[Feature]: Ability to trust private CA for internally hosted openai endpoints to overcome x509 TLS errors #546

Open
2 tasks done
vijaymateti opened this issue Oct 24, 2024 · 1 comment


vijaymateti commented Oct 24, 2024

Checklist

  • I've searched for similar issues and couldn't find anything matching
  • I've discussed this feature request in the K8sGPT Slack and got positive feedback

Is this feature request related to a problem?

Yes

Problem Description

Some internally hosted model endpoints are protected using TLS certificates signed by a private certificate authority. When k8sgpt is deployed as an operator in a cluster, we are unable to see details inside the results CRD due to TLS errors in the application logs.

Finished Reconciling k8sGPT with error: failed to call Analyze RPC: rpc error: code = Unknown desc = failed while calling AI provider openai: Post "https://XXnternal endpointXX/openai/v1/chat/completions": tls: failed to verify certificate: x509: certificate signed by unknown authority
XXXZ ERROR Reconciler error {"controller": "k8sgpt", "controllerGroup": "core.k8sgpt.ai", "controllerKind": "K8sGPT", "K8sGPT": {"name":"k8sgpt","namespace":"k8sgpt-operator-system"}, "namespace": "k8sgpt-operator-system", "name": "k8sgpt", "reconcileID": "XXX", "error": "failed to call Analyze RPC: rpc error: code = Unknown desc = failed while calling AI provider openai: Post "https://XXinternal endpointXX/openai/v1/chat/completions": tls: failed to verify certificate: x509: certificate signed by unknown authority"}

Solution Description

Overcome TLS by creating a configmap for the internal CA public certificate and probably mounting it as a volume on the deployment spec:

      volumeMounts:
        - name: ca-certificates
          mountPath: /etc/ssl/certs/ca.crt  # Mount the configMap directly to the system certificates directory
          subPath: ca.crt
  volumes:
    - name: ca-certificates
      configMap:
        name: ca-configmap

Benefits

This allows enterprises to use internally hosted model endpoints secured using TLS certs signed by internal CAs.

Potential Drawbacks

I've tried the above version; it's not working for some reason, maybe the cert is not getting trusted.

Additional Information

No response

@samirtahir91

Typically people add custom CA certs by building a custom image based on the official one for addons, but this sounds nice to have.
