Starting Feast servers in TLS(SSL) Mode
TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are both protocols encrypts communications between a client and server to provide enhanced security.TLS or SSL words used interchangeably. This article is going to show the sample code to start all the feast servers such as online server, offline server, registry server and UI server in TLS mode. Also show examples related to feast clients to communicate with the feast servers started in TLS mode.
We assume you have basic understanding of feast terminology before going through this tutorial, if you are new to feast then we would recommend to go through existing starter tutorials of feast.
Obtaining a self-signed TLS certificate and key
In development mode we can generate a self-signed certificate for testing. In an actual production environment it is always recommended to get it from a trusted TLS certificate provider.
The above command will generate two files
key.pem
: certificate private keycert.pem
: certificate public key
You can use the public or private keys generated from above command in the rest of the sections in this tutorial.
Create the feast demo repo for the rest of the sections.
Create a feast repo and initialize using feast init
and feast apply
command and use this repo as a demo for subsequent sections.
You need to execute the feast cli commands from feast_repo_ssl_demo/feature_repo
directory created from the above feast init
command.
Starting feast online server (feature server) in TLS mode
To start the feature server in TLS mode, you need to provide the private and public keys using the --key
and --cert
arguments with the feast serve
command.
You will see the output something similar to as below. Note the server url starts in the https
mode.
Feast client connecting to remote online sever started in TLS mode.
Sometimes you may need to pass the self-signed public key to connect to the remote online server started in SSL mode if you have not added the public key to the certificate store.
feast client example: The registry is pointing to registry of remote feature store. If it is not accessible then should be configured to use remote registry.
cert
is an optional configuration to the public certificate path when the online server starts in TLS(SSL) mode. Typically, this file ends with *.crt
, *.cer
, or *.pem
.
Starting feast Registry server in TLS mode
To start the feature server in TLS mode, you need to provide the private and public keys using the --key
and --cert
arguments with the feast serve_registry
command.
You will see the output something similar to as below. Note the server url starts in the https
mode.
Feast client connecting to remote registry sever started in TLS mode.
Sometimes you may need to pass the self-signed public key to connect to the remote registry server started in SSL mode if you have not added the public key to the certificate store.
feast client example:
cert
is an optional configuration to the public certificate path when the registry server starts in TLS(SSL) mode. Typically, this file ends with *.crt
, *.cer
, or *.pem
.
Starting feast offline server in TLS mode
To start the offline server in TLS mode, you need to provide the private and public keys using the --key
and --cert
arguments with the feast serve_offline
command.
You will see the output something similar to as below. Note the server url starts in the https
mode.
Feast client connecting to remote offline sever started in TLS mode.
Sometimes you may need to pass the self-signed public key to connect to the remote registry server started in SSL mode if you have not added the public key to the certificate store. You have to add scheme
to https
.
feast client example:
cert
is an optional configuration to the public certificate path when the registry server starts in TLS(SSL) mode. Typically, this file ends with *.crt
, *.cer
, or *.pem
. scheme
should be https
. By default, it will be http
so you have to explicitly configure to https
if you are planning to connect to remote offline server which is started in TLS mode.
Starting feast UI server (react app) in TLS mode
To start the feast UI server in TLS mode, you need to provide the private and public keys using the --key
and --cert
arguments with the feast ui
command.
You will see the output something similar to as below. Note the server url starts in the https
mode.
Adding public key to CA trust store and configuring the feast to use the trust store.
You can pass the public key for SSL verification using the cert
parameter, however, it is sometimes difficult to maintain individual certificates and pass them individually. The alternative recommendation is to add the public certificate to CA trust store and set the path as an environment variable (e.g., FEAST_CA_CERT_FILE_PATH
). Feast will use the trust store path in the FEAST_CA_CERT_FILE_PATH
environment variable.
Last updated