Cloudera Docs

Updating custom certificates

In a CDP Private Cloud deployment configured with an external vault, the CDP Management services such as Custom Ingress and Custom Kubernetes API authenticate to the vault with the help of the ServiceAccount's JSON Web Token (JWT) attached to the Kubernetes pod on which the services are running. The vault service validates the JWTs using the Kubernetes TokenReview API, and verifies the existence of the services. However, if the external service dependency being updated uses an entirely new CA certificate that CDP Private Cloud Data Services is not currently configured to trust, then that CA certificate should be updated in CDP Private Cloud Data Services first, then the certificate of the service dependency can be updated.

You must have updated the certificates for the services by using the Miscellaneous certificate type option mentioned in Updating TLS certificates.
Enter the following cURL statement to authenticate to the vault. 
$ curl \ 
      --header "X-Vault-Token: <VAULT_TOKEN>" \
      --request POST \
      --data @payload.json \ 
      http://<VAULT_URL>/v1/auth/<KUBERNETES_PATH>/config
Here:
  • <VAULT_TOKEN>: The privileged authorization token with write permissions on the vault.
  • <KUBERNETES_PATH>: The path on which the Kubernetes login credentials information is mounted on the vault service. You can find this information specified as the value of the VAULT_AUTH_PATH property in the vault configmap. Ensure that this value follows the following naming convention: cloudera-<PROJECT_NAME>-<K8s-host> with the dot (.) replaced by an underscore (_).
  • <VAULT_URL>: The URL of the vault service.
The payload.json contains the following information:
  • kubernetes_host: The URL to access the Kubernetes API server from the vault service.
  • token_reviewer_jwt: The JWT of the Kubernetes service account that the vault service uses to validate authentication requests from the Management Console services. The CDP Private Cloud installer creates a dedicated service named vault-auth for reviewing the requests.
  • kubernetes_ca_cert: The CA certificate of the Kubernetes API server with newline characters replaced with '\n'.
The following example shows the contents of payload.json:
{
  "kubernetes_host": "https://api.examplehost.com:1111",
  "token_reviewer_jwt": "-----BEGIN CERTIFICATE-----\n.......\n-----END CERTIFICATE-----",
  "kubernetes_ca_cert": "-----BEGIN CERTIFICATE-----\n.......\n-----END CERTIFICATE-----"
}
For more information, see the vault documentation.