
[Feature] Add automatic support for corporate proxy certificates like Zscaler #170

Open
derbl4ck opened this issue Feb 2, 2024 · 1 comment
derbl4ck commented Feb 2, 2024

Is your feature request related to a problem? Please describe.
In the past, using AKS EE with IoT Operations behind a corporate proxy was only possible by manually adjusting the configuration of the deployment manifests and the cluster. Since the IoT Ops Team fixed their part, only the AKS Edge Team's part is missing. See https://github.com/Azure/azure-iot-operations/issues/31.

Describe the solution you'd like
It is still not possible to pull container images until you add the proxy's certificate to the chain. This can be done by copying the proxy's .pem file or its content to /etc/pki/ca-trust/source/anchors/ and running sudo update-ca-trust and sudo systemctl restart containerd. Since the Zscaler Root CAs are already added to the Windows host certificate chain (e.g. via Intune), those certificates should be automatically mounted into the AKS EE!

Describe alternatives you've considered
Until now, our enterprise has been copying the .pem files manually and running the above commands.

Additional context
Last tested with AksEdge-K8s-1.26.6-1.5.203.0. See also https://github.com/Azure/azure-iot-operations/issues/31.
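The host-side fix the issue describes (copy the PEM into the anchors directory, run update-ca-trust, restart containerd), as an added shell example that is not part of the issue or of AKS Edge Essentials. It assumes the ca-trust layout named in the issue and that it runs as root on the Linux node; ANCHOR_DIR, pem_is_ca_bundle and install_proxy_ca are names chosen here. It adds one check the issue does not mention: a file that is not PEM (the usual result of exporting the root from the Windows store as a binary .cer) is refused instead of being silently ignored by the trust-store rebuild.

```shell
#!/bin/sh
# Added example (not from the issue or AKS Edge Essentials): install a corporate
# proxy root CA (e.g. Zscaler) into the Linux node's trust store so containerd
# can verify TLS connections intercepted by the proxy. Assumes the ca-trust
# layout named in the issue (/etc/pki/ca-trust/source/anchors, update-ca-trust)
# and root on the node. ANCHOR_DIR can be pointed at a scratch directory for a
# dry run; the rebuild and restart then are skipped.
set -eu

SYSTEM_ANCHORS=/etc/pki/ca-trust/source/anchors
ANCHOR_DIR="${ANCHOR_DIR:-$SYSTEM_ANCHORS}"

# pem_is_ca_bundle FILE: succeed only if FILE holds one or more complete PEM
# certificate blocks. A DER/.cer export from the Windows store, or an empty
# file, fails here.
pem_is_ca_bundle() {
  f="$1"
  [ -s "$f" ] || return 1
  begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$f" || true)
  ends=$(grep -c -e '-----END CERTIFICATE-----' "$f" || true)
  [ "$begins" -ge 1 ] && [ "$begins" -eq "$ends" ]
}

# install_proxy_ca FILE [NAME]: copy FILE to ANCHOR_DIR/NAME.pem (mode 0644),
# then rebuild the trust store and restart containerd, but only when writing to
# the real system anchors directory. Prints the installed path.
install_proxy_ca() {
  src="$1"
  name="${2:-$(basename "$src" .pem)}"
  if ! pem_is_ca_bundle "$src"; then
    echo "refusing $src: not a PEM certificate bundle" >&2
    return 1
  fi
  mkdir -p "$ANCHOR_DIR"
  # install(1) sets the mode explicitly: world-readable, writable only by root.
  install -m 0644 "$src" "$ANCHOR_DIR/$name.pem"
  if [ "$ANCHOR_DIR" = "$SYSTEM_ANCHORS" ]; then
    update-ca-trust
    # containerd is a Go binary and loads the system root pool once per
    # process, so a restart is needed for the new anchor to take effect.
    systemctl restart containerd
  fi
  echo "$ANCHOR_DIR/$name.pem"
}

# Stand-alone usage: sudo sh install-proxy-ca.sh /tmp/zscaler-root.pem
if [ -n "${1:-}" ]; then
  install_proxy_ca "$1"
fi
```

Run it on the node with the exported PEM as the only argument. With ANCHOR_DIR pointing at a scratch directory the function only copies and validates, which is how it can be exercised off-node; whether image pulls now succeed is checked afterwards with a pull through the proxy.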

derbl4ck (Author) commented:

While adding extensions like the data connector, the following error comes up:

The extension operation failed with the following error: Unable to download the Helm chart from the repourl https://arcdataservicesrow1.azurecr.io/arcdata/arcdataservices-extension:1.27.0 : Recommendation Please ensure that the helm repo is network reachable from the cluster : InnerError [failed to do request: Head "https://arcdataservicesrow1.azurecr.io/v2/arcdata/arcdataservices-extension/manifests/1.27.0": tls: failed to verify certificate: x509: certificate signed by unknown authority], For general troubleshooting visit: https://aka.ms/k8s-extensions-TSG. (Code: ExtensionOperationFailed)

It can be fixed by adding a volume mount to the proxy's .pem file:

kubectl edit deployment/extension-manager -n azure-arc

      containers:
      - env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        envFrom:
        - configMapRef:
            name: azure-clusterconfig
        - secretRef:
            name: proxy-config
        image: mcr.microsoft.com/azurearck8s/extensionoperator:1.14.6
        imagePullPolicy: IfNotPresent
        name: manager
        resources:
          limits:
            cpu: 200m
            memory: 300Mi
          requests:
            cpu: 100m
            memory: 150Mi
        securityContext:
          readOnlyRootFilesystem: false
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /etc/pki/tls/certs/
          name: hosts-trusted-certs
      volumes:
      - hostPath:
          path: /etc/pki/ca-trust/source/anchors/
          type: Directory
        name: hosts-trusted-certs

Please add this feature to fix this Issue!
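The same mount expressed as a strategic-merge patch instead of a hand edit of the live deployment, as an added example that is not from the issue or from the Arc agents. It assumes what the pasted manifest shows (deployment extension-manager in namespace azure-arc, container name manager, node anchors under /etc/pki/ca-trust/source/anchors) and that the manager binary honours SSL_CERT_DIR, which Go's crypto/x509 does (the "x509: certificate signed by unknown authority" text above is Go's error string). Two choices differ from the kubectl edit above and are mine: the host directory is mounted read-only at a dedicated path (/etc/proxy-ca, a name chosen here) rather than over /etc/pki/tls/certs/, because a hostPath mounted over that directory replaces its contents inside the container, including any ca-bundle.crt the image keeps there; and SSL_CERT_DIR points the process at the extra directory. HOST_ANCHORS, POD_CERT_DIR, ca_mount_patch and patch_extension_manager are names chosen here.

```shell
#!/bin/sh
# Added example (not from the issue or the Arc agents): make the proxy CA
# anchors on the node visible to the extension-manager pod via a strategic-
# merge patch. Assumes the container is named "manager" (as in the pasted
# manifest) and that the process honours SSL_CERT_DIR (Go's crypto/x509 does).
set -eu

HOST_ANCHORS="${HOST_ANCHORS:-/etc/pki/ca-trust/source/anchors}"
POD_CERT_DIR="${POD_CERT_DIR:-/etc/proxy-ca}"   # dedicated mount path, chosen here

# ca_mount_patch: print the strategic-merge patch JSON on stdout. Containers
# merge on "name", env on "name", volumeMounts on "mountPath", volumes on
# "name", so only the additions need to be listed.
ca_mount_patch() {
  cat <<EOF
{
  "spec": {
    "template": {
      "spec": {
        "containers": [
          {
            "name": "manager",
            "env": [
              {"name": "SSL_CERT_DIR", "value": "${POD_CERT_DIR}"}
            ],
            "volumeMounts": [
              {"name": "hosts-trusted-certs", "mountPath": "${POD_CERT_DIR}", "readOnly": true}
            ]
          }
        ],
        "volumes": [
          {"name": "hosts-trusted-certs", "hostPath": {"path": "${HOST_ANCHORS}", "type": "Directory"}}
        ]
      }
    }
  }
}
EOF
}

# patch_extension_manager [kubectl args...]: apply the patch to the live
# deployment; extra arguments (e.g. --dry-run=server -o yaml) are passed through.
patch_extension_manager() {
  kubectl patch deployment extension-manager -n azure-arc \
    --type strategic -p "$(ca_mount_patch)" "$@"
}
```

Preview with patch_extension_manager --dry-run=server -o yaml, then apply without the flag; the pod restarts with the anchors directory mounted. The Arc agents own this deployment, so an agent upgrade may reapply the original manifest and drop the mount, which is the manual step the feature request asks to eliminate.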
