pixie-io / pixie

Instant Kubernetes-Native Application Observability

Home Page: https://px.dev

Deployment with customDeployKeySecret results in crashing cloud connector pod.

mj-sakellaropoulos opened this issue

Describe the bug
Deploying Pixie using the Helm chart or via YAML while specifying a customDeployKeySecret results in the following error in the cloud connector pod:

time="2023-11-21T00:25:22Z" level=fatal msg="Failed to register vizier deployment. If deploying via Helm or Manifest, please check your deployment key. Otherwise, ensure you have deployed with an authorized account." error="rpc error: code = Internal desc = stream terminated by RST_STREAM with error code: PROTOCOL_ERROR"

Specifying deployKey directly via helm values, vizier crd or CLI works as expected and deployment is successful.

To Reproduce

  1. Create pl namespace first
  2. Create secret px-deploy-key:
apiVersion: v1
data:
  deploy-key: _base64_encoded_deploy_key_
kind: Secret
metadata:
  name: px-deploy-key
  namespace: pl
type: Opaque
  3. If using Helm, specify customDeployKeySecret: px-deploy-key in values.yaml; if using YAML, modify 06_vizier.yaml as follows:
apiVersion: px.dev/v1alpha1
kind: Vizier
metadata:
  name: pixie
  namespace: pl
spec:
  version: 0.14.7
  customDeployKeySecret: px-deploy-key
  cloudAddr: withpixie.ai:443
  disableAutoUpdate: false
  useEtcdOperator: false
  clusterName: cedille-cedille-cluster
  pemMemoryLimit: 3Gi
  dataAccess: Full
  dataCollectorParams:

Expected behavior: Possibility to use customDeployKeySecret to avoid putting the deploy key as cleartext in our repo.

Logs
pixie_logs_20231120193837.zip

App information (please complete the following information):

  • Pixie version: Latest from CLI or helm chart version 0.1.4
  • K8s cluster version: 1.27.3
  • Node Kernel version: 6.1.51-talos (Talos Linux)
  • Browser version: Not applicable

Additional context
Our repo is open source, all the pixie related configs are here: https://github.com/ClubCedille/Plateforme-Cedille/tree/master/system/pixie

That looks correct from what I can tell. Can you inspect the PL_DEPLOY_KEY environment variable from the cloud connector container (either via $ strings /proc/$pid/environ or from a container shell)? Looking at your pl__vizier-cloud-connector-64c99d97f4-44nbt__describe.json file it appears that the PL_DEPLOY_KEY environment variable is getting its value from the correct secret name.

{
  "name": "PL_DEPLOY_KEY",
  "valueFrom": {
    "secretKeyRef": {
      "name": "px-deploy-key",
      "key": "deploy-key",
      "optional": true
    }
  }
}

Thanks for your answer. I was able to confirm that the env var value was correct.
I started over from the beginning and regenerated (again) a deployment key, and now it's working.
Not sure what exactly happened; I did re-deploy and regenerate the key many times before finally giving up and filing an issue. Murphy's law.
Maybe some unprintable character snuck into my base64 command.

Either way, it seems to be a non-issue - sorry for the trouble.

No worries and glad it is working now!
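
The reporter's guess above, that an unprintable character slipped into the base64-encoded value, can be checked before the Secret is applied. The following is an added example, not part of the original thread or of Pixie's code; the function name, the constructed sample key, and the assumption that a deploy key is printable ASCII with no whitespace are all illustrative.

```python
import base64
import binascii


def inspect_secret_value(b64_value: str) -> list[str]:
    """Return the problems found in a Secret `data` value; an empty list means clean.

    Assumption (not stated in the thread): a valid deploy key consists only of
    printable ASCII characters and contains no whitespace.
    """
    try:
        raw = base64.b64decode(b64_value, validate=True)
    except (binascii.Error, ValueError) as exc:
        return [f"not valid base64: {exc}"]
    if not raw:
        return ["decoded value is empty"]

    problems = []
    core = raw.strip()
    if core != raw:
        # Typical cause: `echo "$KEY" | base64` also encodes echo's trailing newline.
        problems.append("leading/trailing whitespace around the key")
    bad = sorted({b for b in core if b < 0x21 or b > 0x7E})
    if bad:
        problems.append(
            "non-printable or non-ASCII bytes: " + " ".join(f"0x{b:02x}" for b in bad)
        )
    return problems


# Constructed sample values; EXAMPLE-DEPLOY-KEY is a placeholder, not a real key.
SAMPLES = {
    "clean": base64.b64encode(b"EXAMPLE-DEPLOY-KEY").decode(),
    "trailing newline": base64.b64encode(b"EXAMPLE-DEPLOY-KEY\n").decode(),
    "UTF-8 BOM prefix": base64.b64encode(b"\xef\xbb\xbfEXAMPLE-DEPLOY-KEY").decode(),
    "not base64": "EXAMPLE DEPLOY KEY!",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        found = inspect_secret_value(value)
        print(f"{label}: {'ok' if not found else '; '.join(found)}")
```

Run it against the string stored under `deploy-key` in the Secret's `data` map; any reported problem means the value the cloud connector receives in `PL_DEPLOY_KEY` differs from the key that was generated.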