[PR] [Flink 31966] Flink Kubernetes operator lacks TLS support [flink-kubernetes-operator]

Wed, 25 Oct 2023 05:46:01 -0700 


tagarr opened a new pull request, #689:
URL: https://github.com/apache/flink-kubernetes-operator/pull/689

   ## What is the purpose of the change
   If the FlinkDeployment CR is configured to use ssl, the operator is unable 
to properly reconcile the deployment as the underlying RestClient the operator 
uses tries to load the certificates defined in the config.
   
   ## Brief change log
     - When rest cluster client is created (in AbstractFlinkService) the config 
is checked to see if rest ssl is configured. If it is, find the relevant secret 
defined in the kubernetes.secret config and copy the secret to a local 
directory in the location of /tmp/operator/certs/{namespace}/{instanceName}. 
Copied config is then modified to point to the new ssl cert location before the 
rest client is created.
     - Creation of a new OperatorKubernetesClusterDescriptor so that a 
restclient created in the operator can be passed to it and prevent the creation 
of a restclient within the private createClusterClientProvider method
     - Modify the KubernetesStandaloneClusterDescriptor to be able to pass in a 
RestClient in same way as the above class
   
   ## Verifying this change
   
   This change added tests and can be verified as follows:
     - Added new tests for the new OperatorKubernetesClusterDescriptor class
     - Added a SecureFlinkServiceTest that checks that the copied certs are 
deleted when the cluster is deleted, that data in the secrets are copied into 
the relevant directory of the operator and additional test when relevant file 
does not exist or secret does not exist
     - Added new basic-secure.yaml example that provides a secured flink 
application and updated relevant README 
   
   ## Does this pull request potentially affect one of the following parts:
   
     - Dependencies (does it add or upgrade a dependency): (no)
     - The public API, i.e., is any changes to the `CustomResourceDescriptors`: 
(no)
     - Core observer or reconciler logic that is regularly executed: (no) N.b. 
this only modifies the Flink service used by the observers and reconcilers
   
   ## Documentation
   
     - Does this pull request introduce a new feature? (no)
     - If yes, how is the feature documented? (not applicable)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to