Setting up certificates for Cloudera AI Inference Service

Cloudera AI Inference service requires its own dedicated TLS certificate as it operates through a separate Istio gateway that does not support shared certificates.

After successfully installing the Cloudera AI Inference service, follow these steps to update its certificates:

  1. Generate a certificate for the Cloudera AI Inference service domain using the root CA that has been updated on the Cloudera Management Console.

    The Domain name can be found in Cloudera AI > Cloudera AI Inference service > Cloudera AI Inference service name > Domain.

    Figure 1. Check the Domain name for Cloudera AI Inference service
  2. Apply the certificate for the Cloudera AI Inference service by using the following commands, which back up the existing secret, delete it, and create it again from the new certificate and key:
    kubectl get secret ingress-default-cert-caii -n istio-ingress -o yaml > backup_caii_cert_secret.yaml
    
    kubectl delete secret ingress-default-cert-caii -n istio-ingress
    
    kubectl create secret tls ingress-default-cert-caii --cert=/path/to/mycert.crt --key=/path/to/cert.key -o yaml --dry-run=client | kubectl -n istio-ingress apply -f -
    1. Patch certificates for Cloudera AI Inference service.

      The cml_utils.sh script, available in the Cloudera parcels directory, can be used to patch certificates for the Cloudera AI Inference service.

      To use the script, log in to the master cluster node and run the following command:
      ./cml_utils.sh upload-cert-caii -c /path/to/cert.crt -k /path/to/key.key

      This command creates the ingress-default-cert-caii secret in the istio-ingress namespace using the specified certificate and key.
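
Before the existing secret is deleted in step 2, it is worth confirming that the new certificate and key are usable by the gateway. The following is an added example, not part of the Cloudera documentation or tooling: the function name check_caii_cert, its argument order and its return codes are assumptions, and it assumes the root CA signed the certificate directly.

```shell
#!/usr/bin/env bash
# Pre-flight checks on a certificate/key pair before it replaces the
# ingress-default-cert-caii secret. Added example: the function name,
# argument order and return codes are assumptions, not Cloudera tooling.
#
# Usage: check_caii_cert <cert.crt> <cert.key> <root-ca.crt> <domain>
# Returns 0 if usable, 1 key mismatch, 2 not issued by the root CA (or
# outside its validity period), 3 domain not covered by the certificate.
check_caii_cert() {
  local cert=$1 key=$2 ca=$3 domain=$4 cert_pub key_pub

  # 1. The private key must match the public key in the certificate,
  #    otherwise the gateway cannot complete a TLS handshake with it.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "key does not match certificate" >&2
    return 1
  fi

  # 2. The certificate must verify against the root CA uploaded to the
  #    Management Console. Assumes the root signed it directly; pass any
  #    intermediates with -untrusted if your PKI uses them.
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "certificate does not verify against $ca" >&2
    return 2
  fi

  # 3. The certificate must cover the Domain shown for the service.
  #    -checkhost applies normal hostname matching, wildcards included.
  if ! openssl x509 -in "$cert" -noout -checkhost "$domain" 2>&1 |
       grep -q "does match certificate"; then
    echo "certificate does not cover $domain" >&2
    return 3
  fi
  echo "certificate OK for $domain"
}

# Run the checks when called with the four arguments.
if [ "$#" -eq 4 ]; then
  check_caii_cert "$@"
fi
```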