Skip to content

feat: Extended OIDC support to extract groups & namespaces and token injection with multiple methods #6089

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ntkathole merged 41 commits into from
Apr 7, 2026
Merged

feat: Extended OIDC support to extract groups & namespaces and token injection with multiple methods #6089

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
41 commits
Select commit Hold shift + click to select a range
493a6b9
feat: Extract groups and namespaces claims from JWT in OidcTokenParser
aniketpalu Mar 10, 2026
3db6db3
Minor formatting
aniketpalu Mar 10, 2026
0d59eca
feat: Allow Feast SDK to accept a pre-existing OIDC token without con…
aniketpalu Mar 10, 2026
36a5b06
fix: Raise error when configured token_env_var is empty
aniketpalu Mar 10, 2026
a478a80
Minor formatting changes
aniketpalu Mar 10, 2026
1483c6c
Activate _check_mutually_exclusive groups only when all fields are se…
aniketpalu Mar 10, 2026
34474af
Narrow OIDC client routing to use set-based key detection and extract…
aniketpalu Mar 11, 2026
505d6de
Fix .sort() assertions in test_token_parser.py that always compared N…
aniketpalu Mar 11, 2026
5c79fcf
Guard against missing roles key in resource_access to prevent unhandl…
aniketpalu Mar 11, 2026
e0359db
Fixed lint errors
aniketpalu Mar 11, 2026
7453349
Fixed lint error
aniketpalu Mar 11, 2026
4b4c1dd
Fixed lint errors
aniketpalu Mar 11, 2026
1353482
Added support to read ServiceAccount token and Minor improvements
aniketpalu Mar 11, 2026
86c9d76
Improved code readibility
aniketpalu Mar 11, 2026
5621f07
Minor reformatting
aniketpalu Mar 11, 2026
b5db157
fix: Use exact dict-key lookup for kubernetes.io claim to satisfy Cod…
aniketpalu Mar 12, 2026
1331057
feat: Add verify_ssl support to OIDC auth flow for self-signed certif…
aniketpalu Mar 20, 2026
a875169
feat: Lightweight SA token validation for OIDC auth — TokenReview onl…
aniketpalu Mar 23, 2026
7e59a53
Minor reformatting & lint related changes
aniketpalu Mar 23, 2026
611607b
Update sdk/python/feast/permissions/auth/oidc_token_parser.py
aniketpalu Mar 23, 2026
3c1e36b
fix: Restore missing return in intra-comm check and add error handlin…
aniketpalu Mar 23, 2026
c2c4863
Minor reformatting
aniketpalu Mar 23, 2026
eed8b02
Checks preferred_username first (Keycloak default), then falls back t…
aniketpalu Mar 23, 2026
593b95d
feat(operator): Split server/client OIDC config and add secretKeyName…
aniketpalu Mar 24, 2026
a1c75de
Reverted kustomization.yaml
aniketpalu Mar 24, 2026
88a389b
fix: Harden OIDC token parsing and make client_id optional
aniketpalu Mar 25, 2026
f632686
cache K8s client, eliminate double JWT decode, improve error messages
aniketpalu Apr 1, 2026
45666da
Minor formatting
aniketpalu Apr 1, 2026
0a59ad2
feat(odh): wire OIDC_ISSUER_URL from params.env into operator pod
GowthamShanmugam Mar 31, 2026
3557a15
Add issuerUrl to OidcAuthz CRD and OIDC_ISSUER_URL env var support fo…
aniketpalu Apr 6, 2026
30a04c2
Add caCertConfigMap to OidcAuthz CRD and ca_cert_path to SDK for self…
aniketpalu Apr 6, 2026
a967bc6
Reverted kustomization.yaml to use upstream image
aniketpalu Apr 6, 2026
c1d7c11
Shorten CRD field descriptions to fit maxDescLen=120 and revert kusto…
aniketpalu Apr 6, 2026
8aae62a
fix: Remove unused param, nil deref in test, and update secrets baseline
aniketpalu Apr 7, 2026
cacd649
fix: Remove unused secretExtractionFunc from client config chain and …
aniketpalu Apr 7, 2026
9200dd3
Merge branch 'master' into oidc-support
aniketpalu Apr 7, 2026
141c871
Remove always-nil error from getClientRepoConfig and stop leaking ODH…
aniketpalu Apr 7, 2026
bd81904
Remove always-nil error from getClientRepoConfig, stop leaking ODH CA…
aniketpalu Apr 7, 2026
66c3677
Thread ODH CA bundle detection into resolveOidcCACertPath for proper …
aniketpalu Apr 7, 2026
bb6fb52
Provision TokenReview RBAC for OIDC auth and add SSL error logging in…
aniketpalu Apr 7, 2026
2f3e7b9
Merge upstream/master into oidc-support and regenerate secrets baseline
aniketpalu Apr 7, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
fix: Remove unused secretExtractionFunc from client config chain and … 
…fix mypy attr-defined error

Signed-off-by: Aniket Paluskar <apaluska@redhat.com>
  • Loading branch information
@aniketpalu
aniketpalu committed Apr 7, 2026
commit cacd6493a31b02573bf986a66f6b28cdf744eea3
2 changes: 1 addition & 1 deletion infra/feast-operator/internal/controller/services/client.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ func (feast *FeastServices) createClientConfigMap() error {

func (feast *FeastServices) setClientConfigMap(cm *corev1.ConfigMap) error {
cm.Labels = feast.getFeastTypeLabels(ClientFeastType)
clientYaml, err := feast.getClientFeatureStoreYaml(feast.extractConfigFromSecret)
clientYaml, err := feast.getClientFeatureStoreYaml()
if err != nil {
return err
}
Expand Down
16 changes: 6 additions & 10 deletions infra/feast-operator/internal/controller/services/repo_config.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -97,7 +97,7 @@ func getBaseServiceRepoConfig(
secretExtractionFunc func(storeType string, secretRef string, secretKeyName string) (map[string]interface{}, error)) (RepoConfig, error) {

repoConfig := defaultRepoConfig(featureStore)
clientRepoConfig, err := getClientRepoConfig(featureStore, secretExtractionFunc, nil)
clientRepoConfig, err := getClientRepoConfig(featureStore, nil)
if err != nil {
return repoConfig, err
}
Expand Down Expand Up @@ -340,8 +340,8 @@ func setRepoConfigBatchEngine(
return nil
}

func (feast *FeastServices) getClientFeatureStoreYaml(secretExtractionFunc func(storeType string, secretRef string, secretKeyName string) (map[string]interface{}, error)) ([]byte, error) {
clientRepo, err := getClientRepoConfig(feast.Handler.FeatureStore, secretExtractionFunc, feast)
func (feast *FeastServices) getClientFeatureStoreYaml() ([]byte, error) {
clientRepo, err := getClientRepoConfig(feast.Handler.FeatureStore, feast)
if err != nil {
return []byte{}, err
}
Expand All @@ -350,14 +350,10 @@ func (feast *FeastServices) getClientFeatureStoreYaml(secretExtractionFunc func(

func getClientRepoConfig(
featureStore *feastdevv1.FeatureStore,
secretExtractionFunc func(storeType string, secretRef string, secretKeyName string) (map[string]interface{}, error),
feast *FeastServices) (RepoConfig, error) {
status := featureStore.Status
appliedServices := status.Applied.Services
clientRepoConfig, err := getRepoConfig(featureStore)
if err != nil {
return clientRepoConfig, err
}
clientRepoConfig := getRepoConfig(featureStore)
if len(status.ServiceHostnames.OfflineStore) > 0 {
clientRepoConfig.OfflineStore = OfflineStoreConfig{
Type: OfflineRemoteConfigType,
Expand Down Expand Up @@ -398,7 +394,7 @@ func getClientRepoConfig(
return clientRepoConfig, nil
}

func getRepoConfig(featureStore *feastdevv1.FeatureStore) (RepoConfig, error) {
func getRepoConfig(featureStore *feastdevv1.FeatureStore) RepoConfig {
status := featureStore.Status
repoConfig := initRepoConfig(status.Applied.FeastProject)
if status.Applied.AuthzConfig != nil {
Expand All @@ -419,7 +415,7 @@ func getRepoConfig(featureStore *feastdevv1.FeatureStore) (RepoConfig, error) {
}
}
}
return repoConfig, nil
return repoConfig
}

func getActualPath(filePath string, pvcConfig *feastdevv1.PvcConfig) string {
Expand Down
8 changes: 4 additions & 4 deletions infra/feast-operator/internal/controller/services/repo_config_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -224,7 +224,7 @@ var _ = Describe("Repo Config", func() {
Expect(repoConfig.OnlineStore).To(Equal(defaultOnlineStoreConfig(featureStore)))
Expect(repoConfig.Registry).To(Equal(defaultRegistryConfig(featureStore)))

repoConfig, err = getClientRepoConfig(featureStore, secretExtractionFunc, nil)
repoConfig, err = getClientRepoConfig(featureStore, nil)
Expect(err).NotTo(HaveOccurred())
Expect(repoConfig.AuthzConfig.Type).To(Equal(OidcAuthType))

Expand Down Expand Up @@ -368,7 +368,7 @@ var _ = Describe("Repo Config", func() {
string(OidcPassword): "password"})
_, err = getServiceRepoConfig(featureStore, secretExtractionFunc, emptyMockExtractConfigFromConfigMap)
Expect(err).NotTo(HaveOccurred())
_, err = getClientRepoConfig(featureStore, secretExtractionFunc, nil)
_, err = getClientRepoConfig(featureStore, nil)
Expect(err).NotTo(HaveOccurred())
})
})
Expand Down Expand Up @@ -545,7 +545,7 @@ var _ = Describe("TLS Certificate Path Configuration", func() {
}

// Test with nil feast parameter (no custom CA bundle)
repoConfig, err := getClientRepoConfig(featureStore, emptyMockExtractConfigFromSecret, nil)
repoConfig, err := getClientRepoConfig(featureStore, nil)
Expect(err).NotTo(HaveOccurred())

// Verify individual service certificate paths are used
Expand Down Expand Up @@ -615,7 +615,7 @@ var _ = Describe("TLS Certificate Path Configuration", func() {
}

// Test with nil feast parameter (no custom CA bundle available)
repoConfig, err := getClientRepoConfig(featureStore, emptyMockExtractConfigFromSecret, nil)
repoConfig, err := getClientRepoConfig(featureStore, nil)
Expect(err).NotTo(HaveOccurred())
Expect(repoConfig.OfflineStore.Cert).To(Equal("/tls/offline/tls.crt"))
})
Expand Down
4 changes: 2 additions & 2 deletions infra/feast-operator/internal/controller/services/tls_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -128,7 +128,7 @@ var _ = Describe("TLS Config", func() {
err = feast.ApplyDefaults()
Expect(err).ToNot(HaveOccurred())

repoConfig, err := getClientRepoConfig(feast.Handler.FeatureStore, emptyMockExtractConfigFromSecret, &feast)
repoConfig, err := getClientRepoConfig(feast.Handler.FeatureStore, &feast)
Expect(err).NotTo(HaveOccurred())
Expect(repoConfig.OfflineStore.Port).To(Equal(HttpsPort))
Expect(repoConfig.OfflineStore.Scheme).To(Equal(HttpsScheme))
Expand Down Expand Up @@ -275,7 +275,7 @@ var _ = Describe("TLS Config", func() {
err = feast.ApplyDefaults()
Expect(err).ToNot(HaveOccurred())

repoConfig, err = getClientRepoConfig(feast.Handler.FeatureStore, emptyMockExtractConfigFromSecret, &feast)
repoConfig, err = getClientRepoConfig(feast.Handler.FeatureStore, &feast)
Expect(err).NotTo(HaveOccurred())
Expect(repoConfig.OfflineStore.Port).To(Equal(HttpsPort))
Expect(repoConfig.OfflineStore.Scheme).To(Equal(HttpsScheme))
Expand Down
3 changes: 2 additions & 1 deletion sdk/python/feast/permissions/auth/oidc_token_parser.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -211,7 +211,8 @@ async def _validate_k8s_sa_token_and_extract_namespace(
token_review = client.V1TokenReview(
spec=client.V1TokenReviewSpec(token=access_token)
)
response = self._k8s_auth_api.create_token_review(token_review)
auth_api: client.AuthenticationV1Api = self._k8s_auth_api
response = auth_api.create_token_review(token_review)

if not response.status.authenticated:
raise AuthenticationError(
Expand Down
Loading