Chapter 4. Adding a CA bundle after upgrading
Red Hat OpenShift AI 2.11 provides support for using self-signed certificates. If you have upgraded from OpenShift AI 2.7 or earlier versions, you can add self-signed certificates to the OpenShift AI deployments and Data Science Projects in your cluster.
There are two ways to add a Certificate Authority (CA) bundle to OpenShift AI. You can use one or both of these methods:
- For OpenShift clusters that rely on self-signed certificates, you can add those self-signed certificates to a cluster-wide Certificate Authority (CA) bundle (ca-bundle.crt) and use the CA bundle in Red Hat OpenShift AI.
- You can use self-signed certificates in a custom CA bundle (odh-ca-bundle.crt) that is separate from the cluster-wide bundle.
For more information, see Working with certificates.
Prerequisites
- You have admin access to the DSCInitialization resources in the OpenShift cluster.
- You installed the OpenShift command line interface (oc) as described in Get Started with the CLI.
- You upgraded Red Hat OpenShift AI from version 2.7 or earlier. If you are working in a new installation of Red Hat OpenShift AI, see Adding a CA bundle.
Procedure
- Log in to OpenShift as a cluster administrator.
- Click Operators → Installed Operators and then click the Red Hat OpenShift AI Operator.
- Click the DSC Initialization tab.
- Click the default-dsci object.
- Click the YAML tab.
- Add the following to the spec section, setting the managementState field to Managed:

    spec:
      trustedCABundle:
        managementState: Managed
        customCABundle: ""
- If you want to use self-signed certificates added to a cluster-wide CA bundle, log in to OpenShift as a cluster administrator and follow the steps as described in Configuring the cluster-wide proxy during installation.
- If you want to use self-signed certificates in a custom CA bundle that is separate from the cluster-wide bundle, follow these steps:
  - Add the custom certificate to the customCABundle field of the default-dsci object, as shown in the following example:

        spec:
          trustedCABundle:
            managementState: Managed
            customCABundle: |
              -----BEGIN CERTIFICATE-----
              examplebundle123
              -----END CERTIFICATE-----

  - Click Save.

The Red Hat OpenShift AI Operator creates an odh-trusted-ca-bundle ConfigMap containing the certificates in all new and existing non-reserved namespaces.
Verification
If you are using a cluster-wide CA bundle, run the following command to verify that all non-reserved namespaces contain the odh-trusted-ca-bundle ConfigMap:

    $ oc get configmaps --all-namespaces -l app.kubernetes.io/part-of=opendatahub-operator | grep odh-trusted-ca-bundle

If you are using a custom CA bundle, run the following command to verify that a non-reserved namespace contains the odh-trusted-ca-bundle ConfigMap and that the ConfigMap contains your customCABundle value. In the following command, example-namespace is the non-reserved namespace and examplebundle123 is the customCABundle value.

    $ oc get configmap odh-trusted-ca-bundle -n example-namespace -o yaml | grep examplebundle123
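
The grep in the first verification command lists the namespaces that have the ConfigMap but does not show which ones are missing it. The following script is an added example, not part of the product documentation, that reports the gaps. The function names and sample namespaces are hypothetical, and the reserved-namespace pattern (default, openshift, openshift-*, kube-*) is an assumption to adjust for your release.

```shell
#!/bin/sh
# Added example: list non-reserved namespaces that lack odh-trusted-ca-bundle.

# Assumption: reserved namespaces are default, openshift, openshift-* and kube-*.
is_reserved() {
    case "$1" in
        default|openshift|openshift-*|kube-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: missing_bundle_namespaces ALL_NS HAVE_NS
# Both arguments are newline-separated namespace names. Prints every
# non-reserved namespace in ALL_NS that is absent from HAVE_NS.
missing_bundle_namespaces() {
    printf '%s\n' "$1" | while IFS= read -r ns; do
        [ -n "$ns" ] || continue
        if is_reserved "$ns"; then continue; fi
        # -x whole line, -F literal: "team-a" must not match "team-a-dev".
        printf '%s\n' "$2" | grep -qxF -e "$ns" || printf '%s\n' "$ns"
    done
}

# Constructed sample data standing in for cluster output.
SAMPLE_ALL='default
kube-system
openshift-monitoring
team-a
team-a-dev
fraud-detection'
SAMPLE_HAVE='team-a-dev
fraud-detection'

if [ "${1:-}" = "--live" ]; then
    # Query the cluster; exit non-zero if any namespace lacks the ConfigMap.
    all=$(oc get namespaces -o name | sed 's|^namespace/||')
    have=$(oc get configmaps --all-namespaces --no-headers \
        -l app.kubernetes.io/part-of=opendatahub-operator |
        awk '$2 == "odh-trusted-ca-bundle" { print $1 }')
    missing=$(missing_bundle_namespaces "$all" "$have")
    [ -z "$missing" ] || { printf 'missing in:\n%s\n' "$missing"; exit 1; }
else
    # Offline demonstration on the constructed sample.
    missing_bundle_namespaces "$SAMPLE_ALL" "$SAMPLE_HAVE"
fi
```

Run the script with --live while logged in with oc to check the cluster. Without arguments it only processes the constructed sample.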