Red Hat OpenShift AI Engineering: RHOAIENG-4938

The custom CA certificate bundle isn't grabbed by default in workbench

    • Release Notes
    • RHOAISTRAT-60 - Support for Self-Signed Certificates in RHOAI deployments
      There are two bundle options to include self-signed certificates in OpenShift AI, `ca-bundle.crt` and `odh-ca-bundle.crt`. Self-signed certificates should apply to workbenches that you create after configuring self-signed certificates centrally. Workbenches do not use the self-signed certificates from the centrally configured bundle automatically.

      Workaround::
      After configuring self-signed certificates centrally, they apply to any new workbenches and are available at `/etc/pki/tls/certs/` with the `custom` prefix. You can force the tools in your workbench to use these certificates by setting a known environment variable that points to your certificate path.

      * If you used `ca-bundle.crt` when you configured certificates centrally, your path is `/etc/pki/tls/certs/custom-ca-bundle.crt`.
      * If you used `odh-ca-bundle.crt` when you configured certificates centrally, your path is `/etc/pki/tls/certs/custom-odh-ca-bundle.crt`.

      Set a known environment variable:
      . From the {productname-short} dashboard, go to *Data Science Projects* and select the name of the project containing your workbench.
      . In the *Workbenches* section, click the action menu (⋮) beside the workbench that you want to update, and click *Edit workbench*.
      . Click the *Environment variables* tab.
      . Click *Add variable*.
      . From the *Select environment variable type* dropdown list, select *ConfigMap*.
      . In the *Key* field, enter `SSL_CERT_FILE`.
      . In the *Value* field, enter the path to your certificate file. For example, `/etc/pki/tls/certs/custom-ca-bundle.crt`.
      . Click *Update workbench*.

      For more information, see link:https://access.redhat.com/solutions/7046285[How to execute a pipeline from a Jupyter notebook in a disconnected environment].
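As an added example (not from this issue or the RHOAI project), the following shell helpers locate the mounted custom bundle described above, sanity-check it, and emit the environment variables that make common workbench tools trust it. The directory and file names are those from the workaround; the preference for `custom-ca-bundle.crt` and the extra variable names beyond `SSL_CERT_FILE` (`CURL_CA_BUNDLE`, `REQUESTS_CA_BUNDLE`, `PIP_CERT`, `GIT_SSL_CAINFO`) are assumptions made here.

```shell
#!/usr/bin/env sh
# Added example (not from the issue or the RHOAI project): helpers a workbench
# user can source to find the centrally mounted custom CA bundle and point the
# usual TLS-verifying tools at it. Which file is preferred is an assumption.

# resolve_custom_bundle DIR: print the first mounted custom bundle in DIR that
# is a non-empty regular file; return 1 if none is mounted (what a workbench
# created before central configuration would show).
resolve_custom_bundle() {
  dir=$1
  for name in custom-ca-bundle.crt custom-odh-ca-bundle.crt; do
    if [ -s "$dir/$name" ]; then
      printf '%s\n' "$dir/$name"
      return 0
    fi
  done
  return 1
}

# count_pem_certs FILE: number of PEM certificate blocks in the bundle, a quick
# check that the mount holds certificates rather than an empty ConfigMap.
# (grep exits 1 when it prints 0, so callers compare the output, not the status.)
count_pem_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# export_ca_env FILE: print export statements for the variables read by
# OpenSSL-linked tools (SSL_CERT_FILE, the one the workaround sets), curl,
# python-requests, pip and git. Apply with: eval "$(export_ca_env "$bundle")"
export_ca_env() {
  for var in SSL_CERT_FILE CURL_CA_BUNDLE REQUESTS_CA_BUNDLE PIP_CERT GIT_SSL_CAINFO; do
    printf "export %s='%s'\n" "$var" "$1"
  done
}

# check_ssl_cert_file: succeed only if SSL_CERT_FILE is set and readable, i.e.
# the dashboard environment-variable step of the workaround took effect.
check_ssl_cert_file() {
  [ -n "${SSL_CERT_FILE:-}" ] && [ -r "$SSL_CERT_FILE" ]
}

# Typical use in a workbench terminal (silent when no custom bundle is mounted):
if bundle=$(resolve_custom_bundle /etc/pki/tls/certs); then
  echo "custom bundle: $bundle ($(count_pem_certs "$bundle") certificate(s))"
  eval "$(export_ca_env "$bundle")"
fi
```

Run `check_ssl_cert_file && echo ok` in a new terminal of the updated workbench to confirm the variable set through the dashboard is visible to the shell.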
    • Known Issue
    • Done
    • RHOAI IDE 2.9-extended, RHOAI IDE - Ankara
    • Testable

With the current RHOAI 2.8RC1 build, it is supposed to be possible to define a custom certificate to be used for network communication in one place and use it everywhere for all RHOAI components. E.g. when having some internal service which uses a self-signed certificate (e.g. a local minion instance, etc.), I can configure it in one place and this is then used elsewhere for RHOAI.

Certificate definition via DSCI configuration works just fine in the case of workbenches. Also, the certificate bundle is mounted into the workbench as expected:

      (app-root) (app-root) ls -l /etc/pki/tls/certs/
      total 224
      lrwxrwxrwx. 1 root root           49 Aug 29  2023 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
      lrwxrwxrwx. 1 root root           55 Aug 29  2023 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
      -rw-r--r--. 1 root 1000720000 222082 Mar  8 16:10 custom-ca-bundle.crt
      -rw-r--r--. 1 root 1000720000   1119 Mar  8 16:10 custom-odh-ca-bundle.crt
      

But the problem is that since it's not on the standard system path from which the tooling reads CA certs, this bundle is simply ignored by all the tooling unless we override the default setting of the tool. For example, for the curl command we need to use the `--cacert` flag pointing to `/etc/pki/tls/certs/custom-odh-ca-bundle.crt` to be able to connect to the peer over HTTPS with a self-signed certificate.

In general, this means that for the regular user, there is not much change in behavior in the current situation (to overcome problems with connections to peers with self-signed certs) compared to what was there before this release.

            hnalla Harshad Reddy Nalla
            jstourac@redhat.com Jan Stourac
            Jiri Daněk Jiri Daněk
            RHOAI IDE