Add initContainer to check for required CRDs availability

ChristianZaccaria · ChristianZaccaria · commit feeeee7cbe38 · 2024-04-12T10:14:31.000+01:00
diff --git a/Makefile b/Makefile
@@ -156,9 +156,20 @@ build: fmt vet ## Build manager binary.
 		-o bin/manager main.go
 
 .PHONY: run
-run: manifests fmt vet ## Run a controller from your host.
+run: crds-check manifests fmt vet ## Run a controller from your host.
 	go run ./main.go
 
+.PHONY: crds-check
+crds-check:
+	@{ \
+		kubectl get crds | grep 'rayclusters.ray.io' > /dev/null && \
+		kubectl get crds | grep 'rayjobs.ray.io' > /dev/null && \
+		kubectl get crds | grep 'rayservices.ray.io' > /dev/null; \
+	} || { \
+		echo "One or more required KubeRay CRDs are missing."; \
+		exit 1; \
+	}
+
 .PHONY: image-build
 image-build: test-unit ## Build container image with the manager.
 	podman build -t ${IMG} .
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -24,6 +24,29 @@ spec:
     spec:
       securityContext:
         runAsNonRoot: true
+      initContainers:
+      - name: check-ray-crds
+        securityContext:
+          runAsUser: 1000
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - "ALL"
+        image: alpine/k8s:1.27.11
+        command:
+        - sh
+        - -c
+        - |
+          set -e
+          CRDS="rayclusters.ray.io rayjobs.ray.io rayservices.ray.io"
+          for crd in $CRDS; do
+            echo "Checking for $crd"
+            until kubectl get crd $crd; do
+              echo "$crd not available yet, retrying in 10 seconds..."
+              sleep 10
+            done
+          done
+          echo "All required CRDs are available."
         # TODO(user): For common cases that do not require escalating privileges
         # it is recommended to ensure that all your Pods/Containers are restrictive.
         # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -5,6 +5,12 @@ metadata:
   creationTimestamp: null
   name: manager-role
 rules:
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - get
 - apiGroups:
   - ""
   resources:
diff --git a/pkg/controllers/raycluster_controller.go b/pkg/controllers/raycluster_controller.go
@@ -78,6 +78,7 @@ var (
 // +kubebuilder:rbac:groups=core,resources=services,verbs=patch;delete;get
 // +kubebuilder:rbac:groups=core,resources=serviceaccounts,verbs=patch;delete;get
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings,verbs=patch;delete;get
+// +kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
