Deploy an ML Workspace with Support for TLS on ECS

On ECS, you can provision an ML workspace with TLS enabled, so that the workspace is accessible via https.

You need to obtain a certificate from the Certificate Authority used by your organization. This may be an internal certificate authority. Additionally, you need a computer with CLI access to the cluster, and with kubectl installed.

Provision an ML workspace. See Provision an ML Workspace for more information.
note
Ensure you select Enable TLS.
Obtain the .crt and .key files for the certificate from your Certificate Authority.
The certificate URL is generally of the form: <workspaceid>.<cluster>.<domain>.com. Assuming an example URL for the certificate of ml-30b43418-53c.cluster.yourcompany.com, check that the certificate correctly shows the corresponding Common Name (CN) and Subject Alternative Names (SAN):
- CN: ml-30b43418-53c.cluster.yourcompany.com
- SAN: *.ml-30b43418-53c.cluster.yourcompany.com
- SAN: ml-30b43418-53c.cluster.yourcompany.com
Create or replace a Kubernetes secret inside the previously provisioned ML workspace namespace, then automatically upload the certificate.
Login to the Ecs Server role host and execute the following commands to accomplish these steps:
1. cd /opt/cloudera/parcels/ECS/bin/
2. ./cml_utils.sh -h
  Optional: A helper prompt appears, with explanation for the next command.
3. ./cml_utils.sh upload-cert -n <namespace> -c <path_to_cert> -k <path_to_key>
  For example: ./cml_utils.sh upload-cert -n bb-tls-1 -c /tmp/ws-cert.crt -k /tmp/ws-key.key
  note
  To find the <namespace> of the workspace, go to the Machine Learning Workspaces UI, and in the Actions menu for the workspace, select View Workspace Details. Namespace is shown on the Details tab.
In Site Administration > Security > Root CA configuration, add the root CA certificate to the workspace.
For example: https://ml-def88113-acd.apps.nf-01.os4cluster.yourcompany.com/administration/security