CDP Private Cloud Data Services
TLS Connections in CDP Private Cloud
• Traffic between the Control Plane or Data Services and end users: All endpoints exposed by CDP Private Cloud take the form of Kubernetes ingresses and must go through the Ingress Controller and Gateway. The Ingress Controller is configured with a TLS certificate and guarantees that the traffic must use HTTPS, while the Gateway guarantees that the traffic must be authenticated.
• Traffic between the Control Plane and Data Services: These two reside in separate Kubernetes namespaces and are treated as external to each other. As such, connections from Data Services to the Control Plane go through the Ingress Controller, guaranteeing the use of HTTPS.
• Traffic between the Control Plane or Data Services and the Kubernetes API server: API calls to the Kubernetes API server always use HTTPS and are authenticated using the pod’s service account tokens, thus being subject to RBAC.
• Traffic between the Control Plane or Data Services and the Base Cluster: The Base Cluster must have TLS enabled, meaning that all connections will be encrypted.
The Control Plane has a network policy which prevents traffic from the outside from reaching inside it unless it goes
through the Ingress Controller and Gateway. This effectively ensures that all traffic going into the Control Plane must
be encrypted with TLS and authenticated.
There is no analogous network policy for egress traffic, but all connections from the Control Plane and Data Services to the outside (such as pulling images from an external Docker registry) use TLS. CDP Private Cloud also supports running in an air-gapped environment where connections to external networks are forbidden.
Traffic within the same cluster and namespace is trusted, and is not currently encrypted.
Base Cluster TLS Requirements
The Base cluster must have TLS enabled, either using manual TLS configuration or Auto-TLS.
The truststore configured in Cloudera Manager will be automatically imported into CDP Private Cloud during
installation of the Control Plane, but afterwards can be managed separately from the Base Cluster’s truststore. This
truststore is imported so that the Control Plane and workloads can trust TLS connections to the Base cluster.
For the most seamless experience, ensure that this truststore trusts:
• The Cloudera Manager server certificate
• The LDAP server certificate
• The Postgres database server certificate of all Hive Metastores that are expected to be used with Private Cloud
Instead of specifying individual certificates, it is recommended to import a root CA certificate that signed all of the
above. CA certificates can be updated or rotated after Control Plane installation.
Unified Truststore
After Control Plane installation, management of trusted CA certificates can be done from the Administration page of
the Control Plane. The set of trusted CA certificates forms a “unified truststore” which is then propagated to workload
clusters.
The unified truststore contains certificates for:
• Cloudera Manager and base cluster services
• Control Plane
• LDAP
• Control Plane Database
• Docker Registry (if external)
• Vault (if external)
Again, it is not likely that separate certificates are required for each entry above. In most cases, an organization will
only have one CA certificate signing the certificates for the above entities.