[
https://issues.apache.org/jira/browse/FLINK-28272?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17580621#comment-17580621
]
wu3396 commented on FLINK-28272:
--------------------------------
Hello,
I've just hit the same issue, my env is:
kubernetes-operator:1.1.0
flink-webhook logs
{code:java}
{ "@timestamp": "2022-08-17T05:58:52.578Z",
"ecs.version": "1.2.0",
"log.level": "WARN",
"message": "An exceptionCaught() event was fired, and it reached at the tail
of the pipeline. It usually means the last handler in the pipeline did not
handle the exception.",
"process.thread.name": "nioEventLoopGroup-3-2",
"log.logger":
"org.apache.flink.shaded.netty4.io.netty.channel.DefaultChannelPipeline",
"error.type":
"org.apache.flink.shaded.netty4.io.netty.handler.codec.DecoderException",
"error.message": "javax.net.ssl.SSLHandshakeException: Received fatal alert:
bad_certificate",
"error.stack_trace":
"org.apache.flink.shaded.netty4.io.netty.handler.codec.DecoderException:
javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
at
org.apache.flink.shaded.netty4.io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:477)
at
org.apache.flink.shaded.netty4.io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
at
org.apache.flink.shaded.netty4.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at
org.apache.flink.shaded.netty4.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at
org.apache.flink.shaded.netty4.io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
at
org.apache.flink.shaded.netty4.io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
at
org.apache.flink.shaded.netty4.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at
org.apache.flink.shaded.netty4.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at
org.apache.flink.shaded.netty4.io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
at
org.apache.flink.shaded.netty4.io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
at
org.apache.flink.shaded.netty4.io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:719)
at
org.apache.flink.shaded.netty4.io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:655)
at
org.apache.flink.shaded.netty4.io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:581)
at
org.apache.flink.shaded.netty4.io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
at
org.apache.flink.shaded.netty4.io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:986)
at
org.apache.flink.shaded.netty4.io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at
org.apache.flink.shaded.netty4.io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Unknown Source) Caused by:
javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate at
java.base/sun.security.ssl.Alert.createSSLException(Unknown Source) at
java.base/sun.security.ssl.Alert.createSSLException(Unknown Source) at
java.base/sun.security.ssl.TransportContext.fatal(Unknown Source) at
java.base/sun.security.ssl.Alert$AlertConsumer.consume(Unknown Source) at
java.base/sun.security.ssl.TransportContext.dispatch(Unknown Source) at
java.base/sun.security.ssl.SSLTransport.decode(Unknown Source) at
java.base/sun.security.ssl.SSLEngineImpl.decode(Unknown Source) at
java.base/sun.security.ssl.SSLEngineImpl.readRecord(Unknown Source) at
java.base/sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source) at
java.base/sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source) at
java.base/javax.net.ssl.SSLEngine.unwrap(Unknown Source) at
org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:296)
at
org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1342)
at
org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1235)
at
org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1284)
at
org.apache.flink.shaded.netty4.io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:507)
at
org.apache.flink.shaded.netty4.io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:446)
... 17 more"
}{code}
> Handle TLS Certificate Renewal in Webhook
> -----------------------------------------
>
> Key: FLINK-28272
> URL: https://issues.apache.org/jira/browse/FLINK-28272
> Project: Flink
> Issue Type: Bug
> Components: Kubernetes Operator
> Affects Versions: kubernetes-operator-1.0.0
> Reporter: Matyas Orhidi
> Priority: Major
> Fix For: kubernetes-operator-1.2.0
>
>
> We found that flink-kubernetes-operator v1.0.0 does not reload the new
> certificate when it is updated by cert-manager, and this causes the following
> error when updating a FlinkDeployment:
> {{Failed sync attempt to 597d35a7434bede526f526852c33a65262765219: one or
> more objects failed to apply, reason: Internal error occurred: failed calling
> webhook "flinkoperator.flink.apache.org": Post
> "https://flink-operator-webhook-service.flink-operator.svc:443/validate?timeout=10s":
> x509: certificate signed by unknown authority (possibly because of
> "x509: invalid signature: parent certificate cannot sign this kind of
> certificate" while trying to verify candidate authority certificate
> "FlinkDeployment Validator") (retried 3 times).}}
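Added example, not part of the Jira thread or of the operator's code: a triage script for the flink-webhook log shown in the comment. A "Received fatal alert: bad_certificate" entry on the webhook side means the calling client rejected the certificate the webhook presented, so the script splits those alerts around a certificate renewal time to show whether they began only after the renewal. It assumes one ECS JSON object per log line; the sample lines, the renewal time and the function names are constructed for illustration.

```python
import json
import re
from datetime import datetime

# TLS alert name as the JDK reports it in the ECS "error.message" field.
ALERT_RE = re.compile(r"SSLHandshakeException: Received fatal alert: (\w+)")
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"  # ECS @timestamp, e.g. 2022-08-17T05:58:52.578Z


def handshake_alerts(lines):
    """Yield (timestamp, alert_name) for each TLS alert the webhook received."""
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines (banners, partial writes)
        if not isinstance(record, dict) or "@timestamp" not in record:
            continue
        match = ALERT_RE.search(str(record.get("error.message", "")))
        if match:
            yield datetime.strptime(record["@timestamp"], TS_FORMAT), match.group(1)


def triage(lines, renewed_at):
    """Split bad_certificate alerts around a certificate renewal time."""
    renewed = datetime.strptime(renewed_at, TS_FORMAT)
    before, after, others = [], [], {}
    for ts, alert in handshake_alerts(lines):
        if alert != "bad_certificate":
            others[alert] = others.get(alert, 0) + 1
        elif ts < renewed:
            before.append(ts)
        else:
            after.append(ts)
    return {
        "before_renewal": len(before),
        "after_renewal": len(after),
        "first_after": min(after).isoformat() if after else None,
        "other_alerts": others,
        # Alerts that start only after the renewal point at a stale certificate.
        "stale_cert_suspected": bool(after) and not before,
    }


# Constructed sample input, shaped like the flink-webhook log in the comment.
_MSG = "javax.net.ssl.SSLHandshakeException: Received fatal alert: "
SAMPLE = [
    "Starting webhook server",  # non-JSON line, ignored
    '{"@timestamp": "2022-08-17T04:10:00.000Z", "log.level": "INFO", "message": "ok"}',
    json.dumps({"@timestamp": "2022-08-17T05:58:52.578Z", "error.message": _MSG + "bad_certificate"}),
    json.dumps({"@timestamp": "2022-08-17T05:59:02.101Z", "error.message": _MSG + "bad_certificate"}),
    json.dumps({"@timestamp": "2022-08-17T06:01:00.000Z", "error.message": _MSG + "certificate_unknown"}),
]
RENEWED_AT = "2022-08-17T05:00:00.000Z"  # constructed renewal time
```

Calling triage(SAMPLE, RENEWED_AT) returns the counts and the first alert seen after the renewal; for a real deployment the renewal time would come from the renewed certificate's notBefore field.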