Setting up certificates for Cloudera AI Registry

Cloudera AI Registry requires its own dedicated TLS certificate as it operates through a separate Istio gateway that does not support shared certificates.

After successfully installing Cloudera AI Registry, perform the following steps to update its certificates:

  1. Generate a certificate for the Cloudera AI Registry domain using the root CA that was updated on the Cloudera Management Console.

    The Domain name can be found in Cloudera AI > AI Registries > MODEL_REGISTRY_NAME > Details > Domain.

    For example: model-registry.apps.ecs-cluster-1.cloudera.com

  2. Apply the certificate for the Cloudera AI Registry.

    Apply the certificate by using the following commands:

    kubectl get secret ingress-default-cert-mr -n istio-ingress -o yaml > backup_mr_cert_secret.yaml

    kubectl delete secret ingress-default-cert-mr -n istio-ingress

    kubectl create secret tls ingress-default-cert-mr --cert=/path/to/mycert.crt --key=/path/to/cert.key -o yaml --dry-run=client | kubectl -n istio-ingress apply -f -

    Patch certificates for Cloudera AI Registry. To use the script, log in to the master cluster node and run the following command:

    ./cml_utils.sh upload-cert-cair -c /path/to/cert.crt -k /path/to/key.key

    This command creates the ingress-default-cert-mr secret in the istio-ingress namespace using the specified certificate and key.
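
A pre-flight check for the certificate and key from step 1, to run before the existing secret is deleted in step 2. This is an added example, not part of the Cloudera documentation or of cml_utils.sh. The function name check_registry_cert, its return codes and the 30-day default are assumptions; it relies only on the openssl CLI.

```shell
#!/bin/sh
# Validate a certificate/key pair before it replaces ingress-default-cert-mr.
# check_registry_cert is a hypothetical helper, not a Cloudera tool.
#
# Usage: check_registry_cert CERT KEY DOMAIN [MIN_DAYS]
# Returns: 0 usable
#          1 certificate or key unreadable (includes passphrase-protected keys)
#          2 private key does not belong to the certificate
#          3 certificate does not cover DOMAIN
#          4 certificate expires within MIN_DAYS (default 30)
check_registry_cert() {
    local cert="$1" key="$2" domain="$3" min_days="${4:-30}"
    local cert_pub key_pub

    # Public key carried by the certificate; fails if the file is missing
    # or is not a PEM certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1

    # Public key derived from the private key. A Kubernetes TLS secret needs
    # an unencrypted key, so an empty passphrase is forced instead of prompting.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || return 1

    # A mismatched pair would otherwise only surface as a failing gateway
    # after the old secret has already been deleted.
    [ "$cert_pub" = "$key_pub" ] || return 2

    # -checkhost reports its verdict on stdout, so match the text.
    openssl x509 -in "$cert" -noout -checkhost "$domain" 2>/dev/null \
        | grep -q 'does match certificate' || return 3

    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend "$((min_days * 86400))" \
        >/dev/null 2>&1 || return 4

    return 0
}

# When invoked with arguments, run the check directly, for example:
#   sh check_cert.sh /path/to/mycert.crt /path/to/cert.key \
#       model-registry.apps.ecs-cluster-1.cloudera.com
if [ "$#" -ge 3 ]; then
    check_registry_cert "$@"
fi
```

A non-zero return means the pair should not be applied; the current ingress-default-cert-mr secret can stay in place until the certificate is reissued.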