improved CRD comments and using IsLocalRegistry

Signed-off-by: Daniele Martinoli <[email protected]>
dmartinol · Nov 25, 2024 · 0788dc5 · 0788dc5
1 parent 7484764
commit 0788dc5
Show file tree

Hide file tree

Showing 7 changed files with 51 additions and 5 deletions.
diff --git a/infra/feast-operator/api/v1alpha1/featurestore_types.go b/infra/feast-operator/api/v1alpha1/featurestore_types.go
@@ -214,7 +214,15 @@ type AuthConfig struct {
 	KubernetesAuth *KubernetesAuth `json:"kubernetes,omitempty"`
 }
 
+// KubernetesAuth provides a way to define the authorization settings using Kubernetes RBAC resources.
+// https://kubernetes.io/docs/reference/access-authn-authz/rbac/
 type KubernetesAuth struct {
+	// The Kubernetes RBAC roles to be deployed in the same namespace of the FeatureStore.
+	// Roles are managed by the operator and created with an empty list of rules.
+	// See the Feast permission model at https://docs.feast.dev/getting-started/concepts/permission
+	// The feature store admin is not obligated to manage roles using the Feast operator, roles can be managed independently.
+	// This configuration option is only providing a way to automate this procedure.
+	// Important note: the operator cannot ensure that these roles will match the ones used in the configured Feast permissions.
 	Roles []string `json:"roles,omitempty"`
 }
 

diff --git a/infra/feast-operator/config/crd/bases/feast.dev_featurestores.yaml b/infra/feast-operator/config/crd/bases/feast.dev_featurestores.yaml
@@ -53,8 +53,18 @@ spec:
                   deployed Feast services.
                 properties:
                   kubernetes:
+                    description: |-
+                      KubernetesAuth provides a way to define the authorization settings using Kubernetes RBAC resources.
+                      https://kubernetes.io/docs/reference/access-authn-authz/rbac/
                     properties:
                       roles:
+                        description: |-
+                          The Kubernetes RBAC roles to be deployed in the same namespace of the FeatureStore.
+                          Roles are managed by the operator and created with an empty list of rules.
+                          See the Feast permission model at https://docs.feast.dev/getting-started/concepts/permission
+                          The feature store admin is not obligated to manage roles using the Feast operator, roles can be managed independently.
+                          This configuration option is only providing a way to automate this procedure.
+                          Important note: the operator cannot ensure that these roles will match the ones used in the configured Feast permissions.
                         items:
                           type: string
                         type: array
@@ -961,8 +971,18 @@ spec:
                       the deployed Feast services.
                     properties:
                       kubernetes:
+                        description: |-
+                          KubernetesAuth provides a way to define the authorization settings using Kubernetes RBAC resources.
+                          https://kubernetes.io/docs/reference/access-authn-authz/rbac/
                         properties:
                           roles:
+                            description: |-
+                              The Kubernetes RBAC roles to be deployed in the same namespace of the FeatureStore.
+                              Roles are managed by the operator and created with an empty list of rules.
+                              See the Feast permission model at https://docs.feast.dev/getting-started/concepts/permission
+                              The feature store admin is not obligated to manage roles using the Feast operator, roles can be managed independently.
+                              This configuration option is only providing a way to automate this procedure.
+                              Important note: the operator cannot ensure that these roles will match the ones used in the configured Feast permissions.
                             items:
                               type: string
                             type: array

diff --git a/infra/feast-operator/dist/install.yaml b/infra/feast-operator/dist/install.yaml
@@ -61,8 +61,17 @@ spec:
                   deployed Feast services.
                 properties:
                   kubernetes:
+                    description: |-
+                      KubernetesAuth defines the authorization settings using Kubernetes RBAC.
+                      https://kubernetes.io/docs/reference/access-authn-authz/rbac/
                     properties:
                       roles:
+                        description: |-
+                          The Kubernetes RBAC roles to be deployed in the same namespace of the FeatureStore.
+                          See the Feast permission model https://docs.feast.dev/getting-started/concepts/permission
+                          Please note that the feature store admin is not obligated to manage roles using the Feast operator.
+                          Roles can be managed independently. This configuration is only providing a way to automate this step.
+                          Note that the operator cannot ensure that these roles will match the ones used in the configured Feast permissions.
                         items:
                           type: string
                         type: array
@@ -969,8 +978,17 @@ spec:
                       the deployed Feast services.
                     properties:
                       kubernetes:
+                        description: |-
+                          KubernetesAuth defines the authorization settings using Kubernetes RBAC.
+                          https://kubernetes.io/docs/reference/access-authn-authz/rbac/
                         properties:
                           roles:
+                            description: |-
+                              The Kubernetes RBAC roles to be deployed in the same namespace of the FeatureStore.
+                              See the Feast permission model https://docs.feast.dev/getting-started/concepts/permission
+                              Please note that the feature store admin is not obligated to manage roles using the Feast operator.
+                              Roles can be managed independently. This configuration is only providing a way to automate this step.
+                              Note that the operator cannot ensure that these roles will match the ones used in the configured Feast permissions.
                             items:
                               type: string
                             type: array

diff --git a/infra/feast-operator/internal/controller/auth/auth.go b/infra/feast-operator/internal/controller/auth/auth.go
@@ -146,7 +146,7 @@ func (auth *FeastAuth) setFeastRoleBinding(roleBinding *rbacv1.RoleBinding) erro
 			Namespace: auth.Handler.FeatureStore.Namespace,
 		})
 	}
-	if auth.Handler.FeatureStore.Status.Applied.Services.Registry != nil {
+	if services.IsLocalRegistry(auth.Handler.FeatureStore) {
 		roleBinding.Subjects = append(roleBinding.Subjects, rbacv1.Subject{
 			Kind:      rbacv1.ServiceAccountKind,
 			Name:      services.GetFeastServiceName(auth.Handler.FeatureStore, services.RegistryFeastType),

diff --git a/infra/feast-operator/internal/controller/services/repo_config.go b/infra/feast-operator/internal/controller/services/repo_config.go
@@ -51,7 +51,7 @@ func getServiceRepoConfig(feastType FeastServiceType, featureStore *feastdevv1al
 	appliedSpec := featureStore.Status.Applied
 
 	repoConfig := getClientRepoConfig(featureStore)
-	isLocalRegistry := isLocalRegistry(featureStore)
+	isLocalRegistry := IsLocalRegistry(featureStore)
 	if appliedSpec.Services != nil {
 		services := appliedSpec.Services
 		switch feastType {

diff --git a/infra/feast-operator/internal/controller/services/services.go b/infra/feast-operator/internal/controller/services/services.go
@@ -419,7 +419,7 @@ func (feast *FeastServices) setRemoteRegistryURL() error {
 }
 
 func (feast *FeastServices) isLocalRegistry() bool {
-	return isLocalRegistry(feast.Handler.FeatureStore)
+	return IsLocalRegistry(feast.Handler.FeatureStore)
 }
 
 func (feast *FeastServices) isRemoteRegistry() bool {

diff --git a/infra/feast-operator/internal/controller/services/util.go b/infra/feast-operator/internal/controller/services/util.go
@@ -10,7 +10,7 @@ import (
 	"k8s.io/apimachinery/pkg/api/resource"
 )
 
-func isLocalRegistry(featureStore *feastdevv1alpha1.FeatureStore) bool {
+func IsLocalRegistry(featureStore *feastdevv1alpha1.FeatureStore) bool {
 	appliedServices := featureStore.Status.Applied.Services
 	return appliedServices != nil && appliedServices.Registry != nil && appliedServices.Registry.Local != nil
 }
@@ -28,7 +28,7 @@ func hasPvcConfig(featureStore *feastdevv1alpha1.FeatureStore, feastType FeastSe
 			pvcConfig = services.OfflineStore.Persistence.FilePersistence.PvcConfig
 		}
 	case RegistryFeastType:
-		if isLocalRegistry(featureStore) && services.Registry.Local.Persistence.FilePersistence != nil {
+		if IsLocalRegistry(featureStore) && services.Registry.Local.Persistence.FilePersistence != nil {
 			pvcConfig = services.Registry.Local.Persistence.FilePersistence.PvcConfig
 		}
 	}