fix certificate contents #911

Merged
merged 2 commits into from
Aug 31, 2023
Expand Up @@ -198,9 +198,11 @@ data:
spec:
commonName: quantummiddleware.com
dnsNames:
- $CLUSTER_NAME-svc.$NAMESPACE.svc.cluster.local
- localhost
- $CLUSTER_NAME-head-svc.$NAMESPACE.svc.cluster.local
duration: 2160h0m0s
ipAddresses:
- 127.0.0.1
- $IP_ADDRESS
issuerRef:
group: cert-manager.io
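Review bot: In `dnsNames`, confirm that every name a client actually dials is still covered; the list carries `$CLUSTER_NAME-svc.$NAMESPACE.svc.cluster.local` and `$CLUSTER_NAME-head-svc.$NAMESPACE.svc.cluster.local`, and a client connecting to a service name that is absent from the SANs will fail hostname verification. `$NAMESPACE` is expanded inside those entries, so the script should exit early when it is empty rather than request a certificate for a malformed name. With `localhost` and `127.0.0.1` in the SANs the certificate is also valid for loopback; a one-line comment naming the local client that needs this would help later readers.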
Expand Down Expand Up @@ -232,4 +234,53 @@ data:
kubectl get secret $CLUSTER_NAME -o=jsonpath='{.data.ca\.crt}' | base64 -d > $BASE_DIR/ca.crt
kubectl get secret $CLUSTER_NAME -o=jsonpath='{.data.tls\.crt}' | base64 -d > $BASE_DIR/tls.crt
kubectl get secret $CLUSTER_NAME -o=jsonpath='{.data.tls\.key}' | base64 -d > $BASE_DIR/tls.key
gencert_cert_worker.sh: |
#!/bin/sh
BASE_DIR=$1
CLUSTER_NAME=$2
IP_ADDRESS=$3

kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: $CLUSTER_NAME-worker
spec:
commonName: quantummiddleware.com
dnsNames:
- localhost
duration: 2160h0m0s
ipAddresses:
- 127.0.0.1
- $IP_ADDRESS
issuerRef:
group: cert-manager.io
kind: Issuer
name: ray-ca-issuer
privateKey:
algorithm: RSA
encoding: PKCS1
size: 2048
renewBefore: 360h0m0s
secretName: $CLUSTER_NAME-worker
subject:
organizations:
- quantummiddleware
usages:
- server auth
- client auth
EOF

status="False"
while [ $status = "False" ]
do
status=$(kubectl get cert $CLUSTER_NAME-worker -o=jsonpath='{.status.conditions[?(@.type=="Ready")].status}')
done

echo "Certificate for $CLUSTER_NAME-worker is ready"
kubectl get cert $CLUSTER_NAME-worker -o json

kubectl get secret $CLUSTER_NAME-worker -o=jsonpath='{.data.ca\.crt}' | base64 -d > $BASE_DIR/ca.crt
kubectl get secret $CLUSTER_NAME-worker -o=jsonpath='{.data.tls\.crt}' | base64 -d > $BASE_DIR/tls.crt
kubectl get secret $CLUSTER_NAME-worker -o=jsonpath='{.data.tls\.key}' | base64 -d > $BASE_DIR/tls.key
{{- end }}
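Review bot: The readiness loop `while [ $status = "False" ]` can fall through before the certificate has been issued. `$status` is unquoted, so when the jsonpath query returns an empty string (no `Ready` condition yet) the test becomes the malformed `[ = "False" ]`, which fails and ends the loop; the script then prints "is ready" and copies from a secret that may not exist yet. The loop also polls the API server with no sleep and no timeout. Suggest replacing it with `kubectl wait --for=condition=Ready certificate/$CLUSTER_NAME-worker --timeout=120s` (the timeout value is only a suggestion), adding `set -eu` at the top, and quoting `"$BASE_DIR"`. Separately, `tls.key` is written with the default umask; set `umask 077` before the three `kubectl get secret` lines.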
Expand Up @@ -209,7 +209,7 @@ data:
initContainers:
- name: ray-worker-cert
image: {{ .Values.application.ray.kubectlImage }}
command: ["/bin/sh", "-c", "/etc/gen/tls/gencert_cert_head.sh /tmp/tls {{`{{ cluster_name }}`}}-worker $POD_IP {{ .Release.Namespace }}"]
command: ["/bin/sh", "-c", "/etc/gen/tls/gencert_cert_worker.sh /tmp/tls {{`{{ cluster_name }}`}} $POD_IP"]
volumeMounts:
- mountPath: /tmp/tls
name: cert-tls
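Review bot: The new `ray-worker-cert` command passes the same `{{ cluster_name }}` and a per-pod `$POD_IP` to `gencert_cert_worker.sh`, but that script names the Certificate and its secret `$CLUSTER_NAME-worker`, so if a cluster has more than one worker they all apply to one shared object. Each pod's `kubectl apply` rewrites `ipAddresses` for the others, and a pod can see `Ready` already `True` from an earlier issuance and copy a certificate that lacks its own IP. Consider a per-pod Certificate name or dropping the per-pod IP SAN. Also, `{{ cluster_name }}` is substituted into the string handed to `sh -c`; unless that value is strictly validated upstream, pass it as a positional argument instead of splicing it into the command text.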
Expand Down Expand Up @@ -256,6 +256,9 @@ data:
readOnly: true
- mountPath: /etc/ray/tls
name: ray-tls
- mountPath: /data
name: user-storage
subPath: {{`{{ user_id }}`}}
{{- if .Values.useCertManager }}
- mountPath: /tmp/tls
name: cert-tls
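Review bot: The new `/data` mount takes its `subPath` from `{{ user_id }}` with no guard on the value. An empty `subPath` mounts the volume root, so a missing or blank `user_id` would expose the whole `user-storage` volume to this container; validate that the rendered value is non-empty and limited to the expected characters before the manifest is applied. If the container only reads from `/data`, add `readOnly: true` as the preceding mount in this list does.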
Expand Down Expand Up @@ -303,17 +306,6 @@ data:
cpu: {{ .Values.application.ray.cpu }}
memory: {{ .Values.application.ray.memory }}Gi
securityContext:
volumeMounts:
Member

@IceKhan13 IceKhan13 Aug 25, 2023

we do not need mounts for worker anymore?

Collaborator Author

There were 2 volumeMounts. The latter was used. This PR merges them into one.

- mountPath: /tmp/ray
name: log-volume
- mountPath: /data
name: user-storage
subPath: {{`{{ user_id }}`}}
- mountPath: /etc/ca/tls
name: ca-tls
readOnly: true
- mountPath: /etc/ray/tls
name: ray-tls
imagePullSecrets: []
{{- if .Values.useCertManager }}
serviceAccountName: ray-cluster-sa
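Review bot: The `volumeMounts` block removed here is, per the author's reply, the one that was actually in effect, so the surviving list must carry every mount it had. The other hunk shows `/etc/ray/tls` and the added `/data` entry, but `/tmp/ray` (`log-volume`) and the `readOnly: true` on `/etc/ca/tls` are not fully visible there; please confirm both are present in the remaining list. A duplicate-key check on the rendered manifest in CI would catch this kind of silent override earlier. `securityContext:` is also left with no value on the line above the removed block; either populate it or drop the key.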
Expand Down Expand Up @@ -343,8 +335,8 @@ data:
- key: gencert_worker.sh
path: gencert_worker.sh
{{- if .Values.useCertManager }}
- key: gencert_cert_head.sh
path: gencert_cert_head.sh
- key: gencert_cert_worker.sh
path: gencert_cert_worker.sh
{{- end }}
- name: user-storage
persistentVolumeClaim:
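Review bot: With `gencert_cert_head.sh` dropped from `items`, only `gencert_cert_worker.sh` is projected for the cert-manager path, so check that nothing else using this volume still calls the head script. The `items` entries set no `mode`, and the initContainer executes `/etc/gen/tls/gencert_cert_worker.sh` directly, so the volume's `defaultMode` must include the execute bit, or the command should invoke the script through `sh` explicitly.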