Working with a Local Certificate Authority
Run:ai can be installed in an isolated network. In this air-gapped configuration, the organization will not be using an established root certificate authority. Instead, the organization creates a local certificate which serves as the root certificate for the organization. The certificate is installed in all browsers within the organization.
In the context of Run:ai, the cluster and control-plane need to be aware of this certificate for consumers to be able to connect to the system.
Preparation
You will need the public certificate of the local certificate authority, in PEM form; the steps below refer to this file as <ca_bundle_path>.
Control-Plane Installation
- Create the runai-backend namespace if it does not exist.
- Add the public key to the runai-backend namespace:
- The installation instructions have you create a TLS secret named runai-backend-tls; use a certificate issued by the local certificate authority for it instead.
- Install the control plane, adding the following flag to the helm command: --set global.customCA.enabled=true
Cluster Installation
- Create the runai namespace if it does not exist.
- Add the public key to the runai namespace. If you are using OpenShift, also add the public key to the openshift-monitoring namespace:
oc -n runai create secret generic runai-ca-cert \
    --from-file=runai-ca.pem=<ca_bundle_path>
oc -n openshift-monitoring create secret generic runai-ca-cert \
    --from-file=runai-ca.pem=<ca_bundle_path>
oc label secret runai-ca-cert -n runai run.ai/cluster-wide=true run.ai/name=runai-ca-cert --overwrite
- Install the Run:ai operator, adding the following flag to the helm command: --set global.customCA.enabled=true
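As an added example, not part of the Run:ai documentation: the Python script below reproduces what the oc create secret generic and oc label steps above produce, so the result can be reviewed before anything is applied. It checks that the bundle is a well-formed PEM chain, then builds the two runai-ca-cert Secret manifests, with the run.ai labels only on the copy in the runai namespace. It uses only the standard library; SAMPLE_BUNDLE is a constructed stand-in for <ca_bundle_path>, not a real certificate.

```python
import base64
import re

# Names from the procedure above: the Secret, its key (from --from-file) and
# the labels the `oc label` step adds to the copy in the runai namespace.
SECRET_NAME = "runai-ca-cert"
SECRET_KEY = "runai-ca.pem"
CLUSTER_LABELS = {"run.ai/cluster-wide": "true", "run.ai/name": "runai-ca-cert"}
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in for <ca_bundle_path>: a syntactically valid PEM block
# whose body is a tiny DER SEQUENCE, not a real certificate.
SAMPLE_BUNDLE = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"


def split_pem_bundle(bundle: str) -> list:
    """Return the DER bytes of each certificate; reject empty or damaged bundles."""
    ders = []
    for body in PEM_BLOCK.findall(bundle):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"malformed PEM block: {exc}") from exc
        if not der or der[0] != 0x30:  # every X.509 certificate is a DER SEQUENCE
            raise ValueError("PEM block does not contain a DER certificate")
        ders.append(der)
    if not ders:
        raise ValueError("no CERTIFICATE blocks found in bundle")
    return ders


def ca_secret_manifest(namespace: str, bundle: str, labelled: bool) -> dict:
    """Build the Secret that `oc -n <namespace> create secret generic` produces."""
    split_pem_bundle(bundle)  # fail before anything is applied to the cluster
    metadata = {"name": SECRET_NAME, "namespace": namespace}
    if labelled:
        metadata["labels"] = dict(CLUSTER_LABELS)
    data = {SECRET_KEY: base64.b64encode(bundle.encode()).decode()}
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": metadata, "data": data}


def manifests_for_openshift(bundle: str) -> list:
    """The two Secrets the OpenShift variant creates; only the runai copy is labelled."""
    return [ca_secret_manifest("runai", bundle, labelled=True),
            ca_secret_manifest("openshift-monitoring", bundle, labelled=False)]


def bundle_from_manifest(manifest: dict) -> str:
    """Decode the stored bundle, e.g. to diff it against the file on disk."""
    return base64.b64decode(manifest["data"][SECRET_KEY]).decode()
```

Piping json.dumps(manifests_for_openshift(open(path).read())) into kubectl apply -f - is equivalent to the two create-secret commands plus the label step above.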
Git and S3
Run:ai enables AI practitioners to integrate with S3 or Git as data sources. When using a custom CA, the sidecar containers used for the S3 and Git integrations do not automatically inherit the CA configured at the cluster level. You therefore need to build a custom container image for each integration, based on the default Run:ai image, that includes the local CA certificates.
- Build, tag and publish the images for the S3 / Git integrations using the following Dockerfile (uncomment the FROM line for the integration you are building):
# Uncomment one base image.
#FROM gcr.io/run-ai-prod/goofys:master # S3
#FROM registry.k8s.io/git-sync/git-sync:v4.4.0 # Git
USER root
# Copy the CA bundle (for example a directory named anchors/) into the trust store.
ADD <ca_bundle_path> /usr/local/share/ca-certificates/
RUN chmod 644 -R /usr/local/share/ca-certificates/ && update-ca-certificates
WORKDIR /
ENTRYPOINT ["sh"]
CMD ["/usr/bin/run.sh"]
- Edit the cluster configuration so that Run:ai uses the new images, following the S3 and Git sidecar images instructions.