You can provision an ML workspace with TLS enabled, so that it can be accessed via
https.
You need to obtain a certificate from the Certificate Authority used by your
organization. This may be an internal certificate authority.
Additionally, you need a computer with CLI access to the cluster, and with
kubectl installed.
-
Provision the ML Workspace. Follow the procedure Provisioning ML
Workspaces.
-
Obtain the
.crt and .key files for the
certificate from your Certificate Authority.
The certificate URL is generally of the form:
<workspaceid>.<cluster>.<domain>.com.
Assuming an example URL for the certificate of
ml-30b43418-53c.cluster.yourcompany.com, check that the
certificate correctly shows the corresponding Common Name (CN) and Subject
Alternative Names (SAN):
- CN: ml-30b43418-53c.cluster.yourcompany.com
- SAN: *.ml-30b43418-53c.cluster.yourcompany.com
- SAN: ml-30b43418-53c.cluster.yourcompany.com
-
Create a Kubernetes secret inside the previously provisioned ML workspace
namespace, and name the secret
cml-tls-secret.
On a machine with access to the .srt and .key files above, and access to the OpenShift cluster,
run this command: kubectl create secret tls cml-tls-secret
--cert=<pathtocrt.crt> --key=<pathtokey.key> -o yaml
--dry-run | kubectl -n <cml-workspace-namespace> create -f
-
You can replace or update certificates in the secret at any time.
-
In , add the root CA certificate to the workspace.
For example:
https://ml-def88113-acd.cluster.yourcompany.com/administration/security"
The command creates routes to reflect the new state of ingress and secret, and
enables TLS.
