SSL Issue with Pinecone in Semantic Router #525
Description
When integrating Pinecone with Semantic Router, we encountered an SSL issue that prevents secure communication with the Pinecone service when operating under Zscaler security. Disabling SSL verification (ssl_verify=False) temporarily bypasses the issue, but this is not a viable solution due to security concerns. Additionally, disabling Zscaler is not an option.
Steps to Reproduce:
- Connect to Zscaler and run a Python container with Semantic Router installed within a Kubernetes cluster.
- Requests to Pinecone fail with an SSL error, despite using the default system certificates as environment variables pointing to (
/etc/ssl/certs/ca-certificates.crt). - Create a vanilla Pinecone client disabling
ssl_verifyallows the request to succeed, confirming an issue with certificate verification. - Add a Zscaler certificate to the container, updating the certificates, and specifying the new certificates in vanilla Pinecone client resolves the issue.
Findings:
- The way PineconeIndex initializes the Pinecone client currently prevents specifying custom SSL certificates or other necessary options.
- When running Semantic Router inside a container, adding the necessary certificates during the build process alone does not resolve the issue. Explicitly specifying the certificate in the Pinecone client initialization is required, but the current implementation does not allow for this customization.
Proposed Solution: - Modify Semantic Router to allow passing a custom Pinecone client, enabling users to explicitly configure SSL certificates and other necessary options.
- Ensure that Pinecone endpoints are properly configurable.
- Validate that the fix works both inside and outside Docker environments.
- Add unit tests to confirm proper SSL verification behavior and handling of custom certificates.
Would the maintainers be open to a PR addressing this issue? Let me know if any additional context is required. Thanks!