You can use a custom-signed CA certificate to establish a secure connection between Software Hub and services for watsonx.data ingestion.
watsonx.data on IBM Software Hub
The pods are injected with a secret mount (cpd-custom-ca-certs) that contains the CA certificate, and with environment variables that point to the mount path. The CA certificate is merged with the built-in CA certificate and injected into the pods.
Procedure
- Connect to the external object store over https.
- Install the Software Hub configuration admission controller for the Software Hub namespace by using the manage install-cpd-config-ac command.
cpd-cli manage install-cpd-config-ac \
--cpd_instance_ns=<project-name> \
[--cpd_config_ac_image=<image-location-and-name>] \
[--preview=true|false] \
[-v][-vv][-vvv]
For more information, see manage install-cpd-config-ac.
- Enable the Software Hub configuration admission controller in the specified namespace and in any tethered namespaces by using the manage enable-cpd-config-ac command.
cpd-cli manage enable-cpd-config-ac \
--cpd_instance_ns=<project-name> \
[-v][-vv][-vvv]
For more information, see manage enable-cpd-config-ac.
- Run the oc CLI command to create the cpd-custom-ca-certs secret. Include a --from-file entry for each certificate that you want to include in the secret. For example:
oc create secret generic cpd-custom-ca-certs \
--namespace=${PROJECT_CPD_INST_OPERANDS} \
--from-file=<file-name-1>.crt=<fully-qualified-cert-file-name-1> \
--from-file=<file-name-2>.crt=<fully-qualified-cert-file-name-2>
- Update the cpd-custom-ca-certs secret with the contents of the custom certificates.
cpd-cli manage gen-platform-ca-certs \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
--apply=true
Important: Injecting the secret into the pods might take some time. Complete this action
during a maintenance window or before you give users access to this instance of Software Hub.
However, services cannot use the certificates in the secret until you inject the secret into the
Software Hub pods.
- To verify that the secrets are injected successfully, run the manage list-platform-ca-certs-pods command.
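
Before running the oc create secret step above, it helps to confirm that every file you pass with --from-file is a parseable PEM CA certificate that is not about to expire, because a bad file ends up in the trust bundle of every pod. The following is an added example, not IBM's own tooling: the function names check_ca_cert and build_from_file_args and the 30-day threshold are assumptions, and it requires the openssl CLI.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks for files destined for the
# cpd-custom-ca-certs secret. Helper names are hypothetical.

# Return 0 only if $1 is a PEM X.509 certificate that is marked as a CA
# and remains valid for at least $2 more days (default 30, an assumption).
# Only the first certificate in a multi-certificate file is inspected.
check_ca_cert() {
  local file=$1 min_days=${2:-30}
  command -v openssl >/dev/null 2>&1 \
    || { echo "openssl not found" >&2; return 1; }
  [ -r "$file" ] || { echo "unreadable: $file" >&2; return 1; }
  # A parse failure covers DER input, private keys and truncated PEM.
  openssl x509 -in "$file" -noout 2>/dev/null \
    || { echo "not a PEM certificate: $file" >&2; return 1; }
  # The secret is meant to hold CA certificates, so reject leaf certificates.
  openssl x509 -in "$file" -noout -text 2>/dev/null | grep -q 'CA:TRUE' \
    || { echo "not a CA certificate: $file" >&2; return 1; }
  # -checkend exits non-zero if the certificate expires within N seconds.
  openssl x509 -in "$file" -noout -checkend $((min_days * 86400)) \
    >/dev/null 2>&1 \
    || { echo "expires within ${min_days} days: $file" >&2; return 1; }
}

# Print one --from-file=<name>.crt=<absolute path> argument per valid file.
# Returns non-zero if any file fails, so a bad bundle is never uploaded.
build_from_file_args() {
  local f base dir rc=0
  for f in "$@"; do
    if check_ca_cert "$f"; then
      base=$(basename "$f")
      dir=$(cd "$(dirname "$f")" && pwd)
      printf -- '--from-file=%s.crt=%s\n' "${base%.*}" "$dir/$base"
    else
      rc=1
    fi
  done
  return $rc
}

# Usage after sourcing this file (paths without whitespace assumed):
#   args=$(build_from_file_args ./corp-root.pem ./corp-issuing.pem) &&
#     oc create secret generic cpd-custom-ca-certs \
#       --namespace="${PROJECT_CPD_INST_OPERANDS}" $args
```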
What to do next
Proceed with ingesting data by using Spark.