Skip to content

feat: Apply Intermediate TLS defaults on API fallback and handle transient errors#6587

Open
ugiordan wants to merge 1 commit into
feast-dev:masterfrom
ugiordan:feat/tls-intermediate-fallback
Open

feat: Apply Intermediate TLS defaults on API fallback and handle transient errors#6587
ugiordan wants to merge 1 commit into
feast-dev:masterfrom
ugiordan:feat/tls-intermediate-fallback

Conversation

@ugiordan

@ugiordan ugiordan commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

What this PR does / why we need it:

Follow-up to #6567. Fixes two issues in the TLS profile integration:

  1. Else-only pattern: NewTLSConfigFromProfile was only called in the success branch of the TLS profile fetch. On any error path (non-OpenShift cluster, resource not found), no TLS config was applied, leaving the operator running with Go's bare defaults (no MinVersion, no cipher restrictions). This PR moves NewTLSConfigFromProfile outside the if/else and explicitly falls back to configv1.TLSProfiles[TLSProfileIntermediateType] on all error paths.

  2. No transient error handling: The error switch only handled IsNotFound and IsNoMatchError. Transient API errors (ServiceUnavailable, Timeout, TooManyRequests) hit the default case and crashed the operator with os.Exit(1). This PR adds a dedicated case for these errors with a graceful Intermediate fallback. tlsProfileFetched is set to true so the SecurityProfileWatcher self-heals when the API recovers.

Additionally:

  • Adds a 10-second context timeout on bootstrap API calls (previously used context.Background() with no deadline).
  • Applies the same transient error handling to the TLS adherence policy fetch.

Which issue(s) this PR fixes:

Follow-up to #6567.

Checks

  • I've made sure the tests are passing.
  • My commits are signed off (git commit -s)
  • My PR title follows conventional commits format

Testing Strategy

  • Manual tests
  • Testing is not required for this change

Misc

The operator Go module builds cleanly with go build ./... from infra/feast-operator/.

@ugiordan ugiordan requested a review from a team as a code owner July 7, 2026 15:55
@ugiordan ugiordan force-pushed the feat/tls-intermediate-fallback branch 3 times, most recently from 429ac39 to 846c5a6 Compare July 7, 2026 16:16
…sient errors

Follow-up to feast-dev#6567. Two fixes:

1. Move NewTLSConfigFromProfile outside the if/else so it runs on all
   code paths. Previously, error paths skipped TLS configuration entirely,
   leaving the operator running with Go's bare defaults (no MinVersion,
   no cipher restrictions). Now all error paths explicitly fall back to
   the Intermediate TLS profile.

2. Handle transient API errors (ServiceUnavailable, Timeout,
   TooManyRequests) gracefully instead of crashing with os.Exit(1).
   These set tlsProfileFetched=true so the SecurityProfileWatcher
   self-heals when the API recovers.

Also adds a 10-second context timeout on bootstrap API calls and applies
the same transient error handling to the TLS adherence policy fetch.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Ugo Giordano <ugiordan@redhat.com>
@ugiordan ugiordan force-pushed the feat/tls-intermediate-fallback branch from 846c5a6 to 60296ac Compare July 7, 2026 16:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant