Deploy an ML Workspace with Support for TLS on ECS

On ECS, you can provision an ML workspace with TLS enabled, so that the workspace is accessible via https.

You need to obtain a certificate from the Certificate Authority used by your organization. This may be an internal certificate authority. Additionally, you need a computer with CLI access to the cluster, and with kubectl installed.
  1. Provision an ML workspace. See Provision an ML Workspace for more information.
  2. Obtain the .crt and .key files for the certificate from your Certificate Authority.
    The certificate URL is generally of the form: <workspaceid>.<cluster>.<domain>.com. Assuming an example URL for the certificate of ml-30b43418-53c.cluster.yourcompany.com, check that the certificate correctly shows the corresponding Common Name (CN) and Subject Alternative Names (SAN):
    • CN: ml-30b43418-53c.cluster.yourcompany.com
    • SAN: *.ml-30b43418-53c.cluster.yourcompany.com
    • SAN: ml-30b43418-53c.cluster.yourcompany.com
  3. Create or replace a Kubernetes secret inside the previously provisioned ML workspace namespace.
    Next, to automatically upload the certificate, login to the Ecs Server role host and execute the following commands:
    1. cd /opt/cloudera/parcels/ECS/bin/
    2. ./cml_utils.sh -h
      Optional: A helper prompt appears, with explanation for the next command.
    3. ./cml_utils.sh upload-cert -n <namespace> -c <path_to_cert> -k <path_to_key>
      For example: ./cml_utils.sh upload-cert -n bb-tls-1 -c /tmp/ws-cert.crt -k /tmp/ws-key.key
  4. In Admin > Security > Root CA configuration, add the root CA certificate to the workspace.
    For example: https://ml-def88113-acd.apps.nf-01.os4cluster.yourcompany.com/administration/security