Configure HTTPS/TLS for External Repositories

This guide explains how to configure HTTPS/TLS for external repositories that use a self-signed certificate. These steps are not required for external repositories such as huggingface.co or s3.amazonaws.com, whose sites use valid SSL/TLS certificates issued by trusted certificate authorities (CAs).

Before You Start

  • Obtain the external repository’s self-signed certificate

How to Configure HTTPS/TLS for External Repositories

1. Create a Kubernetes Secret

  1. Create a Kubernetes secret with the root CAs:

    AIOLI_EXTERNAL_CA_CERT_SECRET_NAME=<your-secret-name>
    kubectl create secret generic ${AIOLI_EXTERNAL_CA_CERT_SECRET_NAME} --from-file=<path-to-cert-file> -n <namespace>

    Note
    File names must end with .crt. Specify an additional --from-file option for each root CA to be added.
  2. Verify that the secret was created:

    kubectl get secret ${AIOLI_EXTERNAL_CA_CERT_SECRET_NAME} -n <namespace>

2. Update the MLIS Deployment

  1. Update the MLIS deployment to use the secret:
    helm install mlis --values values.yaml --set externalCaCertSecretName=${AIOLI_EXTERNAL_CA_CERT_SECRET_NAME} -n <namespace>
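
A pre-flight check for step 1, added here as an example (it is not part of the MLIS documentation or tooling): it enforces the .crt naming rule, refuses files that carry a private key or an incomplete PEM block, and prints the kubectl command with one --from-file per root CA. The function names are hypothetical, and file paths are assumed to contain no whitespace.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks before `kubectl create secret generic`.
# Function names are hypothetical. Assumption: paths contain no whitespace.

# check_ca_file PATH -> 0 if PATH looks like a PEM CA file that is safe to publish.
check_ca_file() {
  local f="$1" begins ends
  case "$f" in
    *.crt) ;;
    *) echo "reject $f: file name must end with .crt" >&2; return 1 ;;
  esac
  [ -r "$f" ] || { echo "reject $f: not readable" >&2; return 1; }
  # The secret holds root CAs that are only meant to be trusted, so a bundled key is refused.
  if grep -q -e 'PRIVATE KEY-----' "$f"; then
    echo "reject $f: contains a private key block" >&2; return 1
  fi
  begins=$(grep -c -e '^-----BEGIN CERTIFICATE-----' "$f" || true)
  ends=$(grep -c -e '^-----END CERTIFICATE-----' "$f" || true)
  if [ "$begins" -lt 1 ] || [ "$begins" -ne "$ends" ]; then
    echo "reject $f: no complete PEM certificate block" >&2; return 1
  fi
}

# build_secret_cmd NAME NAMESPACE FILE... -> prints the kubectl command, or fails.
build_secret_cmd() {
  [ "$#" -ge 3 ] || { echo "usage: NAME NAMESPACE FILE.crt..." >&2; return 1; }
  local name="$1" ns="$2" f key seen=" " args=""
  shift 2
  for f in "$@"; do
    check_ca_file "$f" || return 1
    key=${f##*/}   # kubectl uses the file's base name as the key inside the secret
    case "$seen" in
      *" $key "*) echo "reject $f: duplicate key $key" >&2; return 1 ;;
    esac
    seen="$seen$key "
    args="$args --from-file=$f"
  done
  echo "kubectl create secret generic $name$args -n $ns"
}

# When run with arguments, print the command for review instead of executing it.
if [ "$#" -gt 0 ]; then build_secret_cmd "$@"; fi
```

Run it as `bash preflight.sh <your-secret-name> <namespace> <path-to-cert-file>...` (the script name is hypothetical) and execute the printed command once every file passes.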

Using Cert Management Tools

If you are managing CA certificate bundles using trust-manager or other similar tools, you can deploy these bundles to HPE Machine Learning Inferencing Software by specifying the ConfigMap name during the Helm installation process. This approach provides a more automated and scalable way to manage trusted CA certificates across your cluster.

  1. Obtain the ConfigMap name that contains the CA certificate bundle:
    kubectl get configmaps -n <namespace>
  2. Specify the ConfigMap name during the Helm installation process:
    helm install ... --set trustedCAsConfigMap=<configmap-name> ...
  3. Once deployed, the certificates in the bundle will be automatically mounted into:
    • The controller
    • All newly created deployment pods
Tip
If you’re not using trust-manager, you can still use this approach with any ConfigMap containing your CA certificates. Just ensure the ConfigMap is created in the same namespace as your MLIS deployment before running the Helm install/upgrade command.