Deploy an ML Workspace with Support for TLS

You can provision an ML workspace with TLS enabled, so that it can be accessed via HTTPS.

You need to obtain a certificate from the Certificate Authority used by your organization. This may be an internal certificate authority.

Additionally, you need a computer with CLI access to the cluster, and with kubectl installed.

  1. Provision the ML Workspace. Follow the procedure Provisioning ML Workspaces.
  2. Obtain the .crt and .key files for the certificate from your Certificate Authority.
    The certificate URL is generally of the form: <workspaceid>.<apps.openshiftcluster>.<domain>.com. Assuming an example URL for the certificate of, check that the certificate correctly shows the corresponding Common Name (CN) and Subject Alternative Names (SAN):
    • CN:
    • SAN: *
    • SAN:
  3. Create a Kubernetes secret inside the previously provisioned ML workspace namespace, and name the secret cml-tls-secret.

    On a machine with access to the .crt and .key files above, and access to the OpenShift cluster, run this command:

    kubectl create secret tls cml-tls-secret --cert=<pathtocrt.crt> --key=<pathtokey.key> -o yaml --dry-run | kubectl -n <cml-workspace-namespace> create -f -

    You can replace or update certificates in the secret at any time.

  4. In Admin > Security > Root CA configuration, add the root CA certificate to the workspace.
The command creates routes to reflect the new state of ingress and secret, and enables TLS.
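
A pre-flight check for the .crt and .key files from steps 2 and 3, as an added example that is not part of the original procedure. It assumes the openssl CLI is installed; the function names, file names and example.test host names are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks to run on a .crt/.key pair before loading it into
# cml-tls-secret. Host names below are constructed placeholders.

# List the DNS Subject Alternative Names of a PEM certificate, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -text |
    sed -n '/Subject Alternative Name/{n;p;}' | tr ',' '\n' |
    sed -n 's/^ *DNS://p'
}

# san_covers <crt> <host>: succeed if a SAN matches the host exactly, or a
# wildcard SAN matches it with "*" standing for exactly one leftmost label.
san_covers() {
  cert_sans "$1" | (
    while IFS= read -r san; do
      case $san in
        "$2") exit 0 ;;
        '*.'*) [ "$2" != "${2#*.}" ] && [ "${2#*.}" = "${san#??}" ] && exit 0 ;;
      esac
    done
    exit 1
  )
}

# key_matches_cert <crt> <key>: the public key derived from the private key
# must be identical to the one embedded in the certificate.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
    "$(openssl pkey -in "$2" -pubout)" ]
}

# valid_for_days <crt> <days>: succeed if the certificate is still valid then.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# make_sample <dir>: constructed self-signed pair, for trying the checks only.
make_sample() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=ml-demo.apps.example.test" -addext \
    "subjectAltName=DNS:ml-demo.apps.example.test,DNS:*.ml-demo.apps.example.test" \
    -keyout "$1/tls.key" -out "$1/tls.crt" 2>/dev/null
}

# Usage: sh precheck.sh <crt> <key> <workspace-host>
if [ "$#" -eq 3 ]; then
  key_matches_cert "$1" "$2" || { echo "key does not match cert" >&2; exit 1; }
  san_covers "$1" "$3" || { echo "no SAN covers $3" >&2; exit 1; }
  valid_for_days "$1" 30 || { echo "expires within 30 days" >&2; exit 1; }
  openssl x509 -in "$1" -noout -subject
fi
```

A key that does not match the certificate, or a certificate without a SAN for the workspace host, is cheaper to catch here than after the secret is in the namespace.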

Replace a Certificate

You can replace a certificate in a deployed namespace.

  1. Obtain the new certificate .crt and .key files.
  2. Run this command (example):

    kubectl create secret tls cml-tls-secret --cert=<pathtocrt.crt> --key=<pathtokey.key> -o yaml --dry-run | kubectl -n <cml-workspace-namespace> replace -f -

The certificate of an existing session does not get renewed. The new certificate only applies to newly created sessions.