Feat: Make RayCluster head node ingress optional

[fg91]

Why are the changes needed?

Currently, the flytepropeller ray plugin hardcodes the creation of an ingress for the ray cluster's head node, see here.

This is a potential security problem as the ray head node might be exposed to the public internet in clusters with a default ingress class without the user knowing.

What changes were proposed in this pull request?

• Add field EnableIngress to the ray plugin config
• Disable the creation of the ingress by default.

How was this patch tested?

• Added a unit test.

Check all the applicable boxes

• I updated the documentation accordingly.
• All new and existing tests passed.
• All commits are signed-off.

Related PRs

flyteorg/flytekit#3365

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 56.21%. Comparing base (8877200) to head (1f5adfd).

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #6852      +/-   ##
==========================================
- Coverage   56.93%   56.21%   -0.72%     
==========================================
  Files         929      772     -157     
  Lines       58144    47369   -10775     
==========================================
- Hits        33102    26627    -6475     
+ Misses      22000    18320    -3680     
+ Partials     3042     2422     -620     

Flag	Coverage Δ
unittests-datacatalog	53.51% <ø> (ø)
unittests-flyteadmin	53.14% <ø> (+0.03%)	⬆️
unittests-flytecopilot	43.06% <ø> (ø)
unittests-flytectl	64.00% <ø> (ø)
unittests-flyteidl	75.71% <ø> (ø)
unittests-flyteplugins	?
unittests-flytepropeller	53.54% <ø> (ø)
unittests-flytestdlib	63.27% <ø> (-0.03%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[pingsutw]

Why don't we add it to the plugin config?

flyte/flyteplugins/go/tasks/plugins/k8s/ray/config.go

Line 61 in 8877200

type Config struct {

[fg91]

I added it to the head node config because that's where this is configured in the RayCluster CRD and some of the other fields of the head node config can be configured from python too.
But I don't have a strong opinion, could change to the plugin config instead of the task_config in the task decorator if you prefer.
My main concern is that it should be disabled by default and opt-in to not accidentally expose things :)

[pingsutw]

I think this config is more related to the cluster settings, so putting it in the plugin config map might be better.

[pingsutw]

We could add it to the Ray proto in the future if anyone wants to turn it off for certain tasks only, although i think it's not the common use case.

[fg91]

Agree. Can you please take another look?
1f5adfd

[machichima]

nit: I think we can put EnableIngress: & cfg.EnableIngress directly in HeadGroupSpec, as it's the only place that use this

[fg91]

We could but the ServiceType - which is also part of the RayCluster's HeadGroupSpec - is also in our top level plugin config. My preference would be to try to keep it consistent here at least?

This is not a strong opinion though.