Chapter 6. Adding a CA bundle after upgrading

Red Hat OpenShift AI 1 provides support for using self-signed certificates. If you have upgraded from OpenShift AI 2.7 or earlier versions, you can add self-signed certificates to the OpenShift AI deployments and Data Science Projects in your cluster.

There are two ways to add a Certificate Authority (CA) bundle to OpenShift AI. You can use one or both of these methods:

  • For OpenShift clusters that rely on self-signed certificates, you can add those self-signed certificates to a cluster-wide Certificate Authority (CA) bundle (ca-bundle.crt) and use the CA bundle in Red Hat OpenShift AI.
  • You can use self-signed certificates in a custom CA bundle (odh-ca-bundle.crt) that is separate from the cluster-wide bundle.

For more information, see Working with certificates.

Prerequisites

  • You have admin access to the DSCInitialization resources in the OpenShift cluster.
  • You installed the OpenShift command line interface (oc) as described in Get Started with the CLI.
  • You upgraded Red Hat OpenShift AI. If you are working in a new installation of Red Hat OpenShift AI, see Adding a CA bundle.

Procedure

  1. Log in to OpenShift as a cluster administrator.
  2. Click Operators → Installed Operators and then click the Red Hat OpenShift AI Operator.
  3. Click the DSC Initialization tab.
  4. Click the default-dsci object.
  5. Click the YAML tab.
  6. Add the following to the spec section, setting the managementState field to Managed:

    spec:
      trustedCABundle:
        managementState: Managed
        customCABundle: ""
  7. If you want to use self-signed certificates added to a cluster-wide CA bundle, log in to OpenShift as a cluster administrator and follow the steps as described in Configuring the cluster-wide proxy during installation.
  8. If you want to use self-signed certificates in a custom CA bundle that is separate from the cluster-wide bundle, follow these steps:

    1. Add the custom certificate to the customCABundle field of the default-dsci object, as shown in the following example:

      spec:
        trustedCABundle:
          managementState: Managed
          customCABundle: |
            -----BEGIN CERTIFICATE-----
            examplebundle123
            -----END CERTIFICATE-----
    2. Click Save.

      In all new and existing non-reserved namespaces, the Red Hat OpenShift AI Operator creates an odh-trusted-ca-bundle ConfigMap that contains the certificates.

Verification

  • If you are using a cluster-wide CA bundle, run the following command to verify that all non-reserved namespaces contain the odh-trusted-ca-bundle ConfigMap:

    $ oc get configmaps --all-namespaces -l app.kubernetes.io/part-of=opendatahub-operator | grep odh-trusted-ca-bundle
  • If you are using a custom CA bundle, run the following command to verify that a non-reserved namespace contains the odh-trusted-ca-bundle ConfigMap and that the ConfigMap contains your customCABundle value. In the following command, example-namespace is the non-reserved namespace and examplebundle123 is the customCABundle value.

    $ oc get configmap odh-trusted-ca-bundle -n example-namespace -o yaml | grep examplebundle123
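
The grep check above confirms only that one string appears in the ConfigMap. The following added example (not part of the Red Hat documentation) compares SHA-256 fingerprints so that every certificate in your custom bundle is accounted for, regardless of line wrapping. It assumes the ConfigMap was exported with `oc get configmap odh-trusted-ca-bundle -n example-namespace -o json` and that the custom bundle is stored under the key odh-ca-bundle.crt; the function names are hypothetical and the sample certificates are constructed placeholder bytes.

```python
import base64
import hashlib
import json
import re

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.S)

def fingerprints(pem_text):
    """SHA-256 of each certificate's decoded body (its DER bytes) in a PEM bundle."""
    bodies = PEM_BLOCK.findall(pem_text)
    if len(bodies) != pem_text.count(BEGIN):
        raise ValueError("unterminated certificate block (truncated paste?)")
    found = set()
    for body in bodies:
        try:
            # Join wrapped lines; reject anything that is not strict base64.
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:
            raise ValueError("certificate block is not valid base64") from exc
        if not der:
            raise ValueError("empty certificate block")
        found.add(hashlib.sha256(der).hexdigest())
    return found

def missing_from_configmap(bundle_pem, configmap_json, key="odh-ca-bundle.crt"):
    """Fingerprints present in the local bundle but absent from the ConfigMap key."""
    # `key` is an assumption: the custom bundle name given on this page.
    data = json.loads(configmap_json).get("data") or {}
    return fingerprints(bundle_pem) - fingerprints(data.get(key, ""))

def fake_pem(raw, width=64):
    """Constructed stand-in for a certificate: PEM armor around arbitrary bytes."""
    b64 = base64.b64encode(raw).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "\n".join([BEGIN, *lines, END, ""])

# Constructed sample data: the local bundle holds two placeholder certificates,
# but only the first reached the ConfigMap (re-wrapped at 76 columns).
CA_ONE, CA_TWO = b"constructed-ca-one" * 8, b"constructed-ca-two" * 8
LOCAL_BUNDLE = fake_pem(CA_ONE) + fake_pem(CA_TWO)
CONFIGMAP_JSON = json.dumps({
    "metadata": {"name": "odh-trusted-ca-bundle", "namespace": "example-namespace"},
    "data": {"odh-ca-bundle.crt": fake_pem(CA_ONE, width=76)},
})

if __name__ == "__main__":
    missing = missing_from_configmap(LOCAL_BUNDLE, CONFIGMAP_JSON)
    print("missing certificates:", sorted(missing) or "none")
```

An empty result means every certificate in the local bundle is present in that namespace's ConfigMap; run it per namespace against the exported JSON.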