Conversation

kryanbeane

Why are these changes needed?

Related issue number

Checks

  • I've made sure the tests are passing.
  • Testing Strategy
    • Unit tests
    • Manual tests
    • This PR is not tested :(

@laurafitzgerald laurafitzgerald force-pushed the mtls-poc branch 2 times, most recently from e1c074e to 9f73348 on September 2, 2025 14:43
@laurafitzgerald

Verification Steps

Setup

Run make cert-manager

To ray-operator/config/manager/manager.yaml

  • add ,MTLS=true to --feature-gates flag value
  • image: quay.io/laurafitzgerald/kuberay:mtls

To ray-operator/config/default/kustomization.yaml

images:
  - name: kuberay/operator
    newName: quay.io/laurafitzgerald/kuberay
    newTag: mtls

Run make deploy
Run oc apply -f config/samples/ray-cluster.sample.yaml

Verify Configuration

Run oc get certificate

NAME                                 READY   SECRET                                 AGE
ray-head-cert-raycluster-kuberay     True    ray-head-secret-raycluster-kuberay     34m
ray-worker-cert-raycluster-kuberay   True    ray-worker-secret-raycluster-kuberay   34m

Run oc get secret

NAME                                   TYPE                DATA   AGE
ray-head-secret-raycluster-kuberay     kubernetes.io/tls   3      100m
ray-worker-secret-raycluster-kuberay   kubernetes.io/tls   3      100m

Check the ENVs, volumeMounts and volumes for the head and worker node.
Expected
ENVs

- name: MY_POD_IP
  valueFrom:
    fieldRef:
      apiVersion: v1
      fieldPath: status.podIP
- name: RAY_USE_TLS
  value: "1"
- name: RAY_TLS_SERVER_CERT
  value: /home/ray/workspace/tls/server.crt
- name: RAY_TLS_SERVER_KEY
  value: /home/ray/workspace/tls/server.key
- name: RAY_TLS_CA_CERT
  value: /home/ray/workspace/tls/ca.crt

Volumes

volumes:
    - name: ca-vol
      secret:
        defaultMode: 420
        secretName: ray-head-secret-raycluster-kuberay

Volume Mounts

volumeMounts:
      - mountPath: /home/ray/workspace/tls
        name: ca-vol

Changes include
- feature flag to switch mTLS on, by default it's off
- new mtls reconciler which reconciles the cert manager resources when mtls is on
- required ENV VARs, volumes and volume mounts to each pod in the cluster behind the feature flag
- Additional RBACs required

Co-authored-by: laurafitzgerald <lfitzger@redhat.com>
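The verification steps above are done by eye against `oc get pod` output. Below is an added offline check (example code, not part of this PR or of KubeRay) that takes a pod as `oc get pod <name> -o json` would return it and the data keys of the referenced Secrets, and confirms that RAY_USE_TLS is "1", that MY_POD_IP comes from `status.podIP`, and that every file the RAY_TLS_* variables point at will actually be present under the mount. The last point is the one worth checking on a live cluster: a `kubernetes.io/tls` Secret with DATA 3 is assumed here to hold `tls.crt`, `tls.key` and `ca.crt` (the keys cert-manager writes), and without an `items:` remap on the volume those are the file names that appear at the mountPath, whereas the env vars reference `server.crt` and `server.key`. The pod and Secret key sets are constructed to mirror the expected output above; `check_pod` and `with_items` are helper names of this example, not KubeRay's.

```python
"""Offline check that a Ray pod spec is wired for mTLS as the expected
env/volume output above describes. Added example, not KubeRay code."""
import copy
import posixpath

REQUIRED_ENV = ("RAY_TLS_SERVER_CERT", "RAY_TLS_SERVER_KEY", "RAY_TLS_CA_CERT")

# Constructed sample. Secret data keys are an assumption: a kubernetes.io/tls
# Secret issued by cert-manager carries tls.crt, tls.key and ca.crt.
SAMPLE_SECRETS = {
    "ray-head-secret-raycluster-kuberay": {"ca.crt", "tls.crt", "tls.key"},
}
SAMPLE_POD = {
    "metadata": {"name": "raycluster-kuberay-head"},
    "spec": {
        "volumes": [
            {"name": "ca-vol",
             "secret": {"defaultMode": 420,
                        "secretName": "ray-head-secret-raycluster-kuberay"}},
        ],
        "containers": [{
            "name": "ray-head",
            "env": [
                {"name": "MY_POD_IP",
                 "valueFrom": {"fieldRef": {"apiVersion": "v1",
                                            "fieldPath": "status.podIP"}}},
                {"name": "RAY_USE_TLS", "value": "1"},
                {"name": "RAY_TLS_SERVER_CERT", "value": "/home/ray/workspace/tls/server.crt"},
                {"name": "RAY_TLS_SERVER_KEY", "value": "/home/ray/workspace/tls/server.key"},
                {"name": "RAY_TLS_CA_CERT", "value": "/home/ray/workspace/tls/ca.crt"},
            ],
            "volumeMounts": [{"mountPath": "/home/ray/workspace/tls", "name": "ca-vol"}],
        }],
    },
}


def files_projected(volume, secret_keys):
    """File names a Secret volume exposes at its mountPath: the `items[].path`
    values when `items:` is set, otherwise one file per Secret data key."""
    items = volume.get("secret", {}).get("items")
    if items:
        return {it["path"] for it in items}
    return set(secret_keys)


def check_container(container, volumes, secrets):
    """Return a list of problems for one container (empty list = passes).
    `secrets` maps secretName -> set of data keys in that Secret."""
    problems = []
    env = {e["name"]: e for e in container.get("env", [])}
    if env.get("RAY_USE_TLS", {}).get("value") != "1":
        problems.append('RAY_USE_TLS is not set to "1"')
    field = env.get("MY_POD_IP", {}).get("valueFrom", {}).get("fieldRef", {})
    if field.get("fieldPath") != "status.podIP":
        problems.append("MY_POD_IP is not sourced from status.podIP")

    vols = {v["name"]: v for v in volumes}
    # Longest mountPath first so nested mounts resolve to the deepest match.
    mounts = sorted(container.get("volumeMounts", []),
                    key=lambda m: -len(m["mountPath"]))
    for name in REQUIRED_ENV:
        path = env.get(name, {}).get("value")
        if not path:
            problems.append(f"{name} is missing")
            continue
        mount = next((m for m in mounts
                      if path.startswith(m["mountPath"].rstrip("/") + "/")), None)
        if mount is None:
            problems.append(f"{name}={path} is not under any volumeMount")
            continue
        secret = vols.get(mount["name"], {}).get("secret")
        if not secret:
            problems.append(f"{name}: volume {mount['name']!r} is not a Secret volume")
            continue
        exposed = files_projected(vols[mount["name"]], secrets.get(secret["secretName"], set()))
        fname = posixpath.relpath(path, mount["mountPath"])
        if fname not in exposed:
            problems.append(f"{name}={path}: {fname!r} is not among the files "
                            f"{sorted(exposed)} that secret {secret['secretName']!r} exposes")
    return problems


def check_pod(pod, secrets):
    """Map container name -> list of problems for every container in the pod."""
    spec = pod["spec"]
    return {c["name"]: check_container(c, spec.get("volumes", []), secrets)
            for c in spec["containers"]}


def with_items(pod, volume_name, key_to_path):
    """Copy of `pod` whose Secret volume `volume_name` remaps keys to file
    names via `items:`, the fix when Secret keys and env var paths differ."""
    pod = copy.deepcopy(pod)
    for v in pod["spec"]["volumes"]:
        if v["name"] == volume_name and "secret" in v:
            v["secret"]["items"] = [{"key": k, "path": p} for k, p in key_to_path.items()]
    return pod


if __name__ == "__main__":
    for cname, probs in check_pod(SAMPLE_POD, SAMPLE_SECRETS).items():
        print(cname, "OK" if not probs else "\n  " + "\n  ".join(probs))
```

To run it against a real cluster, replace `SAMPLE_POD` with `json.load` of `oc get pod <head-pod> -o json` and build `secrets` from the `.data` keys of `oc get secret ray-head-secret-raycluster-kuberay -o json`; repeat for the worker pod and its secret. If the check reports `server.crt`/`server.key` as absent, the quickest confirmation on the cluster is `oc exec <pod> -- ls /home/ray/workspace/tls`, and the fix on the volume side is the `items:` remap that `with_items` constructs.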