[ https://issues.apache.org/jira/browse/SPARK-36833?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

zoli updated SPARK-36833:
-------------------------
    Priority: Critical  (was: Major)

> Can't use SSL with spark on kubernetes on service level
> -------------------------------------------------------
>
>                 Key: SPARK-36833
>                 URL: https://issues.apache.org/jira/browse/SPARK-36833
>             Project: Spark
>          Issue Type: Bug
>          Components: Kubernetes, Security
>    Affects Versions: 3.0.0
>            Reporter: zoli
>            Priority: Critical
>
> Currently it seems impossible to generate the correct cert for the driver's 
> pod because of the random naming of the service.
> I would like to use SSL on the Spark UI, which will be accessed by other pods 
> using the driver's service.
> {code:java}
> "spark.ssl.enabled"=true
> "spark.ssl.keyStore"=my-spark.jks
> "spark.ssl.keyStorePassword"=mypassword
> ..etc..{code}
> At this point we already have to know the domain for the cert,
> which we don't, because it will be generated at the time when the driver pod 
> is generated.
> {code:java}
> my-application-75f3654hj76gb67n-driver
> my-application-75f3654hj76gb67n-driver-svc{code}
> So the SSL handshake will fail with:
> {code:java}
> " SSL: no alternative certificate subject name matches target host name 
> my-application-75f3654hj76gb67n-driver-svc{code}
> I tried to mod the pod name with:
> {code:java}
>  spark.kubernetes.driver.pod.name{code}
> but it only affects the pod name and not the service name.
> If it is neither a bug nor a missed feature then please guide me on how to 
> use SSL when hitting the driver's service.
> I found a *partial solution* using wildcards for the domain inside the cert, 
> but because it only works on the subdomain level I have to refer to the 
> service with:
>  <POD_NAME>-*-driver-svc.<NS>.svc as the alternate domain inside the cert,
>  and use it with the namespace, svc added just to conform to the wildcard 
> rule's subdomain restriction.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
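
The wildcard restriction described in the report, as an added example that is not part of the original issue or of Spark: a simplified model of RFC 6125 section 6.4.3 matching for DNS subject alternative names. The namespace `spark`, the function names and the two-label rule are assumptions for illustration; real TLS clients differ in detail and some reject partial-label wildcards.

```python
# Simplified model of RFC 6125 section 6.4.3 wildcard matching for DNS SANs.
# Not the code of any particular TLS client; behaviour varies between them.

def san_matches(pattern: str, host: str) -> bool:
    """Return True if the certificate dNSName `pattern` covers `host`."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    # One wildcard at most, and only in the left-most label.
    if pattern.count("*") != 1 or "*" not in p_labels[0]:
        return False
    # Assumption: require two labels to the right of the wildcard label,
    # as many clients do, so a wildcard cannot cover a bare name or a TLD.
    if len(p_labels) < 3:
        return False
    # The wildcard never spans a dot: label counts and the tail must agree.
    if len(p_labels) != len(h_labels) or p_labels[1:] != h_labels[1:]:
        return False
    prefix, suffix = p_labels[0].split("*")
    left = h_labels[0]
    return (len(left) >= len(prefix) + len(suffix)
            and left.startswith(prefix) and left.endswith(suffix))


def cert_covers(sans, host):
    """True if any SAN entry in `sans` covers `host`."""
    return any(san_matches(s, host) for s in sans)


# Service name taken from the report; the namespace "spark" is constructed.
SVC = "my-application-75f3654hj76gb67n-driver-svc"
NS = "spark"
SANS = ["my-application-*-driver-svc.spark.svc"]

if __name__ == "__main__":
    # Bare service name, namespaced name, and the same service elsewhere.
    for host in (SVC, f"{SVC}.{NS}.svc", f"{SVC}.other.svc"):
        print(f"{host} -> {cert_covers(SANS, host)}")
```

Under this model the bare service name is never covered by a wildcard entry, which is why clients have to address the driver as `<service>.<namespace>.svc` for the certificate to validate.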
