@@ -676,14 +676,20 @@ func (feast *FeastServices) setService(svc *corev1.Service, feastType FeastServi
676676 restEnabled := feast .isRegistryRestEnabled ()
677677
678678 if grpcEnabled && restEnabled {
679- // Both services enabled: Use gRPC service name as primary, add REST as SAN
680- grpcSvcName := feast .initFeastSvc (RegistryFeastType ).Name
681- svc .Annotations ["service.beta.openshift.io/serving-cert-secret-name" ] = grpcSvcName + tlsNameSuffix
682-
683- // Add Subject Alternative Names (SANs) for both services
684- grpcHostname := grpcSvcName + "." + svc .Namespace + ".svc.cluster.local"
685- restHostname := feast .GetFeastRestServiceName (RegistryFeastType ) + "." + svc .Namespace + ".svc.cluster.local"
686- svc .Annotations ["service.beta.openshift.io/serving-cert-sans" ] = grpcHostname + "," + restHostname
679+ // Both services enabled: Only set TLS annotation on gRPC service to ensure
680+ // OpenShift creates certificate with gRPC service name as CN (not REST service name)
681+ // The certificate will include both hostnames as SANs
682+ if ! isRestService {
683+ grpcSvcName := feast .initFeastSvc (RegistryFeastType ).Name
684+ svc .Annotations ["service.beta.openshift.io/serving-cert-secret-name" ] = grpcSvcName + tlsNameSuffix
685+
686+ // Add Subject Alternative Names (SANs) for both services
687+ grpcHostname := grpcSvcName + "." + svc .Namespace + ".svc.cluster.local"
688+ restHostname := feast .GetFeastRestServiceName (RegistryFeastType ) + "." + svc .Namespace + ".svc.cluster.local"
689+ svc .Annotations ["service.beta.openshift.io/serving-cert-sans" ] = grpcHostname + "," + restHostname
690+ }
691+ // REST service should not have the annotation - it will use the same certificate
692+ // from the gRPC service secret (mounted in the pod)
687693 } else if grpcEnabled && ! restEnabled {
688694 // Only gRPC enabled: Use gRPC service name
689695 grpcSvcName := feast .initFeastSvc (RegistryFeastType ).Name
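Review bot: In the both-enabled branch the new `if !isRestService` guard only skips writing the annotations for the REST Service; nothing clears a `service.beta.openshift.io/serving-cert-secret-name` annotation it may already carry from an earlier REST-only reconcile. If `svc.Annotations` is not rebuilt earlier in `setService` (outside this hunk), the REST Service would keep a second serving certificate and secret that nothing mounts or tracks. Consider an explicit `else { delete(svc.Annotations, "service.beta.openshift.io/serving-cert-secret-name") }`. Separately, the comment "The certificate will include both hostnames as SANs" depends on the `serving-cert-sans` annotation being honoured by the certificate issuer, which the hunk cannot show. A test asserting that the REST hostname appears in the issued certificate would catch a mismatch before clients fail hostname verification or are configured to skip it.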