Refactor RayCluster mutating webhook

Author: astefanutti

PROJECT

@@ -12,7 +12,7 @@ projectName: codeflare-operator
 repo: github.com/project-codeflare/codeflare-operator
 resources:
 - controller: true
-  domain: codeflare.dev
+  domain: ray.io
   group: ray
   kind: RayCluster
   path: github.com/project-codeflare/codeflare-operator/pkg/controllers

config/default/kustomization.yaml

@@ -16,13 +16,8 @@ commonLabels:
 bases:
   - ../rbac
   - ../manager
-  - ../webhook
 # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
 # - ../prometheus
 
 resources:
   - metrics_service.yaml
-
-patches:
-- path: manager_webhook_patch.yaml
-- path: webhookcainjection_patch.yaml

config/openshift/kustomization.yaml

@@ -0,0 +1,22 @@
+# Adds namespace to all resources.
+namespace: openshift-operators
+
+# Value of this field is prepended to the
+# names of all resources, e.g. a deployment named
+# "wordpress" becomes "alices-wordpress".
+# Note that it should also match with the prefix (text before '-') of the namespace
+# field above.
+namePrefix: codeflare-operator-
+
+# Labels to add to all resources and selectors.
+commonLabels:
+  app.kubernetes.io/name: codeflare-operator
+  app.kubernetes.io/part-of: codeflare
+
+bases:
+  - ../default
+  - ../webhook
+
+patches:
+- path: manager_webhook_patch.yaml
+- path: webhookcainjection_patch.yaml

config/default/manager_webhook_patch.yaml renamed to config/openshift/manager_webhook_patch.yaml

@@ -147,8 +147,7 @@ func main() {
 	})
 	exitOnError(err, "unable to start manager")
 
-	rayClusterDefaulter := &controllers.RayClusterDefaulter{}
-	exitOnError(rayClusterDefaulter.SetupWebhookWithManager(mgr), "error setting up webhook")
+	exitOnError(controllers.SetupRayClusterWebhookWithManager(mgr, cfg.KubeRay), "error setting up RayCluster webhook")
 
 	ok, err := HasAPIResourceForGVK(kubeClient.DiscoveryClient, rayv1.GroupVersion.WithKind("RayCluster"))
 	if ok {

config/default/webhookcainjection_patch.yaml renamed to config/openshift/webhookcainjection_patch.yaml

@@ -23,6 +23,7 @@ import (
 
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/utils/pointer"
 	ctrl "sigs.k8s.io/controller-runtime"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
@@ -33,105 +34,101 @@ import (
 // log is for logging in this package.
 var rayclusterlog = logf.Log.WithName("raycluster-resource")
 
-func (r *RayClusterDefaulter) SetupWebhookWithManager(mgr ctrl.Manager) error {
+func SetupRayClusterWebhookWithManager(mgr ctrl.Manager, cfg *config.KubeRayConfiguration) error {
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(&rayv1.RayCluster{}).
-		WithDefaulter(&RayClusterDefaulter{
-			Config:                   r.Config,
-			rayDashboardOauthEnabled: r.isRayDashboardOAuthEnabledWebhook(),
+		WithDefaulter(&rayClusterDefaulter{
+			Config: cfg,
 		}).
 		Complete()
 }
 
-//+kubebuilder:webhook:path=/mutate-ray-io-v1-raycluster,mutating=true,failurePolicy=fail,sideEffects=None,groups=ray.io,resources=rayclusters,verbs=create;update,versions=v1,name=mraycluster.kb.io,admissionReviewVersions=v1
+// +kubebuilder:webhook:path=/mutate-ray-io-v1-raycluster,mutating=true,failurePolicy=fail,sideEffects=None,groups=ray.io,resources=rayclusters,verbs=create;update,versions=v1,name=mraycluster.kb.io,admissionReviewVersions=v1
 
-type RayClusterDefaulter struct {
-	Config                   *config.KubeRayConfiguration
-	rayDashboardOauthEnabled bool
+type rayClusterDefaulter struct {
+	Config *config.KubeRayConfiguration
 }
 
-var _ webhook.CustomDefaulter = &RayClusterDefaulter{}
+var _ webhook.CustomDefaulter = &rayClusterDefaulter{}
 
 // Default implements webhook.Defaulter so a webhook will be registered for the type
-func (r *RayClusterDefaulter) Default(ctx context.Context, obj runtime.Object) error {
+func (r *rayClusterDefaulter) Default(ctx context.Context, obj runtime.Object) error {
 	raycluster := obj.(*rayv1.RayCluster)
 
-	if r.rayDashboardOauthEnabled {
-		rayclusterlog.Info("default", "name", raycluster.Name)
-		// Check and add OAuth proxy if it does not exist.
-		alreadyExists := false
-		for _, container := range raycluster.Spec.HeadGroupSpec.Template.Spec.Containers {
-			if container.Name == "oauth-proxy" {
-				rayclusterlog.Info("OAuth sidecar already exists, no patch needed")
-				alreadyExists = true
-				break // exits the for loop
-			}
+	if !pointer.BoolDeref(r.Config.RayDashboardOAuthEnabled, true) {
+		return nil
+	}
+
+	// Check and add OAuth proxy if it does not exist
+	for _, container := range raycluster.Spec.HeadGroupSpec.Template.Spec.Containers {
+		if container.Name == "oauth-proxy" {
+			rayclusterlog.V(2).Info("OAuth sidecar already exists, no patch needed")
+			return nil
 		}
+	}
 
-		if !alreadyExists {
-			rayclusterlog.Info("Adding OAuth sidecar container")
-			// definition of the new container
-			newOAuthSidecar := corev1.Container{
-				Name:  "oauth-proxy",
-				Image: "registry.redhat.io/openshift4/ose-oauth-proxy@sha256:1ea6a01bf3e63cdcf125c6064cbd4a4a270deaf0f157b3eabb78f60556840366",
-				Ports: []corev1.ContainerPort{
-					{ContainerPort: 8443, Name: "oauth-proxy"},
-				},
-				Args: []string{
-					"--https-address=:8443",
-					"--provider=openshift",
-					"--openshift-service-account=" + raycluster.Name + "-oauth-proxy",
-					"--upstream=http://localhost:8265",
-					"--tls-cert=/etc/tls/private/tls.crt",
-					"--tls-key=/etc/tls/private/tls.key",
-					"--cookie-secret=$(COOKIE_SECRET)",
-					"--openshift-delegate-urls={\"/\":{\"resource\":\"pods\",\"namespace\":\"default\",\"verb\":\"get\"}}",
-				},
-				VolumeMounts: []corev1.VolumeMount{
-					{
-						Name:      "proxy-tls-secret",
-						MountPath: "/etc/tls/private",
-						ReadOnly:  true,
-					},
-				},
-			}
-
-			// Adding the new OAuth sidecar container
-			raycluster.Spec.HeadGroupSpec.Template.Spec.Containers = append(raycluster.Spec.HeadGroupSpec.Template.Spec.Containers, newOAuthSidecar)
-
-			cookieSecret := corev1.EnvVar{
-				Name: "COOKIE_SECRET",
-				ValueFrom: &corev1.EnvVarSource{
-					SecretKeyRef: &corev1.SecretKeySelector{
-						LocalObjectReference: corev1.LocalObjectReference{
-							Name: raycluster.Name + "-oauth-config",
-						},
-						Key: "cookie_secret",
-					},
-				},
-			}
-
-			raycluster.Spec.HeadGroupSpec.Template.Spec.Containers[0].Env = append(
-				raycluster.Spec.HeadGroupSpec.Template.Spec.Containers[0].Env,
-				cookieSecret,
-			)
-
-			tlsSecretVolume := corev1.Volume{
-				Name: "proxy-tls-secret",
-				VolumeSource: corev1.VolumeSource{
-					Secret: &corev1.SecretVolumeSource{
-						SecretName: raycluster.Name + "-proxy-tls-secret",
-					},
+	rayclusterlog.V(2).Info("Adding OAuth sidecar container")
+	// definition of the new container
+	newOAuthSidecar := corev1.Container{
+		Name:  "oauth-proxy",
+		Image: "registry.redhat.io/openshift4/ose-oauth-proxy@sha256:1ea6a01bf3e63cdcf125c6064cbd4a4a270deaf0f157b3eabb78f60556840366",
+		Ports: []corev1.ContainerPort{
+			{ContainerPort: 8443, Name: "oauth-proxy"},
+		},
+		Args: []string{
+			"--https-address=:8443",
+			"--provider=openshift",
+			"--openshift-service-account=" + raycluster.Name + "-oauth-proxy",
+			"--upstream=http://localhost:8265",
+			"--tls-cert=/etc/tls/private/tls.crt",
+			"--tls-key=/etc/tls/private/tls.key",
+			"--cookie-secret=$(COOKIE_SECRET)",
+			"--openshift-delegate-urls={\"/\":{\"resource\":\"pods\",\"namespace\":\"default\",\"verb\":\"get\"}}",
+		},
+		VolumeMounts: []corev1.VolumeMount{
+			{
+				Name:      "proxy-tls-secret",
+				MountPath: "/etc/tls/private",
+				ReadOnly:  true,
+			},
+		},
+	}
+
+	// Adding the new OAuth sidecar container
+	raycluster.Spec.HeadGroupSpec.Template.Spec.Containers = append(raycluster.Spec.HeadGroupSpec.Template.Spec.Containers, newOAuthSidecar)
+
+	cookieSecret := corev1.EnvVar{
+		Name: "COOKIE_SECRET",
+		ValueFrom: &corev1.EnvVarSource{
+			SecretKeyRef: &corev1.SecretKeySelector{
+				LocalObjectReference: corev1.LocalObjectReference{
+					Name: raycluster.Name + "-oauth-config",
 				},
-			}
+				Key: "cookie_secret",
+			},
+		},
+	}
 
-			raycluster.Spec.HeadGroupSpec.Template.Spec.Volumes = append(raycluster.Spec.HeadGroupSpec.Template.Spec.Volumes, tlsSecretVolume)
+	raycluster.Spec.HeadGroupSpec.Template.Spec.Containers[0].Env = append(
+		raycluster.Spec.HeadGroupSpec.Template.Spec.Containers[0].Env,
+		cookieSecret,
+	)
+
+	tlsSecretVolume := corev1.Volume{
+		Name: "proxy-tls-secret",
+		VolumeSource: corev1.VolumeSource{
+			Secret: &corev1.SecretVolumeSource{
+				SecretName: raycluster.Name + "-proxy-tls-secret",
+			},
+		},
+	}
 
-			// Ensure the service account is set
-			if raycluster.Spec.HeadGroupSpec.Template.Spec.ServiceAccountName == "" {
-				raycluster.Spec.HeadGroupSpec.Template.Spec.ServiceAccountName = raycluster.Name + "-oauth-proxy"
-			}
-		}
+	raycluster.Spec.HeadGroupSpec.Template.Spec.Volumes = append(raycluster.Spec.HeadGroupSpec.Template.Spec.Volumes, tlsSecretVolume)
+
+	// Ensure the service account is set
+	if raycluster.Spec.HeadGroupSpec.Template.Spec.ServiceAccountName == "" {
+		raycluster.Spec.HeadGroupSpec.Template.Spec.ServiceAccountName = raycluster.Name + "-oauth-proxy"
 	}
+
 	return nil
 }

main.go

@@ -155,10 +155,3 @@ func (r *RayClusterReconciler) isRayDashboardOAuthEnabled() bool {
 	}
 	return true
 }
-
-func (r *RayClusterDefaulter) isRayDashboardOAuthEnabledWebhook() bool {
-	if r.Config != nil && r.Config.RayDashboardOAuthEnabled != nil {
-		return *r.Config.RayDashboardOAuthEnabled
-	}
-	return true
-}