add hash to end of resource names to avoid name clash

Signed-off-by: Kevin <[email protected]>

Author: KPostOffice

pkg/controllers/raycluster_controller.go

@@ -304,7 +304,10 @@ func isMTLSEnabled(cfg *config.KubeRayConfiguration) bool {
 }
 
 func crbNameFromCluster(cluster *rayv1.RayCluster) string {
-	return cluster.Name + "-" + cluster.Namespace + "-auth" // NOTE: potential naming conflicts ie {name: foo, ns: bar-baz} and {name: foo-bar, ns: baz}
+	if val, ok := cluster.GetAnnotations()[newNameAnnotation]; ok && val == "true" {
+		return RCCUniqueName(cluster.Name + "-" + cluster.Namespace + "-auth")
+	}
+	return cluster.Name + "-" + cluster.Namespace + "-auth"
 }
 
 func desiredOAuthClusterRoleBinding(cluster *rayv1.RayCluster) *rbacv1ac.ClusterRoleBindingApplyConfiguration {
@@ -326,6 +329,9 @@ func desiredOAuthClusterRoleBinding(cluster *rayv1.RayCluster) *rbacv1ac.Cluster
 }
 
 func oauthServiceAccountNameFromCluster(cluster *rayv1.RayCluster) string {
+	if val, ok := cluster.GetAnnotations()[newNameAnnotation]; ok && val == "true" {
+		return RCCUniqueName(cluster.Name + "-oauth-proxy")
+	}
 	return cluster.Name + "-oauth-proxy"
 }
 
@@ -363,10 +369,16 @@ func desiredClusterRoute(cluster *rayv1.RayCluster) *routev1ac.RouteApplyConfigu
 }
 
 func oauthServiceNameFromCluster(cluster *rayv1.RayCluster) string {
+	if val, ok := cluster.GetAnnotations()[newNameAnnotation]; ok && val == "true" {
+		return RCCUniqueName(cluster.Name + "-oauth")
+	}
 	return cluster.Name + "-oauth"
 }
 
 func oauthServiceTLSSecretName(cluster *rayv1.RayCluster) string {
+	if val, ok := cluster.GetAnnotations()[newNameAnnotation]; ok && val == "true" {
+		return RCCUniqueName(cluster.Name + "-proxy-tls-secret")
+	}
 	return cluster.Name + "-proxy-tls-secret"
 }
 
@@ -389,6 +401,9 @@ func desiredOAuthService(cluster *rayv1.RayCluster) *corev1ac.ServiceApplyConfig
 }
 
 func oauthSecretNameFromCluster(cluster *rayv1.RayCluster) string {
+	if val, ok := cluster.GetAnnotations()[newNameAnnotation]; ok && val == "true" {
+		return RCCUniqueName(cluster.Name + "-oauth-config")
+	}
 	return cluster.Name + "-oauth-config"
 }
 
@@ -406,6 +421,9 @@ func desiredOAuthSecret(cluster *rayv1.RayCluster, cookieSalt string) *corev1ac.
 }
 
 func caSecretNameFromCluster(cluster *rayv1.RayCluster) string {
+	if val, ok := cluster.GetAnnotations()[newNameAnnotation]; ok && val == "true" {
+		return RCCUniqueName(cluster.Name + "-ca-secret")
+	}
 	return "ca-secret-" + cluster.Name
 }
 
@@ -462,8 +480,17 @@ func generateCACertificate() ([]byte, []byte, error) {
 	return privateKeyPem, certPem, nil
 }
 
+func workerNWPNameFromCluster(cluster *rayv1.RayCluster) string {
+	if val, ok := cluster.GetAnnotations()[newNameAnnotation]; ok && val == "true" {
+		return RCCUniqueName(cluster.Name + "-workers")
+	}
+	return cluster.Name + "-workers"
+}
+
 func desiredWorkersNetworkPolicy(cluster *rayv1.RayCluster) *networkingv1ac.NetworkPolicyApplyConfiguration {
-	return networkingv1ac.NetworkPolicy(cluster.Name+"-workers", cluster.Namespace).
+	return networkingv1ac.NetworkPolicy(
+		workerNWPNameFromCluster(cluster), cluster.Namespace,
+	).
 		WithLabels(map[string]string{RayClusterNameLabel: cluster.Name}).
 		WithSpec(networkingv1ac.NetworkPolicySpec().
 			WithPodSelector(metav1ac.LabelSelector().WithMatchLabels(map[string]string{"ray.io/cluster": cluster.Name, "ray.io/node-type": "worker"})).
@@ -477,14 +504,21 @@ func desiredWorkersNetworkPolicy(cluster *rayv1.RayCluster) *networkingv1ac.Netw
 		WithOwnerReferences(ownerRefForRayCluster(cluster))
 }
 
+func headNWPNameFromCluster(cluster *rayv1.RayCluster) string {
+	if val, ok := cluster.GetAnnotations()[newNameAnnotation]; ok && val == "true" {
+		return RCCUniqueName(cluster.Name + "-head")
+	}
+	return cluster.Name + "-head"
+}
+
 func desiredHeadNetworkPolicy(cluster *rayv1.RayCluster, cfg *config.KubeRayConfiguration, kubeRayNamespaces []string) *networkingv1ac.NetworkPolicyApplyConfiguration {
 	allSecuredPorts := []*networkingv1ac.NetworkPolicyPortApplyConfiguration{
 		networkingv1ac.NetworkPolicyPort().WithProtocol(corev1.ProtocolTCP).WithPort(intstr.FromInt(8443)),
 	}
 	if ptr.Deref(cfg.MTLSEnabled, true) {
 		allSecuredPorts = append(allSecuredPorts, networkingv1ac.NetworkPolicyPort().WithProtocol(corev1.ProtocolTCP).WithPort(intstr.FromInt(10001)))
 	}
-	return networkingv1ac.NetworkPolicy(cluster.Name+"-head", cluster.Namespace).
+	return networkingv1ac.NetworkPolicy(headNWPNameFromCluster(cluster), cluster.Namespace).
 		WithLabels(map[string]string{RayClusterNameLabel: cluster.Name}).
 		WithSpec(networkingv1ac.NetworkPolicySpec().
 			WithPodSelector(metav1ac.LabelSelector().WithMatchLabels(map[string]string{"ray.io/cluster": cluster.Name, "ray.io/node-type": "head"})).
@@ -619,3 +653,7 @@ func (r *RayClusterReconciler) SetupWithManager(mgr ctrl.Manager) error {
 
 	return controller.Complete(r)
 }
+
+func RCCUniqueName(s string) string {
+	return s + "-" + seededHash(controllerName, s)
+}

pkg/controllers/raycluster_webhook.go

@@ -38,6 +38,7 @@ const (
 	oauthProxyContainerName = "oauth-proxy"
 	oauthProxyVolumeName    = "proxy-tls-secret"
 	initContainerName       = "create-cert"
+	newNameAnnotation       = "ray.openshift.ai/hashed-names"
 )
 
 // log is for logging in this package.
@@ -68,13 +69,18 @@ var _ webhook.CustomValidator = &rayClusterWebhook{}
 func (w *rayClusterWebhook) Default(ctx context.Context, obj runtime.Object) error {
 	rayCluster := obj.(*rayv1.RayCluster)
 
+	// add annotation to use new names
+	annotations := rayCluster.GetAnnotations()
+	annotations[newNameAnnotation] = "true"
+	rayCluster.SetAnnotations(annotations)
+
 	if ptr.Deref(w.Config.RayDashboardOAuthEnabled, true) {
 		rayclusterlog.V(2).Info("Adding OAuth sidecar container")
 		rayCluster.Spec.HeadGroupSpec.Template.Spec.Containers = upsert(rayCluster.Spec.HeadGroupSpec.Template.Spec.Containers, oauthProxyContainer(rayCluster), withContainerName(oauthProxyContainerName))
 
 		rayCluster.Spec.HeadGroupSpec.Template.Spec.Volumes = upsert(rayCluster.Spec.HeadGroupSpec.Template.Spec.Volumes, oauthProxyTLSSecretVolume(rayCluster), withVolumeName(oauthProxyVolumeName))
 
-		rayCluster.Spec.HeadGroupSpec.Template.Spec.ServiceAccountName = rayCluster.Name + "-oauth-proxy"
+		rayCluster.Spec.HeadGroupSpec.Template.Spec.ServiceAccountName = oauthServiceAccountNameFromCluster(rayCluster)
 	}
 
 	if ptr.Deref(w.Config.MTLSEnabled, true) {
@@ -218,7 +224,7 @@ func validateIngress(rayCluster *rayv1.RayCluster) field.ErrorList {
 func validateHeadGroupServiceAccountName(rayCluster *rayv1.RayCluster) field.ErrorList {
 	var allErrors field.ErrorList
 
-	if rayCluster.Spec.HeadGroupSpec.Template.Spec.ServiceAccountName != rayCluster.Name+"-oauth-proxy" {
+	if rayCluster.Spec.HeadGroupSpec.Template.Spec.ServiceAccountName != oauthServiceAccountNameFromCluster(rayCluster) {
 		allErrors = append(allErrors, field.Invalid(
 			field.NewPath("spec", "headGroupSpec", "template", "spec", "serviceAccountName"),
 			rayCluster.Spec.HeadGroupSpec.Template.Spec.ServiceAccountName,
@@ -241,7 +247,7 @@ func oauthProxyContainer(rayCluster *rayv1.RayCluster) corev1.Container {
 				ValueFrom: &corev1.EnvVarSource{
 					SecretKeyRef: &corev1.SecretKeySelector{
 						LocalObjectReference: corev1.LocalObjectReference{
-							Name: rayCluster.Name + "-oauth-config",
+							Name: oauthSecretNameFromCluster(rayCluster),
 						},
 						Key: "cookie_secret",
 					},
@@ -251,7 +257,7 @@ func oauthProxyContainer(rayCluster *rayv1.RayCluster) corev1.Container {
 		Args: []string{
 			"--https-address=:8443",
 			"--provider=openshift",
-			"--openshift-service-account=" + rayCluster.Name + "-oauth-proxy",
+			"--openshift-service-account=" + oauthServiceAccountNameFromCluster(rayCluster),
 			"--upstream=http://localhost:8265",
 			"--tls-cert=/etc/tls/private/tls.crt",
 			"--tls-key=/etc/tls/private/tls.key",
@@ -273,7 +279,7 @@ func oauthProxyTLSSecretVolume(rayCluster *rayv1.RayCluster) corev1.Volume {
 		Name: oauthProxyVolumeName,
 		VolumeSource: corev1.VolumeSource{
 			Secret: &corev1.SecretVolumeSource{
-				SecretName: rayCluster.Name + "-proxy-tls-secret",
+				SecretName: oauthServiceTLSSecretName(rayCluster),
 			},
 		},
 	}
@@ -329,7 +335,7 @@ func caVolumes(rayCluster *rayv1.RayCluster) []corev1.Volume {
 			Name: "ca-vol",
 			VolumeSource: corev1.VolumeSource{
 				Secret: &corev1.SecretVolumeSource{
-					SecretName: `ca-secret-` + rayCluster.Name,
+					SecretName: caSecretNameFromCluster(rayCluster),
 				},
 			},
 		},
@@ -343,9 +349,9 @@ func caVolumes(rayCluster *rayv1.RayCluster) []corev1.Volume {
 }
 
 func rayHeadInitContainer(rayCluster *rayv1.RayCluster, config *config.KubeRayConfiguration) corev1.Container {
-	rayClientRoute := "rayclient-" + rayCluster.Name + "-" + rayCluster.Namespace + "." + config.IngressDomain
+	rayClientRoute := rayClientNameFromCluster(rayCluster) + "-" + rayCluster.Namespace + "." + config.IngressDomain
 	// Service name for basic interactive
-	svcDomain := rayCluster.Name + "-head-svc." + rayCluster.Namespace + ".svc"
+	svcDomain := serviceNameFromCluster(rayCluster) + "." + rayCluster.Namespace + ".svc"
 
 	initContainerHead := corev1.Container{
 		Name:  "create-cert",

pkg/controllers/raycluster_webhook_test.go

@@ -124,7 +124,7 @@ func TestRayClusterWebhookDefault(t *testing.T) {
 
 	t.Run("Expected required service account name for the head group", func(t *testing.T) {
 		test.Expect(validRayCluster.Spec.HeadGroupSpec.Template.Spec.ServiceAccountName).
-			To(Equal(validRayCluster.Name+"-oauth-proxy"),
+			To(Equal(oauthServiceAccountNameFromCluster(validRayCluster)),
 				"Expected the service account name to be set correctly")
 	})
 
@@ -230,7 +230,13 @@ func TestRayClusterWebhookDefault(t *testing.T) {
 
 func TestValidateCreate(t *testing.T) {
 	test := support.NewTest(t)
-
+	emptyRayCluster := &rayv1.RayCluster{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      rayClusterName,
+			Namespace: namespace,
+		},
+		Spec: rayv1.RayClusterSpec{},
+	}
 	validRayCluster := &rayv1.RayCluster{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      rayClusterName,
@@ -253,7 +259,7 @@ func TestValidateCreate(t *testing.T) {
 										ValueFrom: &corev1.EnvVarSource{
 											SecretKeyRef: &corev1.SecretKeySelector{
 												LocalObjectReference: corev1.LocalObjectReference{
-													Name: rayClusterName + "-oauth-config",
+													Name: oauthSecretNameFromCluster(emptyRayCluster),
 												},
 												Key: "cookie_secret",
 											},
@@ -263,7 +269,7 @@ func TestValidateCreate(t *testing.T) {
 								Args: []string{
 									"--https-address=:8443",
 									"--provider=openshift",
-									"--openshift-service-account=" + rayClusterName + "-oauth-proxy",
+									"--openshift-service-account=" + oauthServiceAccountNameFromCluster(emptyRayCluster),
 									"--upstream=http://localhost:8265",
 									"--tls-cert=/etc/tls/private/tls.crt",
 									"--tls-key=/etc/tls/private/tls.key",
@@ -284,12 +290,12 @@ func TestValidateCreate(t *testing.T) {
 								Name: oauthProxyVolumeName,
 								VolumeSource: corev1.VolumeSource{
 									Secret: &corev1.SecretVolumeSource{
-										SecretName: rayClusterName + "-proxy-tls-secret",
+										SecretName: oauthServiceTLSSecretName(emptyRayCluster),
 									},
 								},
 							},
 						},
-						ServiceAccountName: rayClusterName + "-oauth-proxy",
+						ServiceAccountName: oauthServiceAccountNameFromCluster(emptyRayCluster),
 					},
 				},
 				RayStartParams: map[string]string{},
@@ -351,7 +357,15 @@ func TestValidateCreate(t *testing.T) {
 
 func TestValidateUpdate(t *testing.T) {
 	test := support.NewTest(t)
-
+	emptyRayCluster := &rayv1.RayCluster{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      rayClusterName,
+			Namespace: namespace,
+		},
+		Spec: rayv1.RayClusterSpec{},
+	}
+	rayClientRoute := rayClientNameFromCluster(emptyRayCluster) + "-" + emptyRayCluster.Namespace + "." + rcWebhook.Config.IngressDomain
+	svcDomain := serviceNameFromCluster(emptyRayCluster) + "." + emptyRayCluster.Namespace + ".svc"
 	validRayCluster := &rayv1.RayCluster{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      rayClusterName,
@@ -374,7 +388,7 @@ func TestValidateUpdate(t *testing.T) {
 										ValueFrom: &corev1.EnvVarSource{
 											SecretKeyRef: &corev1.SecretKeySelector{
 												LocalObjectReference: corev1.LocalObjectReference{
-													Name: rayClusterName + "-oauth-config",
+													Name: oauthSecretNameFromCluster(emptyRayCluster),
 												},
 												Key: "cookie_secret",
 											},
@@ -396,7 +410,7 @@ func TestValidateUpdate(t *testing.T) {
 								Args: []string{
 									"--https-address=:8443",
 									"--provider=openshift",
-									"--openshift-service-account=" + rayClusterName + "-oauth-proxy",
+									"--openshift-service-account=" + oauthServiceAccountNameFromCluster(emptyRayCluster),
 									"--upstream=http://localhost:8265",
 									"--tls-cert=/etc/tls/private/tls.crt",
 									"--tls-key=/etc/tls/private/tls.key",
@@ -419,7 +433,7 @@ func TestValidateUpdate(t *testing.T) {
 								Command: []string{
 									"sh",
 									"-c",
-									`cd /home/ray/workspace/tls && openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj '/CN=ray-head' && printf "authorityKeyIdentifier=keyid,issuer\nbasicConstraints=CA:FALSE\nsubjectAltName = @alt_names\n[alt_names]\nDNS.1 = 127.0.0.1\nDNS.2 = localhost\nDNS.3 = ${FQ_RAY_IP}\nDNS.4 = $(awk 'END{print $1}' /etc/hosts)\nDNS.5 = rayclient-` + rayClusterName + `-` + namespace + `.\nDNS.6 = ` + rayClusterName + `-head-svc.` + namespace + `.svc` + `">./domain.ext && cp /home/ray/workspace/ca/* . && openssl x509 -req -CA ca.crt -CAkey ca.key -in server.csr -out server.crt -days 365 -CAcreateserial -extfile domain.ext`,
+									`cd /home/ray/workspace/tls && openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj '/CN=ray-head' && printf "authorityKeyIdentifier=keyid,issuer\nbasicConstraints=CA:FALSE\nsubjectAltName = @alt_names\n[alt_names]\nDNS.1 = 127.0.0.1\nDNS.2 = localhost\nDNS.3 = ${FQ_RAY_IP}\nDNS.4 = $(awk 'END{print $1}' /etc/hosts)\nDNS.5 = ` + rayClientRoute + `\nDNS.6 = ` + svcDomain + `">./domain.ext && cp /home/ray/workspace/ca/* . && openssl x509 -req -CA ca.crt -CAkey ca.key -in server.csr -out server.crt -days 365 -CAcreateserial -extfile domain.ext`,
 								},
 								VolumeMounts: []corev1.VolumeMount{
 									{
@@ -440,15 +454,15 @@ func TestValidateUpdate(t *testing.T) {
 								Name: oauthProxyVolumeName,
 								VolumeSource: corev1.VolumeSource{
 									Secret: &corev1.SecretVolumeSource{
-										SecretName: rayClusterName + "-proxy-tls-secret",
+										SecretName: oauthServiceTLSSecretName(emptyRayCluster),
 									},
 								},
 							},
 							{
 								Name: "ca-vol",
 								VolumeSource: corev1.VolumeSource{
 									Secret: &corev1.SecretVolumeSource{
-										SecretName: `ca-secret-` + rayClusterName,
+										SecretName: caSecretNameFromCluster(emptyRayCluster),
 									},
 								},
 							},
@@ -459,7 +473,7 @@ func TestValidateUpdate(t *testing.T) {
 								},
 							},
 						},
-						ServiceAccountName: rayClusterName + "-oauth-proxy",
+						ServiceAccountName: oauthServiceAccountNameFromCluster(emptyRayCluster),
 					},
 				},
 				RayStartParams: map[string]string{},
@@ -505,7 +519,7 @@ func TestValidateUpdate(t *testing.T) {
 									Name: "ca-vol",
 									VolumeSource: corev1.VolumeSource{
 										Secret: &corev1.SecretVolumeSource{
-											SecretName: `ca-secret-` + rayClusterName,
+											SecretName: caSecretNameFromCluster(emptyRayCluster),
 										},
 									},
 								},

pkg/controllers/support.go

@@ -1,6 +1,8 @@
 package controllers
 
 import (
+	"crypto/sha256"
+	"fmt"
 	"os"
 
 	"github.com/go-logr/logr"
@@ -209,3 +211,11 @@ func ownerRefForRayCluster(cluster *rayv1.RayCluster) *v1.OwnerReferenceApplyCon
 		WithUID(cluster.UID).
 		WithController(true)
 }
+
+var (
+	hashLength = 8
+)
+
+func seededHash(seed string, s string) string {
+	return fmt.Sprintf("%x", sha256.Sum256([]byte(seed+s)))[:hashLength]
+}