zoli created SPARK-36833:
----------------------------
Summary: Can't use SSL with spark on kubernetes on service level
Key: SPARK-36833
URL: https://issues.apache.org/jira/browse/SPARK-36833
Project: Spark
Issue Type: Bug
Components: Kubernetes, Security
Affects Versions: 3.0.0
Reporter: zoli
Currently it seems impossible to generate the correct cert for the driver's service
because of the random naming.
I would like to use SSL on the Spark UI, which will be accessed by other pods using
the driver's service.
"spark.ssl.enabled"=true
"spark.ssl.keyStore"=my-spark.jks
"spark.ssl.keyStorePassword"=mypassword
..etc..
At this point we already have to know the domain for the cert,
which we don't, because it will be generated at the time when the driver pod is
generated.
my-application-75f3654hj76gb67n-driver
my-application-75f3654hj76gb67n-driver-svc
So the SSL handshake will fail with
" SSL: no alternative certificate subject name matches target host name
my-application-75f3654hj76gb67n-driver-svc"
I tried to modify the pod name with
spark.kubernetes.driver.pod.name
but it only affects the pod and not the service.
I found a partial solution using wildcards for the domain inside the cert, but
because it only works at the subdomain level I have to refer to the service with:
<SERVICE-NAME>.<NS>.<svc>
and use <pod-name>-*-driver-svc.<NS>.svc as the alternate domain inside the cert.
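
The name-matching problem described in this report, as an added example that is not part of the original message or of Spark: a minimal RFC 6125-style check of DNS subjectAltName patterns against the host name a client dials. The namespace "spark", the SAN list, the cluster.local suffix and the function names are assumptions; the service name is the one quoted in the report.

```python
"""Added example: which DNS SAN patterns cover a Spark driver service name."""

SERVICE = "my-application-75f3654hj76gb67n-driver-svc"  # name quoted in the report
NAMESPACE = "spark"  # assumed namespace, not from the report
# Constructed SAN list: the report's partial wildcard plus a whole-label wildcard.
SANS = [f"my-application-*-driver-svc.{NAMESPACE}.svc", f"*.{NAMESPACE}.svc"]


def san_matches(pattern, host, allow_partial=True):
    """RFC 6125-style match of one DNS SAN pattern against the dialled host."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    # A wildcard never spans a dot, so both names need the same label count.
    if len(p) != len(h):
        return False
    # Only the left-most label may carry a wildcard; the rest compare literally.
    if p[1:] != h[1:] or any("*" in label for label in p[1:]):
        return False
    left, target = p[0], h[0]
    if "*" not in left:
        return left == target
    # One wildcard only, and (a common client rule) at least two dots in the pattern.
    if left.count("*") != 1 or len(p) < 3:
        return False
    # Strict clients honour "*" only when it is the whole label.
    if left != "*" and not allow_partial:
        return False
    prefix, suffix = left.split("*")
    return (len(target) >= len(prefix) + len(suffix)
            and target.startswith(prefix) and target.endswith(suffix))


def covering_sans(host, sans=SANS, allow_partial=True):
    """Return the SAN patterns from `sans` that cover `host`."""
    return [s for s in sans if san_matches(s, host, allow_partial)]


if __name__ == "__main__":
    fqdn = f"{SERVICE}.{NAMESPACE}.svc"
    # ".cluster.local" is the assumed (default) cluster domain.
    for name in (SERVICE, fqdn, fqdn + ".cluster.local"):
        print(name, "->", covering_sans(name) or "no SAN matches")
```

The bare service name matches neither pattern, which is the handshake failure quoted in the report. Clients that reject partial-label wildcards accept only the whole-label entry, so the partial wildcard is not portable across TLS libraries.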