Enable MTLS by default - Webhook #523

Closed
wants to merge 2 commits into from

Contributor

@Bobbins228 Bobbins228 commented Apr 16, 2024

Issue link

RHOAIENG-5086

What changes have been made

Added patch for create-cert Init Containers, env variables, ca volumes, volume mounts
Added validation for created resources

Verification steps

Setup

  • Ensure the Codeflare Operator is not installed on your cluster.
  • Clone the repo locally and clone this branch
  • Run make image-build -e IMG=quay.io/<quay-user>/<repo>:<tag>
  • Run make image-push -e IMG=quay.io/<quay-user>/<repo>:<tag>
  • Run make deploy IMG=quay.io/<quay-user>/<repo>:<tag> -e ENV="openshift"

Verify

You can create a Ray Cluster that is compatible with these changes (Both Oauth sidecar and mtls stuff) using this SDK PR

Once created:

  • Run these in your notebook to prep for testing the new mtls functionality
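    # `cluster` is the Ray Cluster object created with the SDK in the step above
    ray_dashboard_uri = cluster.cluster_dashboard_uri()
    ray_cluster_uri = cluster.cluster_uri()
    print(ray_dashboard_uri)
    print(ray_cluster_uri)

    from codeflare_sdk import generate_cert
    # Replace with the name and namespace of your Ray Cluster
    cluster_name = "cluster-name"
    namespace = "namespace"

    # Generate the TLS certificate for this cluster and export the TLS settings to the environment
    generate_cert.generate_tls_cert(cluster_name, namespace)
    generate_cert.export_env(cluster_name, namespace)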

ray.init() should work with both the cluster_uri and the ray client URL

Checks

  • I've made sure the tests are passing.
  • Testing Strategy
    • Unit tests
    • Manual tests
    • Testing is not required for this change

@Bobbins228 Bobbins228 force-pushed the mtls-patchv2 branch 5 times, most recently from 05519da to 30ea56a Compare April 17, 2024 13:35
Contributor

@Fiona-Waters Fiona-Waters left a comment

This is great! I was able to run it successfully - with oauth and create-cert containers being created. I could initialise ray with both the cluster_uri and the ray client URL.
I've left a couple of comments. Thanks Mark!

Contributor

@VanillaSpoon VanillaSpoon left a comment

/lgtm

@Fiona-Waters
Contributor

Re-verified with updated changes. Works as expected.
/lgtm

@astefanutti
Contributor

@Bobbins228 could you give this a final rebase, thanks a lot and sorry for all the iterations on this.

(cherry picked from commit de2de96fc88022df783b637ccb145d1d73ba66ff)
@astefanutti
Contributor

/lgtm

@astefanutti
Contributor

/approve

openshift-ci bot commented Apr 19, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: astefanutti, VanillaSpoon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@astefanutti
Contributor

Closing as superseded by #537.

7 participants