feat: RBAC Authorization in Feast Operator (feast-dev#4786)

* Initial commit

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* refactoring types with FeastHandler

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* no private image

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* removed  log-level

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* no empty list for default Role

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* removed nameLabelKey, using serices.NameLabelKey

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* improved CRD comments and using IsLocalRegistry

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* fixing generated code

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* renamed auth condition and types

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* post rebase fixes

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* more renamings

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

---------

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>
Signed-off-by: Theodor Mihalache <tmihalac@redhat.com>

infra/feast-operator/api/v1alpha1/featurestore_types.go

@@ -28,26 +28,29 @@ const (
 	FailedPhase  = "Failed"
 
 	// Feast condition types:
-	ClientReadyType       = "Client"
-	OfflineStoreReadyType = "OfflineStore"
-	OnlineStoreReadyType  = "OnlineStore"
-	RegistryReadyType     = "Registry"
-	ReadyType             = "FeatureStore"
+	ClientReadyType        = "Client"
+	OfflineStoreReadyType  = "OfflineStore"
+	OnlineStoreReadyType   = "OnlineStore"
+	RegistryReadyType      = "Registry"
+	ReadyType              = "FeatureStore"
+	AuthorizationReadyType = "AuthorizationReadyType"
 
 	// Feast condition reasons:
-	ReadyReason              = "Ready"
-	FailedReason             = "FeatureStoreFailed"
-	OfflineStoreFailedReason = "OfflineStoreDeploymentFailed"
-	OnlineStoreFailedReason  = "OnlineStoreDeploymentFailed"
-	RegistryFailedReason     = "RegistryDeploymentFailed"
-	ClientFailedReason       = "ClientDeploymentFailed"
+	ReadyReason                 = "Ready"
+	FailedReason                = "FeatureStoreFailed"
+	OfflineStoreFailedReason    = "OfflineStoreDeploymentFailed"
+	OnlineStoreFailedReason     = "OnlineStoreDeploymentFailed"
+	RegistryFailedReason        = "RegistryDeploymentFailed"
+	ClientFailedReason          = "ClientDeploymentFailed"
+	KubernetesAuthzFailedReason = "KubernetesAuthorizationDeploymentFailed"
 
 	// Feast condition messages:
-	ReadyMessage             = "FeatureStore installation complete"
-	OfflineStoreReadyMessage = "Offline Store installation complete"
-	OnlineStoreReadyMessage  = "Online Store installation complete"
-	RegistryReadyMessage     = "Registry installation complete"
-	ClientReadyMessage       = "Client installation complete"
+	ReadyMessage                = "FeatureStore installation complete"
+	OfflineStoreReadyMessage    = "Offline Store installation complete"
+	OnlineStoreReadyMessage     = "Online Store installation complete"
+	RegistryReadyMessage        = "Registry installation complete"
+	ClientReadyMessage          = "Client installation complete"
+	KubernetesAuthzReadyMessage = "Kubernetes authorization installation complete"
 
 	// entity_key_serialization_version
 	SerializationVersion = 3
@@ -59,6 +62,7 @@ type FeatureStoreSpec struct {
 	// FeastProject is the Feast project id. This can be any alphanumeric string with underscores, but it cannot start with an underscore. Required.
 	FeastProject string                `json:"feastProject"`
 	Services     *FeatureStoreServices `json:"services,omitempty"`
+	AuthzConfig  *AuthzConfig          `json:"authz,omitempty"`
 }
 
 // FeatureStoreServices defines the desired feast service deployments. ephemeral registry is deployed by default.
@@ -263,6 +267,23 @@ type OptionalConfigs struct {
 	Resources       *corev1.ResourceRequirements `json:"resources,omitempty"`
 }
 
+// AuthzConfig defines the authorization settings for the deployed Feast services.
+type AuthzConfig struct {
+	KubernetesAuthz *KubernetesAuthz `json:"kubernetes,omitempty"`
+}
+
+// KubernetesAuthz provides a way to define the authorization settings using Kubernetes RBAC resources.
+// https://kubernetes.io/docs/reference/access-authn-authz/rbac/
+type KubernetesAuthz struct {
+	// The Kubernetes RBAC roles to be deployed in the same namespace of the FeatureStore.
+	// Roles are managed by the operator and created with an empty list of rules.
+	// See the Feast permission model at https://docs.feast.dev/getting-started/concepts/permission
+	// The feature store admin is not obligated to manage roles using the Feast operator, roles can be managed independently.
+	// This configuration option is only providing a way to automate this procedure.
+	// Important note: the operator cannot ensure that these roles will match the ones used in the configured Feast permissions.
+	Roles []string `json:"roles,omitempty"`
+}
+
 // FeatureStoreStatus defines the observed state of FeatureStore
 type FeatureStoreStatus struct {
 	// Shows the currently applied feast configuration, including any pertinent defaults

infra/feast-operator/config/crd/bases/feast.dev_featurestores.yaml

@@ -48,6 +48,28 @@ spec:
           spec:
             description: FeatureStoreSpec defines the desired state of FeatureStore
             properties:
+              authz:
+                description: AuthzConfig defines the authorization settings for the
+                  deployed Feast services.
+                properties:
+                  kubernetes:
+                    description: |-
+                      KubernetesAuthz provides a way to define the authorization settings using Kubernetes RBAC resources.
+                      https://kubernetes.io/docs/reference/access-authn-authz/rbac/
+                    properties:
+                      roles:
+                        description: |-
+                          The Kubernetes RBAC roles to be deployed in the same namespace of the FeatureStore.
+                          Roles are managed by the operator and created with an empty list of rules.
+                          See the Feast permission model at https://docs.feast.dev/getting-started/concepts/permission
+                          The feature store admin is not obligated to manage roles using the Feast operator, roles can be managed independently.
+                          This configuration option is only providing a way to automate this procedure.
+                          Important note: the operator cannot ensure that these roles will match the ones used in the configured Feast permissions.
+                        items:
+                          type: string
+                        type: array
+                    type: object
+                type: object
               feastProject:
                 description: FeastProject is the Feast project id. This can be any
                   alphanumeric string with underscores, but it cannot start with an
@@ -1048,6 +1070,28 @@ spec:
                 description: Shows the currently applied feast configuration, including
                   any pertinent defaults
                 properties:
+                  authz:
+                    description: AuthzConfig defines the authorization settings for
+                      the deployed Feast services.
+                    properties:
+                      kubernetes:
+                        description: |-
+                          KubernetesAuthz provides a way to define the authorization settings using Kubernetes RBAC resources.
+                          https://kubernetes.io/docs/reference/access-authn-authz/rbac/
+                        properties:
+                          roles:
+                            description: |-
+                              The Kubernetes RBAC roles to be deployed in the same namespace of the FeatureStore.
+                              Roles are managed by the operator and created with an empty list of rules.
+                              See the Feast permission model at https://docs.feast.dev/getting-started/concepts/permission
+                              The feature store admin is not obligated to manage roles using the Feast operator, roles can be managed independently.
+                              This configuration option is only providing a way to automate this procedure.
+                              Important note: the operator cannot ensure that these roles will match the ones used in the configured Feast permissions.
+                            items:
+                              type: string
+                            type: array
+                        type: object
+                    type: object
                   feastProject:
                     description: FeastProject is the Feast project id. This can be
                       any alphanumeric string with underscores, but it cannot start

infra/feast-operator/config/rbac/role.yaml

@@ -62,3 +62,14 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - roles
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - update
+  - watch

infra/feast-operator/config/samples/v1alpha1_featurestore_all_services_default.yaml

@@ -0,0 +1,14 @@
+apiVersion: feast.dev/v1alpha1
+kind: FeatureStore
+metadata:
+  name: sample-all-default
+spec:
+  feastProject: my_project
+  services:
+    onlineStore:
+      image: 'feastdev/feature-server:0.40.0'
+    offlineStore:
+      image: 'feastdev/feature-server:0.40.0'
+    registry:
+      local:
+        image: 'feastdev/feature-server:0.40.0'

infra/feast-operator/config/samples/v1alpha1_featurestore_kubernetes_auth.yaml

@@ -0,0 +1,25 @@
+apiVersion: feast.dev/v1alpha1
+kind: FeatureStore
+metadata:
+  name: sample-kubernetes-auth
+spec:
+  feastProject: my_project
+  services:
+    onlineStore:
+      persistence:
+        file:
+          path: /data/online_store.db
+    offlineStore:
+      persistence:
+        file:
+          type: dask
+    registry:
+      local:
+        persistence:
+          file:
+            path: /data/registry.db
+  authz:
+    kubernetes:
+      roles:
+        - reader
+        - writer

infra/feast-operator/dist/install.yaml

@@ -56,6 +56,28 @@ spec:
           spec:
             description: FeatureStoreSpec defines the desired state of FeatureStore
             properties:
+              authz:
+                description: AuthzConfig defines the authorization settings for the
+                  deployed Feast services.
+                properties:
+                  kubernetes:
+                    description: |-
+                      KubernetesAuthz provides a way to define the authorization settings using Kubernetes RBAC resources.
+                      https://kubernetes.io/docs/reference/access-authn-authz/rbac/
+                    properties:
+                      roles:
+                        description: |-
+                          The Kubernetes RBAC roles to be deployed in the same namespace of the FeatureStore.
+                          Roles are managed by the operator and created with an empty list of rules.
+                          See the Feast permission model at https://docs.feast.dev/getting-started/concepts/permission
+                          The feature store admin is not obligated to manage roles using the Feast operator, roles can be managed independently.
+                          This configuration option is only providing a way to automate this procedure.
+                          Important note: the operator cannot ensure that these roles will match the ones used in the configured Feast permissions.
+                        items:
+                          type: string
+                        type: array
+                    type: object
+                type: object
               feastProject:
                 description: FeastProject is the Feast project id. This can be any
                   alphanumeric string with underscores, but it cannot start with an
@@ -1056,6 +1078,28 @@ spec:
                 description: Shows the currently applied feast configuration, including
                   any pertinent defaults
                 properties:
+                  authz:
+                    description: AuthzConfig defines the authorization settings for
+                      the deployed Feast services.
+                    properties:
+                      kubernetes:
+                        description: |-
+                          KubernetesAuthz provides a way to define the authorization settings using Kubernetes RBAC resources.
+                          https://kubernetes.io/docs/reference/access-authn-authz/rbac/
+                        properties:
+                          roles:
+                            description: |-
+                              The Kubernetes RBAC roles to be deployed in the same namespace of the FeatureStore.
+                              Roles are managed by the operator and created with an empty list of rules.
+                              See the Feast permission model at https://docs.feast.dev/getting-started/concepts/permission
+                              The feature store admin is not obligated to manage roles using the Feast operator, roles can be managed independently.
+                              This configuration option is only providing a way to automate this procedure.
+                              Important note: the operator cannot ensure that these roles will match the ones used in the configured Feast permissions.
+                            items:
+                              type: string
+                            type: array
+                        type: object
+                    type: object
                   feastProject:
                     description: FeastProject is the Feast project id. This can be
                       any alphanumeric string with underscores, but it cannot start
@@ -2324,6 +2368,17 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - roles
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - update
+  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole