IBM Cloud Pak® for Data version 4.6 reaches end of support (EOS) on 31 July 2025. For more information, see the discontinuance of service announcement for IBM Cloud Pak for Data version 4.X.
Upgrade to IBM Software Hub version 5.1 before IBM Cloud Pak for Data version 4.6 reaches end of support. For more information, see Upgrading IBM Software Hub in the IBM Software Hub version 5.1 documentation.
Adding self-signed certificates in Analytics Engine Powered by Apache Spark
You can add your own self-signed certificates, or CA certificates that your organization owns, to the Spark truststore. Add a certificate when Spark runtimes must establish secure (TLS) connections to your resources, such as web servers, IBM Cloud Object Storage, and databases.
You must be a project administrator to add self-signed certificates to the Spark truststore.
To add self-signed certificates:

1. Fetch the internal certificates. Run the following commands to copy the internal CA certificate and TLS certificate of the instance to local files:

    oc get secret internal-tls -n ${PROJECT_CPD_INSTANCE} -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt
    oc get secret internal-tls -n ${PROJECT_CPD_INSTANCE} -o jsonpath='{.data.tls\.crt}' | base64 -d > tls.crt

2. Append the certificates that you want to trust to the local ca.crt file. This is the file that Spark notebooks and Spark applications use to establish secure connections to your endpoints. For example, if the certificate of the external endpoint is in ext.crt, append it to ca.crt as follows:

    cat ext.crt >> ca.crt

Make sure that the new ca.crt contains one PEM block after another, each with its own BEGIN and END line:

    -----BEGIN CERTIFICATE-----
    ... existing cert ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ... external endpoint cert ...
    -----END CERTIFICATE-----

Every certificate in this bundle is trusted by all Spark runtimes in the instance, so verify the fingerprint of each certificate that you append with the endpoint owner before you add it.

3. Create a Kubernetes secret. When ca.crt is ready, create a secret in the OpenShift project where the service is installed. This example creates a secret named new-certificates-chain that holds both files:

    # create secret with new certificate chain
    oc create secret generic new-certificates-chain --from-file=ca.crt --from-file=tls.crt -n ${PROJECT_CPD_INSTANCE}

The command returns secret/new-certificates-chain created.

4. Determine the image name that must be set in the job configuration for pod creation:

    # Find the image to be used for the pod creation
    oc get deploy spark-hb-create-trust-store -o jsonpath="{..image}" -n ${PROJECT_CPD_INSTANCE}

The command returns something like:

    cp.icr.io/cp/cpd/spark-hb-truststore-util@sha256:bb1ac4bba2a201995f07de7995d1055cd571a865b60bc7fad8cbb7879f41150d

5. Create a Kubernetes pod to update the certificates. Run the following command to deploy a pod that updates the truststore used by the Analytics Engine Powered by Apache Spark service. Before you run it, replace both occurrences of REPLACE_WITH_IMAGE (the --image argument and the "image" field inside --overrides) with the image name returned in the previous step; the --overrides JSON is enclosed in single quotes, so the shell does not expand $REPLACE_WITH_IMAGE inside it.

    # replace REPLACE_WITH_IMAGE with image name
    oc run spark-hb-update-certificates -n ${PROJECT_CPD_INSTANCE} --image $REPLACE_WITH_IMAGE --restart OnFailure --generator=run-pod/v1 --overrides '{"apiVersion":"v1","kind":"Pod","metadata":{"name":"spark-hb-update-certificates","labels":{"app":"spark-hb-update-certificates","run":"spark-hb-update-certificates"}},"spec":{"affinity":{"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"beta.kubernetes.io/arch","operator":"In","values":["amd64"]}]}]}},"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchExpressions":[{"key":"run","operator":"In","values":["spark-hb-update-certificates"]}]},"topologyKey":"kubernetes.io/hostname"}]}},"containers":[{"args":["bash /opt/ibm/entrypoint/create-trust-store-and-secret.sh changeit spark-hb-java-trust-store spark-hb-os-trust-store /opt/hb/icp4d-certs"],"command":["/bin/sh","-c"],"image":"$REPLACE_WITH_IMAGE","imagePullPolicy":"Always","name":"spark-hb-update-certificates-container","resources":{"limits":{"cpu":"100m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":false,"runAsNonRoot":true,"runAsUser":1000320999},"volumeMounts":[{"mountPath":"/opt/hb/icp4d-certs","name":"icp4d-certs","readOnly":true},{"mountPath":"/opt/ibm/entrypoint/","name":"spark-hb-create-trust-store-secret-script"}]}],"restartPolicy":"OnFailure","serviceAccount":"zen-editor-sa","serviceAccountName":"zen-editor-sa","terminationGracePeriodSeconds":30,"volumes":[{"name":"icp4d-certs","secret":{"defaultMode":420,"secretName":"new-certificates-chain"}},{"configMap":{"defaultMode":420,"items":[{"key":"create-trust-store-and-secret.sh","path":"create-trust-store-and-secret.sh"}],"name":"spark-hb-create-trust-store-secret-script"},"name":"spark-hb-create-trust-store-secret-script"}],"tolerations":[{"effect":"NoExecute","key":"node.kubernetes.io/not-ready","operator":"Exists","tolerationSeconds":300},{"effect":"NoExecute","key":"node.kubernetes.io/unreachable","operator":"Exists","tolerationSeconds":300}]}}'

The pod runs as a non-root user with all capabilities dropped under the zen-editor-sa service account, mounts the new-certificates-chain secret read-only at /opt/hb/icp4d-certs, and runs create-trust-store-and-secret.sh from the spark-hb-create-trust-store-secret-script config map, which recreates the spark-hb-java-trust-store and spark-hb-os-trust-store secrets. Because the restart policy is OnFailure, a failed run is retried; read the log to find the cause.

6. Monitor the pod; the task takes about a minute to complete:

    oc get pod spark-hb-update-certificates

7. When the status of spark-hb-update-certificates is Running, check the logs:

    oc logs -f spark-hb-update-certificates

Example log output:

    count 3
    secret "spark-hb-java-trust-store" deleted
    exit_code : 0
    count 3
    secret "spark-hb-os-trust-store" deleted
    exit_code : 0
    count 3
    secret/spark-hb-java-trust-store created
    exit_code : 0
    count 3
    secret/spark-hb-os-trust-store created
    exit_code : 0
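The append in step 2 is where this procedure most often goes wrong, and the only symptom surfaces later, when the truststore pod cannot parse ca.crt. The following script is an added example (it is not IBM's code and not part of the procedure above) that performs the append defensively: it normalises CRLF line endings, guarantees a newline between PEM blocks, skips a certificate that is already in the bundle, and reports the certificate count so that you can confirm it increased by exactly one. The file names ca.crt and ext.crt follow the procedure; the function names are this example's own, and the certificate bodies in demo() are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example, not part of the IBM procedure: append an external endpoint
# certificate (ext.crt) to the ca.crt bundle safely before creating the
# new-certificates-chain secret. A plain "cat ext.crt >> ca.crt" fails in two
# ways that only show up when the truststore pod parses the bundle:
#   1. if ca.crt (or ext.crt) has no trailing newline, the END line of one
#      certificate and the BEGIN line of the next are glued together;
#   2. running the step twice duplicates the certificate.
# Only POSIX sh, awk, grep, tr, tail, head and mktemp are used. CRLF line
# endings (a certificate saved on Windows) are normalised on the way in.
# The certificate bodies in demo() are constructed placeholders.

# Print the Base64 body of every complete PEM certificate block in FILE,
# one body per line, so certificates compare equal regardless of line width.
pem_bodies() {
    tr -d '\r' < "$1" | awk '
        /^-----BEGIN CERTIFICATE-----$/ { open = 1; body = ""; next }
        /^-----END CERTIFICATE-----$/ {
            if (open) print body
            open = 0
            next
        }
        open { body = body $0 }
    '
}

# Number of complete BEGIN/END CERTIFICATE blocks in FILE. A glued
# "-----END CERTIFICATE----------BEGIN CERTIFICATE-----" line matches neither
# marker, so a damaged bundle counts fewer certificates than you expect.
count_pem_certs() {
    pem_bodies "$1" | awk 'END { print NR }'
}

# True when FILE is empty/missing or its last byte is a newline. $(...) strips
# a trailing newline, so an empty result means the file ends cleanly.
ends_with_newline() {
    [ ! -s "$1" ] || [ -z "$(tail -c 1 "$1")" ]
}

# True when the first certificate in EXTRA is already present in BUNDLE.
bundle_has_cert() {
    want="$(pem_bodies "$2" | head -n 1)"
    [ -n "$want" ] || return 1
    pem_bodies "$1" | grep -qxF -- "$want"
}

# append_cert_once BUNDLE EXTRA: add EXTRA's certificate to BUNDLE unless it
# is already there. Returns 0 if the certificate is present afterwards and 1
# if EXTRA contains no PEM certificate (nothing is written in that case).
append_cert_once() {
    bundle="$1"; extra="$2"
    [ "$(count_pem_certs "$extra")" -ge 1 ] || return 1
    if bundle_has_cert "$bundle" "$extra"; then
        return 0
    fi
    ends_with_newline "$bundle" || printf '\n' >> "$bundle"
    tr -d '\r' < "$extra" >> "$bundle"
    ends_with_newline "$bundle" || printf '\n' >> "$bundle"
    bundle_has_cert "$bundle" "$extra"
}

# Walk through step 2 on constructed data: a bundle holding one internal CA
# certificate and an external certificate saved without a trailing newline.
# Appending twice must still leave exactly two certificates. Prints the count.
demo() {
    dir="$(mktemp -d)"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'MIIBinternalCAplaceholder' '-----END CERTIFICATE-----' > "$dir/ca.crt"
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' \
        'MIIBexternalEndpointPlaceholder' '-----END CERTIFICATE-----' > "$dir/ext.crt"
    append_cert_once "$dir/ca.crt" "$dir/ext.crt"
    append_cert_once "$dir/ca.crt" "$dir/ext.crt"
    count_pem_certs "$dir/ca.crt"
    rm -rf "$dir"
}

demo   # prints 2
```

The script checks only the shape of the bundle, not whether the certificate belongs to the endpoint you intend to trust. Before appending, inspect ext.crt with `openssl x509 -in ext.crt -noout -subject -issuer -dates -fingerprint -sha256` and compare the fingerprint with the value the endpoint owner gives you; once it is in ca.crt, every Spark runtime in the instance trusts it.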