Updating custom certificates
In a Cloudera Private Cloud deployment configured with an external vault, the Cloudera Management services such as Custom Ingress and Custom Kubernetes API authenticate to the vault with the ServiceAccount's JSON Web Token (JWT) attached to the Kubernetes pod on which the services are running.
The vault service validates these JWTs using the Kubernetes TokenReview API and verifies that the services exist. However, if the external service dependency being updated uses an entirely new CA certificate that Cloudera Data Services on premises is not currently configured to trust, that CA certificate must first be added to Cloudera Data Services on premises; only then can the certificate of the service dependency be updated.
To update the Kubernetes authentication configuration held by the vault service, post the new values to its auth config endpoint:
$ curl \
--header "X-Vault-Token: <VAULT_TOKEN>" \
--request POST \
--data @payload.json \
http://<VAULT_URL>/v1/auth/<KUBERNETES_PATH>/config
<VAULT_TOKEN>: The privileged authorization token with write permissions on the vault.
<KUBERNETES_PATH>: The path on which the Kubernetes login credentials information is mounted on the vault service. You can find this information specified as the value of the VAULT_AUTH_PATH property in the vault configmap. Ensure that this value follows the naming convention cloudera-<PROJECT_NAME>-<K8s-host>, with each dot (.) in the host replaced by an underscore (_).
<VAULT_URL>: The URL of the vault service.
payload.json contains the following information:
kubernetes_host: The URL to access the Kubernetes API server from the vault service.
token_reviewer_jwt: The JWT of the Kubernetes service account that the vault service uses to validate authentication requests from the Management Console services. The Cloudera Private Cloud installer creates a dedicated service named vault-auth for reviewing the requests.
kubernetes_ca_cert: The CA certificate of the Kubernetes API server with newline characters replaced with '\n'.
payload.json:
{
"kubernetes_host": "https://api.examplehost.com:1111",
"token_reviewer_jwt": "<TOKEN_REVIEWER_JWT>",
"kubernetes_ca_cert": "-----BEGIN CERTIFICATE-----\n.......\n-----END CERTIFICATE-----"
}
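The following script builds payload.json from the values described above and submits it to the vault auth config endpoint. It is an added example, not Cloudera's or HashiCorp Vault's own code; it assumes the reviewer JWT and the API server CA are read from the standard in-pod service-account mount (/var/run/secrets/kubernetes.io/serviceaccount), and the host, project name and token values shown in it are constructed samples. It also checks the two mistakes that most often break this step: a PEM certificate pasted where the JWT belongs, and PEM newlines not encoded as the two characters \n.

```python
"""Build and submit the Vault Kubernetes auth configuration.

Added example (not Cloudera's or Vault's code). Assumes the page's endpoint
/v1/auth/<KUBERNETES_PATH>/config and the standard in-pod service-account
mount for the reviewer token and the API server CA.
"""
import json
import re
import urllib.request

# Standard mount of a pod's service account; an assumption of this example.
SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"


def vault_auth_path(project_name, k8s_host):
    """Apply the convention cloudera-<PROJECT_NAME>-<K8s-host>,
    replacing every dot in the host with an underscore."""
    return f"cloudera-{project_name}-{k8s_host.replace('.', '_')}"


def looks_like_jwt(token):
    """A JWT is three base64url segments joined by dots; a PEM block is not."""
    pattern = r"[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*"
    return re.fullmatch(pattern, token.strip()) is not None


def build_payload(kubernetes_host, token_reviewer_jwt, kubernetes_ca_cert_pem):
    """Return the JSON body for the config call as a string.

    json.dumps encodes the real newlines inside the PEM as the two-character
    sequence \\n, which is exactly what kubernetes_ca_cert requires.
    """
    if not looks_like_jwt(token_reviewer_jwt):
        raise ValueError("token_reviewer_jwt is not a JWT (a certificate was pasted?)")
    if "-----BEGIN CERTIFICATE-----" not in kubernetes_ca_cert_pem:
        raise ValueError("kubernetes_ca_cert must be a PEM-encoded certificate")
    return json.dumps(
        {
            "kubernetes_host": kubernetes_host,
            "token_reviewer_jwt": token_reviewer_jwt.strip(),
            "kubernetes_ca_cert": kubernetes_ca_cert_pem.strip(),
        },
        indent=2,
    )


def read_pod_credentials(sa_dir=SA_DIR):
    """Read the reviewer JWT and the API server CA from the pod mount."""
    with open(f"{sa_dir}/token") as f:
        jwt = f.read()
    with open(f"{sa_dir}/ca.crt") as f:
        ca_pem = f.read()
    return jwt, ca_pem


def post_config(vault_url, vault_token, kubernetes_path, payload):
    """POST the payload with the privileged token; never log the token or JWT."""
    req = urllib.request.Request(
        f"{vault_url}/v1/auth/{kubernetes_path}/config",
        data=payload.encode(),
        method="POST",
        headers={"X-Vault-Token": vault_token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status  # Vault answers 204 No Content on a successful write


if __name__ == "__main__":
    # Constructed sample values; on a real pod use read_pod_credentials().
    sample_jwt = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ2YXVsdC1hdXRoIn0.c2lnbmF0dXJl"
    sample_ca = "-----BEGIN CERTIFICATE-----\nMIIBsample\n-----END CERTIFICATE-----\n"
    print("auth path:", vault_auth_path("myproject", "api.examplehost.com"))
    print(build_payload("https://api.examplehost.com:1111", sample_jwt, sample_ca))
```

Run it on the pod with read_pod_credentials() and pass the result to post_config() together with the values of VAULT_AUTH_PATH and the vault URL from the configmap. build_payload refuses a PEM block in the JWT field, which otherwise fails later with an unhelpful TokenReview error.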