Azure / AKS-Edge

Welcome to the Azure Kubernetes Service (AKS) Edge repo.
MIT License

[Feature] Add automatic support for corporate proxy certificates like Zscaler #170

Open derbl4ck opened 5 months ago

derbl4ck commented 5 months ago

Is your feature request related to a problem? Please describe.

In the past, using AKS EE with IoT Operations behind a corporate proxy was only possible by manually adjusting the configuration of the deployment manifests and the cluster. Since the IoT Ops team fixed their part, only the AKS Edge team's part is missing. See https://github.com/Azure/azure-iot-operations/issues/31.

Describe the solution you'd like

It is still not possible to pull container images until you add the proxy's certificate to the chain. This can be done by copying the proxy's .pem file (or its content) to /etc/pki/ca-trust/source/anchors/ and running sudo update-ca-trust and sudo systemctl restart containerd. Since the Zscaler Root CAs are already added to the Windows host certificate chain (e.g. via Intune), those certificates should be mounted into the AKS EE automatically!

Describe alternatives you've considered

Until now our enterprise has been copying the .pem files manually and running the above commands.

Additional context

Last tested with AksEdge-K8s-1.26.6-1.5.203.0. See also https://github.com/Azure/azure-iot-operations/issues/31.

derbl4ck commented 4 months ago

While adding extensions like the data connector, the following error comes up:

The extension operation failed with the following error: Unable to download the Helm chart from the repourl https://arcdataservicesrow1.azurecr.io/arcdata/arcdataservices-extension:1.27.0 : Recommendation Please ensure that the helm repo is network reachable from the cluster : InnerError [failed to do request: Head "https://arcdataservicesrow1.azurecr.io/v2/arcdata/arcdataservices-extension/manifests/1.27.0": tls: failed to verify certificate: x509: certificate signed by unknown authority], For general troubleshooting visit: https://aka.ms/k8s-extensions-TSG. (Code: ExtensionOperationFailed)

It can be fixed by adding a volume mount for the proxy's .pem file:

kubectl edit deployment/extension-manager -n azure-arc

containers:
- env:
  - name: POD_NAME
    valueFrom:
      fieldRef:
        apiVersion: v1
        fieldPath: metadata.name
  envFrom:
  - configMapRef:
      name: azure-clusterconfig
  - secretRef:
      name: proxy-config
  image: mcr.microsoft.com/azurearck8s/extensionoperator:1.14.6
  imagePullPolicy: IfNotPresent
  name: manager
  resources:
    limits:
      cpu: 200m
      memory: 300Mi
    requests:
      cpu: 100m
      memory: 150Mi
  securityContext:
    readOnlyRootFilesystem: false
  terminationMessagePath: /dev/termination-log
  terminationMessagePolicy: File
  volumeMounts:
  - mountPath: /etc/pki/tls/certs/
    name: hosts-trusted-certs
volumes:
- hostPath:
    path: /etc/pki/ca-trust/source/anchors/
    type: Directory
  name: hosts-trusted-certs

Please add this feature to fix this Issue!