No wildcard DNS/TLS setup
This guide documents the required entries that must be present in DNS and TLS certificates when not using wildcards. This is meant to reflect customer setups where wildcard DNS and TLS are not allowed.
Only the Control Plane and Cloudera Data Warehouse (CDW) support this workflow currently. All entries specified in the Control Plane and CDW sections must be present in DNS and the Ingress controller TLS certificate.
Entries required by Control Plane
For example, if your console URL is "console-cdp.apps.cloudera.com", then the APPDOMAIN is "cloudera.com".
Entries required by CDW
For example, if your console URL is "console-cdp.apps.cloudera.com", then the APPDOMAIN is "cloudera.com".Let VWHNAME be the name of the CDW Virtual Warehouse. This must match the name the user provides when creating a new Virtual Warehouse (VW).
Adding DNS entries
For each entry in the certificate, create an 'A' record pointing to the IP address of the host running the ECS Ingress Controller (should be the same host running the ECS server role). When creating additional virtual warehouses, create additional DNS entries.
Adding TLS certificate entries
You must construct a single TLS certificate with all of the entries as SubjectAltName (SAN) fields. This certificate and corresponding private key (in PEM format) must be placed on the Cloudera Manager server host, and the paths to those files must be specified in the Ingress Controller TLS certificate and private key configurations when creating the ECS cluster.
When creating additional virtual warehouses, you must sign a new certificate with all existing SANs plus the SANs for the new virtual warehouse. Place the new certificate on the Cloudera Manager server host (overwriting the old one if desired), and set the Ingress Controller TLS certificate and private key configurations in the ECS service to the new file paths (if required). Then run the Cloudera Manager command to rotate the Ingress Controller TLS certificate.