Cloudera Docs

Adding Docker registry credentials and certificates for engines

To enable Cloudera AI to fetch custom Legacy Engine from a secure repository, as an Administrator you need to add Docker registry credentials.

  1. In the Cloudera console, click the Cloudera AI tile.

    The Cloudera AI Workbenches page displays.

  2. Click on the name of the workbench.

    The Workbenches Home page displays.

  3. Click Site Administration in the left navigation menu.

    The Site Administration page displays.

  4. Click Runtimes, and click Add Credentials in the Docker Credentials section.
    The Add Credentials dialog box is displayed.
  5. In Name, provide a name for the credential. This name will be displayed to manage the credentials.
  6. In Server, provide the docker server address.
  7. In Username, provide the username of the credential.
  8. In Password, provide the password for the credential.
  9. In Confirm Password, repeat the same password given in the Password field.
  10. Click Add.

The credentials name and server name are displayed under the Docker Credentials section. The default credentials are used when Legacy Engine images are pulled.

You can use the toggle button to set the default credential. The default credential is picked up automatically for Custom Legacy Engines coming from the server stored in the default credential.

Click to edit the Docker credential and click to delete the Docker credential.

Adding Docker Registry certificates to Cloudera AI

You may need to copy your registry's TLS certificates into Cloudera AI:
  1. Pull the existing certificates: 
    kubectl get configmap private-cloud-ca-certs-pem -n [***CML workspace namespace***] -o jsonpath="{4e.binaryData.cacerts}" | base64 -d > /tmp/oldcerts.pem
  2. Append your docker registry certificates to the existing certificates and convert them to base64:
    cat /tmp/dockercerts.crt /tmp/oldcerts.pem > /tmp/newcerts.pem
       cat /tmp/newcerts.pem | base64 -w 0 > /tmp/newcerts.b64
  3. Pull the certificates' configuration map and update it with this new certificate file:
    kubectl get configmap private-cloud-ca-certs-pem -n [***CML workspace namespace***] -o yaml > /tmp/oldconfigmap.yaml
       
       cat /tmp/oldconfigmap.yaml | sed "s/cacerts.*/cacerts: $(cat /tmp/newcerts.b64)/" > /tmp/newconfigmap.yaml
       
       kubectl apply -f /tmp/newconfigmap.yaml
  4. Delete the runtime-manager pod to restart it and see these new certificates:
    kubectl delete pod runtime-manager-xxxxxxx-xxxxx -n [***CML workspace namespace***]

Adding Docker registry certificates to Cloudera

If the Custom Legacy Engine repository uses self-signed TLS certificates, those certificates must be trusted by Clouderaprior to creating the Cloudera AI Workbench. The certificates must be uploaded to Miscellaneous category, as uploading them to other categories might intervene into other processes. See the necessary steps to make Cloudera trust the self-signed certificates in Updating TLS certificates.