[ https://issues.apache.org/jira/browse/SPARK-36833?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
zoli updated SPARK-36833:
-------------------------
    Description: 
Currently it seems impossible to create the correct cert for the driver's pod because of the random naming of the service.
I would like to use SSL on the Spark UI, which will be accessed by other pods using the driver's service.
{code:java}
"spark.ssl.enabled"=true
"spark.ssl.keyStore"=my-spark.jks
"spark.ssl.keyStorePassword"=mypassword
..etc..{code}
At this point we already have to know the domain for the cert.
Which we don't, because it will be generated at the time when the driver pod is generated.
{code:java}
my-application-75f3654hj76gb67n-driver
my-application-75f3654hj76gb67n-driver-svc{code}
So the SSL handshake will fail with:
{code:java}
" SSL: no alternative certificate subject name matches target host name my-application-75f3654hj76gb67n-driver-svc{code}
I tried to mod the pod name with:
{code:java}
spark.kubernetes.driver.pod.name{code}
but it only affects the pod name and not the service name.
If it is neither a bug nor a missed feature then please guide me how to use SSL when hitting the driver's service (or how to define a fixed-name service like for pods).
----------------------------------------------------------------------------------------------------------------------------------------------------------------
I found a *partial solution* using wildcards for the domain inside the cert, but because it only works on the subdomain level I have to refer to the service with:
<POD_NAME>-*-driver-svc.<NS>.svc as the alternate domain inside the cert,
and use it with the namespace; svc is added just to conform to the wildcard rule's subdomain restriction.

  was:
Currently it seems impossible to create the correct cert for the driver's pod because of the random naming of the service.
I would like to use SSL on the Spark UI, which will be accessed by other pods using the driver's service.
{code:java}
"spark.ssl.enabled"=true
"spark.ssl.keyStore"=my-spark.jks
"spark.ssl.keyStorePassword"=mypassword
..etc..{code}
At this point we already have to know the domain for the cert.
Which we don't, because it will be generated at the time when the driver pod is generated.
{code:java}
my-application-75f3654hj76gb67n-driver
my-application-75f3654hj76gb67n-driver-svc{code}
So the SSL handshake will fail with:
{code:java}
" SSL: no alternative certificate subject name matches target host name my-application-75f3654hj76gb67n-driver-svc{code}
I tried to mod the pod name with:
{code:java}
spark.kubernetes.driver.pod.name{code}
but it only affects the pod name and not the service name.
If it is neither a bug nor a missed feature then please guide me how to use SSL when hitting the driver's service.
I found a *partial solution* using wildcards for the domain inside the cert, but because it only works on the subdomain level I have to refer to the service with:
<POD_NAME>-*-driver-svc.<NS>.svc as the alternate domain inside the cert,
and use it with the namespace; svc is added just to conform to the wildcard rule's subdomain restriction.


> Can't use SSL with spark on kubernetes on service level
> -------------------------------------------------------
>
>                 Key: SPARK-36833
>                 URL: https://issues.apache.org/jira/browse/SPARK-36833
>             Project: Spark
>          Issue Type: Bug
>          Components: Kubernetes, Security
>    Affects Versions: 3.0.0
>            Reporter: zoli
>            Priority: Critical
>

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
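An added example, not from the issue or from Spark itself: a small RFC 6125-style matcher for certificate dNSName entries, showing why the generated driver service name fails against a fixed-name certificate and how the partial-label wildcard SAN from the reporter's workaround covers it. The hostname, namespace and SAN values are constructed, and clients differ on partial-label wildcards (many accept only a wildcard that is the whole leftmost label), so check the behaviour of the actual client.

```python
from __future__ import annotations

# Added example (not from the Jira issue): RFC 6125-style hostname check
# against the DNS names in a certificate's subjectAltName. Partial-label
# wildcards ("foo-*-bar") are allowed by the RFC but rejected by many clients.


def _label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label; '*' matches one or more characters inside the
    label only, never a dot."""
    pattern, label = pattern.lower(), label.lower()
    if "*" not in pattern:
        return pattern == label
    if pattern.count("*") > 1:
        return False                      # at most one wildcard per label
    prefix, suffix = pattern.split("*")
    if len(label) < len(prefix) + len(suffix) + 1:
        return False                      # wildcard must cover >= 1 char
    return label.startswith(prefix) and label.endswith(suffix)


def dns_name_matches(san: str, hostname: str) -> bool:
    """True if the dNSName SAN entry covers hostname. A wildcard may only
    appear in the leftmost label and needs two more labels after it, so
    '*.svc' never matches a whole cluster suffix."""
    san_labels = san.rstrip(".").split(".")
    host_labels = hostname.rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False
    if any("*" in lbl for lbl in san_labels[1:]):
        return False
    if "*" in san_labels[0] and len(san_labels) < 3:
        return False
    return all(_label_matches(p, h) for p, h in zip(san_labels, host_labels))


def cert_covers(sans: list[str], hostname: str) -> bool:
    """Apply the check across every dNSName SAN in a certificate."""
    return any(dns_name_matches(san, hostname) for san in sans)


# Constructed sample values modelled on the issue's naming scheme
# (assumed namespace "spark"; the pod suffix is the one quoted in the issue).
SERVICE_HOST = "my-application-75f3654hj76gb67n-driver-svc.spark.svc"
FIXED_NAME_SANS = ["my-application-driver-svc.spark.svc"]
WILDCARD_SANS = ["my-application-*-driver-svc.spark.svc"]

if __name__ == "__main__":
    print("fixed-name cert:", cert_covers(FIXED_NAME_SANS, SERVICE_HOST))  # False
    print("wildcard cert:  ", cert_covers(WILDCARD_SANS, SERVICE_HOST))    # True
```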