SSL Issue with Pinecone in Semantic Router #525

Open
clioo opened this issue Jan 31, 2025 · 1 comment · May be fixed by #529
Labels
enhancement Enhancement to existing features

clioo commented Jan 31, 2025

When integrating Pinecone with Semantic Router, we encountered an SSL issue that prevents secure communication with the Pinecone service when operating under Zscaler security. Disabling SSL verification (ssl_verify=False) temporarily bypasses the issue, but this is not a viable solution due to security concerns. Additionally, disabling Zscaler is not an option.

Steps to Reproduce:

  1. Connect to Zscaler and run a Python container with Semantic Router installed within a Kubernetes cluster.
  2. Requests to Pinecone fail with an SSL error, despite using the default system certificates as environment variables pointing to (/etc/ssl/certs/ca-certificates.crt).
  3. Creating a vanilla Pinecone client with ssl_verify disabled allows the request to succeed, confirming an issue with certificate verification.
  4. Adding a Zscaler certificate to the container, updating the certificates, and specifying the new certificates in the vanilla Pinecone client resolves the issue.

Findings:

  • The way PineconeIndex initializes the Pinecone client currently prevents specifying custom SSL certificates or other necessary options.
  • When running Semantic Router inside a container, adding the necessary certificates during the build process alone does not resolve the issue. Explicitly specifying the certificate in the Pinecone client initialization is required, but the current implementation does not allow for this customization.

Proposed Solution:

  • Modify Semantic Router to allow passing a custom Pinecone client, enabling users to explicitly configure SSL certificates and other necessary options.
  • Ensure that Pinecone endpoints are properly configurable.
  • Validate that the fix works both inside and outside Docker environments.
  • Add unit tests to confirm proper SSL verification behavior and handling of custom certificates.

Would the maintainers be open to a PR addressing this issue? Let me know if any additional context is required. Thanks!

@jamescalam jamescalam added the enhancement Enhancement to existing features label Jan 31, 2025
@jamescalam (Member)

Hi @clioo — thanks for raising the issue. The team unfortunately doesn't have active access to Zscaler so we cannot confirm the behaviour, but we can see that the custom SSL support is not currently implemented. If this is something you're able to contribute we'd be happy to review and merge.

Note that it's likely you'd need to add the SSL support to the pinecone client but also to the async pinecone calls, hope that helps!

clioo added a commit to clioo/semantic-router that referenced this issue Feb 8, 2025
- Add a new `client` parameter to `PineconeIndex.__init__` for dependency injection.
- Use the supplied client if provided, otherwise initialize a new Pinecone client.
- Maintain backward compatibility while improving testability and configuration flexibility.
- removing duplication on api_key

Fixes aurelio-labs#525
@clioo clioo linked a pull request Feb 8, 2025 that will close this issue
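
Added example, not code from the issue, the linked commit or the Semantic Router project: one way to keep TLS verification on behind an inspecting proxy by checking the CA bundle at startup and handing a pre-configured Pinecone client to `PineconeIndex`. It assumes the `client` parameter proposed in the linked commit is available and that `PineconeIndex` is importable from `semantic_router.index.pinecone`; the helper names `verified_ca_bundle` and `build_pinecone_index` are hypothetical.

```python
import os
import ssl


def verified_ca_bundle(path):
    """Return (absolute_path, cert_count) for a CA bundle OpenSSL can load.

    Raises instead of falling back to ssl_verify=False, so a missing
    corporate root fails at startup rather than as a handshake error.
    """
    path = os.path.abspath(path)
    if not os.path.isfile(path):
        raise FileNotFoundError(f"CA bundle not found: {path}")
    try:
        # Loads only this file (no system defaults), so the count below
        # reflects exactly what the Pinecone client will be told to trust.
        ctx = ssl.create_default_context(cafile=path)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        raise ValueError(f"{path} holds no loadable PEM certificates") from exc
    return path, ctx.cert_store_stats()["x509"]


def build_pinecone_index(api_key, index_name, ca_bundle):
    """Create a PineconeIndex whose client verifies TLS against ca_bundle."""
    ca_path, _ = verified_ca_bundle(ca_bundle)
    # Imported lazily so the bundle check above runs without either package.
    from pinecone import Pinecone
    from semantic_router.index.pinecone import PineconeIndex  # assumed path

    # ssl_ca_certs keeps verification on; ssl_verify=False is never set.
    client = Pinecone(api_key=api_key, ssl_ca_certs=ca_path)
    # `client=` is the parameter proposed in the linked commit (assumption:
    # it is available in the installed semantic-router version).
    return PineconeIndex(index_name=index_name, client=client)


if __name__ == "__main__":
    # Constructed sample path: system bundle with the Zscaler root appended
    # by update-ca-certificates during the image build.
    print(verified_ca_bundle("/etc/ssl/certs/ca-certificates.crt"))
```
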