-
Story
-
Resolution: Done
-
Normal
-
None
-
3
-
False
-
-
False
-
RHOAISTRAT-60 - Support for Self-Signed Certificates in RHOAI deployments
-
No
-
-
-
RHOAI DSP 2.7, RHOAI DSP 2.8, RHOAI DSP 2.9
Similar to how we did this in dsp, v2 will require the ability to mount a provided CA bundle to pipeline pods.
For example, when dsp-launcher runs, it will connect to s3, it should have the bundle.
Considerations, the dsp-launcher pod is the executor pod which uses the user provided image, how can we know where to mount the bundle?
Implementation suggestion:
End goal: we need dsp launcher to have the ca-bundle mounted at a specified path the path needs to be one that we can specify from the dsp api server. We will re-use the env here. We want this to trickle down and be mounted at this path in the launcher.
How do we accomplish this? Well, the way api server can pass this info into the launcher is via the driver. The driver is what will create the pod spec for the kfp-launcher. We can probably mount it there. The API Server will create the driver pod (depending on the drivertype specified, either container/dag/rootdag).
Option 1:
I believe you'll need to pass them in the following locations as env vars:
Then retrieve them in the driver and mount them when driver creates the podspecpatch
Option 2:
You can have the driver read these from kfp-launcher configmap, store it in mlmd, then have the launcher read it. Similar to how we read the s3 bucket session info here.
- is cloned by
-
RHOAIENG-3780 Parameterize the ca bundle path in dspa
- Resolved
- is related to
-
RHOAISTRAT-28 Support for product capabilities in a disconnected environment
- In Progress
- links to
- mentioned on