project-codeflare · KPostOffice · Feb 19, 2024
diff --git a/src/codeflare_sdk/templates/base-template.yaml b/src/codeflare_sdk/templates/base-template.yaml
@@ -157,6 +157,18 @@ spec:
                   - name: server-cert
                     mountPath: "/home/ray/workspace/tls"
                     readOnly: true
+                  - mountPath: /etc/pki/tls/certs
+                    name: odh-trusted-ca-cert
+                    subPath: odh-trusted-ca-bundle.crt
+                  - mountPath: /etc/ssl/certs
+                    name: odh-trusted-ca-cert
+                    subPath: odh-trusted-ca-bundle.crt
+                  - mountPath: /etc/pki/tls/certs
+                    name: odh-ca-cert
+                    subPath: odh-ca-bundle.crt
+                  - mountPath: /etc/ssl/certs
+                    name: odh-ca-cert
+                    subPath: odh-ca-bundle.crt
                 initContainers:
                 - command:
                   - sh
@@ -181,6 +193,20 @@ spec:
                   optional: false
                 - name: server-cert
                   emptyDir: {}
+                - name: odh-trusted-ca-cert
+                  configMap:
+                    name: odh-trusted-ca-bundle
+                    items:
+                    - key: ca-bundle.crt
+                      path: odh-custom-ca-bundle.crt
+                    optional: true
+                - name: odh-ca-cert
+                  configMap:
+                    name: odh-trusted-ca-bundle
+                    items:
+                    - key: odh-ca-bundle.crt
+                      path: odh-ca-bundle.crt
+                    optional: true
           workerGroupSpecs:
           # the pod replicas in this group typed worker
           - replicas: 3
@@ -277,13 +303,39 @@ spec:
                   - name: server-cert
                     mountPath: "/home/ray/workspace/tls"
                     readOnly: true
+                  - mountPath: /etc/pki/tls/certs
+                    name: odh-trusted-ca-cert
+                    subPath: odh-trusted-ca-bundle.crt
+                  - mountPath: /etc/ssl/certs
+                    name: odh-trusted-ca-cert
+                    subPath: odh-trusted-ca-bundle.crt
+                  - mountPath: /etc/pki/tls/certs
+                    name: odh-ca-cert
+                    subPath: odh-ca-bundle.crt
+                  - mountPath: /etc/ssl/certs
+                    name: odh-ca-cert
+                    subPath: odh-ca-bundle.crt
                 volumes:
                 - name: ca-vol
                   secret:
                     secretName: ca-secret-deployment-name
                   optional: false
                 - name: server-cert
                   emptyDir: {}
+                - name: odh-trusted-ca-cert
+                  configMap:
+                    name: odh-trusted-ca-bundle
+                    items:
+                    - key: ca-bundle.crt
+                      path: odh-custom-ca-bundle.crt
+                    optional: true
+                - name: odh-ca-cert
+                  configMap:
+                    name: odh-trusted-ca-bundle
+                    items:
+                    - key: odh-ca-bundle.crt
+                      path: odh-ca-bundle.crt
+                    optional: true
     - replicas: 1
       generictemplate:
         apiVersion: networking.k8s.io/v1

diff --git a/src/codeflare_sdk/utils/generate_yaml.py b/src/codeflare_sdk/utils/generate_yaml.py
@@ -17,6 +17,7 @@
 (in the cluster sub-module) for AppWrapper generation.
 """
 
+import typing
 import yaml
 import sys
 import os
@@ -466,35 +467,34 @@ def enable_local_interactive(resources, cluster_name, namespace, ingress_domain)
     ][0].get("command")[2] = command
 
 
+def del_from_list_by_name(l: list, target: typing.List[str]):
+    for item in l:
+        if item["name"] in ["ca-vol", "server-cert"]:
+            l.remove(item)
+
+
 def disable_raycluster_tls(resources):
     generic_template_spec = resources["GenericItems"][0]["generictemplate"]["spec"]
 
-    if "volumes" in generic_template_spec["headGroupSpec"]["template"]["spec"]:
-        del generic_template_spec["headGroupSpec"]["template"]["spec"]["volumes"]
+    del_from_list_by_name(
+        generic_template_spec["headGroupSpec"]["template"]["spec"].get("volumes", []),
+        ["ca-vol", "server-cert"],
+    )
 
-    if (
-        "volumeMounts"
-        in generic_template_spec["headGroupSpec"]["template"]["spec"]["containers"][0]
-    ):
-        del generic_template_spec["headGroupSpec"]["template"]["spec"]["containers"][0][
-            "volumeMounts"
-        ]
+    c: dict
+    for c in generic_template_spec["headGroupSpec"]["template"]["spec"]["containers"]:
+        del_from_list_by_name(c.get("volumeMounts", []), ["ca-vol", "server-cert"])
 
     if "initContainers" in generic_template_spec["headGroupSpec"]["template"]["spec"]:
         del generic_template_spec["headGroupSpec"]["template"]["spec"]["initContainers"]
 
-    if "volumes" in generic_template_spec["workerGroupSpecs"][0]["template"]["spec"]:
-        del generic_template_spec["workerGroupSpecs"][0]["template"]["spec"]["volumes"]
-
-    if (
-        "volumeMounts"
-        in generic_template_spec["workerGroupSpecs"][0]["template"]["spec"][
-            "containers"
-        ][0]
-    ):
-        del generic_template_spec["workerGroupSpecs"][0]["template"]["spec"][
-            "containers"
-        ][0]["volumeMounts"]
+    for workerGroup in generic_template_spec.get("workerGroupSpecs"):
+        del_from_list_by_name(
+            workerGroup["template"]["spec"].get("volumes", []),
+            ["ca-vol", "server-cert"],
+        )
+        for c in workerGroup["template"]["spec"].get("containers", []):
+            del_from_list_by_name(c.get("volumeMounts", []), ["ca-vol", "server-cert"])
 
     del generic_template_spec["workerGroupSpecs"][0]["template"]["spec"][
         "initContainers"