Using a certification authority (CA) certificate of external object storage for ingestion

You can use a custom-signed CA certificate to establish a secure connection between Software Hub and services for watsonx.data ingestion.

watsonx.data on IBM Software Hub

The pods are injected with a secret mount (cpd-custom-ca-certs) that contains the CA certificate, along with environment variables that point to the mount path. The CA certificate is merged with the built-in CA certificate and injected into the pods.

Procedure

  1. Connect to the external object store over HTTPS.
  2. Install the Software Hub configuration admission controller for the Software Hub namespace by using the manage install-cpd-config-ac command.
    cpd-cli manage install-cpd-config-ac \
    --cpd_instance_ns=<project-name> \
    [--cpd_config_ac_image=<image-location-and-name>] \
    [--preview=true|false] \
    [-v][-vv][-vvv]
    For more information, see manage install-cpd-config-ac.
  3. Enable the Software Hub configuration admission controller in the specified namespace and other tethered namespaces (if any) using the manage enable-cpd-config-ac command.
    cpd-cli manage enable-cpd-config-ac \
    --cpd_instance_ns=<project-name> \
    [-v][-vv][-vvv]
    For more information, see manage enable-cpd-config-ac.
  4. Run the oc CLI command to create the cpd-custom-ca-certs secret. Include a --from-file entry for each certificate that you want to include in the secret. For example:
    oc create secret generic cpd-custom-ca-certs \
    --namespace=${PROJECT_CPD_INST_OPERANDS} \
    --from-file=<file-name-1>.crt=<fully-qualified-cert-file-name-1> \
    --from-file=<file-name-2>.crt=<fully-qualified-cert-file-name-2>
  5. Update the cpd-custom-ca-certs secret with the contents of custom certificates.
    cpd-cli manage gen-platform-ca-certs \
    --cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
    --apply=true
    Important: Injecting the secret into the pods might take some time. Complete this action during a maintenance window or before you give users access to this instance of Software Hub. However, services cannot use the certificates in the secret until you inject the secret into the Software Hub pods.
  6. To verify that the secrets are injected successfully, run the manage list-platform-ca-certs-pods command.
    cpd-cli manage list-platform-ca-certs-pods \
    --cpd_instance_ns=<project-name>
    For more information, see manage list-platform-ca-certs-pods.
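
The following pre-flight check for step 4 is an added example, not part of the original procedure or of the oc or cpd-cli tooling. It rejects files that carry private key material or an incomplete PEM block, then prints the matching oc create secret command. The function name build_ca_secret_cmd and the sample file are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: validate CA files before they go into cpd-custom-ca-certs.
# build_ca_secret_cmd is a hypothetical helper, not part of oc or cpd-cli.
build_ca_secret_cmd() {
  local f key begins ends seen=" " args=""
  [ "$#" -gt 0 ] || { echo "no certificate files given" >&2; return 2; }
  for f in "$@"; do
    [ -r "$f" ] || { echo "$f: not readable" >&2; return 1; }
    case "$f" in
      *[[:space:]]*) echo "$f: path contains whitespace" >&2; return 1 ;;
    esac
    # A CA bundle mounted into every pod must never carry private keys.
    if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f"; then
      echo "$f: contains a private key" >&2; return 1
    fi
    # Every BEGIN marker needs its END marker, and at least one must exist.
    begins=$(grep -c -- '^-----BEGIN CERTIFICATE-----' "$f" || true)
    ends=$(grep -c -- '^-----END CERTIFICATE-----' "$f" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
      echo "$f: not a complete PEM certificate" >&2; return 1
    fi
    # Secret key = file base name with the .crt suffix used in step 4.
    key=$(basename "$f"); key="${key%.*}.crt"
    case "$seen" in
      *" $key "*) echo "$f: duplicate secret key $key" >&2; return 1 ;;
    esac
    seen="$seen$key "
    args="$args --from-file=$key=$f"
  done
  # Print the command for review instead of running it.
  printf 'oc create secret generic cpd-custom-ca-certs --namespace=${PROJECT_CPD_INST_OPERANDS}%s\n' "$args"
}

# Constructed sample input (placeholder body, not a real certificate).
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
  '-----END CERTIFICATE-----' > "$demo_dir/objstore-ca.pem"
build_ca_secret_cmd "$demo_dir/objstore-ca.pem"
```

The check is structural only. Running openssl x509 -in <file> -noout -subject -enddate on each file confirms that it parses and shows its expiry date.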

What to do next

Proceed with ingesting data by using Spark.