@seanlaii seanlaii commented Nov 24, 2025

Why are these changes needed?

This PR adds comprehensive E2E tests for Ray authentication token mode to ensure correct auth token propagation across three RayJob submission modes:

  • RayJob K8s Job Mode: Verifies auth token in head, worker, and submitter Job pods
  • RayJob HTTP Mode: Verifies auth token in head and worker pods (operator uses HTTP client with token)
  • RayJob Sidecar Mode: Verifies auth token in head Ray container, submitter sidecar, and worker pods

Related issue number

Part of #4203

Checks

  • I've made sure the tests are passing.
  • Testing Strategy
    • Unit tests
    • Manual tests
    • This PR is not tested :(

Signed-off-by: seanlaii <qazwsx0939059006@gmail.com>
@seanlaii seanlaii marked this pull request as ready for review November 25, 2025 01:29
@seanlaii
Contributor Author

Hi @Future-Outlier @rueian , please help review the PR when you have the chance. Thank you!

VerifyContainerAuthTokenEnvVars(test, rayCluster, &workerPod, utils.RayContainerIndex)
}

// TODO(andrewsykim): add job submission test with and without token once a Ray version with token support is released.

Collaborator

Can we open an issue to track this? I think we can find someone to pick it up.

Contributor Author

Sure, I can also create a PR to add it. The supported Ray version has been released. I will create another PR to address this. WDYT?

Collaborator

Sure, thank you!

Contributor

+1

Member

Separate PR is fine. We can also probably just remove this given the submission is also exercised with RayJob

Contributor

@400Ping 400Ping left a comment

Besides needing to fix the CI, overall LGTM.

t.T().Helper()
g := NewWithT(t.T())

g.Expect(len(pod.Spec.Containers)).To(BeNumerically(">", containerIndex),

Member

I think we can remove this assertion and the containerIndex parameter, and instead just pass in corev1.Container.

Contributor Author

Sure, thanks for the review! Updated the tests accordingly.
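
The helper shape suggested in the review comment above (take the container itself instead of a pod plus `containerIndex`), as an added example that is not code from this PR or from KubeRay. The corev1 types are replaced by local stand-ins so it builds with the standard library only; the env var names `RAY_AUTH_MODE` and `RAY_AUTH_TOKEN`, the mode value `token`, the Secret name and key, and the requirement that the token is sourced from a Secret are all assumptions.

```go
package main

import "fmt"

// Local stand-ins for the corev1 (k8s.io/api/core/v1) types used by the check.
type SecretKeySelector struct{ Name, Key string }
type EnvVarSource struct{ SecretKeyRef *SecretKeySelector }
type EnvVar struct {
	Name, Value string
	ValueFrom   *EnvVarSource
}
type Container struct {
	Name string
	Env  []EnvVar
}

// Assumed env var names; they do not appear in the thread.
const (
	authModeEnv  = "RAY_AUTH_MODE"
	authTokenEnv = "RAY_AUTH_TOKEN"
)

// CheckAuthTokenEnv receives the container directly, so no index bounds check is needed.
func CheckAuthTokenEnv(c Container) error {
	var modeOK, tokenOK bool
	for _, e := range c.Env {
		switch e.Name {
		case authModeEnv:
			modeOK = e.Value == "token"
		case authTokenEnv:
			// Assumption: the token must come from a Secret, never an inline value.
			ref := e.ValueFrom
			tokenOK = e.Value == "" && ref != nil && ref.SecretKeyRef != nil && ref.SecretKeyRef.Name != ""
		}
	}
	if !modeOK || !tokenOK {
		return fmt.Errorf("container %q: auth env invalid (mode ok=%t, token from Secret=%t)", c.Name, modeOK, tokenOK)
	}
	return nil
}

func main() {
	mode := EnvVar{Name: authModeEnv, Value: "token"}
	fromSecret := EnvVar{Name: authTokenEnv, ValueFrom: &EnvVarSource{SecretKeyRef: &SecretKeySelector{Name: "example-token", Key: "auth_token"}}}
	// Constructed containers: one token sourced from a Secret, one set inline.
	fmt.Println(CheckAuthTokenEnv(Container{Name: "ray-head", Env: []EnvVar{mode, fromSecret}}))
	fmt.Println(CheckAuthTokenEnv(Container{Name: "submitter", Env: []EnvVar{mode, {Name: authTokenEnv, Value: "inline"}}}))
}
```

With this shape the caller selects the head, worker, submitter Job or sidecar container and passes it in, so one helper covers all three submission modes.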

@seanlaii
Contributor Author

> Besides needing to fix the CI, overall LGTM.

Thanks, fixed the issue.

Member

@andrewsykim andrewsykim left a comment

thanks!

@andrewsykim andrewsykim merged commit 3b42d56 into ray-project:master Nov 26, 2025
27 checks passed
@seanlaii seanlaii deleted the rayjob-auth-e2e branch November 26, 2025 19:31