From 818a03167c76e4b32d8b22771851fbb18b79efe5 Mon Sep 17 00:00:00 2001
From: ntkathole
Date: Thu, 6 Nov 2025 18:58:35 +0530
Subject: [PATCH] fix: Set TLS certificate annotation only on gRPC service
Signed-off-by: ntkathole
---
.../internal/controller/services/services.go | 22 ++++++++++++-------
1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/infra/feast-operator/internal/controller/services/services.go b/infra/feast-operator/internal/controller/services/services.go
index 3b14f9c49db..6f2fa243ea5 100644
--- a/infra/feast-operator/internal/controller/services/services.go
+++ b/infra/feast-operator/internal/controller/services/services.go
@@ -676,14 +676,20 @@ func (feast *FeastServices) setService(svc *corev1.Service, feastType FeastServi
 restEnabled := feast.isRegistryRestEnabled()
 if grpcEnabled && restEnabled {
- // Both services enabled: Use gRPC service name as primary, add REST as SAN
- grpcSvcName := feast.initFeastSvc(RegistryFeastType).Name
- svc.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = grpcSvcName + tlsNameSuffix
-
- // Add Subject Alternative Names (SANs) for both services
- grpcHostname := grpcSvcName + "." + svc.Namespace + ".svc.cluster.local"
- restHostname := feast.GetFeastRestServiceName(RegistryFeastType) + "." + svc.Namespace + ".svc.cluster.local"
- svc.Annotations["service.beta.openshift.io/serving-cert-sans"] = grpcHostname + "," + restHostname
+ // Both services enabled: Only set TLS annotation on gRPC service to ensure
+ // OpenShift creates certificate with gRPC service name as CN (not REST service name)
+ // The certificate will include both hostnames as SANs
+ if !isRestService {
+ grpcSvcName := feast.initFeastSvc(RegistryFeastType).Name
+ svc.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = grpcSvcName + tlsNameSuffix
+
+ // Add Subject Alternative Names (SANs) for both services
+ grpcHostname := grpcSvcName + "." + svc.Namespace + ".svc.cluster.local"
+ restHostname := feast.GetFeastRestServiceName(RegistryFeastType) + "." + svc.Namespace + ".svc.cluster.local"
+ svc.Annotations["service.beta.openshift.io/serving-cert-sans"] = grpcHostname + "," + restHostname
+ }
+ // REST service should not have the annotation - it will use the same certificate
+ // from the gRPC service secret (mounted in the pod)
 } else if grpcEnabled && !restEnabled {
 // Only gRPC enabled: Use gRPC service name
 grpcSvcName := feast.initFeastSvc(RegistryFeastType).Name
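Review bot: In the `grpcEnabled && restEnabled` branch the REST path only skips writing the two serving-cert annotations; it never removes ones that an earlier reconcile already put on the REST Service. Unless `setService` rebuilds `svc.Annotations` outside this hunk (its body starts and ends beyond it), an upgraded cluster can keep both Services pointing at the same secret name, which appears to be the conflict this commit is meant to end. I would add an `else` arm to `if !isRestService` with `delete(svc.Annotations, "service.beta.openshift.io/serving-cert-secret-name")` and `delete(svc.Annotations, "service.beta.openshift.io/serving-cert-sans")`. TLS hostname verification for REST clients now rests entirely on the SAN list written on the gRPC Service, so a controller test should assert that the REST Service carries neither annotation and that the gRPC Service's `serving-cert-sans` value contains the REST hostname.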