I ended up submitting a PR that allows operators to implement rotation and more complicated TLS setups: https://github.com/apache/flink/pull/21457
On Fri, Dec 16, 2022 at 8:37 AM Őrhidi Mátyás <matyas.orh...@gmail.com> wrote:

> We've added something similar to the FKO:
> https://github.com/apache/flink-kubernetes-operator/pull/364
>
> Best,
> Matyas
>
> On Fri, Dec 16, 2022 at 5:11 AM Martijn Visser <martijnvis...@apache.org> wrote:
>
>> Hi Steve,
>>
>> I don't think that Flink has added support for certificate rotation. It would be quite a nice feature if someone could contribute to it.
>>
>> Best regards,
>>
>> Martijn
>>
>> On Fri, Dec 2, 2022 at 3:51 PM Steve Niemitz <sniem...@apache.org> wrote:
>>
>>> We're investigating using internal SSL for our Flink deployments, but I'm curious how it handles cases where the certificates expire while a job is running. We run a key distribution infrastructure with client/server keys that expire fairly quickly (~days), so for example, long-running streaming jobs could run into a case where the certificate that was loaded when the job started expires while the job is still running.
>>>
>>> I looked through the code and see 3 places where certs are loaded:
>>> - Akka via CustomSSLEngineProvider (for actor communication)
>>> - NettyConfig.createServerSSLEngineFactory and similar (for shuffle communication)
>>> - SSLUtils.createRestNettySSLContext and similar (for the blob server)
>>>
>>> None of these seem to support reloading a certificate once created, but is it possible that this is handled somewhere else higher up the stack?
>>>
>>> Does anyone have experience running something like this that they could share?
>>>
>>> Thank you!
>>