FilKarnicki opened a new pull request #306:
URL: https://github.com/apache/flink-statefun/pull/306
### What is the purpose of the change
The goal of this PR is to add mutual TLS capabilities to flink-statefun. In
master, currently only server-side TLS is allowed, meaning the flink-statefun
job can assert whether the remote service it's talking to is who it says it is,
but not the other way around. Furthermore, only the default Java certificate
authority truststore can currently be used.
This change allows users to specify additional settings in module.yaml's
function spec:
```yaml
spec:
  transport:
    type: io.statefun.transports.v1/async
    #(...)
    trust_cacerts: ~/trustedCAs.pem
    client_cert: classpath:clientPublic.crt
    client_key: ~/clientPrivate.key
    client_key_password: changeme
```
Certs/keys get loaded with `ResourceLocator` and used in Netty's `SslContext`.
### Main changes are:
- Added a test for `NettyClient`
- Made slight changes to `HttpConnectionPoolManager` in order to catch
failure case responses without them being automatically retried
- Included a bunch of certificates/keys for testing (with README.md files
explaining how the certs were created)
- Replaced undertow in `statefun-smoke-e2e-java` with `netty` in order to be
able to use the same cert/key loading mechanisms as the netty client in
`statefun-flink-core`
### Verifying this change
`TransportClientTest` launches a netty service returning a stub response.
There are three endpoints: http, https with required mutual TLS, and https with
server-side TLS only (for verifying existing, default JRE truststore use cases).
`NettyClientTest` contains a number of tests used to verify the correct
behaviour.
`statefun-smoke-e2e-java` was updated to use mutual TLS.
- Dependencies (does it add or upgrade a dependency): no
- The public API, i.e., is any changed class annotated with @Public(Evolving):
  N/A
- The serializers: no
- The runtime per-record code paths (performance sensitive): unsure - TLS was
  already available, so if anyone is already using TLS, they are already
  experiencing some performance hit
- Anything that affects deployment or recovery: JobManager (and its
  components), Checkpointing, Yarn/Mesos, ZooKeeper: no
- The S3 file system connector: no
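As an added illustration (not code from the PR or from flink-statefun), the following shows how the four `module.yaml` settings above map onto a Netty client `SslContext`: `trust_cacerts` replaces the default JRE truststore, and `client_cert`/`client_key`/`client_key_password` supply the client identity that makes the connection mutual. It assumes the values have already been resolved to local files; the PR's `ResourceLocator` handles the `classpath:` and `~` forms, and that step is not reproduced here. The `MutualTlsClientContext` class name and the fail-fast check for a half-configured client identity are this example's own.

```java
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;

import javax.net.ssl.SSLException;
import java.io.File;

/**
 * Builds a Netty client SslContext from the transport settings described in the
 * PR description. Example code, not part of flink-statefun. Assumes every
 * setting has already been resolved to a File by a ResourceLocator-like step.
 */
public final class MutualTlsClientContext {

    private MutualTlsClientContext() {}

    public static SslContext build(
            File trustCaCerts,        // trust_cacerts: PEM bundle of CAs accepted for the server
            File clientCert,          // client_cert: PEM certificate (chain) presented to the server
            File clientKey,           // client_key: PKCS#8 PEM private key matching client_cert
            String clientKeyPassword  // client_key_password: null when the key is unencrypted
    ) throws SSLException {
        SslContextBuilder builder = SslContextBuilder.forClient();

        // Server-side TLS: with no CA bundle configured, Netty falls back to the
        // default JRE truststore, i.e. the behaviour that existed before the PR.
        if (trustCaCerts != null) {
            builder.trustManager(trustCaCerts);
        }

        // Mutual TLS: cert and key must be configured together. A cert without a
        // key (or vice versa) is a misconfiguration; failing here is clearer than
        // silently degrading to server-only TLS and then seeing the remote side
        // reject the handshake for a missing client certificate.
        if ((clientCert == null) != (clientKey == null)) {
            throw new IllegalArgumentException(
                "client_cert and client_key must be configured together");
        }
        if (clientCert != null) {
            builder.keyManager(clientCert, clientKey, clientKeyPassword);
        }

        return builder.build();
    }
}
```

Against the three endpoints the PR's `TransportClientTest` stands up, a context built with `clientCert == null` should complete the handshake with the server-only TLS endpoint but fail against the endpoint that requires mutual TLS, while a context built with all four settings should succeed against both; the resulting `SslContext` is installed per connection with `sslContext.newHandler(channel.alloc(), host, port)` at the front of the channel pipeline.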