
Commit 15c8ec5

feat(operator): Provision minimal TokenReview RBAC for OIDC auth
When authz: oidc is configured, the operator now provisions a dedicated feast-oidc-token-review ClusterRole and per-instance ClusterRoleBinding with tokenreviews/create permission for SA token delegation.

Changes:
- Add OIDC status condition (AuthorizationReadyType) for feature parity with Kubernetes auth
- Use instance-independent labels for shared ClusterRole to avoid misleading audit trails when multiple FeatureStores use OIDC
- Clean up Kubernetes ClusterRoleBinding when switching auth types
- Add test coverage for OIDC RBAC creation and cleanup

Signed-off-by: Aniket Paluskar <apaluska@redhat.com>
1 parent 9feca77 commit 15c8ec5
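As an added, stand-alone Go model (not feast-operator code) of why the operator's own tokenreviews/create grant in the CSV must stay: Kubernetes RBAC escalation prevention only lets a caller create a ClusterRole whose rules it already holds, so an operator that provisions feast-oidc-token-review needs that permission itself. `PolicyRule`, `OperatorRules`, `OIDCTokenReviewRules`, `matches`, `anyAllows` and `RulesCover` are constructed here; the real check in the API server also handles subresources, nonResourceURLs and the escalate/bind verbs, which this simplification omits.

```go
package main

// PolicyRule is a constructed stand-in for rbac.authorization.k8s.io PolicyRule (not the real type).
type PolicyRule struct{ APIGroups, Resources, Verbs []string }

// OIDCTokenReviewRules is the least-privilege rule set the commit describes for the
// feast-oidc-token-review ClusterRole: tokenreviews/create and nothing else.
var OIDCTokenReviewRules = []PolicyRule{{[]string{"authentication.k8s.io"}, []string{"tokenreviews"}, []string{"create"}}}

// OperatorRules is a constructed subset of the operator's own ClusterRole from the CSV hunk below.
var OperatorRules = []PolicyRule{
	{[]string{"authentication.k8s.io"}, []string{"tokenreviews"}, []string{"create"}},
	{[]string{"apps"}, []string{"deployments"}, []string{"create", "delete", "get", "list", "update", "watch"}},
}

// matches treats "*" as a wildcard, as RBAC does for groups, resources and verbs.
func matches(list []string, want string) bool {
	for _, s := range list {
		if s == "*" || s == want {
			return true
		}
	}
	return false
}

func anyAllows(rules []PolicyRule, group, resource, verb string) bool {
	for _, r := range rules {
		if matches(r.APIGroups, group) && matches(r.Resources, resource) && matches(r.Verbs, verb) {
			return true
		}
	}
	return false
}

// RulesCover reports whether holder already permits every (group, resource, verb) in wanted; the API
// server applies this escalation check before a caller may create a ClusterRole granting those rules.
func RulesCover(holder, wanted []PolicyRule) bool {
	for _, w := range wanted {
		for _, g := range w.APIGroups {
			for _, res := range w.Resources {
				for _, v := range w.Verbs {
					if !anyAllows(holder, g, res, v) {
						return false
					}
				}
			}
		}
	}
	return true
}
```

`RulesCover(OperatorRules, OIDCTokenReviewRules)` is true, and it turns false the moment the provisioned ClusterRole asks for anything the operator does not hold (for example delete on tokenreviews), which is exactly the request the API server would reject.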

7 files changed

Lines changed: 778 additions & 444 deletions


.secrets.baseline

Lines changed: 3 additions & 3 deletions
@@ -934,7 +934,7 @@
934934
"filename": "infra/feast-operator/api/v1/featurestore_types.go",
935935
"hashed_secret": "44e17306b837162269a410204daaa5ecee4ec22c",
936936
"is_verified": false,
937-
"line_number": 761
937+
"line_number": 763
938938
}
939939
],
940940
"infra/feast-operator/api/v1/zz_generated.deepcopy.go": [
@@ -1122,7 +1122,7 @@
11221122
"filename": "infra/feast-operator/internal/controller/featurestore_controller_oidc_auth_test.go",
11231123
"hashed_secret": "a1f14fc6f33ba39a8b6d006fefa6fe0fe8d60ae2",
11241124
"is_verified": false,
1125-
"line_number": 447
1125+
"line_number": 450
11261126
}
11271127
],
11281128
"infra/feast-operator/internal/controller/featurestore_controller_test_utils_test.go": [
@@ -1539,5 +1539,5 @@
15391539
}
15401540
]
15411541
},
1542-
"generated_at": "2026-04-09T03:30:18Z"
1542+
"generated_at": "2026-04-22T15:02:50Z"
15431543
}

infra/feast-operator/api/v1/featurestore_types.go

Lines changed: 2 additions & 0 deletions
@@ -52,6 +52,7 @@ const (
5252
ClientFailedReason = "ClientDeploymentFailed"
5353
CronJobFailedReason = "CronJobDeploymentFailed"
5454
KubernetesAuthzFailedReason = "KubernetesAuthorizationDeploymentFailed"
55+
OidcAuthzFailedReason = "OidcAuthorizationDeploymentFailed"
5556

5657
// Feast condition messages:
5758
ReadyMessage = "FeatureStore installation complete"
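Review bot: the commit message says an OIDC status condition (AuthorizationReadyType) is added for parity with Kubernetes auth, but this hunk only adds the OidcAuthzFailedReason reason string at line 55; no new condition type constant appears in the visible diff, and the .secrets.baseline shift of exactly two lines (761 to 763) matches just the two constants added to this file. If the existing AuthorizationReadyType is reused for OIDC, say so in the commit message; if a new type was intended, it is missing here. Also confirm the controller actually sets Reason to OidcAuthzFailedReason on the ClusterRole/ClusterRoleBinding error path, since an unused reason string gives no signal to anyone watching the status.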
@@ -62,6 +63,7 @@ const (
6263
ClientReadyMessage = "Client installation complete"
6364
CronJobReadyMessage = "CronJob installation complete"
6465
KubernetesAuthzReadyMessage = "Kubernetes authorization installation complete"
66+
OidcAuthzReadyMessage = "OIDC authorization installation complete"
6567
DeploymentNotAvailableMessage = "Deployment is not available"
6668

6769
// entity_key_serialization_version
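Review bot: naming at line 66: the message text spells the acronym OIDC while the identifier uses Oidc (OidcAuthzReadyMessage, mirroring KubernetesAuthz*). Go convention keeps initialisms upper-case in identifiers (OIDCAuthzReadyMessage); keep Oidc only if the api/v1 package already uses that spelling for related identifiers, otherwise align both new constants now, before they become part of the published v1 API surface.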

infra/feast-operator/bundle/manifests/feast-operator.clusterserviceversion.yaml

Lines changed: 31 additions & 31 deletions
@@ -50,7 +50,7 @@ metadata:
5050
}
5151
]
5252
capabilities: Basic Install
53-
createdAt: "2026-04-08T14:26:31Z"
53+
createdAt: "2026-04-21T14:06:03Z"
5454
operators.operatorframework.io/builder: operator-sdk-v1.38.0
5555
operators.operatorframework.io/project_layout: go.kubebuilder.io/v4
5656
name: feast-operator.v0.62.0
@@ -79,9 +79,12 @@ spec:
7979
clusterPermissions:
8080
- rules:
8181
- apiGroups:
82-
- apps
82+
- ""
8383
resources:
84-
- deployments
84+
- configmaps
85+
- persistentvolumeclaims
86+
- serviceaccounts
87+
- services
8588
verbs:
8689
- create
8790
- delete
@@ -90,65 +93,62 @@ spec:
9093
- update
9194
- watch
9295
- apiGroups:
93-
- authentication.k8s.io
96+
- ""
9497
resources:
95-
- tokenreviews
98+
- namespaces
99+
- pods
100+
- secrets
101+
verbs:
102+
- get
103+
- list
104+
- watch
105+
- apiGroups:
106+
- ""
107+
resources:
108+
- pods/exec
96109
verbs:
97110
- create
98111
- apiGroups:
99-
- autoscaling
112+
- apps
100113
resources:
101-
- horizontalpodautoscalers
114+
- deployments
102115
verbs:
103116
- create
104117
- delete
105118
- get
106119
- list
107-
- patch
108120
- update
109121
- watch
110122
- apiGroups:
111-
- batch
123+
- authentication.k8s.io
112124
resources:
113-
- cronjobs
125+
- tokenreviews
114126
verbs:
115127
- create
116-
- delete
117-
- get
118-
- list
119-
- patch
120-
- update
121-
- watch
122128
- apiGroups:
123-
- ""
129+
- autoscaling
124130
resources:
125-
- configmaps
126-
- persistentvolumeclaims
127-
- serviceaccounts
128-
- services
131+
- horizontalpodautoscalers
129132
verbs:
130133
- create
131134
- delete
132135
- get
133136
- list
137+
- patch
134138
- update
135139
- watch
136140
- apiGroups:
137-
- ""
141+
- batch
138142
resources:
139-
- namespaces
140-
- pods
141-
- secrets
143+
- cronjobs
142144
verbs:
145+
- create
146+
- delete
143147
- get
144148
- list
149+
- patch
150+
- update
145151
- watch
146-
- apiGroups:
147-
- ""
148-
resources:
149-
- pods/exec
150-
verbs:
151-
- create
152152
- apiGroups:
153153
- feast.dev
154154
resources:
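Review bot: this hunk and the preceding one are a pure re-sort of the existing rules by apiGroup with no net change in permissions, consistent with the file's 31 additions / 31 deletions; state that in the commit message so nobody hunts for a new grant here. The rule that matters for this feature is authentication.k8s.io / tokenreviews / create at new lines 123-127: because the operator now creates a ClusterRole granting tokenreviews/create to FeatureStore service accounts, Kubernetes RBAC escalation prevention requires the operator to hold that permission itself (or the escalate verb), so it must not be trimmed later as an unused grant. The operator's own permissions on clusterroles and clusterrolebindings (rbac.authorization.k8s.io), including delete for the cleanup the message describes, are not in the shown lines; confirm they are present further down in this file.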
