
Support self-signed certs / custom CAs for otel export

Status: Open · rosenhouse opened this issue 2 years ago · 0 comments

Is your feature request related to a problem? Please describe.

I'd like to configure Pixie such that all data it exports is encrypted in transit. I can configure my OpenTelemetry collector to serve TLS using a self-signed server certificate, or a server certificate signed by a private Certificate Authority (CA). But if I do this, and then configure the OpenTelemetry Pixie Plugin to "Secure connections with TLS", then the export fails with a message like

Error: 13: OTel export (carnot node_id=337) failed with error 'UNAVAILABLE'. Details: failed to connect to all addresses; last error: UNKNOWN: ipv4:10.110.170.217:4317: Ssl handshake failed: SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED

Describe the solution you'd like

I'd like an easy way to add a custom CA certificate to the set of CAs trusted by the Pixie Otel export plugin.

Ideally, I could configure this separately for each OpenTelemetry data export script, alongside the export URL.

But as a first pass, I'd be OK with setting a volumeMount and an environment variable on the Kelvin pod, similar to the existing PL_TLS_CA_CERT variable that's used in a few places. It could be named PL_EXPORT_TLS_CA_CERT or something like that, and would expect the path to a file within the Kelvin pod, which could be a volume mount, from which the CA file would be loaded.

Describe alternatives you've considered

I think there's a workaround, using a Kubernetes volumeMount to overwrite the /etc/ssl/certs/ca-certificates.crt file within the kelvin pod, e.g.

   volumeMounts:
    - mountPath: /etc/ssl/certs/ca-certificates.crt
      name: my-custom-ca
      subPath: ca.crt
      readOnly: true

I'm going to try that for now, but I'm unclear if that might break other functionality, since it removes all the public CAs in the process.

Additional context

Very similar to #710

rosenhouse, Jul 14 '23 03:07
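The workaround in the issue mounts a file containing only the private CA over /etc/ssl/certs/ca-certificates.crt, which is exactly why it drops every public root at the same time. The usual way to avoid that side effect is to mount a merged bundle instead: the distribution's bundle plus the private CA, so anything else in the pod that relies on public roots keeps working. The script below is an added example, not code from the Pixie project or from the issue author; it assumes you have a copy of the system bundle (the path /etc/ssl/certs/ca-certificates.crt from the issue) and a PEM file with your private CA, and the "certificates" it generates are constructed PEM-framed placeholders, not real X.509 data, so it runs offline.

```shell
#!/bin/sh
# Added example (not part of the Pixie project): build a CA bundle that keeps
# the public roots AND appends a private CA, so that mounting the result over
# /etc/ssl/certs/ca-certificates.crt does not remove the public CAs.
set -eu

# count_certs FILE: number of PEM certificate blocks in FILE (0 if none).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# merge_bundle SYSTEM_BUNDLE CUSTOM_CA OUT
# Refuses to write OUT unless CUSTOM_CA contains at least one PEM block and
# every BEGIN line has a matching END line; then checks that the merged file
# holds exactly the certificates of both inputs.
merge_bundle() {
    sys="$1"; custom="$2"; out="$3"
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$custom" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$custom" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "refusing to merge: $custom is not a well-formed PEM bundle" >&2
        return 1
    fi
    # A trailing newline between the two files guards against a system bundle
    # that does not end in one, which would glue two PEM blocks together.
    { cat "$sys"; printf '\n'; cat "$custom"; } > "$out"
    total=$(count_certs "$out")
    [ "$total" -eq $(( $(count_certs "$sys") + begins )) ]
}

# --- constructed sample input (placeholders, NOT real certificates) ---------
WORK=$(mktemp -d)
fake_cert() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$1" '-----END CERTIFICATE-----'
}
# Stand-in for /etc/ssl/certs/ca-certificates.crt with two "public" roots.
{ fake_cert PLACEHOLDER-PUBLIC-ROOT-1; fake_cert PLACEHOLDER-PUBLIC-ROOT-2; } \
    > "$WORK/system-ca-certificates.crt"
# Stand-in for the private CA that signed the OTel collector's server cert.
fake_cert PLACEHOLDER-PRIVATE-CA > "$WORK/my-custom-ca.crt"
# A file that is not PEM at all, to show the validation path.
printf 'not a certificate\n' > "$WORK/broken.crt"

merge_bundle "$WORK/system-ca-certificates.crt" "$WORK/my-custom-ca.crt" \
    "$WORK/merged-ca-certificates.crt"
echo "merged bundle: $(count_certs "$WORK/merged-ca-certificates.crt") certificates"
```

Put the resulting merged-ca-certificates.crt into the ConfigMap or Secret that backs the my-custom-ca volume and keep the subPath mount from the issue pointing at it; the collector's private CA is then trusted without the pod losing the public roots. On a real bundle, openssl x509 -in FILE -noout (or openssl crl2pkcs7 -nocrl -certfile FILE | openssl pkcs7 -print_certs -noout) is a stricter check than the BEGIN/END count used here.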