init container needs the same TLS volume mounts as the main container when using TLS-enabled remote registries #6197

@ntkathole

Expected Behavior

The feast-apply init container should have the registry-tls volume mounted at /tls/registry/ so it can read the CA certificate and establish a TLS connection to the remote registry.

Current Behavior

When a FeatureStore CR is configured with a remote registry that has TLS enabled (spec.services.registry.remote.tls), the feast-apply init container fails with a FileNotFoundError because the TLS CA certificate volume is not mounted in the init container.

The operator correctly:

  • Generates the feature_store.yaml with cert: /tls/registry/ for the remote registry
  • Creates a registry-tls volume from the referenced ConfigMap
  • Mounts the volume in the main online container at /tls/registry/

But it does not mount the registry-tls volume in the feast-apply init container, which also needs to connect to the remote registry over gRPC+TLS to run feast apply.

Steps to reproduce

  1. Create a FeatureStore with a local registry serving over gRPC+TLS:
apiVersion: feast.dev/v1
kind: FeatureStore
metadata:
  name: test
  namespace: feast-test
spec:
  feastProject: test
  services:
    onlineStore: {}
    registry:
      local:
        server:
          grpc: true
          restAPI: true
  2. Create a second FeatureStore that uses the first one's registry as a remote registry with TLS:
apiVersion: feast.dev/v1
kind: FeatureStore
metadata:
  name: test1
  namespace: feast-test
spec:
  feastProject: test1
  services:
    onlineStore: {}
    registry:
      remote:
        hostname: feast-test-registry.feast-test.svc.cluster.local:443
        tls:
          certName: service-ca.crt
          configMapRef:
            name: feast-test-client-ca
  3. Observe the feast-test1 pod stuck in Init:CrashLoopBackOff.

Specifications

  • Version:
  • Platform:
  • Subsystem:

Possible Solution

When building the deployment spec, add the registry-tls volume mount to the feast-apply (and potentially feast-init) init containers when a remote registry with TLS is configured. The init containers need the same TLS volume mounts as the main container to connect to TLS-enabled services.
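
A sketch of the fix proposed above, as an added example that is not the Feast operator's code: it copies the main container's registry-tls mount onto every init container that lacks it and returns the names of the containers it patched. The struct types are simplified stand-ins for the Kubernetes corev1 types, and the container name "online" and the read-only flag are assumptions; the volume name, mount path and init container names come from this issue.

```go
package main

import "fmt"

// Simplified stand-ins for corev1.VolumeMount / corev1.Container (assumption:
// the real operator uses the k8s.io/api types, which are not imported here).
type VolumeMount struct {
	Name      string
	MountPath string
	ReadOnly  bool
}

type Container struct {
	Name         string
	VolumeMounts []VolumeMount
}

// findMount returns the mount with the given volume name, if present.
func findMount(c Container, volume string) (VolumeMount, bool) {
	for _, m := range c.VolumeMounts {
		if m.Name == volume {
			return m, true
		}
	}
	return VolumeMount{}, false
}

// SyncTLSMount copies the named volume mount from the main container to every
// init container that lacks it, and returns the names of the patched ones.
func SyncTLSMount(main Container, inits []Container, volume string) []string {
	src, ok := findMount(main, volume)
	if !ok {
		return nil // main container has no such mount: no TLS to propagate
	}
	var patched []string
	for i := range inits {
		if _, has := findMount(inits[i], volume); !has {
			inits[i].VolumeMounts = append(inits[i].VolumeMounts, src)
			patched = append(patched, inits[i].Name)
		}
	}
	return patched
}

func main() {
	// Constructed sample mirroring the pod described in this issue.
	online := Container{Name: "online", VolumeMounts: []VolumeMount{{"registry-tls", "/tls/registry/", true}}}
	inits := []Container{{Name: "feast-init"}, {Name: "feast-apply"}}
	fmt.Println(SyncTLSMount(online, inits, "registry-tls")) // [feast-init feast-apply]
}
```

The same function works as a regression check in a unit test: after the deployment spec is built, a second call should return an empty result.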
