add: webhook configuration along with CO kustomize and address feedback

VanillaSpoon · VanillaSpoon · commit 5cb51fc8aeba · 2024-04-12T12:48:36.000+01:00
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
@@ -16,6 +16,7 @@ commonLabels:
 bases:
 - ../rbac
 - ../manager
+- ../raycluster_webhook
 # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
 # - ../prometheus
 
diff --git a/config/raycluster_webhook/cluster_role.yaml b/config/raycluster_webhook/cluster_role.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: raycluster-mutating-webhook
+rules:
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["ray.io"]
+    resources: ["rayclusters"]
+    verbs: ["get", "watch", "list", "update", "patch"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "watch", "list"]
+
diff --git a/config/raycluster_webhook/cluster_role_binding.yaml b/config/raycluster_webhook/cluster_role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: raycluster-mutating-webhook
+subjects:
+  - kind: ServiceAccount
+    name: raycluster-mutating-webhook
+    namespace: system
+roleRef:
+  kind: ClusterRole
+  name: raycluster-mutating-webhook
+  apiGroup: rbac.authorization.k8s.io
diff --git a/config/raycluster_webhook/deployment.yaml b/config/raycluster_webhook/deployment.yaml
@@ -0,0 +1,40 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: raycluster-mutating-webhook
+  namespace: system
+  labels:
+    app: raycluster-mutating-webhook
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: raycluster-mutating-webhook
+  template:
+    metadata:
+      labels:
+        app: raycluster-mutating-webhook
+    spec:
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: raycluster-mutating-webhook
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1234
+      containers:
+        - name: server
+          image: quay.io/rh_ee_egallina/altwebhook:v89
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 8443
+              name: tls
+            - containerPort: 80
+              name: metrics
+          volumeMounts:
+            - name: webhook-tls-certs
+              mountPath: /etc/webhook/certs
+              readOnly: true
+      volumes:
+        - name: webhook-tls-certs
+          secret:
+            secretName: raycluster-webhook-cert
diff --git a/config/raycluster_webhook/kustomization.yaml b/config/raycluster_webhook/kustomization.yaml
@@ -0,0 +1,12 @@
+resources:
+# All RBAC will be applied under this service account in
+# the deployment namespace. You may comment out this resource
+# if your manager will use a service account that exists at
+# runtime. Be sure to update RoleBinding and ClusterRoleBinding
+# subjects if changing service account names.
+- deployment.yaml
+- service_account.yaml
+- cluster_role.yaml
+- cluster_role_binding.yaml
+- service.yaml
+- mutating_webhook_configuration.yaml
diff --git a/config/raycluster_webhook/mutating_webhook_configuration.yaml b/config/raycluster_webhook/mutating_webhook_configuration.yaml
@@ -0,0 +1,23 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: raycluster-mutating-webhook
+  annotations:
+    service.beta.openshift.io/inject-cabundle: "true"
+webhooks:
+  - name: raycluster-mutating-webhook.codeflare.com
+    admissionReviewVersions: ["v1beta1"]
+    sideEffects: None
+    timeoutSeconds: 30
+    failurePolicy: Ignore
+    clientConfig:
+      caBundle: Cg==
+      service:
+        name: raycluster-mutating-webhook
+        namespace: system
+        path: "/mutate"
+    rules:
+      - operations: ["CREATE", "UPDATE"]
+        apiGroups: ["ray.io"]
+        apiVersions: ["v1"]
+        resources: ["rayclusters"]
diff --git a/config/raycluster_webhook/service.yaml b/config/raycluster_webhook/service.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: raycluster-mutating-webhook
+  namespace: system
+  annotations:
+    service.beta.openshift.io/serving-cert-secret-name: raycluster-webhook-cert
+spec:
+  selector:
+    app: raycluster-mutating-webhook
+  ports:
+    - port: 443
+      targetPort: tls
+      name: application
+    - port: 80
+      targetPort: metrics
+      name: metrics
diff --git a/config/raycluster_webhook/service_account.yaml b/config/raycluster_webhook/service_account.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: raycluster-mutating-webhook
+  namespace: system
+
diff --git a/raycluster_webhook/src/patches.go b/raycluster_webhook/src/patches.go
@@ -79,5 +79,21 @@ func createPatch(rayCluster *rayv1api.RayCluster) ([]patchOperation, error) {
 		Value: newOAuthSidecar,
 	})
 
+	tlsSecretVolume := corev1.Volume{
+		Name: "proxy-tls-secret",
+		VolumeSource: corev1.VolumeSource{
+			Secret: &corev1.SecretVolumeSource{
+				SecretName: rayclusterName + "-proxy-tls-secret",
+			},
+		},
+	}
+
+	// Patch to add new volume
+	patches = append(patches, patchOperation{
+		Op:    "add",
+		Path:  "/spec/headGroupSpec/template/spec/volumes/-",
+		Value: tlsSecretVolume,
+	})
+
 	return patches, nil
 }
