Cloudera AI Registry on premises uses Apache Ozone to store model artifacts.
Cloudera AI Registry also requires dedicated TLS
certificates as it operates through a separate Istio gateway, which does not support
shared certificates.
Dedicated TLS certificate for Cloudera AI Registry
Cloudera AI Registry requires dedicated TLS certificates as it
operates through a separate Istio gateway, which does not support shared
certificates. During the installation of Cloudera on premises, the root Certificate Authority
(CA) for these certificates must be set up. If this configuration step was missed,
you can update the root CA by following the guidelines outlined in: Updating TLS certificates.
Creating Apache Ozone credentials
To create a Cloudera AI Registry, you need the Ozone S3
gateway endpoint, the Ozone access key, and the Ozone secret key.
Open the Cloudera Manager UI.
Select Clusters in the left navigation pane, and then
select the relevant cluster, such as OZONE-1 in the
example.
Figure 1. Selecting clusters in Ozone configuration
Select S3 Gateway from the Status
Summary.
Figure 2. Selecting S3 Gateway in the Ozone configuration
Go to the S3 Gateway Web UI tab.
Figure 3. Selecting S3 Gateway Web UI in Ozone configuration
After selecting the S3 Gateway Web UI, you can see a
command with the --endpoint option, which shows the Ozone S3 gateway
endpoint information:
Figure 4. S3 gateway endpoint information
Generate the Ozone S3 secret key and Ozone access key.
SSH to the Cloudera Manager host and run
klist. You can find the hostname
on Cloudera Manager > Environments under Cloudera Manager.
Skip this step if you see Kerberos ticket information. Otherwise,
run the following command with the configured keytab.
# kinit -kt /cdep/keytabs/om.keytab om
Run klist to check that a Kerberos ticket has been granted.
[root@cml-pvc-oldap-1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: om@CDSW-INT.CLOUDERA.COM

Valid starting       Expires              Service principal
05/25/2022 14:32:13  05/26/2022 14:32:13  krbtgt/CDSW-INT.CLOUDERA.COM@CDSW-INT.CLOUDERA.COM
        renew until 06/02/2022 14:32:13
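The klist and kinit steps above can be scripted so that the keytab is used only when no valid ticket is cached. The following is an added example, not part of the Cloudera documentation; the function names are hypothetical, and the keytab permission check and the principal comparison are additions assumed here, not steps from this page.

```shell
#!/bin/sh
# Added example: wraps the klist / kinit steps from this page.
# Function names are hypothetical; the permission and principal checks are assumptions.

# keytab_is_private FILE: succeed only if FILE exists and grants
# no permissions to group or other (a keytab holds long-term keys).
keytab_is_private() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c5-10)   # group and other permission bits
    [ "$mode" = "------" ]
}

# default_principal: read klist output on stdin and print the
# value of its "Default principal:" line.
default_principal() {
    sed -n 's/^Default principal: *//p'
}

# ensure_ticket KEYTAB PRINCIPAL: reuse a valid cached ticket for
# PRINCIPAL, otherwise obtain one from KEYTAB and verify it.
ensure_ticket() {
    keytab=$1 principal=$2
    # klist -s prints nothing; exit status 0 means a readable, unexpired cache.
    if klist -s 2>/dev/null; then
        current=$(klist | default_principal)
        case $current in
            "$principal"@*) echo "reusing ticket for $current"; return 0 ;;
        esac
        echo "ticket cache holds $current, not $principal" >&2
    fi
    keytab_is_private "$keytab" || {
        echo "refusing $keytab: missing, or accessible to group/other" >&2
        return 1
    }
    kinit -kt "$keytab" "$principal" || return 1
    klist -s   # confirm the new ticket is usable
}

# Usage with the values shown on this page:
#   ensure_ticket /cdep/keytabs/om.keytab om
```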
Run this command to get the Ozone S3 secret key (awsSecret) and the
Ozone access key (awsAccessKey).