What's new in Cloudera Data Services on premises 1.5.5 SP2

Learn about the new functionalities and feature improvements in Cloudera Data Services on premises 1.5.5 SP2.

Certificate Management support for OpenShift Container Platform (OCP)

Cert-manager is an open-source tool for Kubernetes that automates the provisioning, management, and renewal of TLS certificates. Its documentation at Certificate Management provides comprehensive guidance on installing, configuring, and using cert-manager to secure workloads with trusted X.509 certificates. Cloudera provides out-of-the-box support for Venafi Trust Protection Platform (TPP) as part of the Cloudera Embedded Container Service and OCP installation. By integrating cert-manager, the data services achieve secure communication, reduced manual overhead, and compliance with security standards, leveraging its robust automation and flexibility. For more information on setting up cert-manager using Venafi TPP, see Setting up Certification Manager using Venafi TPP.

Custom Annotation Support in Certificate Manager

When Venafi TPP (Trust Protection Platform) requires a custom mandatory field to be included in all certificate issuance API requests, the Custom Annotation Support in Certificate Manager feature enables support for custom annotation fields defined in the Venafi ClusterIssuer with their specified values. It automatically injects the required Venafi custom field annotations (venafi.cert-manager.io/custom-fields) into CertificateRequest objects at creation, ensuring they are included in all Venafi certificate issuance API calls. Annotations with dynamic values, such as those generated from environment variables or the cluster name, are not supported.

For example, to add a custom Venafi field annotation NBKID with the value ADFS:1234554321 to the ClusterIssuer named tpp-issuer-e2e-lbd60c, use the following command:
    kubectl patch clusterissuer tpp-issuer-e2e-lbd60c --type='merge' -p \
      '{"metadata":{"annotations":{"venafi.cert-manager.io/custom-fields":"[{\"name\":\"NBKID\",\"value\":\"ADFS:1234554321\"}]"}}}'
For more information, see Setting up Certification Manager using Venafi TPP.
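
The annotation value is a JSON array stored as a string inside the JSON patch, which is why the inner quotes are escaped in the command above. The following Python helper is an added example, not Cloudera or cert-manager code: it builds that patch for static name/value pairs and validates an annotation string read back from a ClusterIssuer or CertificateRequest. The function names are hypothetical.

```python
import json
import shlex

ANNOTATION = "venafi.cert-manager.io/custom-fields"  # annotation key from the page


def build_patch(fields):
    """Merge-patch body for a list of (name, value) pairs with static values."""
    entries = []
    for name, value in fields:
        if not (isinstance(name, str) and name and isinstance(value, str)):
            raise ValueError(f"invalid custom field: {name!r}={value!r}")
        entries.append({"name": name, "value": value})
    # The annotation value is a string holding a JSON array, so it is
    # serialized once on its own and again as part of the patch document.
    inner = json.dumps(entries, separators=(",", ":"))
    patch = {"metadata": {"annotations": {ANNOTATION: inner}}}
    return json.dumps(patch, separators=(",", ":"))


def kubectl_command(issuer, fields):
    """Shell-safe kubectl command line that applies the patch."""
    return " ".join([
        "kubectl", "patch", "clusterissuer", shlex.quote(issuer),
        "--type=merge", "-p", shlex.quote(build_patch(fields)),
    ])


def parse_annotation(raw):
    """Validate an annotation string read back from an object."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"annotation is not valid JSON: {exc}") from None
    if not isinstance(data, list):
        raise ValueError("annotation must be a JSON array")
    fields = []
    for item in data:
        if not (isinstance(item, dict) and isinstance(item.get("name"), str)
                and isinstance(item.get("value"), str)):
            raise ValueError(f"entry needs string name and value: {item!r}")
        fields.append((item["name"], item["value"]))
    return fields


if __name__ == "__main__":
    # Values taken from the example on this page.
    print(kubectl_command("tpp-issuer-e2e-lbd60c", [("NBKID", "ADFS:1234554321")]))
```

Running parse_annotation on the annotation of a newly created CertificateRequest confirms that the injected value matches what was set on the ClusterIssuer.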

Added Dedicated CDE Node and Dedicated CAI Infra Node to run on the dedicated Cloudera Embedded Container Service node

Under the node_taint property on the Cloudera Embedded Container Service Host Configuration page, the following options are added in 1.5.5 SP2:

  1. Dedicated CDE Node for Data Engineering services (available only if Cloudera Embedded Container Service version is 1.5.5 SP2 or later). If selected, the host is reserved exclusively for all CDE-related services and workloads.
  2. Dedicated CAI Infra Node for CAI infrastructure services (available only if Cloudera Embedded Container Service version is 1.5.5 SP2 or later). If selected, the host is allocated exclusively for CAI infrastructure services.

For more information, see Adding Dedicated CDE and CAI node.

Added reflector to continuously mirror secrets from openshift-ingress to istio-ingress namespace

In the Ingress Certificate Secret Synchronization section, enter the name of the TLS secret located in the openshift-ingress namespace into the OpenShift Ingress Secret Name field. This is the default certificate used by the OpenShift cluster, and it will be used by the Istio ingress for TLS termination.

For more information, see Ingress Certificate Secret Synchronization.