No wildcard DNS/TLS setup

This guide documents the required entries that must be present in DNS and TLS certificates when not using wildcards. This is meant to reflect customer setups where wildcard DNS and TLS are not allowed.

Only the Control Plane and Cloudera Data Warehouse (CDW) support this workflow currently. All entries specified in the Control Plane and CDW sections must be present in DNS and the Ingress controller TLS certificate.

Entries required by Control Plane

Let APPDOMAIN be the base app domain for the ECS cluster, not including the ".apps" subdomain.
For example, if your console URL is "console-cdp.apps.cloudera.com", then the APPDOMAIN is "cloudera.com".
OpenShift Container Platform (OCP):
  • console-<namespace>.apps.APPDOMAIN
  • validation-<namespace>.apps.APPDOMAIN
Embedded Container Service (ECS):
  • console-cdp.apps.APPDOMAIN
  • prometheus-cp.apps.APPDOMAIN
  • infra-prometheus.apps.APPDOMAIN
  • validation-cdp.apps.APPDOMAIN
  • kube-dashboard.apps.APPDOMAIN
  • longhorn.apps.APPDOMAIN
  • fluent-console-cdp.apps.APPDOMAIN

Entries required by CDW

Let APPDOMAIN be the base app domain for the ECS cluster.
For example, if your console URL is "console-cdp.apps.cloudera.com", then the APPDOMAIN is "cloudera.com".
Let VWHNAME be the name of the CDW Virtual Warehouse. This must match the name the user provides when creating a new Virtual Warehouse (VW).
Endpoints of Hive VW:
  • hue-VWHNAME.apps.APPDOMAIN
  • hs2-VWHNAME.apps.APPDOMAIN
Endpoints of Impala VW:
  • hue-VWHNAME.apps.APPDOMAIN
  • coordinator-VWHNAME.apps.APPDOMAIN
  • admissiond-web-VWHNAME.apps.APPDOMAIN
  • catalogd-web-VWHNAME.apps.APPDOMAIN
  • coordinator-web-VWHNAME.apps.APPDOMAIN
  • statestored-web-VWHNAME.apps.APPDOMAIN
  • impala-proxy-VWHNAME.apps.APPDOMAIN
  • impala-autoscaler-web-VWHNAME.apps.APPDOMAIN
Endpoints of Viz:
  • viz-VWHNAME.apps.APPDOMAIN

Adding DNS entries

For each entry in the certificate, create an 'A' record pointing to the IP address of the host running the ECS Ingress Controller (this should be the same host that runs the ECS server role). When you create additional virtual warehouses, create the DNS entries for them as well.

Adding TLS certificate entries

You must construct a single TLS certificate with all of the entries as SubjectAltName (SAN) fields. This certificate and corresponding private key (in PEM format) must be placed on the Cloudera Manager server host, and the paths to those files must be specified in the Ingress Controller TLS certificate and private key configurations when creating the ECS cluster.

When creating additional virtual warehouses, you must sign a new certificate with all existing SANs plus the SANs for the new virtual warehouse. Place the new certificate on the Cloudera Manager server host (overwriting the old one if desired), and set the Ingress Controller TLS certificate and private key configurations in the ECS service to the new file paths (if required). Then run the Cloudera Manager command to rotate the Ingress Controller TLS certificate.
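The hostname lists above can be generated and checked against a certificate with a short script. This is an added example, not part of the original guide or any Cloudera tooling; it covers the ECS Control Plane entries only. The function names, the "type:VWHNAME" argument form and the file names are assumptions, and the -ext and -addext options need OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example. APPDOMAIN, VWHNAME and the hostname prefixes come from the
# guide; function names and the "type:VWHNAME" argument form are assumptions.

# Print every hostname an ECS cluster needs, one per line.
# $1 = APPDOMAIN; remaining args = hive:NAME, impala:NAME or viz:NAME
required_sans() {
    appdomain=$1; shift
    for p in console-cdp prometheus-cp infra-prometheus validation-cdp \
             kube-dashboard longhorn fluent-console-cdp; do
        echo "$p.apps.$appdomain"
    done
    for vw in "$@"; do
        kind=${vw%%:*}; name=${vw#*:}
        case $kind in
            hive)   prefixes="hue hs2" ;;
            impala) prefixes="hue coordinator admissiond-web catalogd-web
                              coordinator-web statestored-web impala-proxy
                              impala-autoscaler-web" ;;
            viz)    prefixes="viz" ;;
            *) echo "unknown VW type: $kind" >&2; return 1 ;;
        esac
        for p in $prefixes; do
            echo "$p-$name.apps.$appdomain"
        done
    done
}

# Build the subjectAltName value for a CSR, for example (placeholder files):
#   openssl req -new -key ingress.key -subj "/CN=console-cdp.apps.example.com" \
#       -addext "$(san_ext example.com hive:sales)" -out ingress.csr
san_ext() {
    names=$(required_sans "$@") || return 1
    printf 'subjectAltName=%s\n' \
        "$(printf '%s\n' "$names" | sort -u | sed 's/^/DNS:/' | paste -sd, -)"
}

# List required names that are absent from a certificate's SANs.
# $1 = PEM certificate path; remaining args as for required_sans
missing_sans() {
    cert=$1; shift
    names=$(required_sans "$@") || return 1
    have=$(openssl x509 -in "$cert" -noout -ext subjectAltName |
           tr ',' '\n' | sed -n 's/^ *DNS://p')
    printf '%s\n' "$names" | while read -r n; do
        printf '%s\n' "$have" | grep -qxF "$n" || echo "$n"
    done
}
```

Running missing_sans against the newly signed certificate before rotating it shows whether a virtual warehouse was left out; empty output means every required name is present.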