
No wildcard DNS/TLS setup

This guide documents the required entries that must be present in DNS and TLS certificates when not using wildcards. This is meant to reflect customer setups where wildcard DNS and TLS are not allowed.

Only the Control Plane and Cloudera Data Warehouse support this workflow currently. All entries specified in the Control Plane and Cloudera Data Warehouse sections must be present in DNS and the Ingress controller TLS certificate.

Control Plane
Let APPDOMAIN be the base app domain for the Cloudera Embedded Container Service cluster, not including the ".apps" subdomain.
For example, if your console URL is "console-cdp.apps.cloudera.com", then the APPDOMAIN is "cloudera.com".
OpenShift Container Platform:
  • console-<namespace>.apps.APPDOMAIN
  • validation-<namespace>.apps.APPDOMAIN
Cloudera Embedded Container Service:
  • console-cdp.apps.APPDOMAIN
  • prometheus-cp.apps.APPDOMAIN
  • infra-prometheus.apps.APPDOMAIN
  • validation-cdp.apps.APPDOMAIN
  • kube-dashboard.apps.APPDOMAIN
  • longhorn.apps.APPDOMAIN
  • fluent-console-cdp.apps.APPDOMAIN
Cloudera Data Warehouse
Let APPDOMAIN be the base app domain for the Cloudera Embedded Container Service cluster, not including the ".apps" subdomain.
For example, if your console URL is "console-cdp.apps.cloudera.com", then the APPDOMAIN is "cloudera.com".
Let VWHNAME be the name of the Cloudera Data Warehouse Virtual Warehouse. This must match the name the user provides when creating a new Virtual Warehouse (VW).
Endpoints of Hive VW:
  • hue-VWHNAME.apps.APPDOMAIN
  • hs2-VWHNAME.apps.APPDOMAIN
Endpoints of Impala VW:
  • hue-VWHNAME.apps.APPDOMAIN
  • coordinator-VWHNAME.apps.APPDOMAIN
  • admissiond-web-VWHNAME.apps.APPDOMAIN
  • catalogd-web-VWHNAME.apps.APPDOMAIN
  • coordinator-web-VWHNAME.apps.APPDOMAIN
  • statestored-web-VWHNAME.apps.APPDOMAIN
  • impala-proxy-VWHNAME.apps.APPDOMAIN
  • impala-autoscaler-web-VWHNAME.apps.APPDOMAIN
Endpoints of Viz:
  • viz-VWHNAME.apps.APPDOMAIN

For each entry in the certificate, create an 'A' record pointing to the IP address of the host running the Cloudera Embedded Container Service Ingress Controller (should be the same host running the Cloudera Embedded Container Service server role). When creating additional virtual warehouses, create additional DNS entries.

You must construct a single TLS certificate with all of the entries as SubjectAltName (SAN) fields. This certificate and corresponding private key (in PEM format) must be placed on the Cloudera Manager server host, and the paths to those files must be specified in the Ingress Controller TLS certificate and private key configurations when creating the Cloudera Embedded Container Service cluster.

When creating additional virtual warehouses, you must sign a new certificate with all existing SANs plus the SANs for the new virtual warehouse. Place the new certificate on the Cloudera Manager server host (overwriting the old one if desired), and set the Ingress Controller TLS certificate and private key configurations in the Cloudera Embedded Container Service service to the new file paths (if required). Then run the Cloudera Manager command to rotate the Ingress Controller TLS certificate.
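The following script is an added example, not Cloudera's own tooling: it generates the full non-wildcard SAN list for a Cloudera Embedded Container Service cluster from the entries above, renders it as an OpenSSL request config, and reports any hostnames a given PEM certificate is missing (useful before rotating the Ingress certificate for a new Virtual Warehouse). The APPDOMAIN and Virtual Warehouse names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Cloudera's code); APPDOMAIN and VW names are placeholders.
# Control Plane entries for Cloudera Embedded Container Service; $1 = APPDOMAIN.
cp_hosts() {
  for h in console-cdp prometheus-cp infra-prometheus validation-cdp \
           kube-dashboard longhorn fluent-console-cdp; do
    printf '%s.apps.%s\n' "$h" "$1"
  done
}

# Virtual Warehouse entries; $1 = APPDOMAIN, $2 = VWHNAME, $3 = hive|impala|viz.
vw_hosts() {
  case "$3" in
    hive)   prefixes='hue hs2' ;;
    impala) prefixes='hue coordinator admissiond-web catalogd-web coordinator-web
                      statestored-web impala-proxy impala-autoscaler-web' ;;
    viz)    prefixes='viz' ;;
    *)      echo "unknown VW type: $3" >&2; return 1 ;;
  esac
  for p in $prefixes; do printf '%s-%s.apps.%s\n' "$p" "$2" "$1"; done
}

# Every SAN the Ingress certificate needs: $1 = APPDOMAIN, then VWHNAME:type args.
all_hosts() {
  dom=$1; shift
  cp_hosts "$dom"
  for spec in "$@"; do vw_hosts "$dom" "${spec%%:*}" "${spec#*:}" || return 1; done
}

# Render a hostname list (stdin) as an openssl req config with one DNS SAN per host:
#   openssl req -new -key ingress.key -subj '/CN=console-cdp.apps.APPDOMAIN' \
#     -reqexts san -config san.cnf
san_config() {
  printf '[req]\nprompt=no\ndistinguished_name=dn\nreq_extensions=san\n[dn]\n'
  printf '[san]\nsubjectAltName=@alt\n[alt]\n'
  i=0
  while read -r h; do i=$((i + 1)); printf 'DNS.%d=%s\n' "$i" "$h"; done
}

# List hostnames (stdin) absent from a certificate's SANs; $1 = cert PEM (needs openssl).
missing_sans() {
  sans=$(openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' |
         tail -n 1 | tr ',' '\n' | sed 's/^ *DNS://')
  rc=0
  while read -r h; do
    printf '%s\n' "$sans" | grep -qx "$h" || { echo "missing SAN: $h"; rc=1; }
  done
  return "$rc"
}
```

For example, `all_hosts example.com vwh1:hive vwh2:impala | san_config > san.cnf` produces the config for a cluster with one Hive and one Impala Virtual Warehouse, and `all_hosts example.com vwh1:hive vwh2:impala vwh3:impala | missing_sans ingress.crt` shows which entries a third warehouse adds before you sign the replacement certificate.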