[ 
https://issues.apache.org/jira/browse/FLINK-25866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17484614#comment-17484614
 ] 

Igal Shilman commented on FLINK-25866:
--------------------------------------

Hi [~Fil Karnicki], thanks for providing additional context!

I think that attaching secrets (private keys) directly into these yamls will 
limit the way we can evolve the usage of these yamls. For example we can no 
longer fetch them from a k8s api server, or even from a predefined location in 
an s3 bucket.

I would really want to avoid having secrets inline within these resources.

 

Regarding your particular deployment, I'm not familiar with the Cloudera 
shared clusters or how secrets are managed there, so I can't give you any 
advice there.

But if you are submitting this as a Flink job then perhaps you can bundle the 
certificates within the jar, and let's find a way to reference them from the 
yaml.

 

We already are doing something similar with the ResourceLocator class, that is 
able to find resources by either fully qualified path, or relative to the 
classpath. 

(let's say that if the path is not a fully qualified path, we assume that this 
resource needs to be located in the classpath)

 

What do you think about that?

 

> Support additional TLS configuration.
> -------------------------------------
>
>                 Key: FLINK-25866
>                 URL: https://issues.apache.org/jira/browse/FLINK-25866
>             Project: Flink
>          Issue Type: Improvement
>          Components: Stateful Functions
>            Reporter: Igal Shilman
>            Priority: Major
>
> Currently the default HTTP client used to invoke remote functions does not 
> support customising the TLS settings as part of the endpoint spec definition. 
> This includes
> using self-signed certificates, and providing client side certificates for 
> authentication (which is a slightly different requirement).
> This issue is about including additional TLS settings to the default endpoint 
> resource definition, and supporting them in statefun-core.
> User mailing list threads:
>  * [client cert auth in remote 
> function|https://lists.apache.org/thread/97nw245kxqp32qglwfynhhgyhgp2pxvg]
>  * [endpoint self-signed certificate 
> problem|https://lists.apache.org/thread/y2m2bpwg4n71rxfont6pgky2t8m19n7w]



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
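
The path rule proposed in the comment above (a fully qualified path is read as given, anything else is looked up on the classpath, and key material never sits inline in the YAML) can be sketched as follows. This is an added example, not Stateful Functions code and not the project's ResourceLocator: the class `TlsMaterialRef`, its methods, and the choice of a `file:` URI to mean "fully qualified" are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Hypothetical helper (not the project's ResourceLocator): opens TLS material named in an endpoint spec. */
public final class TlsMaterialRef {

  /** A value carrying PEM markers is key material pasted inline, not a reference; refuse it. */
  static boolean looksLikeInlinePem(String value) {
    return value.contains("-----BEGIN");
  }

  /** Assumed rule: "file:" URI = fully qualified path; no scheme = classpath-relative resource. */
  static InputStream open(String ref) throws IOException {
    if (looksLikeInlinePem(ref)) {
      throw new IllegalArgumentException("inline key material; reference a file or classpath resource");
    }
    URI uri = URI.create(ref.trim());
    if ("file".equals(uri.getScheme())) {
      return Files.newInputStream(Paths.get(uri));
    }
    if (uri.getScheme() != null) {
      throw new IllegalArgumentException("unsupported scheme: " + uri.getScheme());
    }
    // Scheme-less: resolve against the classpath, e.g. a certificate bundled in the job jar.
    String name = ref.trim().replaceFirst("^/+", "");
    InputStream in = Thread.currentThread().getContextClassLoader().getResourceAsStream(name);
    if (in == null) {
      throw new IOException("not found on classpath: " + name);
    }
    return in;
  }

  public static void main(String[] args) throws IOException {
    // Constructed sample: a temp file stands in for a certificate on disk.
    Path pem = Files.createTempFile("ca", ".pem");
    Files.write(pem, "constructed placeholder".getBytes(StandardCharsets.UTF_8));
    try (InputStream in = open(pem.toUri().toString())) {
      System.out.println("file ref: " + in.readAllBytes().length + " bytes");
    }
    for (String bad : new String[] {"-----BEGIN PRIVATE KEY-----", "certs/missing.pem"}) {
      try (InputStream in = open(bad)) {
        System.out.println("unexpectedly opened " + bad);
      } catch (IllegalArgumentException | IOException e) {
        System.out.println("rejected: " + e.getMessage());
      }
    }
  }
}
```

Because the spec then holds only a reference, the same YAML can be fetched from a k8s API server or an S3 location without carrying private keys with it.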
