[apiserver] Use ClusterIP instead of NodePort for KubeRay API server service

[machichima]

• Use ClusterIP in APIServer helm chart
• Update installation guide to do port-forwarding when using helm chart

Why are these changes needed?

We should not use NodePort for the KubeRay API server by default, as it is not suitable for production.

Related issue number

Closes #3705

Checks

• I've made sure the tests are passing.
• Testing Strategy
  • Unit tests
  • Manual tests
  • This PR is not tested :(

[machichima]

Hi @kevin85421 , PTAL

I use ClusterIP instead in helm chart and update APIServer V1 docs accordingly.

Once this is merge I will then update the V2 docs in PR #3594 (comment)

[kevin85421]

@rueian would you mind reviewing this PR?

[MortalHappiness]

nit:

Suggested change

	# Nodeport service
	# Nodeport service

[MortalHappiness]

nit:

Suggested change

	kubectl port-forward service/kuberay-apiserver-service 31888:8888 > /dev/null &
	kubectl port-forward service/kuberay-apiserver-service 31888:8888

[kevin85421]

Is there any reason not to remove this? If there’s no specific reason, we can go ahead and remove it.

[machichima]

This section keeps the two service type settings with the one unused commented out originally. I simply follow the same format.

I think we can safely remove this. Will remove this for now

[kevin85421]

Suggested change

	setting up the KubeRay operator and APIServer.
	setting up the KubeRay operator and APIServer, and port-forward the HTTP endpoint to local port 31888.

[machichima]

Fix! Thanks!

[machichima]

I've also update the V1 docs here to make them easier to follow

[rueian]

How about we simply attach -H 'Authorization: 12345' in every curl example? Or could we make the guide in the helm-chart/kuberay-apiserver/README.md to be no security proxy by default?

[machichima]

I would prefer making no security proxy by default, just wondering if it is ok to do so? (e.g. with security proxy is actually recommended?)

I will add this to installation section in README:

Refer to this document to install the latest
stable KubeRay apiserver from the Helm repository "without security proxy".

Important

If you install APIServer with security proxy, you may receive an "Unauthorized" error
when making a request. Please add an authorization header to the request: -H 'Authorization: 12345'
or install the APIServer without a security proxy.

[kevin85421]

@rueian would you mind reviewing another iteration? Thanks!

[rueian]

LGTM

[kevin85421]

should we also update services in https://github.com/ray-project/kuberay/tree/master/apiserver/deploy/base?

[machichima]

should we also update services in https://github.com/ray-project/kuberay/tree/master/apiserver/deploy/base?

I think services in apiserver/deploy/base are only used for local development (like using make start-local-apiserver)? In this case I think we can keep it as usual

[kevin85421]

I don’t think it’s only for development. Also, I still don’t think using NodePort for development is a good idea. I will open a follow up PR directly to unblock the branch cut.

[kevin85421]

I didn't review the doc changes. I will go through all related docs and open follow up PRs to update if needed.