernetes-map-type: atomic
tokenEnvVar:
description: The name of the environment variable that
client pods will use to read a pre-existing OIDC token.
type: string
verifySSL:
description: |-
Whether to verify SSL certificates when communicating with the OIDC provider.
Defaults to true.
type: boolean
required:
- secretRef
type: object
Expand Down
9 changes: 9 additions & 0 deletions infra/feast-operator/docs/api/markdown/ref.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -543,6 +543,15 @@ _Appears in:_
| Field | Description |
| --- | --- |
| `secretRef` _[LocalObjectReference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#localobjectreference-v1-core)_ | |
| `secretKeyName` _string_ | The key within the Secret that contains the OIDC configuration as a YAML-encoded value.
When set, only this key is read and its YAML value is expected to contain the OIDC properties
(e.g. client_id, auth_discovery_url). This allows sharing a single Secret across services.
When unset, each top-level key in the Secret is treated as a separate OIDC property. |
| `tokenEnvVar` _string_ | The name of the environment variable that client pods will use to read a pre-existing OIDC token.
When set, the client feature_store.yaml will include token_env_var with this value.
When unset, the client config is bare `type: oidc` which falls back to FEAST_OIDC_TOKEN or the pod's SA token. |
| `verifySSL` _boolean_ | Whether to verify SSL certificates when communicating with the OIDC provider.
Defaults to true. Set to false for self-signed certificates (common in internal OpenShift clusters). |


#### OnlineStore
Expand Down
6 changes: 0 additions & 6 deletions infra/feast-operator/internal/controller/featurestore_controller_oidc_auth_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -496,12 +496,6 @@ func expectedServerOidcAuthorizConfig() services.AuthzConfig {
func expectedClientOidcAuthorizConfig() services.AuthzConfig {
return services.AuthzConfig{
Type: services.OidcAuthType,
OidcParameters: map[string]interface{}{
string(services.OidcClientId): "client-id",
string(services.OidcAuthDiscoveryUrl): "auth-discovery-url",
string(services.OidcClientSecret): "client-secret",
string(services.OidcUsername): "username",
string(services.OidcPassword): "password"},
}
}

Expand Down
36 changes: 19 additions & 17 deletions infra/feast-operator/internal/controller/services/repo_config.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -101,24 +101,34 @@ func getBaseServiceRepoConfig(
if isRemoteRegistry(featureStore) {
repoConfig.Registry = clientRepoConfig.Registry
}
repoConfig.AuthzConfig = clientRepoConfig.AuthzConfig

appliedSpec := featureStore.Status.Applied
if appliedSpec.AuthzConfig != nil && appliedSpec.AuthzConfig.OidcAuthz != nil {
propertiesMap, authSecretErr := secretExtractionFunc("", appliedSpec.AuthzConfig.OidcAuthz.SecretRef.Name, "")
repoConfig.AuthzConfig = AuthzConfig{Type: OidcAuthType}

propertiesMap, authSecretErr := secretExtractionFunc("", appliedSpec.AuthzConfig.OidcAuthz.SecretRef.Name, appliedSpec.AuthzConfig.OidcAuthz.SecretKeyName)
if authSecretErr != nil {
return repoConfig, authSecretErr
}

oidcParameters := map[string]interface{}{}
for _, oidcProperty := range OidcProperties {
for _, oidcProperty := range OidcServerProperties {
if val, exists := propertiesMap[string(oidcProperty)]; exists {
oidcParameters[string(oidcProperty)] = val
} else {
return repoConfig, missingOidcSecretProperty(oidcProperty)
}
}
for _, oidcProperty := range OidcOptionalSecretProperties {
if val, exists := propertiesMap[string(oidcProperty)]; exists {
oidcParameters[string(oidcProperty)] = val
}
}
if appliedSpec.AuthzConfig.OidcAuthz.VerifySSL != nil {
oidcParameters[string(OidcVerifySsl)] = *appliedSpec.AuthzConfig.OidcAuthz.VerifySSL
}
repoConfig.AuthzConfig.OidcParameters = oidcParameters
} else {
repoConfig.AuthzConfig = clientRepoConfig.AuthzConfig
}

return repoConfig, nil
Expand Down Expand Up @@ -356,21 +366,13 @@ func getRepoConfig(
repoConfig.AuthzConfig = AuthzConfig{
Type: OidcAuthType,
}

propertiesMap, err := secretExtractionFunc("", status.Applied.AuthzConfig.OidcAuthz.SecretRef.Name, "")
if err != nil {
return repoConfig, err
}

oidcClientProperties := map[string]interface{}{}
for _, oidcProperty := range OidcProperties {
if val, exists := propertiesMap[string(oidcProperty)]; exists {
oidcClientProperties[string(oidcProperty)] = val
} else {
return repoConfig, missingOidcSecretProperty(oidcProperty)
}
if status.Applied.AuthzConfig.OidcAuthz.TokenEnvVar != nil {
oidcClientProperties[string(OidcTokenEnvVar)] = *status.Applied.AuthzConfig.OidcAuthz.TokenEnvVar
}
if len(oidcClientProperties) > 0 {
repoConfig.AuthzConfig.OidcParameters = oidcClientProperties
}
repoConfig.AuthzConfig.OidcParameters = oidcClientProperties
}
}
return repoConfig, nil
Expand Down
Loading