How to skip the validation of SSL for KServe

Solution Verified - Updated

Environment

  • Red Hat OpenShift AI
    • 2.5

Issue

When models are in the Minio that is using SSL with a self-signed certificate, it was not possible to create a connection without cabundle. How can I use skip validation ssl to pull a model from the Minio?

Resolution

KServe provides a feature to bypass SSL validation; however, the Red Hat OpenShift AI UI currently lacks the capability to configure this option.

Within a user namespace, there exists a Secret named storage-config that encapsulates registry information. When creating a data connection through the dashboard, this secret is automatically generated and is under the management of odh-model-controller. It's important to note that, at present, the dashboard does not provide an interface to configure the skip-validation field. Consequently, there arises a necessity to manually designate the storage-config Secret as unmanaged.

Note: This workaround enables the utilization of specific functionalities and anticipates future support within the dashboard for this configuration.

To configure the verify-ssl field within the storage-config Secret, follow these steps:

  1. Make the Secret "storage-config" to unmanaged
oc label secret/storage-config opendatahub.io/managed=false --overwrite
  1. Update the credential key in the storage-config.
    (ex) This is an example when the key name is aws-connection-s3
❯ oc get secret storage-config -o yaml
apiVersion: v1
data:
  aws-connection-s3: XXX
kind: Secret
metadata:
  labels:
    opendatahub.io/managed: "false"
  name: storage-config
type: Opaque

You can add this field {"verify_ssl": "false"} in the aws-connection-s3 value using OpenShift console.

OpenShift Console Secret Edit Page
editing storage-config Secret

Data will be like this:

{
  "access_key_id": "XXX",
  "bucket": "XXX",
  "default_bucket": "XXX",
  "endpoint_url": "https://s3.us-east-2.amazonaws.com/",
  "region": "us-east-2",
  "secret_access_key": "XXX",
  "type": "s3",
  "verify_ssl": "false"
}

After you update the Secret, you need to restart the runtime pod. Then it will skip the validation check of SSL.


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.