TLS Certificates

Overview

In AI Studio Platform, TLS certificates are used to provide secure connections for its internal components. The following will guide you on how to create new or redeploy or rotate your platform's TLS certificate.

Redeploying TLS certificate is process of replacing the currently used TLS certificate with a new issued certificate, and it should be planned well before certificates expire or in the case of a certificate is being compromised.

Requirements

• kubectl utilily and administrative access to the Kubernetes cluster
• Wildcard TLS certificate for your domain (for each cluster).

Kubernetes TLS Secret

First, we will need to create a Kubernetes TLS secret from the TLS certificate and key files.

kubectl -n cnvrg create secret tls my-tls-secret \
  --cert=path/to/cert/file \
  --key=path/to/key/file

Update TLS secret

We have two options that we can use in order to update the TLS secret without manually editing the operator.

Option 1

The first option is use an inline kubectl patch command:

kubectl patch cnvrgapps.mlops.cnvrg.io/cnvrg-app --type=merge -p '{"spec": {"networking": {"https": {"enabled": true, "certSecret": "cnvrg-tls-secret"}}}}' -n cnvrg

Expected output

cnvrgapps.mlops.cnvrg.io/cnvrg-app patched

Option 2

The second option is to create a file named patch-secret.yaml that has this content:

---
spec:
  networking:
    https:
      certSecret: my-tls-secret
      enabled: true
...

Then, patch Ai Studio operator:

kubectl patch cnvrgapps.mlops.cnvrg.io/cnvrg-app --type=merge -p "$(cat patch-secret.yaml)" -n cnvrg

Expected output

cnvrgapps.mlops.cnvrg.io/cnvrg-app patched

Verification

Verify the progress of the operator reconciliation process:

kubectl -n cnvrg get cnvrgapps.mlops.cnvrg.io

Expected output

NAME                                VERSION                 STATUS   MESSAGE
cnvrgapp.mlops.cnvrg.io/cnvrg-app   cnvrg/app:v5.x.x   READY    successfully reconciled, ready (100%)

Update TLS secret

We have two options that we can use in order to update the TLS secret without manually editing the operator.

Option 1

The first option is use an inline kubectl patch command:

kubectl patch cnvrginfras.mlops.cnvrg.io/cnvrg-infra cnvrgapps.mlops.cnvrg.io/cnvrg-app --type=merge -p '{"spec": {"networking": {"https": {"enabled": true, "certSecret": "cnvrg-tls-secret"}}}}' -n cnvrg

Expected output

cnvrginfra.mlops.cnvrg.io/cnvrg-infra patched
cnvrgapp.mlops.cnvrg.io/cnvrg-app patched

Option 2

The second option is to create a file named patch-secret.yaml that has this content:

---
spec:
  networking:
    https:
      certSecret: my-tls-secret
      enabled: true
...

Then, patch AI Studio operator:

kubectl patch cnvrginfras.mlops.cnvrg.io/cnvrg-infra cnvrgapps.mlops.cnvrg.io/cnvrg-app --type=merge -p "$(cat patch-secret.yaml)" -n cnvrg

Expected output

cnvrginfra.mlops.cnvrg.io/cnvrg-infra patched
cnvrgapp.mlops.cnvrg.io/cnvrg-app patched

Verification

Verify the progress of the operator reconciliation process:

kubectl -n cnvrg get cnvrgapps.mlops.cnvrg.io/cnvrg-app cnvrginfras.mlops.cnvrg.io/cnvrg-infra

Expected output

NAME                                VERSION                 STATUS   MESSAGE
cnvrgapp.mlops.cnvrg.io/cnvrg-app   cnvrg/app:v4.x.x   READY    successfully reconciled, ready (100%)

NAME                                    STATUS    MESSAGE
cnvrginfra.mlops.cnvrg.io/cnvrg-infra   HEALTHY   successfully reconciled