Hi Biao
I think this modified basic-example FlinkDeployment should load the existing
keystore, although I am not certain that re-using the webhook keystore is recommended.

apiVersion: flink.apache.org/v1beta1
kind: FlinkDeployment
metadata:
  name: basic-example
spec:
  image: flink:1.15
  flinkVersion: v1_15
  flinkConfiguration:
    taskmanager.numberOfTaskSlots: "2"
  serviceAccount: flink
  jobManager:
    resource:
      memory: "2048m"
      cpu: 1
  taskManager:
    resource:
      memory: "2048m"
      cpu: 1
  podTemplate:
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-template
    spec:
      containers:
      - name: flink-main-container
        volumeMounts:
          - mountPath: /certs
            name: keystore
      volumes:
      - name: keystore
        secret:
          defaultMode: 420
          items:
          - key: keystore.p12
            path: keystore.p12
          secretName: webhook-server-cert
  job:
    jarURI: local:///opt/flink/examples/streaming/StateMachineExample.jar
    parallelism: 2
    upgradeMode: stateless

Verify with curl
curl -v -k https://basic-example-rest:8081
*   Trying 172.21.126.88:8081...
* Connected to basic-example-rest (172.21.126.88) port 8081 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=FlinkDeployment Validator
*  start date: Sep 12 17:38:37 2022 GMT
*  expire date: Dec 11 17:38:37 2022 GMT
*  issuer: CN=FlinkDeployment Validator
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET / HTTP/1.1
> Host: basic-example-rest:8081
> User-Agent: curl/7.74.0
> Accept: */*
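A pre-deployment check for the wiring above, as an added example (it is not code from this thread or from the flink-kubernetes-operator project). Mounting the keystore only puts the file in the pod; Flink's REST endpoint serves TLS only when the security.ssl.rest.* options point at that file, so the check resolves which files the secret volumes project into flink-main-container and compares them with flinkConfiguration. The hardened variant, the truststore.p12 item, and the password placeholders are hypothetical. Re-using the webhook keystore also shares the operator webhook's private key with every job pod, and the certificate's subject (CN=FlinkDeployment Validator in the curl output) does not name basic-example-rest, which is why the curl above still needs -k; the check covers the manifest side only.

```python
"""Consistency check for a FlinkDeployment that mounts a TLS keystore.

Added example, not code from the thread or the flink-kubernetes-operator
project. Resolves the files secret volumes project into flink-main-container
and checks that the security.ssl.rest.* options reference them.
"""
import copy
from pathlib import PurePosixPath

CONTAINER = "flink-main-container"

# Constructed manifest: the thread's basic-example as the dict yaml.safe_load
# would return. It mounts keystore.p12 but sets no SSL options.
MOUNT_ONLY = {
    "apiVersion": "flink.apache.org/v1beta1",
    "kind": "FlinkDeployment",
    "metadata": {"name": "basic-example"},
    "spec": {
        "flinkConfiguration": {"taskmanager.numberOfTaskSlots": "2"},
        "podTemplate": {"spec": {
            "containers": [{"name": CONTAINER,
                            "volumeMounts": [{"mountPath": "/certs", "name": "keystore"}]}],
            "volumes": [{"name": "keystore", "secret": {
                "secretName": "webhook-server-cert", "defaultMode": 420,
                "items": [{"key": "keystore.p12", "path": "keystore.p12"}]}}],
        }},
    },
}

# Hypothetical hardened variant: owner-only file mode, a truststore projected
# from the same secret (hypothetical key name), the REST SSL options set, and
# placeholder passwords (real ones belong in a secret, not in the example).
HARDENED = copy.deepcopy(MOUNT_ONLY)
HARDENED["spec"]["podTemplate"]["spec"]["volumes"][0]["secret"].update({
    "defaultMode": 0o400,
    "items": [{"key": "keystore.p12", "path": "keystore.p12"},
              {"key": "truststore.p12", "path": "truststore.p12"}],
})
HARDENED["spec"]["flinkConfiguration"].update({
    "security.ssl.rest.enabled": "true",
    "security.ssl.rest.keystore": "/certs/keystore.p12",
    "security.ssl.rest.truststore": "/certs/truststore.p12",
    "security.ssl.rest.keystore-password": "<placeholder>",
    "security.ssl.rest.key-password": "<placeholder>",
    "security.ssl.rest.truststore-password": "<placeholder>",
})

PASSWORD_KEYS = ("security.ssl.rest.keystore-password",
                 "security.ssl.rest.key-password",
                 "security.ssl.rest.truststore-password")


def secret_files(pod_spec, container_name):
    """Map absolute path -> {secret, mode} for every file that a secret volume
    projects into the named container (only explicitly listed items are
    resolvable from the manifest alone)."""
    volumes = {v["name"]: v for v in pod_spec.get("volumes", [])}
    container = next(c for c in pod_spec["containers"] if c["name"] == container_name)
    files = {}
    for mount in container.get("volumeMounts", []):
        secret = volumes.get(mount["name"], {}).get("secret")
        if secret is None:
            continue
        mode = secret.get("defaultMode", 0o644)  # Kubernetes default when unset
        for item in secret.get("items", []):
            path = str(PurePosixPath(mount["mountPath"]) / item["path"])
            files[path] = {"secret": secret["secretName"], "mode": mode}
    return files


def check_rest_ssl(manifest):
    """Return a list of findings; an empty list means the REST TLS wiring is consistent."""
    spec = manifest["spec"]
    cfg = spec.get("flinkConfiguration", {})
    files = secret_files(spec["podTemplate"]["spec"], CONTAINER)
    findings = []
    if cfg.get("security.ssl.rest.enabled") != "true":
        findings.append("security.ssl.rest.enabled is not 'true': the REST endpoint "
                        "stays plaintext even though a keystore is mounted")
    for key in ("security.ssl.rest.keystore", "security.ssl.rest.truststore"):
        path = cfg.get(key)
        if path is None:
            findings.append(f"{key} is not set")
        elif path not in files:
            findings.append(f"{key}={path} is not projected from a secret volume into {CONTAINER}")
        elif files[path]["mode"] & 0o077:
            findings.append(f"{path} is projected with mode {files[path]['mode']:#o}; "
                            "use 0o400 so only the container user can read the key material")
    for key in PASSWORD_KEYS:
        if key not in cfg:
            findings.append(f"{key} is not set; Flink needs it to open the store")
    return findings


if __name__ == "__main__":
    for name, manifest in (("mount-only", MOUNT_ONLY), ("hardened", HARDENED)):
        print(name, check_rest_ssl(manifest) or ["OK"])
```

The mode check converts Kubernetes' decimal defaultMode (420 is 0644) and flags anything readable by group or other; the hardened dict uses 0o400, which is 256 in a YAML manifest.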

From: Hao t Chang <htch...@us.ibm.com>
Date: Friday, September 9, 2022 at 11:10 AM
To: dev@flink.apache.org <dev@flink.apache.org>
Subject: [EXTERNAL] Re: Recommended way to Enable SSL Flink Kubernetes Operator
Hi Biao thanks for the quick reply.
The helm chart uses a standard Deployment to mount the keystore onto the webhook container using volumes/volumeMounts for the operator, but it's not clear to me how to mount the keystore using the FlinkDeployment CRD[2] for a Flink application.
