add sidecar container option

[akihikokuroda]

Why are these changes needed?

The sidecar container is useful for adding security capabilities to the pod. This PR adds the capability to inject the sidecar container to the api-server pod by the values.yaml file.

Related issue number

Checks

• I've made sure the tests are passing.
• Testing Strategy
  • Unit tests
  • Manual tests
  • This PR is not tested :(

[Jeffwan]

Thanks for the contribution. Do you mind sharing an example? I am thinking we should document these customization just in case someone want to use this configuration as well

[akihikokuroda]

@Jeffwan Thanks for review! This is putting the same sidecar capability as the ray head / worker node

kuberay/helm-chart/ray-cluster/templates/raycluster-cluster.yaml

Line 61 in 0564748

{{- if .Values.head.sidecarContainers }}

. I can provide a sample soon.

[akihikokuroda]

Here is the value file example. This works with Keycloak configured for "Client Credentials Grant" in OAuth2 specification.

sidecarContainers:
  - image: quay.io/gogatekeeper/gatekeeper:2.1.1
    imagePullPolicy: IfNotPresent
    name: gatekeeper
    args:
    - --no-redirects=true
    - --forwarding-grant-type=client_credentials
    - --listen=0.0.0.0:4180
    - --client-id=rayapiserver
    - --client-secret=APISERVERSECRET-CHANGEME
    - --discovery-url=http://LOCAL-IP:31059/realms/quantumserverless
    - --enable-logging=true
    - --verbose=true
    - --upstream-url=http://kuberay-apiserver-service:8888/

[akihikokuroda]

@Jeffwan Thanks for your approval. This change will be used in Qiskit/qiskit-serverless#235