[
https://issues.apache.org/jira/browse/SPARK-36833?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
zoli updated SPARK-36833:
-------------------------
Description:
Currently seems impossible to generate the correct cert for driver's service
because of the random naming.
I would like to use ssl on spark Ui which will be accessed by other pods using
the driver's service.
{code:java}
"spark.ssl.enabled"=true
"spark.ssl.keyStore"=my-spark.jks
"spark.ssl.keyStorePassword"=mypassword
..etc..{code}
At this point we already have to know the domain for the cert.
Which we don't because it will be generated at time when the driver pod
generated.
{code:java}
my-application-75f3654hj76gb67n-driver
my-application-75f3654hj76gb67n-driver-svc{code}
So SSL handshake will fail with :
{code:java}
" SSL: no alternative certificate subject name matches target host name
my-application-75f3654hj76gb67n-driver-svc{code}
I tried to mod the pod name with:
{code:java}
spark.kubernetes.driver.pod.name{code}
but it only affects the pod name and not the service name
I found a *partial solution* using wildcards for domain inside the cert, but
because it only works on subdomain level I have to refer the service with :
<pod-name>-*-driver-svc.<NS>.svc as alternatedomain inside the cert
and using it with the namespace , svc added just to conform the wildcard's rule
subdomain restriction
was:
Currently seems impossible to generate the correct cert for driver's service
because of the random naming.
I would like to use ssl on spark Ui which will be accessed by other pods using
the driver's service.
"spark.ssl.enabled"=true
"spark.ssl.keyStore"=my-spark.jks
"spark.ssl.keyStorePassword"=mypassword
..etc..
At this point we already have to know the domain for the cert.
Which we don't because it will be generated at time when the driver pod
generated.
my-application-75f3654hj76gb67n-driver
my-application-75f3654hj76gb67n-driver-svc
{{So SSL handshake will fail with }}
" SSL: no alternative certificate subject name matches target host name
my-application-75f3654hj76gb67n-driver-svc"{{
I tried to mod the pod name with}}
spark.kubernetes.driver.pod.name
{{but it only affects the pod and not the service
I found a partial solution using wildcards for domain inside the cert, but
because it only works on subdomain level I have to refer the service with :
}}
<SERVICE-NAME>.<NS>.<svc>{{
and using <pod-name>-*-driver-svc.<NS>.svc as alternatedomain inside the cert
}}
{{}}
> Can't use SSL with spark on kubernetes on service level
> -------------------------------------------------------
>
> Key: SPARK-36833
> URL: https://issues.apache.org/jira/browse/SPARK-36833
> Project: Spark
> Issue Type: Bug
> Components: Kubernetes, Security
> Affects Versions: 3.0.0
> Reporter: zoli
> Priority: Blocker
>
> Currently seems impossible to generate the correct cert for driver's service
> because of the random naming.
> I would like to use ssl on spark Ui which will be accessed by other pods
> using the driver's service.
> {code:java}
> "spark.ssl.enabled"=true
> "spark.ssl.keyStore"=my-spark.jks
> "spark.ssl.keyStorePassword"=mypassword
> ..etc..{code}
> At this point we already have to know the domain for the cert.
> Which we don't because it will be generated at time when the driver pod
> generated.
> {code:java}
> my-application-75f3654hj76gb67n-driver
> my-application-75f3654hj76gb67n-driver-svc{code}
> So SSL handshake will fail with :
> {code:java}
> " SSL: no alternative certificate subject name matches target host name
> my-application-75f3654hj76gb67n-driver-svc{code}
> I tried to mod the pod name with:
> {code:java}
> spark.kubernetes.driver.pod.name{code}
> but it only affects the pod name and not the service name
> I found a *partial solution* using wildcards for domain inside the cert, but
> because it only works on subdomain level I have to refer the service with :
> <pod-name>-*-driver-svc.<NS>.svc as alternatedomain inside the cert
> and using it with the namespace , svc added just to conform the wildcard's
> rule subdomain restriction
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org
