Added Mtls patch

Bobbins228 · Bobbins228 · commit 88c964da3590 · 2024-04-17T17:39:00.000+01:00
(cherry picked from commit de2de96fc88022df783b637ccb145d1d73ba66ff)
diff --git a/main.go b/main.go
@@ -24,6 +24,7 @@ import (
 	"strings"
 	"time"
 
+	routev1ClientSet "github.com/openshift/client-go/route/clientset/versioned"
 	rayv1 "github.com/ray-project/kuberay/ray-operator/apis/ray/v1"
 	"go.uber.org/zap/zapcore"
 
@@ -56,12 +57,15 @@ import (
 )
 
 var (
-	scheme            = runtime.NewScheme()
-	setupLog          = ctrl.Log.WithName("setup")
-	OperatorVersion   = "UNKNOWN"
-	McadVersion       = "UNKNOWN"
-	InstaScaleVersion = "UNKNOWN"
-	BuildDate         = "UNKNOWN"
+	scheme                      = runtime.NewScheme()
+	setupLog                    = ctrl.Log.WithName("setup")
+	OperatorVersion             = "UNKNOWN"
+	McadVersion                 = "UNKNOWN"
+	InstaScaleVersion           = "UNKNOWN"
+	BuildDate                   = "UNKNOWN"
+	NameConsoleLink      string = "console"
+	NamespaceConsoleLink string = "openshift-console"
+	domain               string = ""
 )
 
 func init() {
@@ -150,8 +154,17 @@ func main() {
 	OpenShift := isOpenShift(ctx, kubeClient.DiscoveryClient)
 
 	if OpenShift {
+		if cfg.KubeRay.IngressDomain == "" {
+			routeClient, err := routev1ClientSet.NewForConfig(kubeConfig)
+			exitOnError(err, "unable to create Route Client Set")
+			domain, err = getOpenShiftDomainName(ctx, routeClient)
+			exitOnError(err, domain)
+		} else {
+			domain = cfg.KubeRay.IngressDomain
+		}
+
 		// TODO: setup the RayCluster webhook on vanilla Kubernetes
-		exitOnError(controllers.SetupRayClusterWebhookWithManager(mgr, cfg.KubeRay), "error setting up RayCluster webhook")
+		exitOnError(controllers.SetupRayClusterWebhookWithManager(mgr, cfg.KubeRay, domain), "error setting up RayCluster webhook")
 	}
 
 	ok, err := hasAPIResourceForGVK(kubeClient.DiscoveryClient, rayv1.GroupVersion.WithKind("RayCluster"))
@@ -274,3 +287,13 @@ func isOpenShift(ctx context.Context, dc discovery.DiscoveryInterface) bool {
 	logger.Info("We detected being on Vanilla Kubernetes!")
 	return false
 }
+
+func getOpenShiftDomainName(ctx context.Context, routeClient routev1ClientSet.Interface) (string, error) {
+	route, err := routeClient.RouteV1().Routes(NamespaceConsoleLink).Get(ctx, NameConsoleLink, metav1.GetOptions{})
+	if err != nil {
+		return "error getting console route URL", err
+	}
+	domainIndex := strings.Index(route.Spec.Host, ".")
+	consoleLinkDomain := route.Spec.Host[domainIndex+1:]
+	return consoleLinkDomain, nil
+}
diff --git a/pkg/controllers/raycluster_webhook.go b/pkg/controllers/raycluster_webhook.go
@@ -32,9 +32,13 @@ import (
 )
 
 // log is for logging in this package.
-var rayclusterlog = logf.Log.WithName("raycluster-resource")
+var (
+	rayclusterlog        = logf.Log.WithName("raycluster-resource")
+	baseDomain    string = ""
+)
 
-func SetupRayClusterWebhookWithManager(mgr ctrl.Manager, cfg *config.KubeRayConfiguration) error {
+func SetupRayClusterWebhookWithManager(mgr ctrl.Manager, cfg *config.KubeRayConfiguration, domain string) error {
+	baseDomain = domain
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(&rayv1.RayCluster{}).
 		WithDefaulter(&rayClusterDefaulter{
@@ -55,80 +59,226 @@ var _ webhook.CustomDefaulter = &rayClusterDefaulter{}
 func (r *rayClusterDefaulter) Default(ctx context.Context, obj runtime.Object) error {
 	raycluster := obj.(*rayv1.RayCluster)
 
+	oauthExists := false
+	initHeadExists := false
+	initWorkerExists := false
+
+	// Check for the create-cert Init Containers
+	for _, container := range raycluster.Spec.HeadGroupSpec.Template.Spec.InitContainers {
+		if container.Name == "create-cert" {
+			rayclusterlog.V(2).Info("Head Init Containers already exist, no patch needed")
+			initHeadExists = true
+			break // exits the for loop
+		}
+	}
+	// Check fot the create-cert Init Container WorkerGroupSpec
+	for _, container := range raycluster.Spec.WorkerGroupSpecs[0].Template.Spec.InitContainers {
+		if container.Name == "create-cert" {
+			rayclusterlog.V(2).Info("Worker Init Containers already exist, no patch needed")
+			initWorkerExists = true
+			break // exits the for loop
+		}
+	}
+
 	if !pointer.BoolDeref(r.Config.RayDashboardOAuthEnabled, true) {
+		// Still need to call init container patch even if oauth is disabled
+		mtlsPatch(raycluster, initHeadExists, initWorkerExists)
 		return nil
 	}
 
 	// Check and add OAuth proxy if it does not exist
 	for _, container := range raycluster.Spec.HeadGroupSpec.Template.Spec.Containers {
 		if container.Name == "oauth-proxy" {
 			rayclusterlog.V(2).Info("OAuth sidecar already exists, no patch needed")
-			return nil
+			oauthExists = true
 		}
 	}
+	if !oauthExists {
+		rayclusterlog.V(2).Info("Adding OAuth sidecar container")
+		// definition of the new container
+		newOAuthSidecar := corev1.Container{
+			Name:  "oauth-proxy",
+			Image: "registry.redhat.io/openshift4/ose-oauth-proxy@sha256:1ea6a01bf3e63cdcf125c6064cbd4a4a270deaf0f157b3eabb78f60556840366",
+			Ports: []corev1.ContainerPort{
+				{ContainerPort: 8443, Name: "oauth-proxy"},
+			},
+			Args: []string{
+				"--https-address=:8443",
+				"--provider=openshift",
+				"--openshift-service-account=" + raycluster.Name + "-oauth-proxy",
+				"--upstream=http://localhost:8265",
+				"--tls-cert=/etc/tls/private/tls.crt",
+				"--tls-key=/etc/tls/private/tls.key",
+				"--cookie-secret=$(COOKIE_SECRET)",
+				"--openshift-delegate-urls={\"/\":{\"resource\":\"pods\",\"namespace\":\"default\",\"verb\":\"get\"}}",
+			},
+			VolumeMounts: []corev1.VolumeMount{
+				{
+					Name:      "proxy-tls-secret",
+					MountPath: "/etc/tls/private",
+					ReadOnly:  true,
+				},
+			},
+		}
 
-	rayclusterlog.V(2).Info("Adding OAuth sidecar container")
-	// definition of the new container
-	newOAuthSidecar := corev1.Container{
-		Name:  "oauth-proxy",
-		Image: "registry.redhat.io/openshift4/ose-oauth-proxy@sha256:1ea6a01bf3e63cdcf125c6064cbd4a4a270deaf0f157b3eabb78f60556840366",
-		Ports: []corev1.ContainerPort{
-			{ContainerPort: 8443, Name: "oauth-proxy"},
-		},
-		Args: []string{
-			"--https-address=:8443",
-			"--provider=openshift",
-			"--openshift-service-account=" + raycluster.Name + "-oauth-proxy",
-			"--upstream=http://localhost:8265",
-			"--tls-cert=/etc/tls/private/tls.crt",
-			"--tls-key=/etc/tls/private/tls.key",
-			"--cookie-secret=$(COOKIE_SECRET)",
-			"--openshift-delegate-urls={\"/\":{\"resource\":\"pods\",\"namespace\":\"default\",\"verb\":\"get\"}}",
-		},
-		VolumeMounts: []corev1.VolumeMount{
-			{
-				Name:      "proxy-tls-secret",
-				MountPath: "/etc/tls/private",
-				ReadOnly:  true,
+		// Adding the new OAuth sidecar container
+		raycluster.Spec.HeadGroupSpec.Template.Spec.Containers = append(raycluster.Spec.HeadGroupSpec.Template.Spec.Containers, newOAuthSidecar)
+
+		cookieSecret := corev1.EnvVar{
+			Name: "COOKIE_SECRET",
+			ValueFrom: &corev1.EnvVarSource{
+				SecretKeyRef: &corev1.SecretKeySelector{
+					LocalObjectReference: corev1.LocalObjectReference{
+						Name: raycluster.Name + "-oauth-config",
+					},
+					Key: "cookie_secret",
+				},
 			},
+		}
+
+		raycluster.Spec.HeadGroupSpec.Template.Spec.Containers[0].Env = append(
+			raycluster.Spec.HeadGroupSpec.Template.Spec.Containers[0].Env,
+			cookieSecret,
+		)
+
+		tlsSecretVolume := corev1.Volume{
+			Name: "proxy-tls-secret",
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName: raycluster.Name + "-proxy-tls-secret",
+				},
+			},
+		}
+
+		raycluster.Spec.HeadGroupSpec.Template.Spec.Volumes = append(raycluster.Spec.HeadGroupSpec.Template.Spec.Volumes, tlsSecretVolume)
+
+		// Ensure the service account is set
+		if raycluster.Spec.HeadGroupSpec.Template.Spec.ServiceAccountName == "" {
+			raycluster.Spec.HeadGroupSpec.Template.Spec.ServiceAccountName = raycluster.Name + "-oauth-proxy"
+		}
+	}
+
+	mtlsPatch(raycluster, initHeadExists, initWorkerExists)
+	return nil
+}
+
+func mtlsPatch(raycluster *rayv1.RayCluster, initHeadExists bool, initWorkerExists bool) {
+
+	rayclusterlog.V(2).Info("creating json patch for RayCluster initContainers")
+
+	// Volume Mounts for the Init Containers
+	key_volumes := []corev1.VolumeMount{
+		{
+			Name:      "ca-vol",
+			MountPath: "/home/ray/workspace/ca",
+			ReadOnly:  true,
+		},
+		{
+			Name:      "server-cert",
+			MountPath: "/home/ray/workspace/tls",
+			ReadOnly:  false,
 		},
 	}
 
-	// Adding the new OAuth sidecar container
-	raycluster.Spec.HeadGroupSpec.Template.Spec.Containers = append(raycluster.Spec.HeadGroupSpec.Template.Spec.Containers, newOAuthSidecar)
+	// Service name for basic interactive
+	svcDomain := raycluster.Name + "-head-svc." + raycluster.Namespace + ".svc"
+	// Ca Secret generated by the SDK
+	secretName := `ca-secret-` + raycluster.Name
 
-	cookieSecret := corev1.EnvVar{
-		Name: "COOKIE_SECRET",
-		ValueFrom: &corev1.EnvVarSource{
-			SecretKeyRef: &corev1.SecretKeySelector{
-				LocalObjectReference: corev1.LocalObjectReference{
-					Name: raycluster.Name + "-oauth-config",
+	// Env variables for Worker & Head Containers
+	envList := []corev1.EnvVar{
+		{
+			Name: "MY_POD_IP",
+			ValueFrom: &corev1.EnvVarSource{
+				FieldRef: &corev1.ObjectFieldSelector{
+					FieldPath: "status.podIP",
 				},
-				Key: "cookie_secret",
 			},
 		},
+		{
+			Name:  "RAY_USE_TLS",
+			Value: "1",
+		},
+		{
+			Name:  "RAY_TLS_SERVER_CERT",
+			Value: "/home/ray/workspace/tls/server.crt",
+		},
+		{
+			Name:  "RAY_TLS_SERVER_KEY",
+			Value: "/home/ray/workspace/tls/server.key",
+		},
+		{
+			Name:  "RAY_TLS_CA_CERT",
+			Value: "/home/ray/workspace/tls/ca.crt",
+		},
 	}
 
-	raycluster.Spec.HeadGroupSpec.Template.Spec.Containers[0].Env = append(
-		raycluster.Spec.HeadGroupSpec.Template.Spec.Containers[0].Env,
-		cookieSecret,
-	)
-
-	tlsSecretVolume := corev1.Volume{
-		Name: "proxy-tls-secret",
-		VolumeSource: corev1.VolumeSource{
-			Secret: &corev1.SecretVolumeSource{
-				SecretName: raycluster.Name + "-proxy-tls-secret",
+	// Volumes for the main container of Head and worker
+	caVolumes := []corev1.Volume{
+		{
+			Name: "ca-vol",
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName: secretName,
+				},
+			},
+		},
+		{
+			Name: "server-cert",
+			VolumeSource: corev1.VolumeSource{
+				EmptyDir: &corev1.EmptyDirVolumeSource{},
 			},
 		},
 	}
 
-	raycluster.Spec.HeadGroupSpec.Template.Spec.Volumes = append(raycluster.Spec.HeadGroupSpec.Template.Spec.Volumes, tlsSecretVolume)
+	if !initHeadExists {
+		rayClientRoute := "rayclient-" + raycluster.Name + "-" + raycluster.Namespace + "." + baseDomain
+		initContainerHead := corev1.Container{
+			Name:  "create-cert",
+			Image: "quay.io/project-codeflare/ray:latest-py39-cu118",
+			Command: []string{
+				"sh",
+				"-c",
+				`cd /home/ray/workspace/tls && openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj '/CN=ray-head' && printf "authorityKeyIdentifier=keyid,issuer\nbasicConstraints=CA:FALSE\nsubjectAltName = @alt_names\n[alt_names]\nDNS.1 = 127.0.0.1\nDNS.2 = localhost\nDNS.3 = ${FQ_RAY_IP}\nDNS.4 = $(awk 'END{print $1}' /etc/hosts)\nDNS.5 = ` + rayClientRoute + `\nDNS.6 = ` + svcDomain + `">./domain.ext && cp /home/ray/workspace/ca/* . && openssl x509 -req -CA ca.crt -CAkey ca.key -in server.csr -out server.crt -days 365 -CAcreateserial -extfile domain.ext`,
+			},
+			VolumeMounts: key_volumes,
+		}
+
+		// Append the list of environment variables for the ray-head container
+		for index, container := range raycluster.Spec.HeadGroupSpec.Template.Spec.Containers {
+			if container.Name == "ray-head" {
+				raycluster.Spec.HeadGroupSpec.Template.Spec.Containers[index].Env = append(raycluster.Spec.HeadGroupSpec.Template.Spec.Containers[index].Env, envList...)
+			}
+		}
+
+		// Append the create-cert Init Container
+		raycluster.Spec.HeadGroupSpec.Template.Spec.InitContainers = append(raycluster.Spec.HeadGroupSpec.Template.Spec.InitContainers, initContainerHead)
 
-	// Ensure the service account is set
-	if raycluster.Spec.HeadGroupSpec.Template.Spec.ServiceAccountName == "" {
-		raycluster.Spec.HeadGroupSpec.Template.Spec.ServiceAccountName = raycluster.Name + "-oauth-proxy"
+		// Append the CA volumes
+		raycluster.Spec.HeadGroupSpec.Template.Spec.Volumes = append(raycluster.Spec.HeadGroupSpec.Template.Spec.Volumes, caVolumes...)
 	}
 
-	return nil
+	if !initWorkerExists {
+		initContainerWorker := corev1.Container{
+			Name:  "create-cert",
+			Image: "quay.io/project-codeflare/ray:latest-py39-cu118",
+			Command: []string{
+				"sh",
+				"-c",
+				`cd /home/ray/workspace/tls && openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj '/CN=ray-head' && printf "authorityKeyIdentifier=keyid,issuer\nbasicConstraints=CA:FALSE\nsubjectAltName = @alt_names\n[alt_names]\nDNS.1 = 127.0.0.1\nDNS.2 = localhost\nDNS.3 = ${FQ_RAY_IP}\nDNS.4 = $(awk 'END{print $1}' /etc/hosts)">./domain.ext && cp /home/ray/workspace/ca/* . && openssl x509 -req -CA ca.crt -CAkey ca.key -in server.csr -out server.crt -days 365 -CAcreateserial -extfile domain.ext`,
+			},
+			VolumeMounts: key_volumes,
+		}
+		// Append the CA volumes
+		raycluster.Spec.WorkerGroupSpecs[0].Template.Spec.Volumes = append(raycluster.Spec.WorkerGroupSpecs[0].Template.Spec.Volumes, caVolumes...)
+		// Append the create-cert Init Container
+		raycluster.Spec.WorkerGroupSpecs[0].Template.Spec.InitContainers = append(raycluster.Spec.WorkerGroupSpecs[0].Template.Spec.InitContainers, initContainerWorker)
+
+		// Append the list of environment variables for the machine-learning container
+		for index, container := range raycluster.Spec.WorkerGroupSpecs[0].Template.Spec.Containers {
+			if container.Name == "machine-learning" {
+				raycluster.Spec.WorkerGroupSpecs[0].Template.Spec.Containers[index].Env = append(raycluster.Spec.WorkerGroupSpecs[0].Template.Spec.Containers[index].Env, envList...)
+			}
+		}
+	}
 }
