Use deep semantic comparison in RayCluster validation webhook

astefanutti · openshift-merge-bot[bot] · commit 1c85429226d0 · 2024-04-18T14:38:45.000Z
diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml
@@ -21,7 +21,6 @@ webhooks:
     - v1
     operations:
     - CREATE
-    - UPDATE
     resources:
     - rayclusters
   sideEffects: None
diff --git a/pkg/controllers/raycluster_webhook.go b/pkg/controllers/raycluster_webhook.go
@@ -33,6 +33,11 @@ import (
 	"github.com/project-codeflare/codeflare-operator/pkg/config"
 )
 
+const (
+	oauthProxyContainerName = "oauth-proxy"
+	oauthProxyVolumeName    = "proxy-tls-secret"
+)
+
 // log is for logging in this package.
 var rayclusterlog = logf.Log.WithName("raycluster-resource")
 
@@ -47,7 +52,7 @@ func SetupRayClusterWebhookWithManager(mgr ctrl.Manager, cfg *config.KubeRayConf
 		Complete()
 }
 
-// +kubebuilder:webhook:path=/mutate-ray-io-v1-raycluster,mutating=true,failurePolicy=fail,sideEffects=None,groups=ray.io,resources=rayclusters,verbs=create;update,versions=v1,name=mraycluster.kb.io,admissionReviewVersions=v1
+// +kubebuilder:webhook:path=/mutate-ray-io-v1-raycluster,mutating=true,failurePolicy=fail,sideEffects=None,groups=ray.io,resources=rayclusters,verbs=create,versions=v1,name=mraycluster.kb.io,admissionReviewVersions=v1
 // +kubebuilder:webhook:path=/validate-ray-io-v1-raycluster,mutating=false,failurePolicy=fail,sideEffects=None,groups=ray.io,resources=rayclusters,verbs=create;update,versions=v1,name=vraycluster.kb.io,admissionReviewVersions=v1
 
 type rayClusterWebhook struct {
@@ -65,18 +70,105 @@ func (w *rayClusterWebhook) Default(ctx context.Context, obj runtime.Object) err
 		return nil
 	}
 
-	// Check and add OAuth proxy if it does not exist
-	for _, container := range rayCluster.Spec.HeadGroupSpec.Template.Spec.Containers {
-		if container.Name == "oauth-proxy" {
-			rayclusterlog.V(2).Info("OAuth sidecar already exists, no patch needed")
-			return nil
-		}
+	rayclusterlog.V(2).Info("Adding OAuth sidecar container")
+
+	rayCluster.Spec.HeadGroupSpec.Template.Spec.Containers = upsert(rayCluster.Spec.HeadGroupSpec.Template.Spec.Containers, oauthProxyContainer(rayCluster), withContainerName(oauthProxyContainerName))
+
+	rayCluster.Spec.HeadGroupSpec.Template.Spec.Volumes = upsert(rayCluster.Spec.HeadGroupSpec.Template.Spec.Volumes, oauthProxyTLSSecretVolume(rayCluster), withVolumeName(oauthProxyVolumeName))
+
+	rayCluster.Spec.HeadGroupSpec.Template.Spec.ServiceAccountName = rayCluster.Name + "-oauth-proxy"
+
+	return nil
+}
+
+func (w *rayClusterWebhook) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
+	rayCluster := obj.(*rayv1.RayCluster)
+
+	var warnings admission.Warnings
+	var allErrors field.ErrorList
+
+	allErrors = append(allErrors, validateIngress(rayCluster)...)
+
+	return warnings, allErrors.ToAggregate()
+}
+
+func (w *rayClusterWebhook) ValidateUpdate(ctx context.Context, oldObj, newObj runtime.Object) (admission.Warnings, error) {
+	rayCluster := newObj.(*rayv1.RayCluster)
+
+	var warnings admission.Warnings
+	var allErrors field.ErrorList
+
+	if !rayCluster.DeletionTimestamp.IsZero() {
+		// Object is being deleted, skip validations
+		return nil, nil
+	}
+
+	allErrors = append(allErrors, validateIngress(rayCluster)...)
+	allErrors = append(allErrors, validateOAuthProxyContainer(rayCluster)...)
+	allErrors = append(allErrors, validateOAuthProxyVolume(rayCluster)...)
+	allErrors = append(allErrors, validateHeadGroupServiceAccountName(rayCluster)...)
+
+	return warnings, allErrors.ToAggregate()
+}
+
+func (w *rayClusterWebhook) ValidateDelete(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
+	// Optional: Add delete validation logic here
+	return nil, nil
+}
+
+func validateOAuthProxyContainer(rayCluster *rayv1.RayCluster) field.ErrorList {
+	var allErrors field.ErrorList
+
+	if err := contains(rayCluster.Spec.HeadGroupSpec.Template.Spec.Containers, oauthProxyContainer(rayCluster), byContainerName,
+		field.NewPath("spec", "headGroupSpec", "template", "spec", "containers"),
+		"OAuth Proxy container is immutable"); err != nil {
+		allErrors = append(allErrors, err)
 	}
 
-	rayclusterlog.V(2).Info("Adding OAuth sidecar container")
+	return allErrors
+}
+
+func validateOAuthProxyVolume(rayCluster *rayv1.RayCluster) field.ErrorList {
+	var allErrors field.ErrorList
 
-	newOAuthSidecar := corev1.Container{
-		Name:  "oauth-proxy",
+	if err := contains(rayCluster.Spec.HeadGroupSpec.Template.Spec.Volumes, oauthProxyTLSSecretVolume(rayCluster), byVolumeName,
+		field.NewPath("spec", "headGroupSpec", "template", "spec", "volumes"),
+		"OAuth Proxy TLS Secret volume is immutable"); err != nil {
+		allErrors = append(allErrors, err)
+	}
+
+	return allErrors
+}
+
+func validateIngress(rayCluster *rayv1.RayCluster) field.ErrorList {
+	var allErrors field.ErrorList
+
+	if pointer.BoolDeref(rayCluster.Spec.HeadGroupSpec.EnableIngress, false) {
+		allErrors = append(allErrors, field.Invalid(
+			field.NewPath("spec", "headGroupSpec", "enableIngress"),
+			rayCluster.Spec.HeadGroupSpec.EnableIngress,
+			"RayCluster resources with EnableIngress set to true or unspecified is not allowed"))
+	}
+
+	return allErrors
+}
+
+func validateHeadGroupServiceAccountName(rayCluster *rayv1.RayCluster) field.ErrorList {
+	var allErrors field.ErrorList
+
+	if rayCluster.Spec.HeadGroupSpec.Template.Spec.ServiceAccountName != rayCluster.Name+"-oauth-proxy" {
+		allErrors = append(allErrors, field.Invalid(
+			field.NewPath("spec", "headGroupSpec", "template", "spec", "serviceAccountName"),
+			rayCluster.Spec.HeadGroupSpec.Template.Spec.ServiceAccountName,
+			"RayCluster head group service account is immutable"))
+	}
+
+	return allErrors
+}
+
+func oauthProxyContainer(rayCluster *rayv1.RayCluster) corev1.Container {
+	return corev1.Container{
+		Name:  oauthProxyContainerName,
 		Image: "registry.redhat.io/openshift4/ose-oauth-proxy@sha256:1ea6a01bf3e63cdcf125c6064cbd4a4a270deaf0f157b3eabb78f60556840366",
 		Ports: []corev1.ContainerPort{
 			{ContainerPort: 8443, Name: "oauth-proxy"},
@@ -106,59 +198,21 @@ func (w *rayClusterWebhook) Default(ctx context.Context, obj runtime.Object) err
 		},
 		VolumeMounts: []corev1.VolumeMount{
 			{
-				Name:      "proxy-tls-secret",
+				Name:      oauthProxyVolumeName,
 				MountPath: "/etc/tls/private",
 				ReadOnly:  true,
 			},
 		},
 	}
+}
 
-	rayCluster.Spec.HeadGroupSpec.Template.Spec.Containers = append(rayCluster.Spec.HeadGroupSpec.Template.Spec.Containers, newOAuthSidecar)
-
-	tlsSecretVolume := corev1.Volume{
-		Name: "proxy-tls-secret",
+func oauthProxyTLSSecretVolume(rayCluster *rayv1.RayCluster) corev1.Volume {
+	return corev1.Volume{
+		Name: oauthProxyVolumeName,
 		VolumeSource: corev1.VolumeSource{
 			Secret: &corev1.SecretVolumeSource{
 				SecretName: rayCluster.Name + "-proxy-tls-secret",
 			},
 		},
 	}
-
-	rayCluster.Spec.HeadGroupSpec.Template.Spec.Volumes = append(rayCluster.Spec.HeadGroupSpec.Template.Spec.Volumes, tlsSecretVolume)
-
-	// Ensure the service account is set
-	if rayCluster.Spec.HeadGroupSpec.Template.Spec.ServiceAccountName == "" {
-		rayCluster.Spec.HeadGroupSpec.Template.Spec.ServiceAccountName = rayCluster.Name + "-oauth-proxy"
-	}
-
-	return nil
-}
-
-func (w *rayClusterWebhook) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
-	raycluster := obj.(*rayv1.RayCluster)
-	var warnings admission.Warnings
-	var allErrors field.ErrorList
-	specPath := field.NewPath("spec")
-
-	if pointer.BoolDeref(raycluster.Spec.HeadGroupSpec.EnableIngress, false) {
-		rayclusterlog.Info("Creating RayCluster resources with EnableIngress set to true or unspecified is not allowed")
-		allErrors = append(allErrors, field.Invalid(specPath.Child("headGroupSpec").Child("enableIngress"), raycluster.Spec.HeadGroupSpec.EnableIngress, "creating RayCluster resources with EnableIngress set to true or unspecified is not allowed"))
-	}
-
-	return warnings, allErrors.ToAggregate()
-}
-
-func (w *rayClusterWebhook) ValidateUpdate(ctx context.Context, oldObj, newObj runtime.Object) (admission.Warnings, error) {
-	newRayCluster := newObj.(*rayv1.RayCluster)
-	if !newRayCluster.DeletionTimestamp.IsZero() {
-		// Object is being deleted, skip validations
-		return nil, nil
-	}
-	warnings, err := w.ValidateCreate(ctx, newRayCluster)
-	return warnings, err
-}
-
-func (w *rayClusterWebhook) ValidateDelete(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
-	// Optional: Add delete validation logic here
-	return nil, nil
 }
diff --git a/pkg/controllers/support.go b/pkg/controllers/support.go
@@ -3,9 +3,11 @@ package controllers
 import (
 	rayv1 "github.com/ray-project/kuberay/ray-operator/apis/ray/v1"
 
+	corev1 "k8s.io/api/core/v1"
 	networkingv1 "k8s.io/api/networking/v1"
-	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/api/equality"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/apimachinery/pkg/util/validation/field"
 	v1 "k8s.io/client-go/applyconfigurations/meta/v1"
 	networkingv1ac "k8s.io/client-go/applyconfigurations/networking/v1"
 
@@ -29,7 +31,6 @@ func desiredRayClientRoute(cluster *rayv1.RayCluster) *routeapply.RouteApplyConf
 		)
 }
 
-// Create an Ingress object for the RayCluster
 func desiredRayClientIngress(cluster *rayv1.RayCluster, ingressHost string) *networkingv1ac.IngressApplyConfiguration {
 	return networkingv1ac.Ingress(rayClientNameFromCluster(cluster), cluster.Namespace).
 		WithLabels(map[string]string{"ray.io/cluster-name": cluster.Name}).
@@ -42,7 +43,7 @@ func desiredRayClientIngress(cluster *rayv1.RayCluster, ingressHost string) *net
 			WithAPIVersion(cluster.APIVersion).
 			WithKind(cluster.Kind).
 			WithName(cluster.Name).
-			WithUID(types.UID(cluster.UID))).
+			WithUID(cluster.UID)).
 		WithSpec(networkingv1ac.IngressSpec().
 			WithIngressClassName("nginx").
 			WithRules(networkingv1ac.IngressRule().
@@ -65,15 +66,14 @@ func desiredRayClientIngress(cluster *rayv1.RayCluster, ingressHost string) *net
 		)
 }
 
-// Create an Ingress object for the RayCluster
 func desiredClusterIngress(cluster *rayv1.RayCluster, ingressHost string) *networkingv1ac.IngressApplyConfiguration {
 	return networkingv1ac.Ingress(dashboardNameFromCluster(cluster), cluster.Namespace).
 		WithLabels(map[string]string{"ray.io/cluster-name": cluster.Name}).
 		WithOwnerReferences(v1.OwnerReference().
 			WithAPIVersion(cluster.APIVersion).
 			WithKind(cluster.Kind).
 			WithName(cluster.Name).
-			WithUID(types.UID(cluster.UID))).
+			WithUID(cluster.UID)).
 		WithSpec(networkingv1ac.IngressSpec().
 			WithRules(networkingv1ac.IngressRule().
 				WithHost(ingressHost). // Full Hostname
@@ -94,3 +94,49 @@ func desiredClusterIngress(cluster *rayv1.RayCluster, ingressHost string) *netwo
 			),
 		)
 }
+
+type compare[T any] func(T, T) bool
+
+func upsert[T any](items []T, item T, predicate compare[T]) []T {
+	for i, t := range items {
+		if predicate(t, item) {
+			items[i] = item
+			return items
+		}
+	}
+	return append(items, item)
+}
+
+func contains[T any](items []T, item T, predicate compare[T], path *field.Path, msg string) *field.Error {
+	for _, t := range items {
+		if predicate(t, item) {
+			if equality.Semantic.DeepDerivative(item, t) {
+				return nil
+			}
+			return field.Invalid(path, t, msg)
+		}
+	}
+	return field.Required(path, msg)
+}
+
+var byContainerName = compare[corev1.Container](
+	func(c1, c2 corev1.Container) bool {
+		return c1.Name == c2.Name
+	})
+
+func withContainerName(name string) compare[corev1.Container] {
+	return func(c1, c2 corev1.Container) bool {
+		return c1.Name == name
+	}
+}
+
+var byVolumeName = compare[corev1.Volume](
+	func(v1, v2 corev1.Volume) bool {
+		return v1.Name == v2.Name
+	})
+
+func withVolumeName(name string) compare[corev1.Volume] {
+	return func(v1, v2 corev1.Volume) bool {
+		return v1.Name == name
+	}
+}
