I think you have already found the solution.

Pod template[1] is exactly what you want.

[1] https://nightlies.apache.org/flink/flink-docs-release-1.15/docs/deployment/resource-providers/native_kubernetes/#pod-template

Best,
Yang

Hao t Chang <htch...@us.ibm.com> wrote on Tue, Sep 13, 2022 at 07:41:

> Hi Biao
> I think this modify basic-example FlinkDeployment  should load the
> existing keystore although I am not certain re-using the webhook keystore
> recommended.
>
> apiVersion: flink.apache.org/v1beta1
> kind: FlinkDeployment
> metadata:
>   name: basic-example
> spec:
>   image: flink:1.15
>   flinkVersion: v1_15
>   flinkConfiguration:
>     taskmanager.numberOfTaskSlots: "2"
>   serviceAccount: flink
>   jobManager:
>     resource:
>       memory: "2048m"
>       cpu: 1
>   taskManager:
>     resource:
>       memory: "2048m"
>       cpu: 1
>   podTemplate:
>     apiVersion: v1
>     kind: Pod
>     metadata:
>       name: pod-template
>     spec:
>       containers:
>       - name: flink-main-container
>         volumeMounts:
>           - mountPath: /certs
>             name: keystore
>       volumes:
>       - name: keystore
>         secret:
>           defaultMode: 420
>           items:
>           - key: keystore.p12
>             path: keystore.p12
>           secretName: webhook-server-cert
>   job:
>     jarURI: local:///opt/flink/examples/streaming/StateMachineExample.jar
>     parallelism: 2
>     upgradeMode: stateless
>
> Verify with curl
> curl -v -k https://basic-example-rest:8081
> *   Trying 172.21.126.88:8081...
> * Connected to basic-example-rest (172.21.126.88) port 8081 (#0)
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * successfully set certificate verify locations:
> *  CAfile: /etc/ssl/certs/ca-certificates.crt
> *  CApath: /etc/ssl/certs
> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> * TLSv1.3 (IN), TLS handshake, Server hello (2):
> * TLSv1.2 (IN), TLS handshake, Certificate (11):
> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
> * TLSv1.2 (IN), TLS handshake, Server finished (14):
> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
> * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
> * TLSv1.2 (OUT), TLS handshake, Finished (20):
> * TLSv1.2 (IN), TLS handshake, Finished (20):
> * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
> * ALPN, server did not agree to a protocol
> * Server certificate:
> *  subject: CN=FlinkDeployment Validator
> *  start date: Sep 12 17:38:37 2022 GMT
> *  expire date: Dec 11 17:38:37 2022 GMT
> *  issuer: CN=FlinkDeployment Validator
> *  SSL certificate verify result: self signed certificate (18), continuing anyway.
> > GET / HTTP/1.1
> > Host: basic-example-rest:8081
> > User-Agent: curl/7.74.0
> > Accept: */*
>
> From: Hao t Chang <htch...@us.ibm.com>
> Date: Friday, September 9, 2022 at 11:10 AM
> To: dev@flink.apache.org <dev@flink.apache.org>
> Subject: [EXTERNAL] Re: Recommended way to Enable SSL Flink Kubernetes Operator
> Hi Biao thanks for the quick reply.
> The helm chart uses a standard Deployment to mount the keystore onto the
> webhook container using volumes/volumeMounts for the operator but it’s not
> clear to me how to mount the keystore using the FlinkDeployment CRD[2] for
> a Flink application.
>
>

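The podTemplate mount in Hao's quoted manifest, checked statically. This is an added example, not code from the thread, from Flink or from the Kubernetes operator project: it walks the FlinkDeployment's podTemplate, maps every file a Secret volume projects into flink-main-container, and confirms that the paths named by Flink's standard security.ssl.rest.* keys are actually backed by such a mount. The security.ssl.rest.* entries and the password values are assumptions added to the thread's manifest (which only shows the mount); the check also reports when the keystore comes from the operator's own webhook-server-cert Secret, the reuse Hao was unsure about and which the curl output shows as the REST endpoint presenting CN=FlinkDeployment Validator.

```python
"""Static check of a FlinkDeployment manifest: does the keystore that the
security.ssl.rest.* settings point at arrive in the pod through a
Secret-backed podTemplate volume, and which Secret provides it?
Added example; not Flink or flink-kubernetes-operator code."""
from __future__ import annotations
import copy
import posixpath

# Secret the operator helm chart creates for its admission webhook. The
# thread's manifest mounts it, and curl then sees CN=FlinkDeployment Validator.
OPERATOR_WEBHOOK_SECRETS = {"webhook-server-cert"}

# The thread's manifest as a dict so no YAML library is needed (resource and
# job sections omitted). The security.ssl.rest.* entries are assumed
# additions and the password values are constructed placeholders.
FLINK_DEPLOYMENT = {
    "apiVersion": "flink.apache.org/v1beta1",
    "kind": "FlinkDeployment",
    "metadata": {"name": "basic-example"},
    "spec": {
        "image": "flink:1.15",
        "flinkVersion": "v1_15",
        "flinkConfiguration": {
            "taskmanager.numberOfTaskSlots": "2",
            "security.ssl.rest.enabled": "true",
            "security.ssl.rest.keystore": "/certs/keystore.p12",
            "security.ssl.rest.truststore": "/certs/keystore.p12",
            "security.ssl.rest.keystore-password": "PLACEHOLDER",
            "security.ssl.rest.key-password": "PLACEHOLDER",
            "security.ssl.rest.truststore-password": "PLACEHOLDER",
        },
        "serviceAccount": "flink",
        "podTemplate": {
            "apiVersion": "v1",
            "kind": "Pod",
            "metadata": {"name": "pod-template"},
            "spec": {
                "containers": [{
                    "name": "flink-main-container",
                    "volumeMounts": [{"mountPath": "/certs", "name": "keystore"}],
                }],
                "volumes": [{
                    "name": "keystore",
                    "secret": {
                        "defaultMode": 420,
                        "items": [{"key": "keystore.p12", "path": "keystore.p12"}],
                        "secretName": "webhook-server-cert",
                    },
                }],
            },
        },
    },
}


def secret_files(pod_spec: dict, container: str = "flink-main-container") -> dict:
    """Map {path inside container: secret name} for every file a Secret volume
    projects into `container`. A volume without `items` exposes keys we cannot
    know statically, so its mount directory is recorded with a trailing '/'."""
    volumes = {v["name"]: v for v in pod_spec.get("volumes", [])}
    files = {}
    for c in pod_spec.get("containers", []):
        if c.get("name") != container:
            continue
        for mount in c.get("volumeMounts", []):
            secret = volumes.get(mount["name"], {}).get("secret")
            if not secret:
                continue  # emptyDir/configMap/hostPath volumes are not keystore sources
            items = secret.get("items")
            if items:
                for item in items:
                    files[posixpath.join(mount["mountPath"], item["path"])] = secret["secretName"]
            else:
                files[mount["mountPath"].rstrip("/") + "/"] = secret["secretName"]
    return files


def backing_secret(path: str, files: dict):
    """Secret name that provides `path`, or None if no Secret mount covers it."""
    if path in files:
        return files[path]
    for prefix, name in files.items():
        if prefix.endswith("/") and path.startswith(prefix):
            return name
    return None


def check_rest_ssl(manifest: dict) -> list:
    """Return findings as strings; an empty list means the wiring is consistent."""
    spec = manifest["spec"]
    conf = spec.get("flinkConfiguration", {})
    findings = []
    if str(conf.get("security.ssl.rest.enabled", "false")).lower() != "true":
        findings.append("security.ssl.rest.enabled is not true: the REST endpoint stays plaintext")
    files = secret_files(spec.get("podTemplate", {}).get("spec", {}))
    for key in ("security.ssl.rest.keystore", "security.ssl.rest.truststore"):
        path = conf.get(key)
        if not path:
            findings.append(f"{key} is not set")
            continue
        name = backing_secret(path, files)
        if name is None:
            findings.append(f"{key}={path} is not provided by any Secret volume mounted into flink-main-container")
        elif name in OPERATOR_WEBHOOK_SECRETS:
            findings.append(f"{key} reuses operator secret {name}: the job's REST endpoint presents the webhook's identity")
    for key in ("security.ssl.rest.keystore-password", "security.ssl.rest.key-password",
                "security.ssl.rest.truststore-password"):
        if key not in conf:
            findings.append(f"{key} is not set")
    return findings


def with_dedicated_secret(manifest: dict, secret_name: str = "flink-rest-tls") -> dict:
    """Copy of the manifest whose Secret volumes point at a dedicated, per-job
    Secret instead of the operator's webhook cert (secret_name is an assumed name)."""
    m = copy.deepcopy(manifest)
    for vol in m["spec"]["podTemplate"]["spec"]["volumes"]:
        if "secret" in vol:
            vol["secret"]["secretName"] = secret_name
    return m


if __name__ == "__main__":
    for line in check_rest_ssl(FLINK_DEPLOYMENT) or ["no findings"]:
        print(line)
```

Run against the thread's manifest it reports the webhook-secret reuse for both the keystore and the truststore; after `with_dedicated_secret` the same manifest passes, because the mount path and the Flink keys already agree. The check is intentionally static (it never reads the Secret's contents), so it cannot tell whether the key in the Secret matches the path when `items` is omitted; it only verifies that the mount directory covers the configured path.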