This is an automated email from the ASF dual-hosted git repository. gyfora pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/flink-kubernetes-operator.git
The following commit(s) were added to refs/heads/main by this push:
new c45121a2 [FLINK-39216][helm] Add PKCS12 profile option for webhook
certificate (#1118)
c45121a2 is described below
commit c45121a2bdbf4bd165faa63776d1e35609bd1923
Author: Breno Ferreira <[email protected]>
AuthorDate: Wed Jun 3 15:49:12 2026 +0100
[FLINK-39216][helm] Add PKCS12 profile option for webhook certificate
(#1118)
---
docs/content.zh/docs/operations/helm.md | 3 ++-
docs/content/docs/operations/helm.md | 1 +
.../templates/cert-manager/certificate.yaml | 3 +++
.../tests/cert-manager/certificate_test.yaml | 13 +++++++++++++
helm/flink-kubernetes-operator/values.yaml | 4 ++++
5 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/docs/content.zh/docs/operations/helm.md
b/docs/content.zh/docs/operations/helm.md
index 704a3f10..74eb2125 100644
--- a/docs/content.zh/docs/operations/helm.md
+++ b/docs/content.zh/docs/operations/helm.md
@@ -32,7 +32,7 @@ The operator installation is managed by a helm chart. To
install with the chart
helm install flink-kubernetes-operator helm/flink-kubernetes-operator
```
-To install from our Helm Chart Reporsitory run:
+To install from our Helm Chart Repository run:
```
helm repo add flink-operator-repo
https://downloads.apache.org/flink/flink-kubernetes-operator-<OPERATOR-VERSION>/
@@ -128,6 +128,7 @@ The configurable parameters of the Helm chart and which
default values as detail
| watchNamespaces | List of kubernetes
namespaces to watch for FlinkDeployment changes, empty means all namespaces.
|
[...]
| webhook.create | Whether to enable
validating and mutating webhooks for flink-kubernetes-operator.
| true
[...]
| webhook.keystore | The ConfigMap of webhook
key store.
| useDefaultPassword:
true
[...]
+| webhook.keystore.pkcs12Profile | PKCS12 encryption profile
for the webhook certificate. Options: `Modern2023`, `LegacyDES`, `LegacyRC2`.
Use `Modern2023` for FIPS-compliant environments. |
[...]
| webhook.mutator.create | Enable or disable mutating
webhook, overrides `webhook.create`
|
[...]
| webhook.serviceLabels | The labels for
flink-operator-webhook-service-resource.
|
[...]
| webhook.validator.create | Enable or disable
validating webhook, overrides `webhook.create`
|
[...]
diff --git a/docs/content/docs/operations/helm.md
b/docs/content/docs/operations/helm.md
index 64d98f2c..07678aff 100644
--- a/docs/content/docs/operations/helm.md
+++ b/docs/content/docs/operations/helm.md
@@ -128,6 +128,7 @@ The configurable parameters of the Helm chart and which
default values as detail
| watchNamespaces | List of kubernetes
namespaces to watch for FlinkDeployment changes, empty means all namespaces.
|
[...]
| webhook.create | Whether to enable
validating and mutating webhooks for flink-kubernetes-operator.
| true
[...]
| webhook.keystore | The ConfigMap of webhook
key store.
| useDefaultPassword:
true
[...]
+| webhook.keystore.pkcs12Profile | PKCS12 encryption profile
for the webhook certificate. Options: `Modern2023`, `LegacyDES`, `LegacyRC2`.
Use `Modern2023` for FIPS-compliant environments. |
[...]
| webhook.mutator.create | Enable or disable mutating
webhook, overrides `webhook.create`
|
[...]
| webhook.serviceLabels | The labels for
flink-operator-webhook-service-resource.
|
[...]
| webhook.validator.create | Enable or disable
validating webhook, overrides `webhook.create`
|
[...]
diff --git
a/helm/flink-kubernetes-operator/templates/cert-manager/certificate.yaml
b/helm/flink-kubernetes-operator/templates/cert-manager/certificate.yaml
index a6acc43c..526b0596 100644
--- a/helm/flink-kubernetes-operator/templates/cert-manager/certificate.yaml
+++ b/helm/flink-kubernetes-operator/templates/cert-manager/certificate.yaml
@@ -29,6 +29,9 @@ spec:
keystores:
pkcs12:
create: true
+ {{- if .Values.webhook.keystore.pkcs12Profile }}
+ profile: {{ .Values.webhook.keystore.pkcs12Profile | quote }}
+ {{- end }}
passwordSecretRef:
{{- if .Values.webhook.keystore.useDefaultPassword }}
name: flink-operator-webhook-secret
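Review bot: The added `profile:` line passes `webhook.keystore.pkcs12Profile` through to the Certificate without checking it against the three documented options, so a typo or wrong case such as `modern2023` is only caught when the API server rejects the resource at install or upgrade time. A render-time guard inside the `if` would fail earlier with a clear message: `{{- if not (has .Values.webhook.keystore.pkcs12Profile (list "Modern2023" "LegacyDES" "LegacyRC2")) }}{{ fail "webhook.keystore.pkcs12Profile must be one of Modern2023, LegacyDES, LegacyRC2" }}{{- end }}`, with a matching `failedTemplate` case in certificate_test.yaml. The field also appears to require a cert-manager release whose Certificate CRD includes `keystores.pkcs12.profile`; the hunk does not show a documented minimum version, so that is worth stating next to the option. The `spec` block starts and continues outside the hunk.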
diff --git
a/helm/flink-kubernetes-operator/tests/cert-manager/certificate_test.yaml
b/helm/flink-kubernetes-operator/tests/cert-manager/certificate_test.yaml
index 28825794..428ee1dc 100644
--- a/helm/flink-kubernetes-operator/tests/cert-manager/certificate_test.yaml
+++ b/helm/flink-kubernetes-operator/tests/cert-manager/certificate_test.yaml
@@ -40,3 +40,16 @@ tests:
value:
kind: Issuer
name: flink-operator-selfsigned-issuer
+
+- it: Should not include pkcs12 profile when not set
+ asserts:
+ - isNull:
+ path: spec.keystores.pkcs12.profile
+
+- it: Should include pkcs12 profile when set
+ set:
+ webhook.keystore.pkcs12Profile: Modern2023
+ asserts:
+ - equal:
+ path: spec.keystores.pkcs12.profile
+ value: "Modern2023"
diff --git a/helm/flink-kubernetes-operator/values.yaml
b/helm/flink-kubernetes-operator/values.yaml
index c9242f2b..8eaa936e 100644
--- a/helm/flink-kubernetes-operator/values.yaml
+++ b/helm/flink-kubernetes-operator/values.yaml
@@ -157,6 +157,10 @@ webhook:
passwordSecretRef:
# name: jks-password-secret
# key: password-key
+ # PKCS12 encryption profile for the webhook certificate.
+ # Options: Modern2023, LegacyDES, LegacyRC2
+ # Modern2023 uses AES-256-CBC and is required for FIPS-compliant
environments.
+ pkcs12Profile: ""
serviceLabels: {}
defaultConfiguration:
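Review bot: The comment above `pkcs12Profile: ""` does not say what the empty default means for keystore encryption. With the value empty, the template omits `profile`, so cert-manager chooses the profile itself. Its API documentation gives that default as `LegacyRC2` for backward compatibility (worth confirming for the cert-manager version the chart targets), so installs that leave the value unset keep the legacy encryption. I would add a line such as `# Empty (default) omits the field; cert-manager then applies its own default profile, not Modern2023.` so that operators in regulated environments know they must opt in. The `webhook` block starts and continues outside the hunk.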
