
Provide mechanism for streamlining Vizier deployment against Pixie cloud with self signed certificates #2054

Open
ddelnano opened this issue Dec 4, 2024 · 0 comments
Labels
area/cli area/deployment Issues replated to deployments

Comments

ddelnano commented Dec 4, 2024

Self-hosted cloud users occasionally deploy their cloud with certificates from an internal CA. This creates issues for the operator and vizier since these components don't have the means to supply the CA files inside their container.

Manual workaround

I've validated that Clouds using self-signed certs can be deployed with the following manual steps:

1. Ensure pixie installs the necessary OLM CRDs -- `PX_CLOUD_ADDR=self-hosted-cloud.example.domain:443 px deploy`
2. Delete OLM namespace to prevent OLM from messing with later manual changes -- `kubectl delete ns olm`
3. Modify vizier-operator to mount SSL certs directory from the host. Note: the CA must match the paths recognized by Go

   ```yaml
   # vizier-operator Deployment
     template:
       metadata:
         labels:
           app: ssl-mount-app
       spec:
         containers:
         - name: app
           # [ ... ]
           volumeMounts:       # <-- required
           - name: ssl-certificates
             mountPath: /etc/ssl
         volumes:              # <-- required
         - name: ssl-certificates
           hostPath:
             path: /etc/ssl
             type: Directory
   ```

4. Deploy vizier patching the cloud connector -- `px deploy --patches='vizier-cloud-connector:{"spec":{"template":{"spec":{"containers":[{"name":"app","volumeMounts":[{"name":"ssl-certificates","mountPath":"/etc/ssl"}]}],"volumes":[{"name":"ssl-certificates","hostPath":{"path":"/etc/ssl","type":"Directory"}}]}}}}'`

Proposed Solution

Ideally the px cli and helm install process should allow for injecting the internal CA to the vizier-operator and vizier-cloud-connector components. This can be accomplished with the following steps:

  1. Update the pixie operator's Subscription to support the config.openshift.io/inject-trusted-cabundle annotation (docs)
  2. Add a configuration option (cli flag and helm setting) that allows for supplying the vizier-cloud-connector patch from above
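To illustrate the caveat in step 3 of the manual workaround (the mounted CA has to land where Go's certificate verification looks for it), here is an added Go example that is not part of this issue or the Pixie code base: it creates a constructed, throw-away internal CA and then checks a certificate against a CA bundle the way a Go client such as the cloud connector effectively does, once with the bundle present and once with it empty, which is the failure the unpatched container runs into. The `bundlePEM` bytes stand for the contents of the mounted bundle file (on Linux, Go reads e.g. `/etc/ssl/certs/ca-certificates.crt`); the function names and the CA name are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// NewInternalCA builds a throw-away self-signed CA (a constructed stand-in for an organisation's internal CA), PEM-encoded.
func NewInternalCA() ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-internal-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// TrustedByBundle reports whether certPEM chains to a root found in bundlePEM, the contents of the
// CA bundle file Go reads on Linux (e.g. /etc/ssl/certs/ca-certificates.crt). An empty bundle, i.e.
// nothing mounted, makes Verify fail with UnknownAuthorityError, reported here as "not trusted".
func TrustedByBundle(certPEM, bundlePEM []byte) (bool, error) {
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(bundlePEM) // no PEM certificates in the bundle: the pool stays empty
	block, _ := pem.Decode(certPEM)
	if block == nil {
		block = &pem.Block{} // ParseCertificate rejects the empty body with a clear error
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: pool})
	if _, unknownCA := err.(x509.UnknownAuthorityError); unknownCA {
		return false, nil // well-formed certificate, but no root in the bundle vouches for it
	}
	return err == nil, err
}
```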
@ddelnano ddelnano added area/deployment Issues replated to deployments area/cli labels Dec 4, 2024