Skip to content

Commit 7f00118

Browse files
KPostOfficeopenshift-merge-bot[bot]
KPostOffice
authored and
openshift-merge-bot[bot]
committed
add hash to end of resource names to avoid name clash
also added a version annotation to raycluster for the CFO version Signed-off-by: Kevin <[email protected]>
1 parent 8057522 commit 7f00118

File tree

5 files changed

+347
-55
lines changed

5 files changed

+347
-55
lines changed

main.go

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -248,7 +248,7 @@ func setupRayClusterController(mgr ctrl.Manager, cfg *config.CodeFlareOperatorCo
248248
<-certsReady
249249
setupLog.Info("Certs ready")
250250

251-
err := controllers.SetupRayClusterWebhookWithManager(mgr, cfg.KubeRay)
251+
err := controllers.SetupRayClusterWebhookWithManager(mgr, cfg.KubeRay, OperatorVersion)
252252
if err != nil {
253253
return err
254254
}

pkg/controllers/raycluster_controller.go

Lines changed: 52 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -114,6 +114,12 @@ var (
114114
// For more details, check Reconcile and its Result here:
115115
// - https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/reconcile
116116

117+
func shouldUseOldName(cluster *rayv1.RayCluster) bool {
118+
// hashed name code was added in the same commit as the version annotation
119+
_, ok := cluster.GetAnnotations()[versionAnnotation]
120+
return !ok
121+
}
122+
117123
func (r *RayClusterReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
118124
logger := ctrl.LoggerFrom(ctx)
119125

@@ -304,7 +310,10 @@ func isMTLSEnabled(cfg *config.KubeRayConfiguration) bool {
304310
}
305311

306312
func crbNameFromCluster(cluster *rayv1.RayCluster) string {
307-
return cluster.Name + "-" + cluster.Namespace + "-auth" // NOTE: potential naming conflicts ie {name: foo, ns: bar-baz} and {name: foo-bar, ns: baz}
313+
if shouldUseOldName(cluster) {
314+
return cluster.Name + "-" + cluster.Namespace + "-auth"
315+
}
316+
return RCCUniqueName(cluster.Name + "-" + cluster.Namespace + "-auth")
308317
}
309318

310319
func desiredOAuthClusterRoleBinding(cluster *rayv1.RayCluster) *rbacv1ac.ClusterRoleBindingApplyConfiguration {
@@ -326,7 +335,10 @@ func desiredOAuthClusterRoleBinding(cluster *rayv1.RayCluster) *rbacv1ac.Cluster
326335
}
327336

328337
func oauthServiceAccountNameFromCluster(cluster *rayv1.RayCluster) string {
329-
return cluster.Name + "-oauth-proxy"
338+
if shouldUseOldName(cluster) {
339+
return cluster.Name + "-oauth-proxy"
340+
}
341+
return RCCUniqueName(cluster.Name + "-oauth-proxy")
330342
}
331343

332344
func desiredServiceAccount(cluster *rayv1.RayCluster) *corev1ac.ServiceAccountApplyConfiguration {
@@ -363,11 +375,17 @@ func desiredClusterRoute(cluster *rayv1.RayCluster) *routev1ac.RouteApplyConfigu
363375
}
364376

365377
func oauthServiceNameFromCluster(cluster *rayv1.RayCluster) string {
366-
return cluster.Name + "-oauth"
378+
if shouldUseOldName(cluster) {
379+
return cluster.Name + "-oauth"
380+
}
381+
return RCCUniqueName(cluster.Name + "-oauth")
367382
}
368383

369384
func oauthServiceTLSSecretName(cluster *rayv1.RayCluster) string {
370-
return cluster.Name + "-proxy-tls-secret"
385+
if shouldUseOldName(cluster) {
386+
return cluster.Name + "-proxy-tls-secret"
387+
}
388+
return RCCUniqueName(cluster.Name + "-proxy-tls-secret")
371389
}
372390

373391
func desiredOAuthService(cluster *rayv1.RayCluster) *corev1ac.ServiceApplyConfiguration {
@@ -389,7 +407,10 @@ func desiredOAuthService(cluster *rayv1.RayCluster) *corev1ac.ServiceApplyConfig
389407
}
390408

391409
func oauthSecretNameFromCluster(cluster *rayv1.RayCluster) string {
392-
return cluster.Name + "-oauth-config"
410+
if shouldUseOldName(cluster) {
411+
return cluster.Name + "-oauth-config"
412+
}
413+
return RCCUniqueName(cluster.Name + "-oauth-config")
393414
}
394415

395416
// desiredOAuthSecret defines the desired OAuth secret object
@@ -406,7 +427,10 @@ func desiredOAuthSecret(cluster *rayv1.RayCluster, cookieSalt string) *corev1ac.
406427
}
407428

408429
func caSecretNameFromCluster(cluster *rayv1.RayCluster) string {
409-
return "ca-secret-" + cluster.Name
430+
if shouldUseOldName(cluster) {
431+
return "ca-secret-" + cluster.Name
432+
}
433+
return RCCUniqueName(cluster.Name + "-ca-secret")
410434
}
411435

412436
func desiredCASecret(cluster *rayv1.RayCluster, key, cert []byte) *corev1ac.SecretApplyConfiguration {
@@ -462,8 +486,17 @@ func generateCACertificate() ([]byte, []byte, error) {
462486
return privateKeyPem, certPem, nil
463487
}
464488

489+
func workerNWPNameFromCluster(cluster *rayv1.RayCluster) string {
490+
if shouldUseOldName(cluster) {
491+
return cluster.Name + "-workers"
492+
}
493+
return RCCUniqueName(cluster.Name + "-workers")
494+
}
495+
465496
func desiredWorkersNetworkPolicy(cluster *rayv1.RayCluster) *networkingv1ac.NetworkPolicyApplyConfiguration {
466-
return networkingv1ac.NetworkPolicy(cluster.Name+"-workers", cluster.Namespace).
497+
return networkingv1ac.NetworkPolicy(
498+
workerNWPNameFromCluster(cluster), cluster.Namespace,
499+
).
467500
WithLabels(map[string]string{RayClusterNameLabel: cluster.Name}).
468501
WithSpec(networkingv1ac.NetworkPolicySpec().
469502
WithPodSelector(metav1ac.LabelSelector().WithMatchLabels(map[string]string{"ray.io/cluster": cluster.Name, "ray.io/node-type": "worker"})).
@@ -477,14 +510,21 @@ func desiredWorkersNetworkPolicy(cluster *rayv1.RayCluster) *networkingv1ac.Netw
477510
WithOwnerReferences(ownerRefForRayCluster(cluster))
478511
}
479512

513+
func headNWPNameFromCluster(cluster *rayv1.RayCluster) string {
514+
if shouldUseOldName(cluster) {
515+
return cluster.Name + "-head"
516+
}
517+
return RCCUniqueName(cluster.Name + "-head")
518+
}
519+
480520
func desiredHeadNetworkPolicy(cluster *rayv1.RayCluster, cfg *config.KubeRayConfiguration, kubeRayNamespaces []string) *networkingv1ac.NetworkPolicyApplyConfiguration {
481521
allSecuredPorts := []*networkingv1ac.NetworkPolicyPortApplyConfiguration{
482522
networkingv1ac.NetworkPolicyPort().WithProtocol(corev1.ProtocolTCP).WithPort(intstr.FromInt(8443)),
483523
}
484524
if ptr.Deref(cfg.MTLSEnabled, true) {
485525
allSecuredPorts = append(allSecuredPorts, networkingv1ac.NetworkPolicyPort().WithProtocol(corev1.ProtocolTCP).WithPort(intstr.FromInt(10001)))
486526
}
487-
return networkingv1ac.NetworkPolicy(cluster.Name+"-head", cluster.Namespace).
527+
return networkingv1ac.NetworkPolicy(headNWPNameFromCluster(cluster), cluster.Namespace).
488528
WithLabels(map[string]string{RayClusterNameLabel: cluster.Name}).
489529
WithSpec(networkingv1ac.NetworkPolicySpec().
490530
WithPodSelector(metav1ac.LabelSelector().WithMatchLabels(map[string]string{"ray.io/cluster": cluster.Name, "ray.io/node-type": "head"})).
@@ -619,3 +659,7 @@ func (r *RayClusterReconciler) SetupWithManager(mgr ctrl.Manager) error {
619659

620660
return controller.Complete(r)
621661
}
662+
663+
func RCCUniqueName(s string) string {
664+
return s + "-" + seededHash(controllerName, s)
665+
}

pkg/controllers/raycluster_webhook.go

Lines changed: 23 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -38,14 +38,16 @@ const (
3838
oauthProxyContainerName = "oauth-proxy"
3939
oauthProxyVolumeName = "proxy-tls-secret"
4040
initContainerName = "create-cert"
41+
versionAnnotation = "ray.openshift.ai/version"
4142
)
4243

4344
// log is for logging in this package.
4445
var rayclusterlog = logf.Log.WithName("raycluster-resource")
4546

46-
func SetupRayClusterWebhookWithManager(mgr ctrl.Manager, cfg *config.KubeRayConfiguration) error {
47+
func SetupRayClusterWebhookWithManager(mgr ctrl.Manager, cfg *config.KubeRayConfiguration, operatorVersion string) error {
4748
rayClusterWebhookInstance := &rayClusterWebhook{
48-
Config: cfg,
49+
Config: cfg,
50+
OperatorVersion: operatorVersion,
4951
}
5052
return ctrl.NewWebhookManagedBy(mgr).
5153
For(&rayv1.RayCluster{}).
@@ -58,23 +60,33 @@ func SetupRayClusterWebhookWithManager(mgr ctrl.Manager, cfg *config.KubeRayConf
5860
// +kubebuilder:webhook:path=/validate-ray-io-v1-raycluster,mutating=false,failurePolicy=fail,sideEffects=None,groups=ray.io,resources=rayclusters,verbs=create;update,versions=v1,name=vraycluster.ray.openshift.ai,admissionReviewVersions=v1
5961

6062
type rayClusterWebhook struct {
61-
Config *config.KubeRayConfiguration
63+
Config *config.KubeRayConfiguration
64+
OperatorVersion string
6265
}
6366

6467
var _ webhook.CustomDefaulter = &rayClusterWebhook{}
6568
var _ webhook.CustomValidator = &rayClusterWebhook{}
6669

6770
// Default implements webhook.Defaulter so a webhook will be registered for the type
6871
func (w *rayClusterWebhook) Default(ctx context.Context, obj runtime.Object) error {
72+
logger := ctrl.LoggerFrom(ctx)
6973
rayCluster := obj.(*rayv1.RayCluster)
7074

75+
// add annotation to use new names
76+
annotations := rayCluster.GetAnnotations()
77+
if annotations == nil {
78+
annotations = make(map[string]string)
79+
}
80+
annotations[versionAnnotation] = w.OperatorVersion
81+
rayCluster.SetAnnotations(annotations)
82+
logger.Info("Ray Cluster annotations", "annotations", rayCluster.GetAnnotations())
7183
if ptr.Deref(w.Config.RayDashboardOAuthEnabled, true) {
7284
rayclusterlog.V(2).Info("Adding OAuth sidecar container")
7385
rayCluster.Spec.HeadGroupSpec.Template.Spec.Containers = upsert(rayCluster.Spec.HeadGroupSpec.Template.Spec.Containers, oauthProxyContainer(rayCluster), withContainerName(oauthProxyContainerName))
7486

7587
rayCluster.Spec.HeadGroupSpec.Template.Spec.Volumes = upsert(rayCluster.Spec.HeadGroupSpec.Template.Spec.Volumes, oauthProxyTLSSecretVolume(rayCluster), withVolumeName(oauthProxyVolumeName))
7688

77-
rayCluster.Spec.HeadGroupSpec.Template.Spec.ServiceAccountName = rayCluster.Name + "-oauth-proxy"
89+
rayCluster.Spec.HeadGroupSpec.Template.Spec.ServiceAccountName = oauthServiceAccountNameFromCluster(rayCluster)
7890
}
7991

8092
if ptr.Deref(w.Config.MTLSEnabled, true) {
@@ -218,7 +230,7 @@ func validateIngress(rayCluster *rayv1.RayCluster) field.ErrorList {
218230
func validateHeadGroupServiceAccountName(rayCluster *rayv1.RayCluster) field.ErrorList {
219231
var allErrors field.ErrorList
220232

221-
if rayCluster.Spec.HeadGroupSpec.Template.Spec.ServiceAccountName != rayCluster.Name+"-oauth-proxy" {
233+
if rayCluster.Spec.HeadGroupSpec.Template.Spec.ServiceAccountName != oauthServiceAccountNameFromCluster(rayCluster) {
222234
allErrors = append(allErrors, field.Invalid(
223235
field.NewPath("spec", "headGroupSpec", "template", "spec", "serviceAccountName"),
224236
rayCluster.Spec.HeadGroupSpec.Template.Spec.ServiceAccountName,
@@ -241,7 +253,7 @@ func oauthProxyContainer(rayCluster *rayv1.RayCluster) corev1.Container {
241253
ValueFrom: &corev1.EnvVarSource{
242254
SecretKeyRef: &corev1.SecretKeySelector{
243255
LocalObjectReference: corev1.LocalObjectReference{
244-
Name: rayCluster.Name + "-oauth-config",
256+
Name: oauthSecretNameFromCluster(rayCluster),
245257
},
246258
Key: "cookie_secret",
247259
},
@@ -251,7 +263,7 @@ func oauthProxyContainer(rayCluster *rayv1.RayCluster) corev1.Container {
251263
Args: []string{
252264
"--https-address=:8443",
253265
"--provider=openshift",
254-
"--openshift-service-account=" + rayCluster.Name + "-oauth-proxy",
266+
"--openshift-service-account=" + oauthServiceAccountNameFromCluster(rayCluster),
255267
"--upstream=http://localhost:8265",
256268
"--tls-cert=/etc/tls/private/tls.crt",
257269
"--tls-key=/etc/tls/private/tls.key",
@@ -273,7 +285,7 @@ func oauthProxyTLSSecretVolume(rayCluster *rayv1.RayCluster) corev1.Volume {
273285
Name: oauthProxyVolumeName,
274286
VolumeSource: corev1.VolumeSource{
275287
Secret: &corev1.SecretVolumeSource{
276-
SecretName: rayCluster.Name + "-proxy-tls-secret",
288+
SecretName: oauthServiceTLSSecretName(rayCluster),
277289
},
278290
},
279291
}
@@ -329,7 +341,7 @@ func caVolumes(rayCluster *rayv1.RayCluster) []corev1.Volume {
329341
Name: "ca-vol",
330342
VolumeSource: corev1.VolumeSource{
331343
Secret: &corev1.SecretVolumeSource{
332-
SecretName: `ca-secret-` + rayCluster.Name,
344+
SecretName: caSecretNameFromCluster(rayCluster),
333345
},
334346
},
335347
},
@@ -343,9 +355,9 @@ func caVolumes(rayCluster *rayv1.RayCluster) []corev1.Volume {
343355
}
344356

345357
func rayHeadInitContainer(rayCluster *rayv1.RayCluster, config *config.KubeRayConfiguration) corev1.Container {
346-
rayClientRoute := "rayclient-" + rayCluster.Name + "-" + rayCluster.Namespace + "." + config.IngressDomain
358+
rayClientRoute := rayClientNameFromCluster(rayCluster) + "-" + rayCluster.Namespace + "." + config.IngressDomain
347359
// Service name for basic interactive
348-
svcDomain := rayCluster.Name + "-head-svc." + rayCluster.Namespace + ".svc"
360+
svcDomain := serviceNameFromCluster(rayCluster) + "." + rayCluster.Namespace + ".svc"
349361

350362
initContainerHead := corev1.Container{
351363
Name: "create-cert",

0 commit comments

Comments
 (0)