clemenskol
commented
1 year ago FYI, there is a way to work around this without native support in Pixie: since the cloud-connector proxy uses the standard golang gRPC libraries, we can override the root CA used by the process. For example, we can extend the deployment/vizier-cloud-connector to have the following volume and volumeMount:
apiVersion: apps/v1
kind: Deployment
metadata:
...
name: vizier-cloud-connector
...
spec:
...
template:
...
spec:
...
containers:
- env:
...
name: app
volumeMounts:
...
# NEW ENTRY: vvvvvvvvv
- mountPath: /etc/ssl/certs/ca-certificates.crt
name: control-plane-certs
subPath: "ca.crt"
# NEW ENTRY: ^^^^^^^^^^
...
serviceAccountName: cloud-conn-service-account
volumes:
...
# NEW ENTRY: vvvvvvvvv
- name: control-plane-certs
secret:
secretName: control-plane-tls-certs
# NEW ENTRY: ^^^^^^^^^^and put the CA cert of the cloud control-plane into a secret in the pl namespace:
apiVersion: v1
kind: Secret
metadata:
name: control-plane-tls-certs
namespace: pl
type: Opaque
data:
ca.crt: <base64-of-certificate>which can be found in the cloud using
kubectl --namespace plc get secret cloud-proxy-tls-certs -o jsonpath='{.data.tls\.crt}'Conceptually it's of course still cleaner to split NATs and gRPC configs, but at least the above allows connectivity without changing the containers/code.
NOTE: The above replaces the root CAs (instead of adding it). This means that only the local cluster cert generated by Vizier and the installed cloud cert are trusted - nothing else. Be warned of this side-effect, but in most scenarios that should be fine, as the cloud-connector proxy shouldn't talk to anything else.
MrAta
Is your feature request related to a problem? Please describe.
We are using the Pixie cloud in a self-hosted, multi-tenant environments. In some scenarios, including (but not limited to) dev/testing, we would like to deploy Vizier connected to the cloud using a self-signed certificate, or at least a certificate that is not signed by a global, trusted CA.
For this purpose, we want to be able to configure Vizier to use a CA certificate of the cloud backend stored in a k8s secret.
This does not seem possible currently, as the certificate loading logic/config is shared between the cloud-gRPC and NATs pieces, meaning that I cannot change the certificate for gRPC only without affecting NATs.
Furthermore, while technically unrelated, it would be practical to also allow disabling of SSL independently for gRPC and NATs. If we split SSL config, we might as well split that related option too. And, while at it - but now we could really consider a separate story: support insecure SSL for cloud connections for testing (disable validation of SSL but keep SSL enabled).
Describe the solution you'd like
SSL certificates and SSL config are split between NATs and cloud gRPC so they can be configured independently from each other. Support loading CA certificates for gRPC from a custom secret (created by the user; doesn't need to be deployed by Pixie)
Describe alternatives you've considered
Disable SSL validation for testing purposes, but this is not supported and is a worse situation. Relying on public CAs for our test/dev environments is not an opotion
Additional context