Added mtls initContainer patch

Author: Bobbins228

raycluster_webhook/config/deployment.yaml

@@ -23,7 +23,7 @@ spec:
         runAsUser: 1234
       containers:
         - name: server
-          image: quay.io/rh_ee_egallina/altwebhook:v83
+          image: quay.io/mcampbel/webhook:v5
           imagePullPolicy: Always
           ports:
             - containerPort: 8443

raycluster_webhook/src/k8s_client.go

@@ -7,7 +7,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client/config"
 )
 
-func createClientSet() *kubernetes.Clientset{
+func createClientSet() *kubernetes.Clientset {
 	k8sConfig = config.GetConfigOrDie()
 	clientSet, err := kubernetes.NewForConfig(k8sConfig)
 

raycluster_webhook/src/patches.go

@@ -2,13 +2,20 @@ package main
 
 import (
 	"fmt"
+	"strconv"
 
 	rayv1api "github.com/ray-project/kuberay/ray-operator/apis/ray/v1"
 	corev1 "k8s.io/api/core/v1"
 )
 
+var (
+	oauthExists      bool = false
+	initHeadExists   bool = false
+	workerHeadExists bool = false
+)
+
 func createPatch(rayCluster *rayv1api.RayCluster) ([]patchOperation, error) {
-	fmt.Printf("creating json patch for RayCluster")
+	fmt.Println("creating json patch for RayCluster")
 
 	var patches []patchOperation
 	rayclusterName := rayCluster.Name
@@ -20,64 +27,177 @@ func createPatch(rayCluster *rayv1api.RayCluster) ([]patchOperation, error) {
 			return patches, nil
 		}
 	}
+	// Check for the create-cert Init Containers
+	for _, container := range rayCluster.Spec.HeadGroupSpec.Template.Spec.InitContainers {
+		if container.Name == "create-cert" {
+			fmt.Println("Head Init Containers already exist, no patch needed")
+			//return patches, nil
+			initHeadExists = true
+		}
+	}
+	// Check fot the create-cert Init Container WorkerGroupSpec
+	for _, container := range rayCluster.Spec.WorkerGroupSpecs[0].Template.Spec.InitContainers {
+		if container.Name == "create-cert" {
+			fmt.Println("Worker Init Containers already exist, no patch needed")
+			//return patches, nil
+			workerHeadExists = true
+		}
+	}
 
-	// New OAuth sidecar configuration based on provided example
-	newOAuthSidecar := corev1.Container{
-		Name:  "oauth-proxy",
-		Image: "registry.redhat.io/openshift4/ose-oauth-proxy@sha256:1ea6a01bf3e63cdcf125c6064cbd4a4a270deaf0f157b3eabb78f60556840366",
-		Ports: []corev1.ContainerPort{
-			{
-				ContainerPort: 8443,
-				Name:          "oauth-proxy",
+	if !oauthExists {
+		// New OAuth sidecar configuration based on provided example
+		newOAuthSidecar := corev1.Container{
+			Name:  "oauth-proxy",
+			Image: "registry.redhat.io/openshift4/ose-oauth-proxy@sha256:1ea6a01bf3e63cdcf125c6064cbd4a4a270deaf0f157b3eabb78f60556840366",
+			Ports: []corev1.ContainerPort{
+				{
+					ContainerPort: 8443,
+					Name:          "oauth-proxy",
+				},
 			},
-		},
-		Args: []string{
-			"--https-address=:8443",
-			"--provider=openshift",
-			"--openshift-service-account=" + rayclusterName + "-oauth-proxy",
-			"--upstream=http://localhost:8265",
-			"--tls-cert=/etc/tls/private/tls.crt",
-			"--tls-key=/etc/tls/private/tls.key",
-			"--cookie-secret=$(COOKIE_SECRET)",
-			"--openshift-delegate-urls={\"/\":{\"resource\":\"pods\",\"namespace\":\"default\",\"verb\":\"get\"}}",
-		},
-		Env: []corev1.EnvVar{
-			{
-				Name: "COOKIE_SECRET",
-				ValueFrom: &corev1.EnvVarSource{
-					SecretKeyRef: &corev1.SecretKeySelector{
-						LocalObjectReference: corev1.LocalObjectReference{
-							Name: rayclusterName + "-oauth-config",
+			Args: []string{
+				"--https-address=:8443",
+				"--provider=openshift",
+				"--openshift-service-account=" + rayclusterName + "-oauth-proxy",
+				"--upstream=http://localhost:8265",
+				"--tls-cert=/etc/tls/private/tls.crt",
+				"--tls-key=/etc/tls/private/tls.key",
+				"--cookie-secret=$(COOKIE_SECRET)",
+				"--openshift-delegate-urls={\"/\":{\"resource\":\"pods\",\"namespace\":\"default\",\"verb\":\"get\"}}",
+			},
+			Env: []corev1.EnvVar{
+				{
+					Name: "COOKIE_SECRET",
+					ValueFrom: &corev1.EnvVarSource{
+						SecretKeyRef: &corev1.SecretKeySelector{
+							LocalObjectReference: corev1.LocalObjectReference{
+								Name: rayclusterName + "-oauth-config",
+							},
+							Key: "cookie_secret",
 						},
-						Key: "cookie_secret",
 					},
 				},
 			},
-		},
-		VolumeMounts: []corev1.VolumeMount{
-			{
-				Name:      "proxy-tls-secret",
-				MountPath: "/etc/tls/private",
-				ReadOnly:  true,
+			VolumeMounts: []corev1.VolumeMount{
+				{
+					Name:      "proxy-tls-secret",
+					MountPath: "/etc/tls/private",
+					ReadOnly:  true,
+				},
 			},
-		},
+		}
+
+		// Check if the service account is set, and if not, set it
+		if rayCluster.Spec.HeadGroupSpec.Template.Spec.ServiceAccountName == "" {
+			patches = append(patches, patchOperation{
+				Op:    "add",
+				Path:  "/spec/headGroupSpec/template/spec/serviceAccountName",
+				Value: rayclusterName + "-oauth-proxy",
+			})
+		}
+
+		// Patch to add new OAuth sidecar
+		patches = append(patches, patchOperation{
+			Op:    "add",
+			Path:  "/spec/headGroupSpec/template/spec/containers/-",
+			Value: newOAuthSidecar,
+		})
+	}
+
+	patches, err := mtlsPatch(rayCluster, patches, initHeadExists, workerHeadExists)
+	if err != nil {
+		fmt.Errorf(err.Error())
+		return patches, err
 	}
 
-	// Check if the service account is set, and if not, set it
-	if rayCluster.Spec.HeadGroupSpec.Template.Spec.ServiceAccountName == "" {
+	return patches, nil
+}
+
+func mtlsPatch(rayCluster *rayv1api.RayCluster, patches []patchOperation, initHeadExists bool, workerHeadExists bool) ([]patchOperation, error) {
+	fmt.Printf("creating json patch for RayCluster initContainers")
+	isLocalInteractive := annotationBoolVal(rayCluster, "sdk.codeflare.dev/local_interactive", false)
+	initContainerHead := corev1.Container{}
+
+	key_volumes := []corev1.VolumeMount{
+		{
+			Name:      "ca-vol",
+			MountPath: "/home/ray/workspace/ca",
+			ReadOnly:  true,
+		},
+		{
+			Name:      "server-cert",
+			MountPath: "/home/ray/workspace/tls",
+			ReadOnly:  false,
+		},
+	}
+	svcDomain := rayCluster.Name + "-head-svc." + rayCluster.Namespace
+	if !initHeadExists {
+		fmt.Println("PATCHING HEAD")
+		if isLocalInteractive {
+			// NEED INGRESS DOMAIN FIGURE THAT OUT ( ._.)
+			initContainerHead = corev1.Container{
+				Name:  "create-cert",
+				Image: "quay.io/project-codeflare/ray:latest-py39-cu118",
+				Command: []string{
+					"sh",
+					"-c",
+					`cd /home/ray/workspace/tls && openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj '/CN=ray-head' && printf 'authorityKeyIdentifier=keyid,issuer\nbasicConstraints=CA:FALSE\nsubjectAltName = @alt_names\n[alt_names]\nDNS.1 = 127.0.0.1\nDNS.2 = localhost\nDNS.3 = ${FQ_RAY_IP}\nDNS.4 = $(awk 'END{print $1}' /etc/hosts)\nDNS.5 = rayclient-` + rayCluster.Name + `-` + rayCluster.Namespace + `-head-svc.default.svc > ./domain.ext && cp /home/ray/workspace/ca/* . && openssl x509 -req -CA ca.crt -CAkey ca.key -in server.csr -out server.crt -days 365 -CAcreateserial -extfile domain.ext`,
+				},
+				VolumeMounts: key_volumes,
+			}
+		} else {
+			fmt.Printf("Creating init head for " + rayCluster.Name)
+			initContainerHead = corev1.Container{
+				Name:  "create-cert",
+				Image: "quay.io/project-codeflare/ray:latest-py39-cu118",
+				Command: []string{
+					"sh",
+					"-c",
+					`cd /home/ray/workspace/tls && openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj '/CN=ray-head' && printf "authorityKeyIdentifier=keyid,issuer\nbasicConstraints=CA:FALSE\nsubjectAltName = @alt_names\n[alt_names]\nDNS.1 = 127.0.0.1\nDNS.2 = localhost\nDNS.3 = ${FQ_RAY_IP}\nDNS.4 = $(awk 'END{print $1}' /etc/hosts)\nDNS.5 = ` + svcDomain + `">./domain.ext && cp /home/ray/workspace/ca/* . && openssl x509 -req -CA ca.crt -CAkey ca.key -in server.csr -out server.crt -days 365 -CAcreateserial -extfile domain.ext`,
+				},
+				VolumeMounts: key_volumes,
+			}
+		}
+		// Append HeadGroup init container
 		patches = append(patches, patchOperation{
 			Op:    "add",
-			Path:  "/spec/headGroupSpec/template/spec/serviceAccountName",
-			Value: rayclusterName + "-oauth-proxy",
+			Path:  "/spec/headGroupSpec/template/spec/initContainers/-",
+			Value: initContainerHead,
 		})
 	}
 
-	// Patch to add new OAuth sidecar
-	patches = append(patches, patchOperation{
-		Op:    "add",
-		Path:  "/spec/headGroupSpec/template/spec/containers/-",
-		Value: newOAuthSidecar,
-	})
+	if !workerHeadExists {
+		fmt.Println("PATCHING WORKER")
+		initContainerWorker := corev1.Container{
+			Name:  "create-cert",
+			Image: "quay.io/project-codeflare/ray:latest-py39-cu118",
+			Command: []string{
+				"sh",
+				"-c",
+				`cd /home/ray/workspace/tls && openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj '/CN=ray-head' && printf "authorityKeyIdentifier=keyid,issuer\nbasicConstraints=CA:FALSE\nsubjectAltName = @alt_names\n[alt_names]\nDNS.1 = 127.0.0.1\nDNS.2 = localhost\nDNS.3 = ${FQ_RAY_IP}\nDNS.4 = $(awk 'END{print $1}' /etc/hosts)">./domain.ext && cp /home/ray/workspace/ca/* . && openssl x509 -req -CA ca.crt -CAkey ca.key -in server.csr -out server.crt -days 365 -CAcreateserial -extfile domain.ext`,
+			},
+			VolumeMounts: key_volumes,
+		}
+		// Append WorkerGroup init container
+		patches = append(patches, patchOperation{
+			Op:    "add",
+			Path:  "/spec/workerGroupSpecs/0/template/spec/initContainers/-",
+			Value: initContainerWorker,
+		})
+	}
 
 	return patches, nil
 }
+
+func annotationBoolVal(cluster *rayv1api.RayCluster, annotation string, defaultValue bool) bool {
+	val, exists := cluster.ObjectMeta.Annotations[annotation]
+	if !exists || val == "" {
+		return defaultValue
+	}
+	boolVal, err := strconv.ParseBool(val)
+	if err != nil {
+		fmt.Errorf("Could not convert annotation value to bool", "annotation", annotation, "value", val)
+		return defaultValue
+	}
+	return boolVal
+}