add: check for isRayDashboardOAuthEnabledWebhook before applying patch

VanillaSpoon · VanillaSpoon · commit 89e9b2a0ade0 · 2024-04-17T11:26:03.000+01:00
diff --git a/pkg/controllers/raycluster_webhook.go b/pkg/controllers/raycluster_webhook.go
@@ -21,6 +21,7 @@ import (
 
 	rayv1 "github.com/ray-project/kuberay/ray-operator/apis/ray/v1"
 
+	"github.com/project-codeflare/codeflare-operator/pkg/config"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -34,89 +35,97 @@ var rayclusterlog = logf.Log.WithName("raycluster-resource")
 func (r *RayClusterDefaulter) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(&rayv1.RayCluster{}).
-		WithDefaulter(&RayClusterDefaulter{}).
+		WithDefaulter(&RayClusterDefaulter{
+			Config:                   r.Config,
+			rayDashboardOauthEnabled: r.isRayDashboardOAuthEnabledWebhook(),
+		}).
 		Complete()
 }
 
 //+kubebuilder:webhook:path=/mutate-ray-io-v1-raycluster,mutating=true,failurePolicy=fail,sideEffects=None,groups=ray.io,resources=rayclusters,verbs=create;update,versions=v1,name=mraycluster.kb.io,admissionReviewVersions=v1
 
-type RayClusterDefaulter struct{}
+type RayClusterDefaulter struct {
+	Config                   *config.KubeRayConfiguration
+	rayDashboardOauthEnabled bool
+}
 
 var _ webhook.CustomDefaulter = &RayClusterDefaulter{}
 
 // Default implements webhook.Defaulter so a webhook will be registered for the type
 func (r *RayClusterDefaulter) Default(ctx context.Context, obj runtime.Object) error {
 	raycluster := obj.(*rayv1.RayCluster)
 
-	rayclusterlog.Info("default", "name", raycluster.Name)
-	// Check and add OAuth proxy if it does not exist.
-	alreadyExists := false
-	for _, container := range raycluster.Spec.HeadGroupSpec.Template.Spec.Containers {
-		if container.Name == "oauth-proxy" {
-			rayclusterlog.Info("OAuth sidecar already exists, no patch needed")
-			alreadyExists = true
-			break // exits the for loop
+	if r.rayDashboardOauthEnabled {
+		rayclusterlog.Info("default", "name", raycluster.Name)
+		// Check and add OAuth proxy if it does not exist.
+		alreadyExists := false
+		for _, container := range raycluster.Spec.HeadGroupSpec.Template.Spec.Containers {
+			if container.Name == "oauth-proxy" {
+				rayclusterlog.Info("OAuth sidecar already exists, no patch needed")
+				alreadyExists = true
+				break // exits the for loop
+			}
 		}
-	}
 
-	if !alreadyExists {
-		rayclusterlog.Info("Adding OAuth sidecar container")
-		// definition of the new container
-		newOAuthSidecar := corev1.Container{
-			Name:  "oauth-proxy",
-			Image: "registry.redhat.io/openshift4/ose-oauth-proxy@sha256:1ea6a01bf3e63cdcf125c6064cbd4a4a270deaf0f157b3eabb78f60556840366",
-			Ports: []corev1.ContainerPort{
-				{ContainerPort: 8443, Name: "oauth-proxy"},
-			},
-			Args: []string{
-				"--https-address=:8443",
-				"--provider=openshift",
-				"--openshift-service-account=" + raycluster.Name + "-oauth-proxy",
-				"--upstream=http://localhost:8265",
-				"--tls-cert=/etc/tls/private/tls.crt",
-				"--tls-key=/etc/tls/private/tls.key",
-				"--cookie-secret=$(COOKIE_SECRET)",
-				"--openshift-delegate-urls={\"/\":{\"resource\":\"pods\",\"namespace\":\"default\",\"verb\":\"get\"}}",
-			},
-			Env: []corev1.EnvVar{
-				{
-					Name: "COOKIE_SECRET",
-					ValueFrom: &corev1.EnvVarSource{
-						SecretKeyRef: &corev1.SecretKeySelector{
-							LocalObjectReference: corev1.LocalObjectReference{
-								Name: raycluster.Name + "-oauth-config",
+		if !alreadyExists {
+			rayclusterlog.Info("Adding OAuth sidecar container")
+			// definition of the new container
+			newOAuthSidecar := corev1.Container{
+				Name:  "oauth-proxy",
+				Image: "registry.redhat.io/openshift4/ose-oauth-proxy@sha256:1ea6a01bf3e63cdcf125c6064cbd4a4a270deaf0f157b3eabb78f60556840366",
+				Ports: []corev1.ContainerPort{
+					{ContainerPort: 8443, Name: "oauth-proxy"},
+				},
+				Args: []string{
+					"--https-address=:8443",
+					"--provider=openshift",
+					"--openshift-service-account=" + raycluster.Name + "-oauth-proxy",
+					"--upstream=http://localhost:8265",
+					"--tls-cert=/etc/tls/private/tls.crt",
+					"--tls-key=/etc/tls/private/tls.key",
+					"--cookie-secret=$(COOKIE_SECRET)",
+					"--openshift-delegate-urls={\"/\":{\"resource\":\"pods\",\"namespace\":\"default\",\"verb\":\"get\"}}",
+				},
+				Env: []corev1.EnvVar{
+					{
+						Name: "COOKIE_SECRET",
+						ValueFrom: &corev1.EnvVarSource{
+							SecretKeyRef: &corev1.SecretKeySelector{
+								LocalObjectReference: corev1.LocalObjectReference{
+									Name: raycluster.Name + "-oauth-config",
+								},
+								Key: "cookie_secret",
 							},
-							Key: "cookie_secret",
 						},
 					},
 				},
-			},
-			VolumeMounts: []corev1.VolumeMount{
-				{
-					Name:      "proxy-tls-secret",
-					MountPath: "/etc/tls/private",
-					ReadOnly:  true,
+				VolumeMounts: []corev1.VolumeMount{
+					{
+						Name:      "proxy-tls-secret",
+						MountPath: "/etc/tls/private",
+						ReadOnly:  true,
+					},
 				},
-			},
-		}
+			}
 
-		// Adding the new OAuth sidecar container
-		raycluster.Spec.HeadGroupSpec.Template.Spec.Containers = append(raycluster.Spec.HeadGroupSpec.Template.Spec.Containers, newOAuthSidecar)
+			// Adding the new OAuth sidecar container
+			raycluster.Spec.HeadGroupSpec.Template.Spec.Containers = append(raycluster.Spec.HeadGroupSpec.Template.Spec.Containers, newOAuthSidecar)
 
-		tlsSecretVolume := corev1.Volume{
-			Name: "proxy-tls-secret",
-			VolumeSource: corev1.VolumeSource{
-				Secret: &corev1.SecretVolumeSource{
-					SecretName: raycluster.Name + "-proxy-tls-secret",
+			tlsSecretVolume := corev1.Volume{
+				Name: "proxy-tls-secret",
+				VolumeSource: corev1.VolumeSource{
+					Secret: &corev1.SecretVolumeSource{
+						SecretName: raycluster.Name + "-proxy-tls-secret",
+					},
 				},
-			},
-		}
+			}
 
-		raycluster.Spec.HeadGroupSpec.Template.Spec.Volumes = append(raycluster.Spec.HeadGroupSpec.Template.Spec.Volumes, tlsSecretVolume)
+			raycluster.Spec.HeadGroupSpec.Template.Spec.Volumes = append(raycluster.Spec.HeadGroupSpec.Template.Spec.Volumes, tlsSecretVolume)
 
-		// Ensure the service account is set
-		if raycluster.Spec.HeadGroupSpec.Template.Spec.ServiceAccountName == "" {
-			raycluster.Spec.HeadGroupSpec.Template.Spec.ServiceAccountName = raycluster.Name + "-oauth-proxy"
+			// Ensure the service account is set
+			if raycluster.Spec.HeadGroupSpec.Template.Spec.ServiceAccountName == "" {
+				raycluster.Spec.HeadGroupSpec.Template.Spec.ServiceAccountName = raycluster.Name + "-oauth-proxy"
+			}
 		}
 	}
 	return nil
diff --git a/pkg/controllers/support.go b/pkg/controllers/support.go
@@ -155,3 +155,10 @@ func (r *RayClusterReconciler) isRayDashboardOAuthEnabled() bool {
 	}
 	return true
 }
+
+func (r *RayClusterDefaulter) isRayDashboardOAuthEnabledWebhook() bool {
+	if r.Config != nil && r.Config.RayDashboardOAuthEnabled != nil {
+		return *r.Config.RayDashboardOAuthEnabled
+	}
+	return true
+}

Original file line number	Diff line number	Diff line change
`@@ -155,3 +155,10 @@ func (r *RayClusterReconciler) isRayDashboardOAuthEnabled() bool {`
`155`	`155`	`}`
`156`	`156`	`return true`
`157`	`157`	`}`
	`158`	`+`
	`159`	`+func (r *RayClusterDefaulter) isRayDashboardOAuthEnabledWebhook() bool {`
	`160`	`+ if r.Config != nil && r.Config.RayDashboardOAuthEnabled != nil {`
	`161`	`+ return *r.Config.RayDashboardOAuthEnabled`
	`162`	`+ }`
	`163`	`+ return true`
	`164`	`+}`