I ended up submitting a PR that allows operators to implement rotation and
more complicated TLS setups:
https://github.com/apache/flink/pull/21457

On Fri, Dec 16, 2022 at 8:37 AM Őrhidi Mátyás <matyas.orh...@gmail.com>
wrote:

> We've added something similar to the FKO:
> https://github.com/apache/flink-kubernetes-operator/pull/364
>
> Best,
> Matyas
>
> On Fri, Dec 16, 2022 at 5:11 AM Martijn Visser <martijnvis...@apache.org>
> wrote:
>
>> Hi Steve,
>>
>> I don't think that Flink has added support for certificate rotation. It
>> would be quite a nice feature if someone could contribute to it.
>>
>> Best regards,
>>
>> Martijn
>>
>> On Fri, Dec 2, 2022 at 3:51 PM Steve Niemitz <sniem...@apache.org> wrote:
>>
>>> We're investigating using internal SSL for our flink deployments, but
>>> I'm curious how it handles cases where the certificates expire while a job
>>> is running.  We run a key distribution infrastructure with client/server
>>> keys that expire fairly quickly (~days), so for example, long-running
>>> streaming jobs could run into a case where the certificate that was loaded
>>> when the job started expires while the job is still running.
>>>
>>> I looked through the code and see 3 places where certs are loaded:
>>> - Akka via CustomSSLEngineProvider (for actor communication)
>>> - NettyConfig.createServerSSLEngineFactory and similar (for shuffle
>>> communication)
>>> - SSLUtils.createRestNettySSLContext and similar (for the blob server)
>>>
>>> None of these seem to support reloading a certificate once created, but
>>> is it possible that this is handled somewhere else higher up the stack?
>>>
>>> Does anyone have experience running something like this that they
>>> could share?
>>>
>>> Thank you!
>>>
>>
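
The mechanism the thread is asking about, a TLS context that picks up a rotated key without being rebuilt, shown here as an added example that is not Flink's code and not the code from either PR. It assumes a PKCS12 keystore file that the key distribution tooling rewrites in place (the `ReloadingKeyManager` class name, the polling period and the file path are all hypothetical); the idea is that JSSE asks the `X509ExtendedKeyManager` for a key at every handshake, so an indirection there is enough to make new connections use the new certificate:

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.Socket;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileTime;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509ExtendedKeyManager;

/**
 * Hypothetical reloading key manager (added example; not Flink's code and not the PR's).
 * An SSLContext holds a reference to this object for its whole lifetime and asks it
 * for a key and certificate chain at every handshake, so swapping the delegate makes
 * new connections present the rotated certificate. Sessions already established keep
 * running on the old one until they close.
 */
public final class ReloadingKeyManager extends X509ExtendedKeyManager {

    private final Path keystorePath;  // assumed: a PKCS12 file that the rotation tooling rewrites in place
    private final char[] password;
    private volatile X509ExtendedKeyManager delegate;
    private volatile FileTime loadedMtime;

    public ReloadingKeyManager(Path keystorePath, char[] password)
            throws IOException, GeneralSecurityException {
        this.keystorePath = keystorePath;
        this.password = password.clone();
        reload();
    }

    /** Re-reads the keystore only if its modification time changed; returns true on a swap. */
    public synchronized boolean reloadIfChanged() throws IOException, GeneralSecurityException {
        if (Files.getLastModifiedTime(keystorePath).equals(loadedMtime)) {
            return false;
        }
        reload();
        return true;
    }

    private synchronized void reload() throws IOException, GeneralSecurityException {
        // Record the mtime before reading: if the file is rewritten while we load it,
        // the next poll sees a newer mtime and loads again rather than missing the rotation.
        FileTime mtime = Files.getLastModifiedTime(keystorePath);
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(keystorePath)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509ExtendedKeyManager) {
                // Publish only after a successful load: a truncated or half-written keystore
                // leaves the previous, still-working key in place instead of breaking handshakes.
                delegate = (X509ExtendedKeyManager) km;
                loadedMtime = mtime;
                return;
            }
        }
        throw new GeneralSecurityException("no X509ExtendedKeyManager built from " + keystorePath);
    }

    /** Polls on a fixed period. Exceptions are caught so one bad rotation does not cancel the task. */
    public void startPolling(ScheduledExecutorService exec, long periodSeconds) {
        exec.scheduleAtFixedRate(() -> {
            try {
                if (reloadIfChanged()) {
                    System.out.println("reloaded keystore " + keystorePath);
                }
            } catch (IOException | GeneralSecurityException e) {
                System.err.println("keystore reload failed, keeping previous key: " + e);
            }
        }, periodSeconds, periodSeconds, TimeUnit.SECONDS);
    }

    /** Builds a context that will pick up rotated keys for every new handshake. */
    public static SSLContext newContext(ReloadingKeyManager km, TrustManager[] trustManagers)
            throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] {km}, trustManagers, null);
        return ctx;
    }

    // Every call goes to the current delegate. Keep the key alias stable across rotations:
    // JSSE may choose the alias on one delegate and fetch the key after a swap.
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.getClientAliases(keyType, issuers); }
    @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) { return delegate.chooseClientAlias(keyType, issuers, socket); }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return delegate.chooseServerAlias(keyType, issuers, socket); }
    @Override public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) { return delegate.chooseEngineClientAlias(keyType, issuers, engine); }
    @Override public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) { return delegate.chooseEngineServerAlias(keyType, issuers, engine); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
}
```

Two caveats a practitioner would want. First, this only covers the key side; if the CA that signs the short-lived certificates also rolls, the trust manager handed to `newContext` needs the same treatment, otherwise peers presenting certificates from the new CA are rejected. Second, a reload only affects handshakes that start after the swap, so a connection that was established with a certificate that later expires stays up until something closes it; whether that is acceptable depends on whether the peer re-validates, which is worth checking against the key lifetimes described in the thread.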
