Hi Biao, I think this modified basic-example FlinkDeployment should load the existing keystore, although I am not certain re-using the webhook keystore is recommended.

apiVersion: flink.apache.org/v1beta1
kind: FlinkDeployment
metadata:
  name: basic-example
spec:
  image: flink:1.15
  flinkVersion: v1_15
  flinkConfiguration:
    taskmanager.numberOfTaskSlots: "2"
  serviceAccount: flink
  jobManager:
    resource:
      memory: "2048m"
      cpu: 1
  taskManager:
    resource:
      memory: "2048m"
      cpu: 1
  podTemplate:
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-template
    spec:
      containers:
        - name: flink-main-container
          volumeMounts:
            - mountPath: /certs
              name: keystore
      volumes:
        - name: keystore
          secret:
            defaultMode: 420
            items:
              - key: keystore.p12
                path: keystore.p12
            secretName: webhook-server-cert
  job:
    jarURI: local:///opt/flink/examples/streaming/StateMachineExample.jar
    parallelism: 2
    upgradeMode: stateless

Verify with curl

curl -v -k https://basic-example-rest:8081
* Trying 172.21.126.88:8081...
* Connected to basic-example-rest (172.21.126.88) port 8081 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=FlinkDeployment Validator
* start date: Sep 12 17:38:37 2022 GMT
* expire date: Dec 11 17:38:37 2022 GMT
* issuer: CN=FlinkDeployment Validator
* SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET / HTTP/1.1
> Host: basic-example-rest:8081
> User-Agent: curl/7.74.0
> Accept: */*

From: Hao t Chang <htch...@us.ibm.com>
Date: Friday, September 9, 2022 at 11:10 AM
To: dev@flink.apache.org <dev@flink.apache.org>
Subject: [EXTERNAL] Re: Recommended way to Enable SSL Flink Kubernetes Operator

Hi Biao, thanks for the quick reply. The helm chart uses a standard Deployment to mount the keystore onto the webhook container using volumes/volumeMounts for the operator, but it’s not clear to me how to mount the keystore using the FlinkDeployment CRD[2] for a Flink application.
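
An added example, not part of the original message or of the Flink operator project: a small lint over a FlinkDeployment manifest (already parsed into a dict) that flags the webhook keystore reuse the message is unsure about and checks that Flink's `security.ssl.rest.*` options point at the mounted path. The secret name `flink-rest-tls` and the finding labels are hypothetical, and the sample manifests are constructed from the pod template in the message.

```python
# Added example: lint the TLS-relevant parts of a FlinkDeployment manifest (as a dict).
WEBHOOK_SECRET = "webhook-server-cert"  # secret name taken from the message

def audit_flink_tls(manifest, main_container="flink-main-container"):
    """Return findings about how the REST keystore is wired into the job pods."""
    spec = manifest.get("spec", {})
    conf = spec.get("flinkConfiguration", {})
    pod = spec.get("podTemplate", {}).get("spec", {})
    # volume name -> secret name, for secret-backed volumes only
    secrets = {v["name"]: v["secret"]["secretName"]
               for v in pod.get("volumes", []) if "secret" in v}
    # mount path -> secret name, inside the Flink main container
    mounts = {m["mountPath"].rstrip("/"): secrets[m["name"]]
              for c in pod.get("containers", []) if c.get("name") == main_container
              for m in c.get("volumeMounts", []) if m["name"] in secrets}
    findings = []
    for path, secret in mounts.items():
        if secret == WEBHOOK_SECRET:
            findings.append(f"shared-key: {path} carries the operator webhook keystore")
    # Only this manifest is inspected; options set elsewhere are not seen.
    if str(conf.get("security.ssl.rest.enabled", "false")).lower() != "true":
        findings.append("rest-tls-off: security.ssl.rest.enabled is not true")
    keystore = conf.get("security.ssl.rest.keystore")
    if keystore is None:
        findings.append("no-keystore: security.ssl.rest.keystore is not set")
    elif not any(keystore.startswith(p + "/") for p in mounts):
        findings.append(f"unmounted: {keystore} is not under a mounted secret")
    return findings

def sample(secret, conf):
    """Constructed manifest with the same pod template shape as the message."""
    return {"spec": {"flinkConfiguration": conf, "podTemplate": {"spec": {
        "containers": [{"name": "flink-main-container", "volumeMounts": [
            {"mountPath": "/certs", "name": "keystore"}]}],
        "volumes": [{"name": "keystore", "secret": {"secretName": secret}}]}}}}

# As posted: webhook secret mounted, no SSL keys in flinkConfiguration.
POSTED = sample("webhook-server-cert", {"taskmanager.numberOfTaskSlots": "2"})
# Hypothetical dedicated secret "flink-rest-tls" with REST TLS configured.
DEDICATED = sample("flink-rest-tls", {"security.ssl.rest.enabled": "true",
    "security.ssl.rest.keystore": "/certs/keystore.p12"})

if __name__ == "__main__":
    for name, m in (("posted", POSTED), ("dedicated", DEDICATED)):
        print(name, audit_flink_tls(m))
```

Mounting `webhook-server-cert` places the operator webhook's keystore file inside every job pod, which is the reason to flag it. The curl output in the message also shows that certificate is self-signed with subject CN=FlinkDeployment Validator, so the connection was made with verification disabled (`-k`).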