
Feast Operator ignores OIDC secretRef - accepts syntax but doesn't inject secret values

Expected Behavior

When a FeatureStore specifies spec.authz.oidc.secretRef, the operator should:
1. Read the referenced Kubernetes secret containing OIDC credentials
2. Inject secret values (client_secret, username, password) into container environments
3. Generate complete OIDC configuration enabling full authentication for both API and UI
4. Redirect UI access through OIDC provider (Keycloak) login flow

Current Behavior

The operator:
1. Accepts secretRef configuration without validation errors
2. Completely ignores the referenced secret - no mounting or injection occurs
3. Generates incomplete OIDC config with only basic fields (auth_discovery_url, client_id)
4. Results in broken authentication:
   a. API shows AuthManagerType.OIDC but authentication fails due to missing client_secret
   b. UI serves directly without any authentication redirect

Steps to reproduce

1. Create OIDC Secret:

apiVersion: v1
kind: Secret
metadata:
  name: oidc-secret
  namespace: feast
stringData:
  client_id: your-client-id
  client_secret: your-client-secret
  auth_discovery_url: https://your-keycloak/realms/realm/.well-known/openid_configuration
  username: your-username
  password: your-password

2. Create FeatureStore with secretRef:

apiVersion: feast.dev/v1alpha1
kind: FeatureStore
metadata:
  name: sample-oidc-auth
spec:
  feastProject: my_project
  authz:
    oidc:
      secretRef:
        name: oidc-secret
  services:
    ui: {}

3. Verify the bug:
Container shows OIDC type but incomplete config

kubectl logs deployment/feast-sample-oidc-auth -c online

OUTPUT: INFO:fastapi:Auth type: AuthManagerType.OIDC


No secret values injected as environment variables

kubectl exec deployment/feast-sample-oidc-auth -c ui -- env | grep client_

OUTPUT: (empty)


Check generated config - missing client_secret

kubectl exec deployment/feast-sample-oidc-auth -c ui -- env | grep TMP_FEATURE_STORE_YAML_BASE64

Decoding shows only auth_discovery_url and client_id; client_secret is missing.
Example:

$ echo "<base64-string>" | base64 --decode
project: my_project
provider: local
online_store:
    path: /feast-data/online_store.db
    type: sqlite
registry:
    path: /feast-data/registry.db
    registry_type: file
auth:
    type: oidc
    auth_discovery_url: https://example.com/keycloak/realms/myrealm/.well-known/openid_configuration
    client_id: my-client-id
entity_key_serialization_version: 3

Notice: client_secret, username and password from the secret are missing.

Hence the UI is accessible without an authentication redirect: it returns HTML directly instead of redirecting to the OIDC provider.
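To make step 3 repeatable, here is an added verification helper (not part of the Feast project or of this report): a POSIX shell function that decodes the TMP_FEATURE_STORE_YAML_BASE64 value, extracts the keys under the top-level auth block and reports which of the OIDC keys from the secret in step 1 are absent. The required-key list and the key names are taken from the secret above; everything else is assumed.

```shell
#!/bin/sh
# Added example: check whether the rendered feature_store.yaml carries the
# OIDC values that should have been injected from spec.authz.oidc.secretRef.
# Usage: check_oidc_config "$(kubectl exec deployment/<name> -c ui -- \
#          sh -c 'printf %s "$TMP_FEATURE_STORE_YAML_BASE64"')"
# Exit status: 0 all keys present, 1 keys missing, 2 base64 decode failed.

# Keys the secret in step 1 provides and the auth block should contain.
REQUIRED_OIDC_KEYS="auth_discovery_url client_id client_secret username password"

# Print the key names that appear under the top-level "auth:" block.
# Reads YAML on stdin; stops at the next unindented (top-level) key.
auth_keys() {
  awk '
    /^auth:/ { inauth = 1; next }
    /^[^ ]/  { inauth = 0 }
    inauth && /^[ ]+[a-z_]+:/ { sub(/^[ ]+/, ""); sub(/:.*/, ""); print }
  '
}

check_oidc_config() {
  decoded=$(printf '%s' "$1" | base64 -d) || return 2
  # Space-separated list of keys found under auth:, padded for matching.
  present=" $(printf '%s\n' "$decoded" | auth_keys | tr '\n' ' ')"
  missing=""
  for k in $REQUIRED_OIDC_KEYS; do
    case "$present" in
      *" $k "*) ;;                       # key present under auth:
      *) missing="$missing $k" ;;        # key absent: not injected
    esac
  done
  missing=${missing# }
  if [ -n "$missing" ]; then
    echo "missing OIDC keys: $missing"
    return 1
  fi
  echo "all OIDC keys present"
  return 0
}
```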

Specifications

Version: Feast operator with feature-server:0.54.0
Platform: Kubernetes
Subsystem: feast-operator (FeatureStore CRD controller)

Possible Solution

The operator needs to implement secret processing in the FeatureStore controller:
1. Read secret values when spec.authz.oidc.secretRef is specified
2. Mount secret as volume or inject as environment variables into containers
3. Modify feature_store.yaml generation to include complete OIDC configuration with secret values
4. Ensure both online and ui containers receive the OIDC credentials for proper authentication