What's new in Cloudera Data Services on premises 1.5.5 SP2

This Cloudera Data Services on premises release provides you with several new capabilities. Learn how the new features and improvements benefit you.

Certificate Management support for OpenShift Container Platform (OCP)

Cert-manager is an open-source tool for Kubernetes that automates the provisioning, management, and renewal of TLS certificates. Its documentation, Certificate Management, provides comprehensive guidance on installing, configuring, and using cert-manager to secure workloads with trusted X.509 certificates. Cloudera provides out-of-the-box support for Venafi Trust Protection Platform (TPP) as part of the Cloudera Embedded Container Service and OCP installation. By integrating cert-manager, Data Services achieve secure communication, reduced manual overhead, and compliance with security standards, leveraging the robust automation and flexibility of the tool. For more information on setting up the cert-manager tool using Venafi TPP, see Setting up Certification Manager using Venafi TPP.

Custom Annotation Support in Certificate Manager

When Venafi TPP (Trust Protection Platform) requires a custom mandatory field to be included in all certificate issuance API requests, the Custom Annotation Support in Certificate Manager feature enables support for custom annotation fields defined in the Venafi ClusterIssuer with their specified values. It automatically injects the required Venafi custom field annotations (venafi.cert-manager.io/custom-fields) into CertificateRequest objects at creation, ensuring they are included in all Venafi certificate issuance API calls. Annotations with dynamic values, such as those generated from environment variables or the cluster name, are not supported.

For example, to add a custom Venafi field annotation NBKID with the value ADFS:1234554321 to the ClusterIssuer named tpp-issuer-e2e-lbd60c, use the following command:
kubectl patch clusterissuer tpp-issuer-e2e-lbd60c --type='merge' -p \
  '{"metadata":{"annotations":{"venafi.cert-manager.io/custom-fields":"[{\"name\":\"NBKID\",\"value\":\"ADFS:1234554321\"}]"}}}'
For more information, see Setting up Certification Manager using Venafi TPP.
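The annotation value in the command above is a JSON array stored as a string inside the JSON patch, so escaping it by hand is error-prone. The following added example (not Cloudera's or cert-manager's code) builds that payload from name/value pairs and rejects values that still contain a placeholder; the helper names and the placeholder heuristic are assumptions made for illustration.

```python
import json
import re
import shlex

ANNOTATION = "venafi.cert-manager.io/custom-fields"

# Assumption: a value that still contains a shell or template placeholder was
# meant to be dynamic, which the feature does not support.
PLACEHOLDER = re.compile(r"\$\{[^}]*\}|\$\([^)]*\)|\{\{.*?\}\}|\$[A-Za-z_]\w*")
# Kubernetes object names are DNS-1123 subdomains.
K8S_NAME = re.compile(r"[a-z0-9]([-a-z0-9.]*[a-z0-9])?")


def build_patch(fields):
    """Return the merge-patch JSON for a list of (name, value) string pairs."""
    entries, seen = [], set()
    for name, value in fields:
        if not (isinstance(name, str) and isinstance(value, str) and name and value):
            raise ValueError(f"custom field needs non-empty strings: {name!r}")
        if name in seen:
            raise ValueError(f"duplicate custom field: {name}")
        if PLACEHOLDER.search(value):
            raise ValueError(f"dynamic value not supported for {name}: {value}")
        seen.add(name)
        entries.append({"name": name, "value": value})
    # The annotation value is itself a JSON document stored as a string, so it
    # is serialized first and then escaped by the outer json.dumps call.
    inner = json.dumps(entries, separators=(",", ":"))
    patch = {"metadata": {"annotations": {ANNOTATION: inner}}}
    return json.dumps(patch, separators=(",", ":"))


def read_fields(patch_json):
    """Decode a patch back into (name, value) pairs to confirm what is sent."""
    inner = json.loads(patch_json)["metadata"]["annotations"][ANNOTATION]
    return [(f["name"], f["value"]) for f in json.loads(inner)]


def kubectl_command(issuer, fields):
    """Return a shell-quoted kubectl command line for the given ClusterIssuer."""
    if not K8S_NAME.fullmatch(issuer) or len(issuer) > 253:
        raise ValueError(f"not a valid Kubernetes object name: {issuer!r}")
    args = ["kubectl", "patch", "clusterissuer", issuer, "--type=merge",
            "-p", build_patch(fields)]
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    print(kubectl_command("tpp-issuer-e2e-lbd60c", [("NBKID", "ADFS:1234554321")]))
```

Run as a script, it prints the same patch command as the example above, with `--type=merge` written without quotes.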

Added Dedicated Cloudera Data Engineering Node and Cloudera AI Infra Node to run on the dedicated Cloudera Embedded Container Service node

In the node_taint property on the Cloudera Embedded Container Service Host Configuration page, the following options are added in 1.5.5 SP2:

  1. Dedicated Cloudera Data Engineering Node for Data Engineering services (available only in Cloudera Embedded Container Service 1.5.5 SP2 or higher versions) – If selected, the host is reserved exclusively for all Cloudera Data Engineering-related services and workloads.
  2. Dedicated Cloudera AI Infra Node for Cloudera AI infrastructure services (available only in Cloudera Embedded Container Service 1.5.5 SP2 or higher versions) – If selected, the host is allocated exclusively for Cloudera AI infrastructure services.

For more information, see Adding Dedicated CDE and CAI node.

Added reflector to continuously mirror secrets from openshift-ingress to istio-ingress namespace

In the Ingress Certificate Secret Synchronization section, enter the name of the TLS secret located in the openshift-ingress namespace into the OpenShift Ingress Secret Name field. This is the default certificate used by the OpenShift cluster, and it will be used by the Istio ingress for TLS termination.

For more information, see Ingress Certificate Secret Synchronization.