Configuring cluster issuer for Certificate Manager

Certificate Manager is installed by default as part of the Cloudera Embedded Container Service installation.

To enable cert-manager in Cloudera AI, the cluster issuers must carry the appropriate annotations and labels.

  1. Configure at least one cluster issuer with the type longlived.
    kubectl annotate clusterissuer <ISSUER_NAME> issuer.cdp.cloudera.com/type=longlived
  2. Ensure that the cluster issuers are labelled for the CDP namespace for Cloudera Embedded Container Service.
    kubectl label clusterissuer <ISSUER_NAME> issuer.cdp.cloudera.com/project=cdp
  3. Optional: Configure a different cluster issuer with the type shortlived as below:
    kubectl annotate clusterissuer <ISSUER_NAME> issuer.cdp.cloudera.com/type=shortlived
  4. Optional: To issue certificates with a specific duration instead of the default value, configure the duration annotation on the cluster issuer:
    kubectl annotate clusterissuer <ISSUER_NAME> issuer.cdp.cloudera.com/duration="24h"

    When the duration is configured, the cert-manager.io/duration annotation is also set in the ingress definition, and cert-manager uses it when signing the certificate.

Cloudera AI prefers the shortlived issuer, when one is configured, to sign certificates for temporary workloads such as jobs, sessions, and experiments. Cloudera AI infrastructure endpoints and application workloads use the longlived issuer. If no shortlived issuer is configured, the longlived issuer signs certificates for all workloads and infrastructure endpoints.
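To check the outcome of the steps above against the precedence rule just described, here is an added Python example (not Cloudera's own code) that reads the output of `kubectl get clusterissuers -o json`, reports issuers missing the project label or carrying an unparsable duration, and picks the issuer per workload class. The sample JSON, the workload names and the rule that an unlabelled issuer is skipped are assumptions made for the example.

```python
import json
import re

# Annotation/label keys from the Cloudera AI cluster-issuer procedure
TYPE_ANN = "issuer.cdp.cloudera.com/type"
PROJECT_LABEL = "issuer.cdp.cloudera.com/project"
DURATION_ANN = "issuer.cdp.cloudera.com/duration"
# Go-style duration as cert-manager expects it, e.g. 24h, 1h30m, 90m
DURATION_RE = re.compile(r"^(\d+(\.\d+)?(ns|us|ms|s|m|h))+$")

# Constructed sample shaped like `kubectl get clusterissuers -o json` (not real
# output); "ca-curly" carries the typographic quotes a copy-paste can introduce.
SAMPLE_KUBECTL_JSON = json.dumps({"items": [
    {"metadata": {"name": "ca-long", "labels": {PROJECT_LABEL: "cdp"},
                  "annotations": {TYPE_ANN: "longlived", DURATION_ANN: "24h"}}},
    {"metadata": {"name": "ca-short", "labels": {PROJECT_LABEL: "cdp"},
                  "annotations": {TYPE_ANN: "shortlived"}}},
    {"metadata": {"name": "unlabelled", "labels": {},
                  "annotations": {TYPE_ANN: "longlived"}}},
    {"metadata": {"name": "ca-curly", "labels": {PROJECT_LABEL: "cdp"},
                  "annotations": {TYPE_ANN: "longlived", DURATION_ANN: "\u201d24h\u201d"}}},
]})

def eligible_issuers(kubectl_json):
    """Group correctly configured issuers by type; list the misconfigured ones."""
    by_type = {"longlived": [], "shortlived": []}
    problems = []
    for item in json.loads(kubectl_json)["items"]:
        md = item["metadata"]
        name, ann, labels = md["name"], md.get("annotations") or {}, md.get("labels") or {}
        kind = ann.get(TYPE_ANN)
        if kind not in by_type:
            continue  # not annotated for Cloudera AI, so ignored
        if labels.get(PROJECT_LABEL) != "cdp":
            problems.append(f"{name}: missing label {PROJECT_LABEL}=cdp")
            continue
        duration = ann.get(DURATION_ANN)
        if duration is not None and not DURATION_RE.match(duration):
            problems.append(f"{name}: bad {DURATION_ANN} value {duration!r}")
            continue
        by_type[kind].append(name)
    return by_type, problems

def pick_issuer(by_type, workload):
    """Page precedence: temporary workloads prefer shortlived; all else, and the fallback, longlived."""
    if workload in ("job", "session", "experiment") and by_type["shortlived"]:
        return by_type["shortlived"][0]
    if not by_type["longlived"]:
        raise ValueError("no longlived cluster issuer configured")
    return by_type["longlived"][0]
```

Pipe real output in with `kubectl get clusterissuers -o json | python3 -c 'import sys, check; print(check.eligible_issuers(sys.stdin.read()))'` if the block is saved as `check.py`.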