Created InitContainer & resources for mtls patch

Bobbins228 · Bobbins228 · commit 37629d8ee76c · 2024-04-16T15:14:26.000+01:00
diff --git a/config/default/webhookcainjection_patch.yaml b/config/default/webhookcainjection_patch.yaml
@@ -11,5 +11,5 @@ metadata:
     app.kubernetes.io/managed-by: kustomize
   name: mutating-webhook-configuration
   annotations:
-     service.beta.openshift.io/inject-cabundle: "true"
-     service.beta.openshift.io/serving-cert-secret-name: codeflare-operator-raycluster-webhook-cert
+    service.beta.openshift.io/inject-cabundle: "true"
+    service.beta.openshift.io/serving-cert-secret-name: codeflare-operator-raycluster-webhook-cert
diff --git a/config/webhook/service.yaml b/config/webhook/service.yaml
@@ -3,20 +3,20 @@ kind: Service
 metadata:
   labels:
     app.kubernetes.io/name: service
-    app.kubernetes.io/part-of: codeflare-operator 
+    app.kubernetes.io/part-of: codeflare-operator
     app.kubernetes.io/instance: webhook-service
     app.kubernetes.io/component: webhook
     app.kubernetes.io/created-by: codeflare-operator
     app.kubernetes.io/managed-by: kustomize
   name: webhook-service
   namespace: openshift-operators
   annotations:
-       service.beta.openshift.io/serving-cert-secret-name:  codeflare-operator-raycluster-webhook-cert
+    service.beta.openshift.io/serving-cert-secret-name: codeflare-operator-raycluster-webhook-cert
 spec:
   ports:
     - port: 443
       protocol: TCP
       targetPort: 9443
   selector:
-    app.kubernetes.io/part-of: codeflare 
+    app.kubernetes.io/part-of: codeflare
     app.kubernetes.io/name: codeflare-operator
diff --git a/pkg/controllers/raycluster_webhook.go b/pkg/controllers/raycluster_webhook.go
@@ -18,6 +18,7 @@ package controllers
 
 import (
 	"context"
+
 	rayv1 "github.com/ray-project/kuberay/ray-operator/apis/ray/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -26,8 +27,12 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 )
 
-// log is for logging in this package.
-var rayclusterlog = logf.Log.WithName("raycluster-resource")
+var (
+	NameConsoleLink      string = "console"
+	NamespaceConsoleLink string = "openshift-console"
+	// log is for logging in this package.
+	rayclusterlog = logf.Log.WithName("raycluster-resource")
+)
 
 func (r *RayClusterDefaulter) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
@@ -47,17 +52,36 @@ func (r *RayClusterDefaulter) Default(ctx context.Context, obj runtime.Object) e
 	raycluster := obj.(*rayv1.RayCluster)
 
 	rayclusterlog.Info("default", "name", raycluster.Name)
+	oauthExists := false
+	initHeadExists := false
+	workerHeadExists := false
 	// Check and add OAuth proxy if it does not exist.
-	alreadyExists := false
 	for _, container := range raycluster.Spec.HeadGroupSpec.Template.Spec.Containers {
 		if container.Name == "oauth-proxy" {
 			rayclusterlog.Info("OAuth sidecar already exists, no patch needed")
-			alreadyExists = true
+			oauthExists = true
+			break // exits the for loop
+		}
+	}
+
+	// Check for the create-cert Init Containers
+	for _, container := range raycluster.Spec.HeadGroupSpec.Template.Spec.InitContainers {
+		if container.Name == "create-cert" {
+			rayclusterlog.Info("Head Init Containers already exist, no patch needed")
+			initHeadExists = true
+			break // exits the for loop
+		}
+	}
+	// Check fot the create-cert Init Container WorkerGroupSpec
+	for _, container := range raycluster.Spec.WorkerGroupSpecs[0].Template.Spec.InitContainers {
+		if container.Name == "create-cert" {
+			rayclusterlog.Info("Worker Init Containers already exist, no patch needed")
+			workerHeadExists = true
 			break // exits the for loop
 		}
 	}
 
-	if !alreadyExists {
+	if !oauthExists {
 		rayclusterlog.Info("Adding OAuth sidecar container")
 		// definition of the new container
 		newOAuthSidecar := corev1.Container{
@@ -75,7 +99,6 @@ func (r *RayClusterDefaulter) Default(ctx context.Context, obj runtime.Object) e
 				"--tls-key=/etc/tls/private/tls.key",
 				"--cookie-secret=$(COOKIE_SECRET)",
 				"--openshift-delegate-urls={\"/\":{\"resource\":\"pods\",\"namespace\":\"default\",\"verb\":\"get\"}}",
-				"--added-label=True",
 			},
 			Env: []corev1.EnvVar{
 				{
@@ -118,5 +141,142 @@ func (r *RayClusterDefaulter) Default(ctx context.Context, obj runtime.Object) e
 			raycluster.Spec.HeadGroupSpec.Template.Spec.ServiceAccountName = raycluster.Name + "-oauth-proxy"
 		}
 	}
+	mtlsPatch(raycluster, initHeadExists, workerHeadExists)
 	return nil
 }
+
+func mtlsPatch(raycluster *rayv1.RayCluster, initHeadExists bool, workerHeadExists bool) {
+
+	rayclusterlog.Info("creating json patch for RayCluster initContainers")
+
+	// Volume Mounts for the Init Containers
+	key_volumes := []corev1.VolumeMount{
+		{
+			Name:      "ca-vol",
+			MountPath: "/home/ray/workspace/ca",
+			ReadOnly:  true,
+		},
+		{
+			Name:      "server-cert",
+			MountPath: "/home/ray/workspace/tls",
+			ReadOnly:  false,
+		},
+	}
+
+	// Service name for basic interactive
+	svcDomain := raycluster.Name + "-head-svc." + raycluster.Namespace + ".svc"
+	// Ca Secret generated by the SDK
+	secretName := `ca-secret-` + raycluster.Name
+
+	// Env variables for Worker & Head Containers
+	envList := []corev1.EnvVar{
+		{
+			Name: "MY_POD_IP",
+			ValueFrom: &corev1.EnvVarSource{
+				FieldRef: &corev1.ObjectFieldSelector{
+					FieldPath: "status.podIP",
+				},
+			},
+		},
+		{
+			Name:  "RAY_USE_TLS",
+			Value: "1",
+		},
+		{
+			Name:  "RAY_TLS_SERVER_CERT",
+			Value: "/home/ray/workspace/tls/server.crt",
+		},
+		{
+			Name:  "RAY_TLS_SERVER_KEY",
+			Value: "/home/ray/workspace/tls/server.key",
+		},
+		{
+			Name:  "RAY_TLS_CA_CERT",
+			Value: "/home/ray/workspace/tls/ca.crt",
+		},
+	}
+
+	// Volumes for the main container of Head and worker
+	caVolumes := []corev1.Volume{
+		{
+			Name: "ca-vol",
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName: secretName,
+				},
+			},
+		},
+		{
+			Name: "server-cert",
+			VolumeSource: corev1.VolumeSource{
+				EmptyDir: &corev1.EmptyDirVolumeSource{},
+			},
+		},
+	}
+
+	if !initHeadExists {
+		domain := "random.com" // getDomainName()
+
+		rayClientRoute := "rayclient-" + raycluster.Name + "-" + raycluster.Namespace + "." + domain
+		initContainerHead := corev1.Container{
+			Name:  "create-cert",
+			Image: "quay.io/project-codeflare/ray:latest-py39-cu118",
+			Command: []string{
+				"sh",
+				"-c",
+				`cd /home/ray/workspace/tls && openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj '/CN=ray-head' && printf "authorityKeyIdentifier=keyid,issuer\nbasicConstraints=CA:FALSE\nsubjectAltName = @alt_names\n[alt_names]\nDNS.1 = 127.0.0.1\nDNS.2 = localhost\nDNS.3 = ${FQ_RAY_IP}\nDNS.4 = $(awk 'END{print $1}' /etc/hosts)\nDNS.5 = ` + rayClientRoute + `\nDNS.6 = ` + svcDomain + `">./domain.ext && cp /home/ray/workspace/ca/* . && openssl x509 -req -CA ca.crt -CAkey ca.key -in server.csr -out server.crt -days 365 -CAcreateserial -extfile domain.ext`,
+			},
+			VolumeMounts: key_volumes,
+		}
+
+		// Append the list of environment variables for the ray-head container
+		for index, container := range raycluster.Spec.HeadGroupSpec.Template.Spec.Containers {
+			if container.Name == "ray-head" {
+				raycluster.Spec.HeadGroupSpec.Template.Spec.Containers[index].Env = append(raycluster.Spec.HeadGroupSpec.Template.Spec.Containers[index].Env, envList...)
+			}
+		}
+
+		// Append the create-cert Init Container
+		raycluster.Spec.HeadGroupSpec.Template.Spec.InitContainers = append(raycluster.Spec.HeadGroupSpec.Template.Spec.InitContainers, initContainerHead)
+
+		// Append the CA volumes
+		raycluster.Spec.HeadGroupSpec.Template.Spec.Volumes = append(raycluster.Spec.HeadGroupSpec.Template.Spec.Volumes, caVolumes...)
+	}
+
+	if !workerHeadExists {
+		initContainerWorker := corev1.Container{
+			Name:  "create-cert",
+			Image: "quay.io/project-codeflare/ray:latest-py39-cu118",
+			Command: []string{
+				"sh",
+				"-c",
+				`cd /home/ray/workspace/tls && openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj '/CN=ray-head' && printf "authorityKeyIdentifier=keyid,issuer\nbasicConstraints=CA:FALSE\nsubjectAltName = @alt_names\n[alt_names]\nDNS.1 = 127.0.0.1\nDNS.2 = localhost\nDNS.3 = ${FQ_RAY_IP}\nDNS.4 = $(awk 'END{print $1}' /etc/hosts)">./domain.ext && cp /home/ray/workspace/ca/* . && openssl x509 -req -CA ca.crt -CAkey ca.key -in server.csr -out server.crt -days 365 -CAcreateserial -extfile domain.ext`,
+			},
+			VolumeMounts: key_volumes,
+		}
+		// Append the CA volumes
+		raycluster.Spec.WorkerGroupSpecs[0].Template.Spec.Volumes = append(raycluster.Spec.WorkerGroupSpecs[0].Template.Spec.Volumes, caVolumes...)
+		// Append the create-cert Init Container
+		raycluster.Spec.WorkerGroupSpecs[0].Template.Spec.InitContainers = append(raycluster.Spec.WorkerGroupSpecs[0].Template.Spec.InitContainers, initContainerWorker)
+
+		// Append the list of environment variables for the machine-learning container
+		for index, container := range raycluster.Spec.WorkerGroupSpecs[0].Template.Spec.Containers {
+			if container.Name == "machine-learning" {
+				raycluster.Spec.WorkerGroupSpecs[0].Template.Spec.Containers[index].Env = append(raycluster.Spec.WorkerGroupSpecs[0].Template.Spec.Containers[index].Env, envList...)
+			}
+		}
+	}
+}
+
+/*
+func getDomainName() (string, error) {
+	consoleRoute := &routev1.Route{}
+
+	if err := k8Client.Get(context.TODO(), types.NamespacedName{Name: NameConsoleLink, Namespace: NamespaceConsoleLink}, consoleRoute); err != nil {
+		return "error getting console route URL", err
+	}
+	domainIndex := strings.Index(consoleRoute.Spec.Host, ".")
+	consoleLinkDomain := consoleRoute.Spec.Host[domainIndex+1:]
+	return consoleLinkDomain, nil
+}
+*/
