Hi Steve,

I don't think that Flink has added support for certificate rotation. It would be quite a nice feature if someone could contribute to it.

Best regards,
Martijn

On Fri, Dec 2, 2022 at 3:51 PM Steve Niemitz <sniem...@apache.org> wrote:
> We're investigating using internal SSL for our flink deployments, but I'm
> curious how it handles cases where the certificates expire while a job is
> running. We run a key distribution infrastructure with client/server keys
> that expire fairly quickly (~days), so for example, long-running streaming
> jobs could run into a case where the certificate that was loaded when the
> job started expires while the job is still running.
>
> I looked through the code and see 3 places where certs are loaded:
> - Akka via CustomSSLEngineProvider (for actor communication)
> - NettyConfig.createServerSSLEngineFactory and similar (for shuffle
>   communication)
> - SSLUtils.createRestNettySSLContext and similar (for the blob server)
>
> None of these seem to support reloading a certificate once created, but is
> it possible that this is handled somewhere else higher up the stack?
>
> Does anyone have experience running something like this that they
> could share?
>
> Thank you!