Configuring cert-manager for TLS on Ingress¶
cert-manager can be used to obtain and renew the TLS certificates that a DataRobot installation requires.
DataRobot's documentation uses Let's Encrypt as the example certificate authority for cert-manager, to obtain valid TLS certificates for ingress-nginx. If Let's Encrypt does not meet the customer's requirements, a certificate from a third-party CA can be imported instead (see "Using a 3rd party certificate" below).
Chart: cert-manager¶
Clients are required to install the cert-manager chart themselves, as it is not included in the DataRobot release artifacts.
If cert-manager is already installed in your cluster, skip this step.
The cert-manager Helm chart can be installed as follows (the repository alias must match the chart reference used in the install command):
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager --create-namespace --namespace cert-manager --set startupapicheck.timeout=5m --set crds.enabled=true --set crds.keep=true --debug
NOTE: The crds.enabled and crds.keep values apply to chart versions 1.15 and later; earlier charts use installCRDs=true instead. For further information, please refer to the official cert-manager documentation.
ACME Challenges¶
Let's Encrypt has two methods of proving that a requester controls the domain for which a TLS certificate is requested: HTTP or DNS. More details can be found in the Let's Encrypt challenge-types overview. Details on cert-manager's HTTP01 solvers and DNS01 solvers, including the list of supported DNS providers, are in the cert-manager documentation.
cluster-issuers¶
The ACME Issuer type represents a single account registered with an Automated Certificate Management Environment (ACME) Certificate Authority server. When you create a new ACME Issuer, cert-manager generates a private key that identifies your account to the ACME server.
Let's Encrypt enforces rate limits to ensure fair usage by as many people as possible. While testing the install process for a cluster, it is recommended to use the letsencrypt-staging issuer to avoid hitting those rate limits. Once testing is done and the cluster is installed for production use, switch to the letsencrypt-prod issuer. See the Let's Encrypt Rate Limits documentation for further reading.
ClusterIssuer configuration is described in the cert-manager documentation.
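As an added example (not part of DataRobot's documentation), the following ClusterIssuer manifests define the letsencrypt-staging and letsencrypt-prod issuers referenced above, solving the ACME HTTP01 challenge through ingress-nginx. The contact e-mail, the account-key secret names and the ingress class name nginx are assumptions; adjust them to your environment.

```yaml
# Staging issuer: use while testing the installation. Let's Encrypt staging has
# generous rate limits, but its certificates are not trusted by browsers.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: ops@example.com                   # assumed contact address for expiry notices
    privateKeySecretRef:
      name: letsencrypt-staging-account-key  # assumed name; cert-manager creates this secret
    solvers:
    - http01:
        ingress:
          ingressClassName: nginx            # assumed class of the ingress-nginx controller
---
# Production issuer: point global.ingress.tls.issuer at this name once the
# staging run succeeds, so production rate limits are not consumed by test installs.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
    - http01:
        ingress:
          ingressClassName: nginx
```

Apply the manifests with kubectl apply -f and check them with kubectl get clusterissuer; an issuer must report Ready before the Certificate created by the DataRobot chart can be issued.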
Requesting TLS Certs in DataRobot¶
The DataRobot Helm chart requests a TLS certificate as part of its installation process.
Under the hood, it creates a cert-manager Certificate resource, which causes the cert-manager controller to request a new TLS certificate and renew it before it expires.
The required configuration is the following:
global:
  ...
  # -- hostname (or IP address) used for constructing various public service URLs
  domain: ""
  ingress:
    ...
    tls:
      # -- Enable TLS
      enabled: true
      # -- Configure TLS secret name to pull secrets from
      secretName: datarobot-acme-cert
      # -- Configure TLS issuer
      issuer: TLS_ISSUER_NAME
      # -- Enable TLS using Cert Manager
      certmanager: true
- global.domain: the Fully Qualified Domain Name (FQDN) that will be included in the TLS certificate, for example, datarobot.mycompany.net.
- global.ingress.tls.secretName: the name of the Kubernetes (K8S) secret that cert-manager will generate to store the TLS certificate. The DataRobot ingress objects reference this secret to specify the certificate used for TLS termination.
- global.ingress.tls.issuer: the name of the ClusterIssuer, such as letsencrypt-staging or letsencrypt-prod, or any other name chosen by the client.
- The global.ingress.tls.certmanager flag is mandatory when using cert-manager.
Using a 3rd party certificate¶
Customers can import a 3rd party certificate using the following command (replace DR_CORE_NAMESPACE with the namespace of the DataRobot installation):
kubectl create secret tls custom-cert --namespace DR_CORE_NAMESPACE --key=private.key --cert=fullcert.crt -o yaml
The DataRobot Helm chart then needs to be configured as follows:
global:
  ...
  # -- hostname (or IP address) used for constructing various public service URLs
  domain: ""
  ingress:
    ...
    tls:
      # -- Enable TLS
      enabled: true
      # -- Configure TLS secret name to pull secrets from
      secretName: custom-cert
      # -- Enable TLS using Cert Manager
      certmanager: false
- global.domain: the Fully Qualified Domain Name (FQDN) that will be added to the TLS certificate, for example, datarobot.mycompany.net.
- The global.ingress.tls.certmanager flag must be set to false.
- global.ingress.tls.secretName: the name of the Kubernetes (K8S) secret created with kubectl above.
Please ensure that the file fullcert.crt contains both the server certificate and the certificate chain, so that clients can build a valid chain to a trusted root. If you have multiple files, you can merge them (server certificate first, then the CA bundle) using the following command:
cat certificate.crt ca_bundle.crt > fullcert.crt
Further Reading¶
For more in-depth documentation from the Let's Encrypt and cert-manager teams, see the links below.