Added Mtls patch

(cherry picked from commit de2de96fc88022df783b637ccb145d1d73ba66ff)

Review changes

Author: Bobbins228

config/rbac/role.yaml

@@ -17,6 +17,12 @@ rules:
   - subjectaccessreviews
   verbs:
   - create
+- apiGroups:
+  - config.openshift.io
+  resources:
+  - ingresses
+  verbs:
+  - get
 - apiGroups:
   - ""
   resources:

main.go

@@ -47,6 +47,7 @@ import (
 	"sigs.k8s.io/yaml"
 
 	routev1 "github.com/openshift/api/route/v1"
+	clientset "github.com/openshift/client-go/config/clientset/versioned"
 
 	"github.com/project-codeflare/codeflare-operator/pkg/config"
 	"github.com/project-codeflare/codeflare-operator/pkg/controllers"
@@ -72,6 +73,8 @@ func init() {
 	utilruntime.Must(routev1.Install(scheme))
 }
 
+// +kubebuilder:rbac:groups=config.openshift.io,resources=ingresses,verbs=get;
+
 func main() {
 	var configMapName string
 	flag.StringVar(&configMapName, "config", "codeflare-operator-config",
@@ -116,6 +119,7 @@ func main() {
 		KubeRay: &config.KubeRayConfiguration{
 			RayDashboardOAuthEnabled: pointer.Bool(true),
 			IngressDomain:            "",
+			MTLSEnabled:              pointer.Bool(true),
 		},
 	}
 
@@ -150,6 +154,12 @@ func main() {
 	OpenShift := isOpenShift(ctx, kubeClient.DiscoveryClient)
 
 	if OpenShift {
+		if cfg.KubeRay.IngressDomain == "" {
+			configClient, err := clientset.NewForConfig(kubeConfig)
+			exitOnError(err, "unable to create Route Client Set")
+			cfg.KubeRay.IngressDomain, err = getClusterDomain(ctx, configClient)
+			exitOnError(err, cfg.KubeRay.IngressDomain)
+		}
 		// TODO: setup the RayCluster webhook on vanilla Kubernetes
 		exitOnError(controllers.SetupRayClusterWebhookWithManager(mgr, cfg.KubeRay), "error setting up RayCluster webhook")
 	}
@@ -274,3 +284,17 @@ func isOpenShift(ctx context.Context, dc discovery.DiscoveryInterface) bool {
 	logger.Info("We detected being on Vanilla Kubernetes!")
 	return false
 }
+
+func getClusterDomain(ctx context.Context, configClient *clientset.Clientset) (string, error) {
+	ingress, err := configClient.ConfigV1().Ingresses().Get(ctx, "cluster", metav1.GetOptions{})
+	if err != nil {
+		return "", fmt.Errorf("failed to get Ingress object: %v", err)
+	}
+
+	domain := ingress.Spec.Domain
+	if domain == "" {
+		return "", fmt.Errorf("domain is not set in the Ingress object")
+	}
+
+	return domain, nil
+}

pkg/config/config.go

@@ -35,6 +35,8 @@ type KubeRayConfiguration struct {
 	RayDashboardOAuthEnabled *bool `json:"rayDashboardOAuthEnabled,omitempty"`
 
 	IngressDomain string `json:"ingressDomain"`
+
+	MTLSEnabled *bool `json:"mTLSEnabled,omitempty"`
 }
 
 type ControllerManager struct {

pkg/controllers/raycluster_webhook.go

@@ -61,88 +61,54 @@ var _ webhook.CustomValidator = &rayClusterWebhook{}
 func (w *rayClusterWebhook) Default(ctx context.Context, obj runtime.Object) error {
 	rayCluster := obj.(*rayv1.RayCluster)
 
-	if !pointer.BoolDeref(w.Config.RayDashboardOAuthEnabled, true) {
-		return nil
+	oauthExists := false
+	initHeadExists := false
+	initWorkerExists := false
+
+	// Check for the create-cert Init Containers
+	for _, container := range rayCluster.Spec.HeadGroupSpec.Template.Spec.InitContainers {
+		if container.Name == "create-cert" {
+			rayclusterlog.V(2).Info("Head Init Containers already exist, no patch needed")
+			initHeadExists = true
+			break // exits the for loop
+		}
+	}
+	// Check fot the create-cert Init Container WorkerGroupSpec
+	for _, container := range rayCluster.Spec.WorkerGroupSpecs[0].Template.Spec.InitContainers {
+		if container.Name == "create-cert" {
+			rayclusterlog.V(2).Info("Worker Init Containers already exist, no patch needed")
+			initWorkerExists = true
+			break // exits the for loop
+		}
 	}
 
 	// Check and add OAuth proxy if it does not exist
 	for _, container := range rayCluster.Spec.HeadGroupSpec.Template.Spec.Containers {
 		if container.Name == "oauth-proxy" {
 			rayclusterlog.V(2).Info("OAuth sidecar already exists, no patch needed")
-			return nil
+			oauthExists = true
 		}
 	}
 
-	rayclusterlog.V(2).Info("Adding OAuth sidecar container")
-
-	newOAuthSidecar := corev1.Container{
-		Name:  "oauth-proxy",
-		Image: "registry.redhat.io/openshift4/ose-oauth-proxy@sha256:1ea6a01bf3e63cdcf125c6064cbd4a4a270deaf0f157b3eabb78f60556840366",
-		Ports: []corev1.ContainerPort{
-			{ContainerPort: 8443, Name: "oauth-proxy"},
-		},
-		Env: []corev1.EnvVar{
-			{
-				Name: "COOKIE_SECRET",
-				ValueFrom: &corev1.EnvVarSource{
-					SecretKeyRef: &corev1.SecretKeySelector{
-						LocalObjectReference: corev1.LocalObjectReference{
-							Name: rayCluster.Name + "-oauth-config",
-						},
-						Key: "cookie_secret",
-					},
-				},
-			},
-		},
-		Args: []string{
-			"--https-address=:8443",
-			"--provider=openshift",
-			"--openshift-service-account=" + rayCluster.Name + "-oauth-proxy",
-			"--upstream=http://localhost:8265",
-			"--tls-cert=/etc/tls/private/tls.crt",
-			"--tls-key=/etc/tls/private/tls.key",
-			"--cookie-secret=$(COOKIE_SECRET)",
-			"--openshift-delegate-urls={\"/\":{\"resource\":\"pods\",\"namespace\":\"default\",\"verb\":\"get\"}}",
-		},
-		VolumeMounts: []corev1.VolumeMount{
-			{
-				Name:      "proxy-tls-secret",
-				MountPath: "/etc/tls/private",
-				ReadOnly:  true,
-			},
-		},
-	}
-
-	rayCluster.Spec.HeadGroupSpec.Template.Spec.Containers = append(rayCluster.Spec.HeadGroupSpec.Template.Spec.Containers, newOAuthSidecar)
-
-	tlsSecretVolume := corev1.Volume{
-		Name: "proxy-tls-secret",
-		VolumeSource: corev1.VolumeSource{
-			Secret: &corev1.SecretVolumeSource{
-				SecretName: rayCluster.Name + "-proxy-tls-secret",
-			},
-		},
+	if pointer.BoolDeref(w.Config.RayDashboardOAuthEnabled, true) {
+		oauthPatch(rayCluster, oauthExists)
 	}
-
-	rayCluster.Spec.HeadGroupSpec.Template.Spec.Volumes = append(rayCluster.Spec.HeadGroupSpec.Template.Spec.Volumes, tlsSecretVolume)
-
-	// Ensure the service account is set
-	if rayCluster.Spec.HeadGroupSpec.Template.Spec.ServiceAccountName == "" {
-		rayCluster.Spec.HeadGroupSpec.Template.Spec.ServiceAccountName = rayCluster.Name + "-oauth-proxy"
+	if pointer.BoolDeref(w.Config.MTLSEnabled, true) {
+		w.mTLSPatch(rayCluster, initHeadExists, initWorkerExists)
 	}
 
 	return nil
 }
 
 func (w *rayClusterWebhook) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
-	raycluster := obj.(*rayv1.RayCluster)
+	rayCluster := obj.(*rayv1.RayCluster)
 	var warnings admission.Warnings
 	var allErrors field.ErrorList
 	specPath := field.NewPath("spec")
 
-	if pointer.BoolDeref(raycluster.Spec.HeadGroupSpec.EnableIngress, false) {
+	if pointer.BoolDeref(rayCluster.Spec.HeadGroupSpec.EnableIngress, false) {
 		rayclusterlog.Info("Creating RayCluster resources with EnableIngress set to true or unspecified is not allowed")
-		allErrors = append(allErrors, field.Invalid(specPath.Child("headGroupSpec").Child("enableIngress"), raycluster.Spec.HeadGroupSpec.EnableIngress, "creating RayCluster resources with EnableIngress set to true or unspecified is not allowed"))
+		allErrors = append(allErrors, field.Invalid(specPath.Child("headGroupSpec").Child("enableIngress"), rayCluster.Spec.HeadGroupSpec.EnableIngress, "creating RayCluster resources with EnableIngress set to true or unspecified is not allowed"))
 	}
 
 	return warnings, allErrors.ToAggregate()
@@ -162,3 +128,184 @@ func (w *rayClusterWebhook) ValidateDelete(ctx context.Context, obj runtime.Obje
 	// Optional: Add delete validation logic here
 	return nil, nil
 }
+func oauthPatch(rayCluster *rayv1.RayCluster, oauthExists bool) {
+	if !oauthExists {
+		rayclusterlog.V(2).Info("Adding OAuth sidecar container")
+
+		newOAuthSidecar := corev1.Container{
+			Name:  "oauth-proxy",
+			Image: "registry.redhat.io/openshift4/ose-oauth-proxy@sha256:1ea6a01bf3e63cdcf125c6064cbd4a4a270deaf0f157b3eabb78f60556840366",
+			Ports: []corev1.ContainerPort{
+				{ContainerPort: 8443, Name: "oauth-proxy"},
+			},
+			Env: []corev1.EnvVar{
+				{
+					Name: "COOKIE_SECRET",
+					ValueFrom: &corev1.EnvVarSource{
+						SecretKeyRef: &corev1.SecretKeySelector{
+							LocalObjectReference: corev1.LocalObjectReference{
+								Name: rayCluster.Name + "-oauth-config",
+							},
+							Key: "cookie_secret",
+						},
+					},
+				},
+			},
+			Args: []string{
+				"--https-address=:8443",
+				"--provider=openshift",
+				"--openshift-service-account=" + rayCluster.Name + "-oauth-proxy",
+				"--upstream=http://localhost:8265",
+				"--tls-cert=/etc/tls/private/tls.crt",
+				"--tls-key=/etc/tls/private/tls.key",
+				"--cookie-secret=$(COOKIE_SECRET)",
+				"--openshift-delegate-urls={\"/\":{\"resource\":\"pods\",\"namespace\":\"default\",\"verb\":\"get\"}}",
+			},
+			VolumeMounts: []corev1.VolumeMount{
+				{
+					Name:      "proxy-tls-secret",
+					MountPath: "/etc/tls/private",
+					ReadOnly:  true,
+				},
+			},
+		}
+
+		rayCluster.Spec.HeadGroupSpec.Template.Spec.Containers = append(rayCluster.Spec.HeadGroupSpec.Template.Spec.Containers, newOAuthSidecar)
+
+		tlsSecretVolume := corev1.Volume{
+			Name: "proxy-tls-secret",
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName: rayCluster.Name + "-proxy-tls-secret",
+				},
+			},
+		}
+
+		rayCluster.Spec.HeadGroupSpec.Template.Spec.Volumes = append(rayCluster.Spec.HeadGroupSpec.Template.Spec.Volumes, tlsSecretVolume)
+
+		// Ensure the service account is set
+		if rayCluster.Spec.HeadGroupSpec.Template.Spec.ServiceAccountName == "" {
+			rayCluster.Spec.HeadGroupSpec.Template.Spec.ServiceAccountName = rayCluster.Name + "-oauth-proxy"
+		}
+	}
+}
+
+func (w *rayClusterWebhook) mTLSPatch(rayCluster *rayv1.RayCluster, initHeadExists bool, initWorkerExists bool) {
+	rayclusterlog.V(2).Info("creating json patch for RayCluster initContainers")
+
+	// Volume Mounts for the Init Containers
+	key_volumes := []corev1.VolumeMount{
+		{
+			Name:      "ca-vol",
+			MountPath: "/home/ray/workspace/ca",
+			ReadOnly:  true,
+		},
+		{
+			Name:      "server-cert",
+			MountPath: "/home/ray/workspace/tls",
+			ReadOnly:  false,
+		},
+	}
+
+	// Service name for basic interactive
+	svcDomain := rayCluster.Name + "-head-svc." + rayCluster.Namespace + ".svc"
+	// Ca Secret generated by the SDK
+	secretName := `ca-secret-` + rayCluster.Name
+
+	// Env variables for Worker & Head Containers
+	envList := []corev1.EnvVar{
+		{
+			Name: "MY_POD_IP",
+			ValueFrom: &corev1.EnvVarSource{
+				FieldRef: &corev1.ObjectFieldSelector{
+					FieldPath: "status.podIP",
+				},
+			},
+		},
+		{
+			Name:  "RAY_USE_TLS",
+			Value: "1",
+		},
+		{
+			Name:  "RAY_TLS_SERVER_CERT",
+			Value: "/home/ray/workspace/tls/server.crt",
+		},
+		{
+			Name:  "RAY_TLS_SERVER_KEY",
+			Value: "/home/ray/workspace/tls/server.key",
+		},
+		{
+			Name:  "RAY_TLS_CA_CERT",
+			Value: "/home/ray/workspace/tls/ca.crt",
+		},
+	}
+
+	// Volumes for the main container of Head and worker
+	caVolumes := []corev1.Volume{
+		{
+			Name: "ca-vol",
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName: secretName,
+				},
+			},
+		},
+		{
+			Name: "server-cert",
+			VolumeSource: corev1.VolumeSource{
+				EmptyDir: &corev1.EmptyDirVolumeSource{},
+			},
+		},
+	}
+
+	if !initHeadExists {
+		rayClientRoute := "rayclient-" + rayCluster.Name + "-" + rayCluster.Namespace + "." + w.Config.IngressDomain
+		initContainerHead := corev1.Container{
+			Name:  "create-cert",
+			Image: "quay.io/project-codeflare/ray:latest-py39-cu118",
+			Command: []string{
+				"sh",
+				"-c",
+				`cd /home/ray/workspace/tls && openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj '/CN=ray-head' && printf "authorityKeyIdentifier=keyid,issuer\nbasicConstraints=CA:FALSE\nsubjectAltName = @alt_names\n[alt_names]\nDNS.1 = 127.0.0.1\nDNS.2 = localhost\nDNS.3 = ${FQ_RAY_IP}\nDNS.4 = $(awk 'END{print $1}' /etc/hosts)\nDNS.5 = ` + rayClientRoute + `\nDNS.6 = ` + svcDomain + `">./domain.ext && cp /home/ray/workspace/ca/* . && openssl x509 -req -CA ca.crt -CAkey ca.key -in server.csr -out server.crt -days 365 -CAcreateserial -extfile domain.ext`,
+			},
+			VolumeMounts: key_volumes,
+		}
+
+		// Append the list of environment variables for the ray-head container
+		for index, container := range rayCluster.Spec.HeadGroupSpec.Template.Spec.Containers {
+			if container.Name == "ray-head" {
+				rayCluster.Spec.HeadGroupSpec.Template.Spec.Containers[index].Env = append(rayCluster.Spec.HeadGroupSpec.Template.Spec.Containers[index].Env, envList...)
+			}
+		}
+
+		// Append the create-cert Init Container
+		rayCluster.Spec.HeadGroupSpec.Template.Spec.InitContainers = append(rayCluster.Spec.HeadGroupSpec.Template.Spec.InitContainers, initContainerHead)
+
+		// Append the CA volumes
+		rayCluster.Spec.HeadGroupSpec.Template.Spec.Volumes = append(rayCluster.Spec.HeadGroupSpec.Template.Spec.Volumes, caVolumes...)
+	}
+
+	if !initWorkerExists {
+		initContainerWorker := corev1.Container{
+			Name:  "create-cert",
+			Image: "quay.io/project-codeflare/ray:latest-py39-cu118",
+			Command: []string{
+				"sh",
+				"-c",
+				`cd /home/ray/workspace/tls && openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj '/CN=ray-head' && printf "authorityKeyIdentifier=keyid,issuer\nbasicConstraints=CA:FALSE\nsubjectAltName = @alt_names\n[alt_names]\nDNS.1 = 127.0.0.1\nDNS.2 = localhost\nDNS.3 = ${FQ_RAY_IP}\nDNS.4 = $(awk 'END{print $1}' /etc/hosts)">./domain.ext && cp /home/ray/workspace/ca/* . && openssl x509 -req -CA ca.crt -CAkey ca.key -in server.csr -out server.crt -days 365 -CAcreateserial -extfile domain.ext`,
+			},
+			VolumeMounts: key_volumes,
+		}
+		// Append the CA volumes
+		rayCluster.Spec.WorkerGroupSpecs[0].Template.Spec.Volumes = append(rayCluster.Spec.WorkerGroupSpecs[0].Template.Spec.Volumes, caVolumes...)
+		// Append the create-cert Init Container
+		rayCluster.Spec.WorkerGroupSpecs[0].Template.Spec.InitContainers = append(rayCluster.Spec.WorkerGroupSpecs[0].Template.Spec.InitContainers, initContainerWorker)
+
+		// Append the list of environment variables for the machine-learning container
+		for index, container := range rayCluster.Spec.WorkerGroupSpecs[0].Template.Spec.Containers {
+			if container.Name == "machine-learning" {
+				rayCluster.Spec.WorkerGroupSpecs[0].Template.Spec.Containers[index].Env = append(rayCluster.Spec.WorkerGroupSpecs[0].Template.Spec.Containers[index].Env, envList...)
+			}
+		}
+	}
+}