René's URL Explorer Experiment

{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Feast Operator ignores OIDC secretRef - accepts syntax but doesn't inject secret values","articleBody":"## Expected Behavior \nWhen a FeatureStore specifies spec.authz.oidc.secretRef, the operator should:\n1.Read the referenced Kubernetes secret containing OIDC credentials\n2.Inject secret values (client_secret, username, password) into container environments\n3.Generate complete OIDC configuration enabling full authentication for both API and UI\n4.Redirect UI access through OIDC provider (Keycloak) login flow\n\n## Current Behavior\nThe operator:\n1.Accepts secretRef configuration without validation errors\n2.Completely ignores the referenced secret - no mounting or injection occurs\n3.Generates incomplete OIDC config with only basic fields (auth_discovery_url, client_id)\n4.Results in broken authentication:\na.API shows AuthManagerType.OIDC but authentication fails due to missing client_secret\nb.UI serves directly without any authentication redirect\n\n## Steps to reproduce\n1.Create OIDC Secret\n```yaml\napiVersion: v1\nkind: Secret\nmetadata:\n  name: oidc-secret\n  namespace: feast\nstringData:\n  client_id: your-client-id\n  client_secret: your-client-secret  \n  auth_discovery_url: https://your-keycloak/realms/realm/.well-known/openid_configuration\n  username: your-username\n  password: your-password\n```\n\n2. Create FeatureStore with secretRef:\n```yaml\napiVersion: feast.dev/v1alpha1\nkind: FeatureStore\nmetadata:\n  name: sample-oidc-auth\nspec:\n  feastProject: my_project\n  authz:\n    oidc:\n      secretRef:\n        name: oidc-secret\n  services:\n    ui: {}\n```\n3.Verify the bug:\nContainer shows OIDC type but incomplete config\n```bash\nkubectl logs deployment/feast-sample-oidc-auth -c online\n```\nOUTPUT: INFO:fastapi:Auth type: AuthManagerType.OIDC\n\n\u003cimg width=\"1498\" height=\"343\" alt=\"Image\" src=\"https://github.com/user-attachments/assets/db4df218-6723-46c9-b6c5-62edc6fee7f1\" /\u003e\n\nNo secret values injected as environment variables\n```bash\nkubectl exec deployment/feast-sample-oidc-auth -c ui -- env | grep client_\n```\nOUTPUT: (empty)\n\n\u003cimg width=\"1498\" height=\"272\" alt=\"Image\" src=\"https://github.com/user-attachments/assets/34804818-36fb-404c-8e78-12c3aa8da454\" /\u003e\n\nCheck generated config - missing client_secret\n```bash\nkubectl exec deployment/feast-sample-oidc-auth -c ui -- env | grep TMP_FEATURE_STORE_YAML_BASE64\n```\nDecode shows: only auth_discovery_url and client_id, missing client_secret\nexample:\n```yaml\n$ echo \"\u003cbase64-string\u003e\" | base64 --decode\nproject: my_project\nprovider: local\nonline_store:\n    path: /feast-data/online_store.db\n    type: sqlite\nregistry:\n    path: /feast-data/registry.db\n    registry_type: file\nauth:\n    type: oidc\n    auth_discovery_url: https://example.com/keycloak/realms/myrealm/.well-known/openid_configuration\n    client_id: my-client-id\nentity_key_serialization_version: 3\n```\nNotice: Missing client_secret, username, password from secret!\n\nHence,UI accessible without authentication redirect\nReturns HTML directly instead of OIDC redirect\n\n### Specifications\n\nVersion: Feast operator with feature-server:0.54.0\nPlatform: Kubernetes\nSubsystem: feast-operator (FeatureStore CRD controller)\n\n## Possible Solution\nThe operator needs to implement secret processing in the FeatureStore controller:\n1.Read secret values when spec.authz.oidc.secretRef is specified\n2.Mount secret as volume or inject as environment variables into containers\n3.Modify feature_store.yaml generation to include complete OIDC configuration with secret values\n4.Ensure both online and ui containers receive the OIDC credentials for proper authentication","author":{"url":"https://github.com/RSBhoomika","@type":"Person","name":"RSBhoomika"},"datePublished":"2025-10-17T10:01:00.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":2},"url":"https://github.com/5676/feast/issues/5676"}