remove public ca and generate ca by operator

Signed-off-by: jooho lee <[email protected]>
opendatahub-io · Dec 2, 2024 · f74bcf0 · f74bcf0
1 parent 5024ef2
commit f74bcf0
Show file tree

Hide file tree

Showing 13 changed files with 332 additions and 201 deletions.
diff --git a/config/overlays/odh/kustomization.yaml b/config/overlays/odh/kustomization.yaml
@@ -2,7 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ../../default
-  - ./ray_tls_resources.yaml
+  - ./ray_tls_script.yaml
 
 patches:
 - path: odh_model_controller_manager_patch.yaml

diff --git a/config/overlays/odh/ray_tls_resources.yaml b/config/overlays/odh/ray_tls_resources.yaml
diff --git a/config/overlays/odh/ray_tls_script.yaml b/config/overlays/odh/ray_tls_script.yaml
@@ -0,0 +1,69 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ray-tls-script
+  labels:
+    opendatahub.io/managed: 'true'
+data:
+  gencert_ray.sh: |
+    #!/bin/sh
+    ## Create tls.key
+    openssl genrsa -out /etc/ray/tls/tls.key 2048
+
+    ## Write CSR Config
+    cat > /etc/ray/tls/csr.conf <<EOF
+    [ req ]
+    default_bits = 2048
+    prompt = no
+    default_md = sha256
+    req_extensions = req_ext
+    distinguished_name = dn
+
+    [ dn ]
+    C = US
+    ST = Raleigh
+    L = North Carolina
+    O = redhat
+    OU = redhat
+    CN = self-signed-cert
+    
+    [ req_ext ]
+    subjectAltName = @alt_names
+
+    [ alt_names ]
+    DNS.1 = localhost
+    DNS.2 = *.${POD_NAMESPACE}.svc.cluster.local
+    IP.1 = 127.0.0.1
+    IP.2 = $POD_IP
+
+    EOF
+
+    ## Create CSR using tls.key
+    openssl req -new -key /etc/ray/tls/tls.key -out /etc/ray/tls/ca.csr -config /etc/ray/tls/csr.conf
+
+    ## Write cert config
+    cat > /etc/ray/tls/cert.conf <<EOF
+
+    authorityKeyIdentifier=keyid,issuer
+    basicConstraints=CA:FALSE
+    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+    subjectAltName = @alt_names
+
+    [alt_names]
+    DNS.1 = localhost
+    DNS.2 = *.${POD_NAMESPACE}.svc.cluster.local
+    IP.1 = 127.0.0.1
+    IP.2 = $POD_IP
+
+    EOF
+
+    ## create serial file
+    echo '01' > /tmp/ca.srl
+
+    ## Generate tls.cert
+    openssl x509 -req \
+        -in /etc/ray/tls/ca.csr \
+        -CA /etc/ca/tls/tls.crt -CAkey /etc/ca/tls/tls.key \
+        -CAserial /tmp/ca.srl  -out /etc/ray/tls/tls.crt \
+        -days 3650 \
+        -sha256 -extfile /etc/ray/tls/cert.conf
diff --git a/config/runtimes/vllm-multinode-template.yaml b/config/runtimes/vllm-multinode-template.yaml
@@ -41,7 +41,8 @@ objects:
             - |
               # Generate self signed certificate 
               if [[ $RAY_USE_TLS == "1" ]]; then
-                /etc/gen/tls/gencert_ray.sh
+                echo "Generating Self Signed Certificate for Ray nodes"
+                /etc/gen/tls/gencert_ray.sh > /dev/null 2>&1
               fi
               ray start --head --disable-usage-stats --include-dashboard false 
 
@@ -64,7 +65,7 @@ objects:
             - name: RAY_TLS_SERVER_KEY
               value: '/etc/ray/tls/tls.key'
             - name: RAY_TLS_CA_CERT
-              value: '/etc/ca/tls/ca.crt'
+              value: '/etc/ca/tls/tls.crt'
             - name: RAY_PORT
               value: '6379'
             - name: RAY_ADDRESS
@@ -209,7 +210,7 @@ objects:
         # The gencert_ray.sh can be prebaked into the docker container so the configMap is optional
         - name: gen-tls-script
           configMap:
-            name: ray-tls-scripts
+            name: ray-tls-script
             defaultMode: 0777
             # An array of keys from the ConfigMap to create as files
             items:
@@ -226,7 +227,8 @@ objects:
               - |
                 # Generate self signed certificate
                 if [[ $RAY_USE_TLS == "1" ]]; then
-                  /etc/gen/tls/gencert_ray.sh
+                  echo "Generating Self Signed Certificate for Ray nodes"
+                  /etc/gen/tls/gencert_ray.sh > /dev/null 2>&1
                 fi  
                 SECONDS=0
 
@@ -260,7 +262,7 @@ objects:
               - name: RAY_TLS_SERVER_KEY
                 value: '/etc/ray/tls/tls.key'
               - name: RAY_TLS_CA_CERT
-                value: '/etc/ca/tls/ca.crt'
+                value: '/etc/ca/tls/tls.crt'
               - name: POD_NAME
                 valueFrom:
                   fieldRef:
@@ -346,7 +348,7 @@ objects:
           # The gencert_ray.sh can be prebaked into the docker container so the configMap is optional
           - name: gen-tls-script
             configMap:
-              name: ray-tls-scripts
+              name: ray-tls-script
               defaultMode: 0777
               # An array of keys from the ConfigMap to create as files
               items:

diff --git a/controllers/constants/constants.go b/controllers/constants/constants.go
@@ -82,6 +82,6 @@ const (
 
 // Ray
 const (
-	RayCATlsSecretName        = "ray-ca-cert"
-	RayTlsScriptConfigMapName = "ray-tls-scripts"
+	RayCASecretName           = "ray-ca-cert"
+	RayTlsScriptConfigMapName = "ray-tls-script"
 )