Self hosted cloud users occasionally deploy their cloud with certificates from an internal CA. This creates issues for the operator and vizier since these components don't have the means to supply the CA files inside their container.
Manual workaround
I've validated that Clouds using self signed certs can be deployed with the following manual steps:
1. PX_CLOUD_ADDR=self-hosted-cloud.example.domain:443 px deploy
2. kubectl delete ns olm
3. Deploy vizier patching the cloud connector -- px deploy --patches='vizier-cloud-connector:{"spec":{"template":{"spec":{"containers":[{"name":"app","volumeMounts":[{"name":"ssl-certificates","mountPath":"/etc/ssl"}]}],"volumes":[{"name":"ssl-certificates","hostPath":{"path":"/etc/ssl","type":"Directory"}}]}}}}'
Proposed Solution
Ideally the px cli and helm install process should allow for injecting the internal CA to the vizier-operator and vizier-cloud-connector components. This can be accomplished with the following steps:
1. Update the pixie operator's Subscription to support the config.openshift.io/inject-trusted-cabundle annotation (docs)
2. Add a configuration option (cli flag and helm setting) that allows for supplying the vizier-cloud-connector patch from above
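An added example, not part of the issue or the Pixie project's code: it parses the workaround's `--patches` value, flags the hostPath volume and the mount that is not marked readOnly, and rewrites the patch to mount a CA bundle from a ConfigMap read-only instead. The ConfigMap name `internal-ca-bundle`, the `/etc/ssl/certs` mount path, and the image reading its trust store from a bundle file under that path are assumptions.

```python
import json

# The patch from the manual workaround, copied from the issue text.
ISSUE_PATCH = (
    'vizier-cloud-connector:{"spec":{"template":{"spec":{"containers":[{"name":"app",'
    '"volumeMounts":[{"name":"ssl-certificates","mountPath":"/etc/ssl"}]}],'
    '"volumes":[{"name":"ssl-certificates","hostPath":{"path":"/etc/ssl","type":"Directory"}}]}}}}'
)


def split_patch(arg):
    """Split a px --patches value into (workload name, parsed patch body)."""
    name, _, body = arg.partition(":")
    return name, json.loads(body)


def audit(arg):
    """Return the points a reviewer would raise about the patch's volumes."""
    _, patch = split_patch(arg)
    pod = patch["spec"]["template"]["spec"]
    findings = []
    for vol in pod.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"volume {vol['name']}: hostPath {vol['hostPath']['path']} mounts a node directory")
    for ctr in pod.get("containers", []):
        for m in ctr.get("volumeMounts", []):
            if not m.get("readOnly", False):
                findings.append(f"container {ctr['name']}: mount {m['mountPath']} is not readOnly")
    return findings


def configmap_patch(arg, configmap="internal-ca-bundle", mount_path="/etc/ssl/certs"):
    """Swap hostPath for a read-only ConfigMap mount (name and path are assumptions)."""
    name, patch = split_patch(arg)
    pod = patch["spec"]["template"]["spec"]
    for vol in pod["volumes"]:
        if "hostPath" in vol:
            del vol["hostPath"]
            vol["configMap"] = {"name": configmap}
    for ctr in pod["containers"]:
        for m in ctr["volumeMounts"]:
            m.update(mountPath=mount_path, readOnly=True)
    return f"{name}:{json.dumps(patch, separators=(',', ':'))}"


if __name__ == "__main__":
    print("\n".join(audit(ISSUE_PATCH)))
    print("px deploy --patches='" + configmap_patch(ISSUE_PATCH) + "'")
```

The ConfigMap must exist in the Vizier namespace before deploying, and mounting it over `/etc/ssl/certs` replaces the image's default roots, so the bundle has to contain every CA the connector needs.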