[ https://issues.apache.org/jira/browse/SPARK-36833?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
zoli updated SPARK-36833:
-------------------------
    Priority: Critical  (was: Major)

> Can't use SSL with spark on kubernetes on service level
> -------------------------------------------------------
>
>                 Key: SPARK-36833
>                 URL: https://issues.apache.org/jira/browse/SPARK-36833
>             Project: Spark
>          Issue Type: Bug
>          Components: Kubernetes, Security
>    Affects Versions: 3.0.0
>            Reporter: zoli
>            Priority: Critical
>
> Currently it seems impossible to generate the correct cert for the driver's pod
> because of the random naming of the service.
> I would like to use SSL on the Spark UI, which will be accessed by other pods
> using the driver's service.
> {code:java}
> "spark.ssl.enabled"=true
> "spark.ssl.keyStore"=my-spark.jks
> "spark.ssl.keyStorePassword"=mypassword
> ..etc..
> {code}
> At this point we already have to know the domain for the cert,
> which we don't, because it will be generated at the time the driver pod
> is generated.
> {code:java}
> my-application-75f3654hj76gb67n-driver
> my-application-75f3654hj76gb67n-driver-svc
> {code}
> So the SSL handshake will fail with:
> {code:java}
> " SSL: no alternative certificate subject name matches target host name my-application-75f3654hj76gb67n-driver-svc
> {code}
> I tried to mod the pod name with:
> {code:java}
> spark.kubernetes.driver.pod.name
> {code}
> but it only affects the pod name and not the service name.
> If it is neither a bug nor a missed feature, then please guide me on how to use
> SSL when hitting the driver's service.
> I found a *partial solution* using wildcards for the domain inside the cert, but
> because it only works on subdomain level I have to refer to the service with:
> <POD_NAME>-*-driver-svc.<NS>.svc as the alternate domain inside the cert,
> and using it with the namespace, svc added just to conform to the wildcard's
> rule subdomain restriction.
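
The wildcard workaround described in the report, as an added example that is not part of the original report or of Spark's code: a small hostname matcher showing which driver service names a `<POD_NAME>-*-driver-svc.<NS>.svc` subject alternative name would cover. The matching rules (wildcard only in the leftmost label, partial-label wildcards accepted, at least two labels after the wildcard label) are assumptions modelling the "subdomain restriction" mentioned above, real TLS clients differ, and the namespace `spark-jobs` is a constructed value.

```python
# Added example: which driver service names does a wildcard SAN cover?
# Assumed rules (clients vary): one '*', only in the leftmost label,
# partial-label wildcards allowed, '*' never spans a dot.

def san_matches(pattern: str, host: str, min_suffix_labels: int = 2) -> bool:
    """Return True if the DNS SAN `pattern` covers `host`."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels          # exact, case-insensitive match
    if pattern.count("*") != 1 or "*" not in p_labels[0]:
        return False                         # wildcard outside leftmost label
    if len(p_labels) - 1 < min_suffix_labels:
        return False                         # too few labels after the wildcard
    if len(p_labels) != len(h_labels) or p_labels[1:] != h_labels[1:]:
        return False                         # every other label must be equal
    prefix, suffix = p_labels[0].split("*")
    left = h_labels[0]
    # prefix and suffix must both fit in the label without overlapping
    return (len(left) >= len(prefix) + len(suffix)
            and left.startswith(prefix) and left.endswith(suffix))

# Constructed sample values; the service name is the one quoted in the report.
SAN = "my-application-*-driver-svc.spark-jobs.svc"
SVC = "my-application-75f3654hj76gb67n-driver-svc"

def demo() -> dict:
    """Evaluate the SAN against the ways a pod could address the service."""
    return {
        "short name": san_matches(SAN, SVC),
        "name.ns.svc": san_matches(SAN, SVC + ".spark-jobs.svc"),
        "other namespace": san_matches(SAN, SVC + ".other-ns.svc"),
        "cluster domain": san_matches(SAN, SVC + ".spark-jobs.svc.cluster.local"),
        "bare wildcard SAN": san_matches("my-application-*-driver-svc", SVC),
    }

if __name__ == "__main__":
    for form, ok in demo().items():
        print(f"{form:18} {'match' if ok else 'no match'}")
```

Under these assumptions only the `<service>.<NS>.svc` form verifies, so clients must use that name; the short service name and the longer cluster-domain form would each need their own SAN entry.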