Re: Recommended way to Enable SSL Flink Kubernetes Operator
I think you have already found the solution. Pod template[1] is exactly what you want.

[1]. https://nightlies.apache.org/flink/flink-docs-release-1.15/docs/deployment/resource-providers/native_kubernetes/#pod-template

Best,
Yang

On Tue, Sep 13, 2022 at 07:41, Hao t Chang wrote:
Re: Recommended way to Enable SSL Flink Kubernetes Operator
Hi Biao,

I think this modified basic-example FlinkDeployment should load the existing keystore, although I am not certain re-using the webhook keystore is recommended.

apiVersion: flink.apache.org/v1beta1
kind: FlinkDeployment
metadata:
  name: basic-example
spec:
  image: flink:1.15
  flinkVersion: v1_15
  flinkConfiguration:
    taskmanager.numberOfTaskSlots: "2"
  serviceAccount: flink
  jobManager:
    resource:
      memory: "2048m"
      cpu: 1
  taskManager:
    resource:
      memory: "2048m"
      cpu: 1
  podTemplate:
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-template
    spec:
      containers:
        - name: flink-main-container
          volumeMounts:
            - mountPath: /certs
              name: keystore
      volumes:
        - name: keystore
          secret:
            defaultMode: 420
            items:
              - key: keystore.p12
                path: keystore.p12
            secretName: webhook-server-cert
  job:
    jarURI: local:///opt/flink/examples/streaming/StateMachineExample.jar
    parallelism: 2
    upgradeMode: stateless

Verify with curl:

curl -v -k https://basic-example-rest:8081
* Trying 172.21.126.88:8081...
* Connected to basic-example-rest (172.21.126.88) port 8081 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=FlinkDeployment Validator
* start date: Sep 12 17:38:37 2022 GMT
* expire date: Dec 11 17:38:37 2022 GMT
* issuer: CN=FlinkDeployment Validator
* SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET / HTTP/1.1
> Host: basic-example-rest:8081
> User-Agent: curl/7.74.0
> Accept: */*

From: Hao t Chang
Date: Friday, September 9, 2022 at 11:10 AM
To: dev@flink.apache.org
Subject: [EXTERNAL] Re: Recommended way to Enable SSL Flink Kubernetes Operator
Re: Recommended way to Enable SSL Flink Kubernetes Operator
Hi Biao, thanks for the quick reply.

The helm chart uses a standard Deployment to mount the keystore onto the webhook container using volumes/volumeMounts for the operator, but it’s not clear to me how to mount the keystore using the FlinkDeployment CRD[2] for a Flink application.

[2] https://github.com/apache/flink-kubernetes-operator/blob/main/helm/flink-kubernetes-operator/crds/flinkdeployments.flink.apache.org-v1.yml

From: Geng Biao
Date: Friday, September 9, 2022 at 9:33 AM
To: dev@flink.apache.org
Subject: [EXTERNAL] Re: Recommended way to Enable SSL Flink Kubernetes Operator
Re: Recommended way to Enable SSL Flink Kubernetes Operator
Hi Hao,

You may take a look at the code for the webhook in the helm charts of the Flink k8s project, as it also utilizes cert-manager to create and mount the keystore for SSL.

Best,
Biao Geng

From: Hao t Chang
Sent: Saturday, September 10, 2022 12:24:48 AM
To: dev@flink.apache.org
Subject: Recommended way to Enable SSL Flink Kubernetes Operator
Recommended way to Enable SSL Flink Kubernetes Operator
Hi,

Is there a recommended way (similar to this [1]) to enable the SSL REST/Internal connectivity for a FlinkDeployment created by the Flink Kubernetes Operator?

First I added the required SSL config inside the flink-operator-config configmap. The required SSL configs look like:

security.ssl.internal.enabled: true
security.ssl.internal.keystore: /certs/keystore.p12
security.ssl.internal.keystore-password: password
security.ssl.internal.key-password: password
security.ssl.internal.truststore: /certs/keystore.p12
security.ssl.internal.truststore-password: password
security.ssl.rest.enabled: true
security.ssl.rest.keystore: /certs/keystore.p12
security.ssl.rest.keystore-password: password
security.ssl.rest.key-password: password1234
security.ssl.rest.truststore: /certs/keystore.p12
security.ssl.rest.truststore-password: password

What’s not clear to me is how to create and mount the keystore and truststore in a FlinkDeployment CRD for the job/taskManagers to consume. Otherwise, the basic-example FlinkDeployment would fail to start with the following reason:

Shutting KubernetesApplicationClusterEntrypoint down with application status FAILED. Diagnostics java.io.IOException: Failed to initialize SSL for the blob server
Caused by: java.nio.file.NoSuchFileException: /certs/keystore.p12

[1] https://nightlies.apache.org/flink/flink-docs-master/docs/deployment/security/security-ssl/
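An offline pre-deploy check for the failure described in this message and for the podTemplate fix posted later in the thread, written as an added example (not Flink or operator code): it merges a FlinkDeployment's flinkConfiguration over the operator-wide SSL defaults and reports every enabled keystore/truststore path that no secret volume projects into flink-main-container, which is exactly what produced the NoSuchFileException above. The OPERATOR_DEFAULTS dict and both manifests are constructed from the thread's values (password keys left out); a secret volume that lists no items cannot be verified offline and is reported as not mounted.

```python
import posixpath

# Constructed from the thread: operator-wide SSL path keys from flink-operator-config.
OPERATOR_DEFAULTS = {f"security.ssl.{s}.{k}": v for s in ("internal", "rest")
                     for k, v in (("enabled", "true"), ("keystore", "/certs/keystore.p12"),
                                  ("truststore", "/certs/keystore.p12"))}

# Constructed: the thread's podTemplate, projecting keystore.p12 from the
# webhook-server-cert secret to /certs (defaultMode 420 is octal 0644).
KEYSTORE_POD_TEMPLATE = {"spec": {
    "containers": [{"name": "flink-main-container",
                    "volumeMounts": [{"mountPath": "/certs", "name": "keystore"}]}],
    "volumes": [{"name": "keystore", "secret": {
        "defaultMode": 420, "secretName": "webhook-server-cert",
        "items": [{"key": "keystore.p12", "path": "keystore.p12"}]}}]}}

def projected_files(pod_template):
    """Container path -> secret name for secret items mounted into flink-main-container."""
    spec = pod_template.get("spec", {})
    volumes = {v["name"]: v for v in spec.get("volumes", [])}
    files = {}
    for c in spec.get("containers", []):
        if c.get("name") != "flink-main-container":
            continue  # only the main container runs the JobManager/TaskManager JVM
        for m in c.get("volumeMounts", []):
            secret = volumes.get(m["name"], {}).get("secret") or {}
            for item in secret.get("items", []):  # without items the keys are unknown offline
                files[posixpath.join(m["mountPath"], item["path"])] = secret["secretName"]
    return files

def check_ssl_mounts(deployment, defaults=OPERATOR_DEFAULTS):
    """Sorted findings; [] means every enabled SSL store path is backed by a mounted secret."""
    spec = deployment["spec"]
    conf = {**defaults, **spec.get("flinkConfiguration", {})}  # CR values override defaults
    files = projected_files(spec.get("podTemplate", {}))
    findings = set()
    for scope in ("internal", "rest"):
        if str(conf.get(f"security.ssl.{scope}.enabled", "false")).lower() != "true":
            continue
        for store in ("keystore", "truststore"):
            path = conf.get(f"security.ssl.{scope}.{store}")
            if path not in files:
                findings.add(f"security.ssl.{scope}.{store}={path} is not mounted in flink-main-container")
    return sorted(findings)

# basic-example without and with the pod template: the first reproduces the
# thread's missing-keystore failure before anything is applied to the cluster.
BASIC = {"spec": {"flinkConfiguration": {"taskmanager.numberOfTaskSlots": "2"}}}
FIXED = {"spec": {**BASIC["spec"], "podTemplate": KEYSTORE_POD_TEMPLATE}}
```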