Hi Biao
I think this modified basic-example FlinkDeployment should load the existing
keystore, although I am not certain re-using the webhook keystore is recommended.
apiVersion: flink.apache.org/v1beta1
kind: FlinkDeployment
metadata:
  name: basic-example
spec:
  image: flink:1.15
  flinkVersion: v1_15
  flinkConfiguration:
    taskmanager.numberOfTaskSlots: "2"
  serviceAccount: flink
  jobManager:
    resource:
      memory: "2048m"
      cpu: 1
  taskManager:
    resource:
      memory: "2048m"
      cpu: 1
  podTemplate:
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-template
    spec:
      containers:
        - name: flink-main-container
          volumeMounts:
            - mountPath: /certs
              name: keystore
      volumes:
        - name: keystore
          secret:
            defaultMode: 420
            items:
              - key: keystore.p12
                path: keystore.p12
            secretName: webhook-server-cert
  job:
    jarURI: local:///opt/flink/examples/streaming/StateMachineExample.jar
    parallelism: 2
    upgradeMode: stateless
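Added example (not code from this thread or from the Flink operator project): a small Python check that walks the podTemplate above, embedded here as a plain dict so it runs without a YAML library, resolves where each secret item lands in the container and reports the effective file mode. Kubernetes projects secret volumes at 0644 unless defaultMode says otherwise, so 420 (0644) leaves keystore.p12, which holds the private key, readable by any uid in the container; a tighter defaultMode only works if the Flink process user can still read the file, so this check just flags it rather than rewriting the manifest.

```python
"""Report secret-backed mounts in a FlinkDeployment podTemplate with their file modes."""

# Constructed from the podTemplate in the message above (assumed values, not parsed live).
POD_TEMPLATE = {
    "spec": {
        "containers": [{
            "name": "flink-main-container",
            "volumeMounts": [{"mountPath": "/certs", "name": "keystore"}],
        }],
        "volumes": [{
            "name": "keystore",
            "secret": {
                "secretName": "webhook-server-cert",
                "defaultMode": 420,
                "items": [{"key": "keystore.p12", "path": "keystore.p12"}],
            },
        }],
    }
}


def secret_mounts(pod_template):
    """Return (container, secret name, file path, octal mode, group_or_world_readable) tuples.

    Raises ValueError when a volumeMount names a volume that is not declared,
    which is the usual way a keystore silently fails to appear in the pod.
    """
    spec = pod_template["spec"]
    volumes = {v["name"]: v for v in spec.get("volumes", [])}
    findings = []
    for container in spec.get("containers", []):
        for mount in container.get("volumeMounts", []):
            volume = volumes.get(mount["name"])
            if volume is None:
                raise ValueError(f"mount {mount['name']!r} has no matching volume")
            secret = volume.get("secret")
            if secret is None:
                continue  # only secret-backed volumes carry key material
            mode = secret.get("defaultMode", 0o644)  # Kubernetes default is 0644
            # Without an explicit items list, every key is projected under its own name;
            # the manifest above lists items, so that path is what we resolve here.
            for item in secret.get("items") or [{"path": "<every key>"}]:
                path = f"{mount['mountPath'].rstrip('/')}/{item['path']}"
                findings.append((container["name"], secret["secretName"], path,
                                 f"{mode:04o}", bool(mode & 0o044)))
    return findings


if __name__ == "__main__":
    for name, secret, path, mode, loose in secret_mounts(POD_TEMPLATE):
        print(f"{name}: {secret} -> {path} mode {mode}{' (readable by group/others)' if loose else ''}")
```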
Verify with curl:
curl -v -k https://basic-example-rest:8081
* Trying 172.21.126.88:8081...
* Connected to basic-example-rest (172.21.126.88) port 8081 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=FlinkDeployment Validator
* start date: Sep 12 17:38:37 2022 GMT
* expire date: Dec 11 17:38:37 2022 GMT
* issuer: CN=FlinkDeployment Validator
* SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET / HTTP/1.1
> Host: basic-example-rest:8081
> User-Agent: curl/7.74.0
> Accept: */*
From: Hao t Chang <[email protected]>
Date: Friday, September 9, 2022 at 11:10 AM
To: [email protected] <[email protected]>
Subject: [EXTERNAL] Re: Recommended way to Enable SSL Flink Kubernetes Operator
Hi Biao thanks for the quick reply.
The helm chart uses a standard Deployment to mount the keystore onto the
webhook container using volumes/volumeMounts for the operator but it’s not
clear to me how to mount the keystore using the FlinkDeployment CRD[2] for a
Flink application.