Provide mechanism for streamlining Vizier deployment against Pixie cloud with self signed certificates
Self hosted cloud users occasionally deploy their cloud with certificates from an internal CA. This creates issues for the operator and vizier since these components don't have the means to supply the CA files inside their container.
Manual workaround
I've validated that Clouds using self signed certs can be deployed with the following manual steps:
- Ensure pixie installs the necessary OLM crds -- `PX_CLOUD_ADDR=self-hosted-cloud.example.domain:443 px deploy`
- Delete OLM namespace to prevent OLM from messing with later manual changes -- `kubectl delete ns olm`
- Modify vizier-operator to mount SSL certs directory from the host. Note: the CA must match the paths recognized by Go
```yaml
# vizier-operator Deployment
template:
  metadata:
    labels:
      app: ssl-mount-app
  spec:
    containers:
    - name: app
      # [ ... ]
      volumeMounts:          # <------------------ required
      - name: ssl-certificates
        mountPath: /etc/ssl
    volumes:                 # <------------------ required
    - name: ssl-certificates
      hostPath:
        path: /etc/ssl
        type: Directory
```
- Deploy vizier patching the cloud connector -- `px deploy --patches='vizier-cloud-connector:{"spec":{"template":{"spec":{"containers":[{"name":"app","volumeMounts":[{"name":"ssl-certificates","mountPath":"/etc/ssl"}]}],"volumes":[{"name":"ssl-certificates","hostPath":{"path":"/etc/ssl","type":"Directory"}}]}}}}'`
Proposed Solution
Ideally the px cli and helm install process should allow for injecting the internal CA to the vizier-operator and vizier-cloud-connector components. This can be accomplished with the following steps:
- Update the pixie operator's Subscription to support the `config.openshift.io/inject-trusted-cabundle` annotation (docs)
- Add a configuration option (cli flag and helm setting) that allows for supplying the vizier-cloud-connector patch from above
Thanks for posting this, have been battling with this for a few days.
Agree this should be much simpler