Description
Expected Behavior
When a FeatureStore specifies spec.authz.oidc.secretRef, the operator should:
1. Read the referenced Kubernetes secret containing the OIDC credentials
2. Inject the secret values (client_secret, username, password) into the container environments
3. Generate a complete OIDC configuration that enables full authentication for both the API and the UI
4. Redirect UI access through the OIDC provider (Keycloak) login flow
Current Behavior
The operator:
1. Accepts the secretRef configuration without validation errors
2. Completely ignores the referenced secret: no mounting or injection occurs
3. Generates an incomplete OIDC config with only the basic fields (auth_discovery_url, client_id)
4. Results in broken authentication:
   a. The API shows AuthManagerType.OIDC, but authentication fails because client_secret is missing
   b. The UI is served directly without any authentication redirect
Steps to reproduce
1. Create the OIDC Secret:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: oidc-secret
  namespace: feast
stringData:
  client_id: your-client-id
  client_secret: your-client-secret
  auth_discovery_url: https://your-keycloak/realms/realm/.well-known/openid_configuration
  username: your-username
  password: your-password
```
2. Create a FeatureStore with secretRef:
```yaml
apiVersion: feast.dev/v1alpha1
kind: FeatureStore
metadata:
  name: sample-oidc-auth
spec:
  feastProject: my_project
  authz:
    oidc:
      secretRef:
        name: oidc-secret
  services:
    ui: {}
```
3. Verify the bug:

The container shows the OIDC type but an incomplete config:
```
kubectl logs deployment/feast-sample-oidc-auth -c online
```
OUTPUT: INFO:fastapi:Auth type: AuthManagerType.OIDC

No secret values are injected as environment variables:
```
kubectl exec deployment/feast-sample-oidc-auth -c ui -- env | grep client_
```
OUTPUT: (empty)

Check the generated config; client_secret is missing:
```
kubectl exec deployment/feast-sample-oidc-auth -c ui -- env | grep TMP_FEATURE_STORE_YAML_BASE64
```
Decoding the value shows only auth_discovery_url and client_id; client_secret is missing. Example:
```
$ echo "<base64-string>" | base64 --decode
project: my_project
provider: local
online_store:
    path: /feast-data/online_store.db
    type: sqlite
registry:
    path: /feast-data/registry.db
    registry_type: file
auth:
    type: oidc
    auth_discovery_url: https://example.com/keycloak/realms/myrealm/.well-known/openid_configuration
    client_id: my-client-id
entity_key_serialization_version: 3
```
Notice: client_secret, username and password from the secret are missing!
Hence the UI is accessible without an authentication redirect: it returns HTML directly instead of an OIDC redirect.
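As an added check for this report (example code written here, not from the Feast project or operator), the following script decodes a TMP_FEATURE_STORE_YAML_BASE64 value like the one above and lists the OIDC fields that the secret should have supplied but the generated config lacks. The expected field list is taken from this issue, and the minimal YAML parser is an assumption based on the flat two-level config shape shown here; in practice PyYAML would parse the real file.

```python
import base64

# Fields this issue expects the operator to carry from the OIDC secret into the
# generated feature_store.yaml (assumption: list taken from the issue text).
EXPECTED_OIDC_FIELDS = ("auth_discovery_url", "client_id",
                        "client_secret", "username", "password")


def parse_simple_yaml(text):
    """Minimal parser for the two-level 'key: value' layout shown in the
    decoded config (no lists, no quoting); PyYAML is the tool for real files."""
    root, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        key, _, value = raw.strip().partition(":")  # split at first ':' only
        value = value.strip()
        if raw[0] in " \t":
            root[current][key] = value          # nested key under current section
        elif value:
            root[key] = value                   # scalar top-level key
        else:
            current, root[key] = key, {}        # start of a nested section
    return root


def encode_config(text):
    """Mimic the base64 form the operator places in the container env."""
    return base64.b64encode(text.encode()).decode()


def missing_oidc_fields(b64_config):
    """Decode TMP_FEATURE_STORE_YAML_BASE64 and return the OIDC fields absent
    from the auth section; an empty list means the config is complete."""
    cfg = parse_simple_yaml(base64.b64decode(b64_config).decode())
    auth = cfg.get("auth")
    if not isinstance(auth, dict) or auth.get("type") != "oidc":
        return list(EXPECTED_OIDC_FIELDS)       # no OIDC section at all
    return [f for f in EXPECTED_OIDC_FIELDS if not auth.get(f)]


# Constructed sample: the incomplete config this issue reports (placeholder values).
SAMPLE_BROKEN_CONFIG_B64 = encode_config("""\
project: my_project
provider: local
auth:
    type: oidc
    auth_discovery_url: https://example.com/keycloak/realms/myrealm/.well-known/openid_configuration
    client_id: my-client-id
entity_key_serialization_version: 3
""")

if __name__ == "__main__":
    print("missing OIDC fields:", missing_oidc_fields(SAMPLE_BROKEN_CONFIG_B64))
```

Against a live cluster, pass the value printed by the kubectl env command above (everything after the `=`) to missing_oidc_fields; a non-empty result reproduces the incomplete-config symptom described in this issue.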
Specifications
Version: Feast operator with feature-server:0.54.0
Platform: Kubernetes
Subsystem: feast-operator (FeatureStore CRD controller)
Possible Solution
The operator needs to implement secret processing in the FeatureStore controller:
1. Read the secret values when spec.authz.oidc.secretRef is specified
2. Mount the secret as a volume or inject it as environment variables into the containers
3. Modify the feature_store.yaml generation to include the complete OIDC configuration with the secret values
4. Ensure both the online and ui containers receive the OIDC credentials for proper authentication