diff --git a/docs/how-to-guides/starting-feast-servers-tls-mode.md b/docs/how-to-guides/starting-feast-servers-tls-mode.md index e1ddbc08be..f5075fdab3 100644 --- a/docs/how-to-guides/starting-feast-servers-tls-mode.md +++ b/docs/how-to-guides/starting-feast-servers-tls-mode.md @@ -189,3 +189,8 @@ INFO: Waiting for application startup. INFO: Application startup complete. INFO: Uvicorn running on https://0.0.0.0:8888 (Press CTRL+C to quit) ``` + + +## Adding public key to CA trust store and configuring the feast to use the trust store. +You can pass the public key for SSL verification using `cert` parameter, however, it is sometimes a hassle to maintain individual certificate and pass the public certificate individually. +The alternate recommendation is to add the public certificate to CA trust store and set the path as environment variable `FEAST_CA_CERT_FILE_PATH`. Feast will refer the trust store path set as environment variable as `FEAST_CA_CERT_FILE_PATH` \ No newline at end of file diff --git a/sdk/python/feast/cli.py b/sdk/python/feast/cli.py index 56c5752ed8..165677a843 100644 --- a/sdk/python/feast/cli.py +++ b/sdk/python/feast/cli.py @@ -865,6 +865,7 @@ def materialize_incremental_command(ctx: click.Context, end_ts: str, views: List "cassandra", "hazelcast", "ikv", + "couchbase", ], case_sensitive=False, ), diff --git a/sdk/python/feast/infra/registry/remote.py b/sdk/python/feast/infra/registry/remote.py index f9177aeb24..c654a008aa 100644 --- a/sdk/python/feast/infra/registry/remote.py +++ b/sdk/python/feast/infra/registry/remote.py @@ -61,8 +61,9 @@ class RemoteRegistryConfig(RegistryConfig): If registry_type is 'remote', then this configuration is needed to connect to remote registry server in TLS mode. If the remote registry started in non-tls mode then this configuration is not needed.""" is_tls: bool = False - """ str: Path to the public certificate when the registry server starts in TLS(SSL) mode. This may be needed if the registry server started with a self-signed certificate, typically this file ends with `*.crt`, `*.cer`, or `*.pem`. - If registry_type is 'remote', then this configuration is needed to connect to remote registry server in TLS mode. If the remote registry started in non-tls mode then this configuration is not needed.""" + """ bool: if you are planning to connect the registry server which started in TLS(SSL) mode then this should be true. + If you are planning to add the public certificate as part of the trust store instead of passing it as a `cert` parameters then setting this field to `true` is a mandatory. + """ class RemoteRegistry(BaseRegistry): @@ -75,8 +76,6 @@ def __init__( ): self.auth_config = auth_config assert isinstance(registry_config, RemoteRegistryConfig) - # self.channel = create_tls_channel(registry_config) - self.channel = self._create_grpc_channel(registry_config) auth_header_interceptor = GrpcClientAuthHeaderInterceptor(auth_config) diff --git a/sdk/python/tests/conftest.py b/sdk/python/tests/conftest.py index 443926404f..6e5f1e1487 100644 --- a/sdk/python/tests/conftest.py +++ b/sdk/python/tests/conftest.py @@ -521,8 +521,6 @@ def auth_config(request, is_integration_test): @pytest.fixture(scope="module") def tls_mode(request): is_tls_mode = request.param[0] - # remove any existing environment variables if there are any - # clear_previous_cert_env_vars() output_combined_truststore_path = "" if is_tls_mode: diff --git a/sdk/python/tests/unit/permissions/auth/server/test_auth_registry_server.py b/sdk/python/tests/unit/permissions/auth/server/test_auth_registry_server.py index f67da3b4d3..0395f99541 100644 --- a/sdk/python/tests/unit/permissions/auth/server/test_auth_registry_server.py +++ b/sdk/python/tests/unit/permissions/auth/server/test_auth_registry_server.py @@ -46,8 +46,6 @@ def start_registry_server( is_tls_mode, tls_key_path, tls_cert_path, tls_ca_file_path = tls_mode if is_tls_mode: - # configure_ssl_ca(ca_file_path=tls_ca_file_path) - # Setting the ca_trust_store_path environment variables. print(f"Starting Registry in TLS mode at {server_port}") server = start_server( store=feature_store, diff --git a/sdk/python/tests/utils/ssl_certifcates_util.py b/sdk/python/tests/utils/ssl_certifcates_util.py index e8dc0a483e..53a56e04f3 100644 --- a/sdk/python/tests/utils/ssl_certifcates_util.py +++ b/sdk/python/tests/utils/ssl_certifcates_util.py @@ -83,30 +83,6 @@ def generate_self_signed_cert( ) -def clear_previous_cert_env_vars(): - """ - Clear SSL_CERT_FILE and REQUESTS_CA_BUNDLE environment variables if they match FEAST_CA_CERT_FILE_PATH. - """ - # Fetch FEAST_CA_CERT_FILE_PATH value - feast_ca_cert_file_path = os.environ.get("FEAST_CA_CERT_FILE_PATH") - - if not feast_ca_cert_file_path: - print("FEAST_CA_CERT_FILE_PATH is not set. Skipping cleanup.") - return - - print(f"FEAST_CA_CERT_FILE_PATH: {feast_ca_cert_file_path}") - env_vars_to_check = ["SSL_CERT_FILE", "REQUESTS_CA_BUNDLE"] - - # Compare and clear the environment variables - for var in env_vars_to_check: - env_value = os.environ.get(var) - if env_value and env_value == feast_ca_cert_file_path: - del os.environ[var] - print(f"Cleared environment variable: {var}") - else: - print(f"Skipped clearing {var}. Current value: {env_value}") - - def create_ca_trust_store( public_key_path: str, private_key_path: str, output_trust_store_path: str ): @@ -124,7 +100,6 @@ def create_ca_trust_store( "REQUESTS_CA_BUNDLE" ) - # Step 2: Copy the existing trust store to the new location (if it exists) # Step 2: Copy the existing trust store to the new location (if it exists) if existing_trust_store and os.path.exists(existing_trust_store): shutil.copy(existing_trust_store, output_trust_store_path) @@ -192,7 +167,8 @@ def combine_trust_stores(custom_cert_path: str, output_combined_path: str): with open(custom_cert_path, "rb") as custom_file: combined_file.write(custom_file.read()) - print(f"Combined trust store created at: {output_combined_path}") + logger.info(f"Combined trust store created at: {output_combined_path}") except Exception as e: - print(f"Error combining trust stores: {e}") + logger.error(f"Error combining trust stores: {e}") + raise e