Deploy an ML Workspace with Support for TLS on ECS

On ECS, you can provision an ML workspace with TLS enabled, so that the workspace is accessible via https.

You need to obtain a certificate from the Certificate Authority used by your organization. This may be an internal certificate authority. Additionally, you need a computer with CLI access to the cluster, and with kubectl installed.

note

When provisioning CML, we recommend that the ML workspace be given a static subdomain name. This subdomain is used in the URL for the ML Workspace. A workspace domain is structured as https://<workspace-subdomain>.<cluster>.<company>.com. Workloads created in an ML workspace are containers provisioned in kubernetes and must be addressable to the user. To do this, CML creates a unique subdomain. The URL for the workload is structured as https://<workload-subdomain>.<workspace-subdomain>.<cluster>.<company>.com. Because the workload subdomain is randomly generated, for TLS to work, an ML workspace needs to have a wildcard SAN entry in the TLS certificate and its formed like SAN:*.<workspace-subdomain>.<cluster>.<company>.com. By using unique subdomains, the ML Workspace is able to securely serve each interactive workload with proper isolation and protect it from code injection attacks such as Cross Site Scripting.

Provision an ML workspace. See Provision an ML Workspace for more information.
note
Ensure you select Enable TLS.
Obtain the .crt and .key files for the certificate from your Certificate Authority.
The certificate URL is generally of the form: <workspaceid>.<cluster>.<domain>.com. Assuming an example URL for the certificate of ml-30b43418-53c.apps.cluster.yourcompany.com, check that the certificate correctly shows the corresponding Common Name (CN) and Subject Alternative Names (SAN):
- CN: ml-30b43418-53c.apps.cluster.yourcompany.com
- SAN: *.ml-30b43418-53c.apps.cluster.yourcompany.com
- SAN: ml-30b43418-53c.apps.cluster.yourcompany.com
Create or replace a Kubernetes secret inside the previously provisioned ML workspace namespace, then automatically upload the certificate.
Login to the Ecs Server role host and execute the following commands to accomplish these steps:
1. cd /opt/cloudera/parcels/ECS/bin/
2. ./cml_utils.sh -h
  Optional: A helper prompt appears, with explanation for the next command.
3. ./cml_utils.sh upload-cert -n <namespace> -c <path_to_cert> -k <path_to_key>
  For example: ./cml_utils.sh upload-cert -n bb-tls-1 -c /tmp/ws-cert.crt -k /tmp/ws-key.key
  note
  To find the <namespace> of the workspace, go to the Machine Learning Workspaces UI, and in the Actions menu for the workspace, select View Workspace Details. Namespace is shown on the Details tab.
In Site Administration > Security > Root CA configuration, add the root CA certificate to the workspace.
For example: https://ml-def88113-acd.apps.nf-01.os4cluster.yourcompany.com/administration/security