Production Readiness

Pixie allows you to connect multiple Kubernetes clusters to a single Pixie Cloud instance. The main advantage of such a deployment is that you can monitor all your Kubernetes clusters from a single point.

This guide explains how to share a Pixie Cloud instance across multiple Pixie deployments.

• A domain name that you own
• Prerequisites of the install method your choice; Self-hosted Pixie or Air Gapped Pixie

Install the NGINX Ingress Controller in your Kubernetes cluster. Please refer to the NGINX Ingress Controller Installation Guide for more information.

Note the IP address assigned to the Ingress Controller service. All requests to the Pixie Cloud will be sent through this.

E.g. The following image shows the services created in the namespace where the NGINX Ingress Controller was installed. Note the IP address in the EXTERNAL-IP column of the ingress-nginx-controller Load Balancer service.

Two DNS A records need to be created pointing to the NGINX Ingress controller IP address obtained above.

Suppose that your Pixie custom domain name is pixie.example.com and the IP address obtained above is a.b.c.d. Two A records need to be created as follows.

pixie.example.com           a.b.c.d
work.pixie.example.com      a.b.c.d

If you are using the Self-Hosted installation,

1. Follow steps 1 - 5 and 8 in Deploy Pixie Cloud.
2. Comment lines 94 to 106 in ./scripts/create_cloud_secrets.sh
3. Execute the script as explained in step 9 of Deploy Pixie Cloud

If you are using the Air Gapped installation,

1. Follow steps 1 and 4 in Deploy Pixie Cloud
2. Comment lines 94 to 106 in ./scripts/create_cloud_secrets.sh
3. Execute the script as explained in step 6 of Deploy Pixie Cloud

A TLS certificate is required for the custom domains that you wish to use with Pixie.

Suppose that your Pixie custom domain name is pixie.example.com. You need to obtain a single certificate that is valid for both pixie.example.com and work.pixie.example.com. Finally, create a Kubernetes secret (of type kubernetes.io/tls) named cloud-proxy-tls-certs in the plc namespace using the certificate.

One way to obtain it is by creating a Let's Encrypt certificate using cert-manager. Securing NGINX-ingress tutorial from cert-manager has detailed information about the process.

Here are sample resources that can be used with cert-manager:

Sample ClusterIssuer resource

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-cluster-issuer
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com
    privateKeySecretRef:
      name: letsencrypt-cluster-issuer-key
    solvers:
    - http01:
       ingress:
          class: nginx

Sample Certificate resource

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cloud-proxy-tls-certs
  namespace: plc
spec:
  dnsNames:
  - pixie.example.com
  - work.pixie.example.com
  secretName: cloud-proxy-tls-certs
  issuerRef:
    name: letsencrypt-cluster-issuer
    kind: ClusterIssuer

Two Kubernetes Ingresses are required for Pixie Cloud; One for HTTPs and the other for gRPCs communication.

Create two ingresses as follows.

kubectl apply -f k8s/cloud/overlays/exposed_services_nginx/cloud_ingress_grpcs.yaml
kubectl apply -f k8s/cloud/overlays/exposed_services_nginx/cloud_ingress_https.yaml

If you are using the Self-Hosted installation,

1. In k8s/cloud/public/domain_config.yaml set the value of PASSTHROUGH_PROXY_PORT to be empty.

PASSTHROUGH_PROXY_PORT: ""

2. Complete steps 10 - 13 in Deploy Pixie cloud
3. Skip the Set up DNS section
4. Complete the steps in Authentication using Kratos / Hydra
5. (Optional) - Complete the steps in Invite others to your organization (optional)
6. Install the Pixie CLI as explained in Install the Pixie CLI

If you are using the Air Gapped installation,

1. Complete steps 7 - 11 in Deploy Pixie Cloud
2. In yamls/cloud.yaml, find the ConfigMap named pl-domain-config. Set the value of PASSTHROUGH_PROXY_PORT in it to be empty.

PASSTHROUGH_PROXY_PORT: ""

3. Complete the remaining steps (from step 12 onwards) in Deploy Pixie Cloud
4. Skip the Set up DNS section
5. Complete the steps in Authentication using Kratos / Hydra
6. Complete the steps in Serve the Script Bundle
7. (Optional) - Complete the steps in Invite others to your organization (optional)

Finally, deploy Pixie in each cluster that you wish to monitor.

If you are using the Self-Hosted installation, in Deploy Pixie instructions, skip the --dev_cloud_namespace plc flag when executing px deploy commands.

If you are using the Air Gapped installation, deploy Pixie as explained here.

Air Gapped PixieInstall Schemes (optional)