add raycluster controller to CFO

[KPostOffice]

Issue link

https://issues.redhat.com/browse/RHOAIENG-1992

What changes have been made

Added a controller to CFO operator which does a series of ServerSideApplies in order to create the requisite k8 resources for securing the RayDashboard

Verification steps

This PR does not implement the webhook required for automatically injecting the oauth sidecar into the RayCluster definition so that must be done by the user at this point.

TODO Provide a working RayCluster definition for validating the authenticated dashboard

Checks

• I've made sure the tests are passing.
• Testing Strategy
  • Unit tests
  • Manual tests
  • Testing is not required for this change

[anishasthana]

/retest

[KPostOffice]

I tested and made sure that all the expected resources are created. Still need to write unit tests and add a RayCluster def which with a OAuth sidecar that will work with the created resources

[KPostOffice]

apiVersion: ray.io/v1
kind: RayCluster
metadata:
  labels:
    controller-tools.k8s.io: '1.0'
  annotations:
    codeflare.dev/oauth: 'true'
  name: raytest
  namespace: default
spec:
  enableInTreeAutoscaling: false
  headGroupSpec:
    rayStartParams:
      block: 'true'
      dashboard-host: 0.0.0.0
      num-gpus: '0'
    serviceType: ClusterIP
    template:
      spec:
        containers:
        - env:
          - name: MY_POD_IP
            valueFrom:
              fieldRef:
                fieldPath: status.podIP
          image: quay.io/project-codeflare/ray:latest-py39-cu118
          imagePullPolicy: Always
          lifecycle:
            preStop:
              exec:
                command:
                - /bin/sh
                - -c
                - ray stop
          name: ray-head
          ports:
          - containerPort: 6379
            name: gcs
          - containerPort: 8265
            name: dashboard
          - containerPort: 10001
            name: client
          resources:
            limits:
              cpu: 1
              memory: 8G
              nvidia.com/gpu: 0
            requests:
              cpu: 1
              memory: 8G
              nvidia.com/gpu: 0
        - args:
          - --https-address=:8443
          - --provider=openshift
          - --openshift-service-account=raytest
          - --upstream=http://localhost:8265
          - --tls-cert=/etc/tls/private/tls.crt
          - --tls-key=/etc/tls/private/tls.key
          - --cookie-secret=$(COOKIE_SECRET)
          - --openshift-delegate-urls={"/":{"resource":"pods","namespace":"default","verb":"get"}}
          image: registry.redhat.io/openshift4/ose-oauth-proxy@sha256:1ea6a01bf3e63cdcf125c6064cbd4a4a270deaf0f157b3eabb78f60556840366
          name: oauth-proxy
          ports:
          - containerPort: 8443
            name: oauth-proxy
          resources: {}
          volumeMounts:
          - mountPath: /etc/tls/private
            name: proxy-tls-secret
            readOnly: true
          env:
          - name: COOKIE_SECRET
            valueFrom:
              secretKeyRef:
                name: raytest-oauth-config
                key: cookie_secret
        imagePullSecrets: []
        serviceAccount: raytest
        volumes:
        - name: proxy-tls-secret
          secret:
            secretName: raytest-tls
  rayVersion: 2.7.0
  workerGroupSpecs:
  - groupName: small-group-raytest
    maxReplicas: 1
    minReplicas: 1
    rayStartParams:
      block: 'true'
      num-gpus: '0'
    replicas: 1
    template:
      metadata:
        annotations:
          key: value
        labels:
          key: value
      spec:
        containers:
        - env:
          - name: MY_POD_IP
            valueFrom:
              fieldRef:
                fieldPath: status.podIP
          image: quay.io/project-codeflare/ray:latest-py39-cu118
          lifecycle:
            preStop:
              exec:
                command:
                - /bin/sh
                - -c
                - ray stop
          name: machine-learning
          resources:
            limits:
              cpu: 1
              memory: 4G
              nvidia.com/gpu: 0
            requests:
              cpu: 1
              memory: 4G
              nvidia.com/gpu: 0
        imagePullSecrets: []

Here is a well formatted RayCluster that can be used to test these changes. Run the controller using:

$ NAMESPACE=foobar make run

Then apply the yaml above. There should be a route in the same namespace on the cluster for the dashboard that is protected by an OAuth Proxy

[KPostOffice]

/hold

Still need to edit CI/makefile so that the new Envtest tests will run

[astefanutti]

Two points:

• Do we want to leverage static sidecar injection in the Kuberay deployment?
• Could we have a e2e test that run on OpenShift?

@sutaakar FYI.

[astefanutti]

Can we use a reference to import these CRDs as we do for MCAD: https://github.com/project-codeflare/codeflare-operator/blob/1264faabc1835b3aafb5e11fc31c4b1bbb9a1382/config/crd/mcad/kustomization.yaml#L4C6-L4C83

[KPostOffice]

We only need it for testing and I couldn't get envtest to work with remote files. I'm thinking of changing it so that it downloads them and cleans them up as part of the BeforeSuite and AfterSuite. It really only needs the route and the raycluster. Do we need to have the Ray CRDs applied as well before starting the controller?

[astefanutti]

Ah I missed that envtest cannot use Kustomize reference mechanism.

For the dependency on the RayCluster API and the KubeRay CRD, I have some ideas that I need to formalise, but in the short term, what we can do is only start the controller when the API is present in the cluster.

[KPostOffice]

This can cause race conditions when both components are enabled. If CFO starts before KubeRay, then this Reconciler will never start despite the API being present soon after

[astefanutti]

Right, but on the other hand, the CFO will never work if KubeRay is not installed. I don't think there is an ideal solution to this problem in the short term. We can document the CFO has to be restarted after KubeRay is installed, until we rework the deployment strategy.

My current thinking is that this controller should be deployed along side KubeRay, e.g. in a sidecar container.

[Bobbins228]

Tested this with Christians work on the SDK works as expected

/lgtm

[KPostOffice]

I changed adding the taint to be info level in the case of an error since errors are not unexpected due to the two controllers managing the resource

[KPostOffice]

/unhold

[Bobbins228]

/lgtm

@Bobbins228 has lgtm'd it.

[astefanutti]

Maybe a nit, but I'm not sure that's the right domain here if it's needed.

[astefanutti]

Isn't it simpler to ignore not found error on delete?

[astefanutti]

I'd suggest to structure the configuration a bit, in a dedicated struct.

[astefanutti]

That can be removed?

[astefanutti]

That can be removed?

[astefanutti]

May I suggest something like openshift.ai/oauth-proxy? In case we move the controller outside codeflare.

[astefanutti]

Ah I should have been more specific. Here for the first level it's about controller, so that'd be KubeRay.

[KPostOffice]

Ahh, got it. Will fix

[astefanutti]

Can this be RayClusterDashboardOAuthEnabled as other endpoints might require different configuration.

[astefanutti]

json:"authorization,omitempty" -> json:"kuberay,omitempty"

[astefanutti]

json:"rayClusterOAuth,omitempty" -> json:"rayClusterOAuthEnabled,omitempty"

[astefanutti]

/lgtm

[astefanutti]

LGTM, we may want to be more fine-grained to enable the creation of Route without OAuth, but that can be done later.

[astefanutti]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: astefanutti

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [astefanutti]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment