fix: make operator include full OIDC secret in repo config (#5676)

jfw-ppi · jfw-ppi · commit e5760b4bf647 · 2026-01-03T22:47:42.000+01:00
diff --git a/infra/feast-operator/internal/controller/featurestore_controller_oidc_auth_test.go b/infra/feast-operator/internal/controller/featurestore_controller_oidc_auth_test.go
@@ -487,16 +487,21 @@ func expectedServerOidcAuthorizConfig() services.AuthzConfig {
 		OidcParameters: map[string]interface{}{
 			string(services.OidcAuthDiscoveryUrl): "auth-discovery-url",
 			string(services.OidcClientId):         "client-id",
+			string(services.OidcClientSecret):     "client-secret",
+			string(services.OidcUsername):         "username",
+			string(services.OidcPassword):         "password",
 		},
 	}
 }
 func expectedClientOidcAuthorizConfig() services.AuthzConfig {
 	return services.AuthzConfig{
 		Type: services.OidcAuthType,
 		OidcParameters: map[string]interface{}{
-			string(services.OidcClientSecret): "client-secret",
-			string(services.OidcUsername):     "username",
-			string(services.OidcPassword):     "password"},
+			string(services.OidcClientId):         "client-id",
+			string(services.OidcAuthDiscoveryUrl): "auth-discovery-url",
+			string(services.OidcClientSecret):     "client-secret",
+			string(services.OidcUsername):         "username",
+			string(services.OidcPassword):         "password"},
 	}
 }
 
diff --git a/infra/feast-operator/internal/controller/services/repo_config.go b/infra/feast-operator/internal/controller/services/repo_config.go
@@ -102,15 +102,15 @@ func getBaseServiceRepoConfig(
 			return repoConfig, authSecretErr
 		}
 
-		oidcServerProperties := map[string]interface{}{}
-		for _, oidcServerProperty := range OidcServerProperties {
-			if val, exists := propertiesMap[string(oidcServerProperty)]; exists {
-				oidcServerProperties[string(oidcServerProperty)] = val
+		oidcParameters := map[string]interface{}{}
+		for _, oidcProperty := range OidcProperties {
+			if val, exists := propertiesMap[string(oidcProperty)]; exists {
+				oidcParameters[string(oidcProperty)] = val
 			} else {
-				return repoConfig, missingOidcSecretProperty(oidcServerProperty)
+				return repoConfig, missingOidcSecretProperty(oidcProperty)
 			}
 		}
-		repoConfig.AuthzConfig.OidcParameters = oidcServerProperties
+		repoConfig.AuthzConfig.OidcParameters = oidcParameters
 	}
 
 	return repoConfig, nil
@@ -327,11 +327,11 @@ func getRepoConfig(
 			}
 
 			oidcClientProperties := map[string]interface{}{}
-			for _, oidcClientProperty := range OidcClientProperties {
-				if val, exists := propertiesMap[string(oidcClientProperty)]; exists {
-					oidcClientProperties[string(oidcClientProperty)] = val
+			for _, oidcProperty := range OidcProperties {
+				if val, exists := propertiesMap[string(oidcProperty)]; exists {
+					oidcClientProperties[string(oidcProperty)] = val
 				} else {
-					return repoConfig, missingOidcSecretProperty(oidcClientProperty)
+					return repoConfig, missingOidcSecretProperty(oidcProperty)
 				}
 			}
 			repoConfig.AuthzConfig.OidcParameters = oidcClientProperties
diff --git a/infra/feast-operator/internal/controller/services/repo_config_test.go b/infra/feast-operator/internal/controller/services/repo_config_test.go
@@ -214,17 +214,22 @@ var _ = Describe("Repo Config", func() {
 			repoConfig, err = getServiceRepoConfig(featureStore, secretExtractionFunc)
 			Expect(err).NotTo(HaveOccurred())
 			Expect(repoConfig.AuthzConfig.Type).To(Equal(OidcAuthType))
-			Expect(repoConfig.AuthzConfig.OidcParameters).To(HaveLen(2))
+			Expect(repoConfig.AuthzConfig.OidcParameters).To(HaveLen(5))
 			Expect(repoConfig.AuthzConfig.OidcParameters).To(HaveKey(string(OidcClientId)))
 			Expect(repoConfig.AuthzConfig.OidcParameters).To(HaveKey(string(OidcAuthDiscoveryUrl)))
+			Expect(repoConfig.AuthzConfig.OidcParameters).To(HaveKey(string(OidcClientSecret)))
+			Expect(repoConfig.AuthzConfig.OidcParameters).To(HaveKey(string(OidcUsername)))
+			Expect(repoConfig.AuthzConfig.OidcParameters).To(HaveKey(string(OidcPassword)))
 			Expect(repoConfig.OfflineStore).To(Equal(expectedOfflineConfig))
 			Expect(repoConfig.OnlineStore).To(Equal(defaultOnlineStoreConfig(featureStore)))
 			Expect(repoConfig.Registry).To(Equal(defaultRegistryConfig(featureStore)))
 
 			repoConfig, err = getClientRepoConfig(featureStore, secretExtractionFunc, nil)
 			Expect(err).NotTo(HaveOccurred())
 			Expect(repoConfig.AuthzConfig.Type).To(Equal(OidcAuthType))
-			Expect(repoConfig.AuthzConfig.OidcParameters).To(HaveLen(3))
+			Expect(repoConfig.AuthzConfig.OidcParameters).To(HaveLen(5))
+			Expect(repoConfig.AuthzConfig.OidcParameters).To(HaveKey(string(OidcClientId)))
+			Expect(repoConfig.AuthzConfig.OidcParameters).To(HaveKey(string(OidcAuthDiscoveryUrl)))
 			Expect(repoConfig.AuthzConfig.OidcParameters).To(HaveKey(string(OidcClientSecret)))
 			Expect(repoConfig.AuthzConfig.OidcParameters).To(HaveKey(string(OidcUsername)))
 			Expect(repoConfig.AuthzConfig.OidcParameters).To(HaveKey(string(OidcPassword)))
@@ -314,14 +319,9 @@ var _ = Describe("Repo Config", func() {
 		_, err := getServiceRepoConfig(featureStore, secretExtractionFunc)
 		Expect(err).To(HaveOccurred())
 		Expect(err.Error()).To(ContainSubstring("missing OIDC secret"))
-		_, err = getServiceRepoConfig(featureStore, secretExtractionFunc)
-		Expect(err).To(HaveOccurred())
-		Expect(err.Error()).To(ContainSubstring("missing OIDC secret"))
-		_, err = getServiceRepoConfig(featureStore, secretExtractionFunc)
+		_, err = getClientRepoConfig(featureStore, secretExtractionFunc, nil)
 		Expect(err).To(HaveOccurred())
 		Expect(err.Error()).To(ContainSubstring("missing OIDC secret"))
-		_, err = getClientRepoConfig(featureStore, secretExtractionFunc, nil)
-		Expect(err).ToNot(HaveOccurred())
 
 		By("Having invalid client oidc authorization")
 		featureStore.Spec.AuthzConfig = &feastdevv1.AuthzConfig{
@@ -341,12 +341,6 @@ var _ = Describe("Repo Config", func() {
 		_, err = getServiceRepoConfig(featureStore, secretExtractionFunc)
 		Expect(err).To(HaveOccurred())
 		Expect(err.Error()).To(ContainSubstring("missing OIDC secret"))
-		_, err = getServiceRepoConfig(featureStore, secretExtractionFunc)
-		Expect(err).To(HaveOccurred())
-		Expect(err.Error()).To(ContainSubstring("missing OIDC secret"))
-		_, err = getServiceRepoConfig(featureStore, secretExtractionFunc)
-		Expect(err).To(HaveOccurred())
-		Expect(err.Error()).To(ContainSubstring("missing OIDC secret"))
 		_, err = getClientRepoConfig(featureStore, secretExtractionFunc, nil)
 		Expect(err).To(HaveOccurred())
 		Expect(err.Error()).To(ContainSubstring("missing OIDC secret"))
diff --git a/infra/feast-operator/internal/controller/services/services_types.go b/infra/feast-operator/internal/controller/services/services_types.go
@@ -210,6 +210,7 @@ var (
 
 	OidcServerProperties = []OidcPropertyType{OidcClientId, OidcAuthDiscoveryUrl}
 	OidcClientProperties = []OidcPropertyType{OidcClientSecret, OidcUsername, OidcPassword}
+	OidcProperties       = []OidcPropertyType{OidcClientId, OidcAuthDiscoveryUrl, OidcClientSecret, OidcUsername, OidcPassword}
 )
 
 // Feast server types: Reserved only for server types like Online, Offline, and Registry servers. Should not be used for client types like the UI, etc.

Original file line number	Diff line number	Diff line change
`@@ -487,16 +487,21 @@ func expectedServerOidcAuthorizConfig() services.AuthzConfig {`
`487`	`487`	`OidcParameters: map[string]interface{}{`
`488`	`488`	`string(services.OidcAuthDiscoveryUrl): "auth-discovery-url",`
`489`	`489`	`string(services.OidcClientId): "client-id",`
	`490`	`+ string(services.OidcClientSecret): "client-secret",`
	`491`	`+ string(services.OidcUsername): "username",`
	`492`	`+ string(services.OidcPassword): "password",`
`490`	`493`	`},`
`491`	`494`	`}`
`492`	`495`	`}`
`493`	`496`	`func expectedClientOidcAuthorizConfig() services.AuthzConfig {`
`494`	`497`	`return services.AuthzConfig{`
`495`	`498`	`Type: services.OidcAuthType,`
`496`	`499`	`OidcParameters: map[string]interface{}{`
`497`		`- string(services.OidcClientSecret): "client-secret",`
`498`		`- string(services.OidcUsername): "username",`
`499`		`- string(services.OidcPassword): "password"},`
	`500`	`+ string(services.OidcClientId): "client-id",`
	`501`	`+ string(services.OidcAuthDiscoveryUrl): "auth-discovery-url",`
	`502`	`+ string(services.OidcClientSecret): "client-secret",`
	`503`	`+ string(services.OidcUsername): "username",`
	`504`	`+ string(services.OidcPassword): "password"},`
`500`	`505`	`}`
`501`	`506`	`}`
`502`	`507`
Original file line number	Diff line number	Diff line change
`@@ -102,15 +102,15 @@ func getBaseServiceRepoConfig(`
`102`	`102`	`return repoConfig, authSecretErr`
`103`	`103`	`}`
`104`	`104`
`105`		`- oidcServerProperties := map[string]interface{}{}`
`106`		`- for _, oidcServerProperty := range OidcServerProperties {`
`107`		`- if val, exists := propertiesMap[string(oidcServerProperty)]; exists {`
`108`		`- oidcServerProperties[string(oidcServerProperty)] = val`
	`105`	`+ oidcParameters := map[string]interface{}{}`
	`106`	`+ for _, oidcProperty := range OidcProperties {`
	`107`	`+ if val, exists := propertiesMap[string(oidcProperty)]; exists {`
	`108`	`+ oidcParameters[string(oidcProperty)] = val`
`109`	`109`	`} else {`
`110`		`- return repoConfig, missingOidcSecretProperty(oidcServerProperty)`
	`110`	`+ return repoConfig, missingOidcSecretProperty(oidcProperty)`
`111`	`111`	`}`
`112`	`112`	`}`
`113`		`- repoConfig.AuthzConfig.OidcParameters = oidcServerProperties`
	`113`	`+ repoConfig.AuthzConfig.OidcParameters = oidcParameters`
`114`	`114`	`}`
`115`	`115`
`116`	`116`	`return repoConfig, nil`
`@@ -327,11 +327,11 @@ func getRepoConfig(`
`327`	`327`	`}`
`328`	`328`
`329`	`329`	`oidcClientProperties := map[string]interface{}{}`
`330`		`- for _, oidcClientProperty := range OidcClientProperties {`
`331`		`- if val, exists := propertiesMap[string(oidcClientProperty)]; exists {`
`332`		`- oidcClientProperties[string(oidcClientProperty)] = val`
	`330`	`+ for _, oidcProperty := range OidcProperties {`
	`331`	`+ if val, exists := propertiesMap[string(oidcProperty)]; exists {`
	`332`	`+ oidcClientProperties[string(oidcProperty)] = val`
`333`	`333`	`} else {`
`334`		`- return repoConfig, missingOidcSecretProperty(oidcClientProperty)`
	`334`	`+ return repoConfig, missingOidcSecretProperty(oidcProperty)`
`335`	`335`	`}`
`336`	`336`	`}`
`337`	`337`	`repoConfig.AuthzConfig.OidcParameters = oidcClientProperties`
Original file line number	Diff line number	Diff line change
`@@ -210,6 +210,7 @@ var (`
`210`	`210`
`211`	`211`	`OidcServerProperties = []OidcPropertyType{OidcClientId, OidcAuthDiscoveryUrl}`
`212`	`212`	`OidcClientProperties = []OidcPropertyType{OidcClientSecret, OidcUsername, OidcPassword}`
	`213`	`+ OidcProperties = []OidcPropertyType{OidcClientId, OidcAuthDiscoveryUrl, OidcClientSecret, OidcUsername, OidcPassword}`
`213`	`214`	`)`
`214`	`215`
`215`	`216`	`// Feast server types: Reserved only for server types like Online, Offline, and Registry servers. Should not be used for client types like the UI, etc.`