PrimeHub
v4.1

Setup Self-Signed Certificate for PrimeHub

In certain scenarios, for example in a private or corporate network, we may want to serve HTTPS with a self-signed certificate.

This document explains how to set up a self-signed certificate for PrimeHub.

Prerequisite

To enable this feature, you need to make sure:

  1. Keycloak version ≥ 8.0

  2. PrimeHub version ≥ 3.1

  3. Your Keycloak is installed in the same Kubernetes cluster as PrimeHub so they can talk to each other using in-cluster connections.

Self-Signed Certificate

Generation

Create a config file for openssl named selfsigned.cnf. Please make sure to replace the YOUR_DOMAIN_NAME field with the domain name you want to use.

prompt             = no
distinguished_name = req_dn
x509_extensions = x509_ext

[ req_dn ]

commonName = YOUR_DOMAIN_NAME

[ x509_ext ]

subjectAltName = @alt_names

[alt_names]
DNS.1 = YOUR_DOMAIN_NAME

Generate a self-signed certificate using the following command:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout selfsigned.key -out selfsigned.crt -config selfsigned.cnf

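Modify the file permissions for later use. Mode 644 makes both files, including the private key selfsigned.key, readable by every user on the host.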

sudo chmod 644 selfsigned.*
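
An added example, not part of the PrimeHub documentation: a preflight script that checks the generated pair before it is loaded into a Kubernetes secret. It confirms that the certificate carries the domain as a DNS subjectAltName, that the key matches the certificate, and that at least 30 days of validity remain. The function names, the 30-day threshold and the sample domain primehub.example.test are assumptions.

```shell
#!/bin/sh
# Added example: preflight checks for the selfsigned.key / selfsigned.crt pair.

# True if CERT lists DOMAIN as a DNS subjectAltName (the CN alone is not accepted).
cert_has_san() {  # cert_has_san CERT DOMAIN
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^ *//' | grep -Fxq "DNS:$2"
}

# True if the private key and the certificate carry the same public key.
key_matches_cert() {  # key_matches_cert KEY CERT
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# True if CERT is still valid DAYS days from now.
cert_valid_for_days() {  # cert_valid_for_days CERT DAYS
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Run all checks; returns non-zero on the first failure.
preflight() {  # preflight KEY CERT DOMAIN
    cert_has_san "$2" "$3"      || { echo "FAIL: no SAN DNS:$3 in $2"; return 1; }
    key_matches_cert "$1" "$2"  || { echo "FAIL: $1 does not match $2"; return 1; }
    cert_valid_for_days "$2" 30 || { echo "FAIL: $2 expires within 30 days"; return 1; }
    echo "OK: $2 is usable for $3"
}

# Constructed sample: throwaway pair for DOMAIN in DIR, same fields as selfsigned.cnf above.
make_sample() {  # make_sample DIR DOMAIN
    printf '%s\n' '[ req ]' 'prompt = no' 'distinguished_name = req_dn' \
        'x509_extensions = x509_ext' '[ req_dn ]' "commonName = $2" \
        '[ x509_ext ]' 'subjectAltName = @alt_names' '[alt_names]' \
        "DNS.1 = $2" > "$1/selfsigned.cnf"
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout "$1/selfsigned.key" \
        -out "$1/selfsigned.crt" -config "$1/selfsigned.cnf" 2>/dev/null
}

if [ "$#" -eq 3 ]; then
    preflight "$1" "$2" "$3"
fi
```

Saved under a hypothetical name such as preflight.sh, it is run as `sh preflight.sh selfsigned.key selfsigned.crt YOUR_DOMAIN_NAME`.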

Create A Secret For Nginx-Ingress-Controller

Create a TLS secret from our certificate and key files.

You may need to manually create the hub namespace before PrimeHub installation.

kubectl -n hub create secret tls selfsigned-tls --key selfsigned.key --cert selfsigned.crt

Trust Self-Signed Certificate on Node

Execute the following steps to trust your self-signed certificate on your node for later use.

sudo mkdir -p /usr/local/share/ca-certificates/primehub
sudo cp selfsigned.crt /usr/local/share/ca-certificates/primehub/
sudo update-ca-certificates

Configure

Nginx-Ingress TLS Setting

Add the following ingress settings to your Helm overrides for these components.

PrimeHub

This covers the following ingresses:

  • primehub-admin-notebook

  • primehub-console

  • primehub-graphql

  • primehub-jupyterhub

  • keycloak (installed via PrimeHub chart)

# helm_override/primehub.yaml
ingress:
  annotations:
    kubernetes.io/tls-acme: "false"
  tls:
  - hosts:
    - YOUR_DOMAIN_NAME
    secretName: selfsigned-tls

Keycloak

Keycloak Service URL Setting (Optional)

Please note that if you install a standalone Keycloak using the Keycloak chart instead of the one installed during PrimeHub installation, you need to have proper TLS.

Set KC_SVC_URL in your .env file to activate the internal connection.

Note which namespace your Keycloak is located in; the URL has the form http://keycloak-http.<namespace>/auth.

# .env  namespace: default
KC_SVC_URL=http://keycloak-http.default/auth

# Use the following if your Keycloak is installed in the `hub` namespace
#KC_SVC_URL=http://keycloak-http.hub/auth

helm_override/keycloak.yaml

If you installed Keycloak using the Keycloak chart, you need to configure the Keycloak ingress to use the self-signed certificate. If you installed Keycloak via the PrimeHub chart, no extra configuration is needed.

# helm_override/keycloak.yaml
keycloak:
  ingress:
    annotations:
      kubernetes.io/tls-acme: "false"
    tls:
    - hosts:
      - YOUR_DOMAIN_NAME
      secretName: selfsigned-tls # Note if your Keycloak uses another domain and TLS secret

Grafana

# helm_override/prometheus.yaml
grafana:
  enabled: true
  ingress:
    annotations:
      kubernetes.io/tls-acme: "false"
    tls:
    - hosts:
      - YOUR_DOMAIN_NAME
      secretName: selfsigned-tls

With these settings, you can proceed with the PrimeHub installation and it should work. Don't forget to trust your self-signed certificate in your browser.

You can also refer to the nginx-ingress documentation.