[jira] [Updated] (SPARK-36833) Can't use SSL with spark on kubernetes on service level

2021-09-23 Thread zoli (Jira)


 [ 
https://issues.apache.org/jira/browse/SPARK-36833?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

zoli updated SPARK-36833:
-
Description: 
Currently it seems impossible to create the correct cert for the driver's pod 
because of the random naming of the service.

I would like to use SSL on the Spark UI, which will be accessed by other pods using 
the driver's service.
{code:java}
"spark.ssl.enabled"=true
"spark.ssl.keyStore"=my-spark.jks
"spark.ssl.keyStorePassword"=mypassword
..etc..{code}
At this point we already have to know the domain for the cert.

Which we don't, because it will be generated at the time when the driver pod is 
generated.
{code:java}
my-application-75f3654hj76gb67n-driver
my-application-75f3654hj76gb67n-driver-svc{code}
So the SSL handshake will fail with:
{code:java}
" SSL: no alternative certificate subject name matches target host name 
my-application-75f3654hj76gb67n-driver-svc{code}
I tried to mod the pod name with:
{code:java}
 spark.kubernetes.driver.pod.name{code}
but it only affects the pod name and not the service name.

If it is neither a bug nor a missed feature then please guide me on how to use SSL 
when hitting the driver's service (or how to define a fixed-name service like for 
pods).



I found a *partial solution* using wildcards for the domain inside the cert, but 
because it only works on the subdomain level I have to refer to the service with:
 -*-driver-svc..svc as alternate domain inside the cert
 and using it with the namespace, svc added just to conform to the wildcard 
rule's subdomain restriction

  was:
Currently it seems impossible to create the correct cert for driver's pod 
because of the random naming of the service.

I would like to use ssl on spark Ui which will be accessed by other pods using 
the driver's service.
{code:java}
"spark.ssl.enabled"=true
"spark.ssl.keyStore"=my-spark.jks
"spark.ssl.keyStorePassword"=mypassword
..etc..{code}
At this point we already have to know the domain for the cert.

Which we don't because it will be generated at time when the driver pod 
generated.
{code:java}
my-application-75f3654hj76gb67n-driver
my-application-75f3654hj76gb67n-driver-svc{code}
So SSL handshake will fail with :
{code:java}
" SSL: no alternative certificate subject name matches target host name 
my-application-75f3654hj76gb67n-driver-svc{code}
I tried to mod the pod name with:
{code:java}
 spark.kubernetes.driver.pod.name{code}
but it only affects the pod name and not the service name

If it is neither a bug nor a missed feature then please guide me how to use SSL 
when hitting the driver's service.

I found a *partial solution* using wildcards for domain inside the cert, but 
because it only works on subdomain level I have to refer the service with :
 -*-driver-svc..svc as alternatedomain inside the cert
 and using it with the namespace , svc added just to conform the wildcard's 
rule subdomain restriction


> Can't use SSL with spark on kubernetes on service level
> ---
>
> Key: SPARK-36833
> URL: https://issues.apache.org/jira/browse/SPARK-36833
> Project: Spark
>  Issue Type: Bug
>  Components: Kubernetes, Security
>Affects Versions: 3.0.0
>Reporter: zoli
>Priority: Critical
>
> Currently it seems impossible to create the correct cert for driver's pod 
> because of the random naming of the service.
> I would like to use ssl on spark Ui which will be accessed by other pods 
> using the driver's service.
> {code:java}
> "spark.ssl.enabled"=true
> "spark.ssl.keyStore"=my-spark.jks
> "spark.ssl.keyStorePassword"=mypassword
> ..etc..{code}
> At this point we already have to know the domain for the cert.
> Which we don't because it will be generated at time when the driver pod 
> generated.
> {code:java}
> my-application-75f3654hj76gb67n-driver
> my-application-75f3654hj76gb67n-driver-svc{code}
> So SSL handshake will fail with :
> {code:java}
> " SSL: no alternative certificate subject name matches target host name 
> my-application-75f3654hj76gb67n-driver-svc{code}
> I tried to mod the pod name with:
> {code:java}
>  spark.kubernetes.driver.pod.name{code}
> but it only affects the pod name and not the service name
> If it is neither a bug nor a missed feature then please guide me how to use 
> SSL when hitting the driver's service (or how to define fixed name service 
> like for pods).
> 
> I found a *partial solution* using wildcards for domain inside the cert, but 
> because it only works on subdomain level I have to refer the service with :
>  -*-driver-svc..svc as 

[jira] [Updated] (SPARK-36833) Can't use SSL with spark on kubernetes on service level

2021-09-23 Thread zoli (Jira)


 [ 
https://issues.apache.org/jira/browse/SPARK-36833?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

zoli updated SPARK-36833:
-
Description: 
Currently it seems impossible to create the correct cert for driver's pod 
because of the random naming of the service.

I would like to use ssl on spark Ui which will be accessed by other pods using 
the driver's service.
{code:java}
"spark.ssl.enabled"=true
"spark.ssl.keyStore"=my-spark.jks
"spark.ssl.keyStorePassword"=mypassword
..etc..{code}
At this point we already have to know the domain for the cert.

Which we don't because it will be generated at time when the driver pod 
generated.
{code:java}
my-application-75f3654hj76gb67n-driver
my-application-75f3654hj76gb67n-driver-svc{code}
So SSL handshake will fail with :
{code:java}
" SSL: no alternative certificate subject name matches target host name 
my-application-75f3654hj76gb67n-driver-svc{code}
I tried to mod the pod name with:
{code:java}
 spark.kubernetes.driver.pod.name{code}
but it only affects the pod name and not the service name

If it is neither a bug nor a missed feature then please guide me how to use SSL 
when hitting the driver's service.

I found a *partial solution* using wildcards for domain inside the cert, but 
because it only works on subdomain level I have to refer the service with :
 -*-driver-svc..svc as alternatedomain inside the cert
 and using it with the namespace , svc added just to conform the wildcard's 
rule subdomain restriction

  was:
Currently it seems impossible to generate the correct cert for driver's pod 
because of the random naming of the service.

I would like to use ssl on spark Ui which will be accessed by other pods using 
the driver's service.
{code:java}
"spark.ssl.enabled"=true
"spark.ssl.keyStore"=my-spark.jks
"spark.ssl.keyStorePassword"=mypassword
..etc..{code}
At this point we already have to know the domain for the cert.

Which we don't because it will be generated at time when the driver pod 
generated.
{code:java}
my-application-75f3654hj76gb67n-driver
my-application-75f3654hj76gb67n-driver-svc{code}
So SSL handshake will fail with :
{code:java}
" SSL: no alternative certificate subject name matches target host name 
my-application-75f3654hj76gb67n-driver-svc{code}
I tried to mod the pod name with:
{code:java}
 spark.kubernetes.driver.pod.name{code}
but it only affects the pod name and not the service name

If it is neither a bug nor a missed feature then please guide me how to use SSL 
when hitting the driver's service.

I found a *partial solution* using wildcards for domain inside the cert, but 
because it only works on subdomain level I have to refer the service with :
 -*-driver-svc..svc as alternatedomain inside the cert
 and using it with the namespace , svc added just to conform the wildcard's 
rule subdomain restriction


> Can't use SSL with spark on kubernetes on service level
> ---
>
> Key: SPARK-36833
> URL: https://issues.apache.org/jira/browse/SPARK-36833
> Project: Spark
>  Issue Type: Bug
>  Components: Kubernetes, Security
>Affects Versions: 3.0.0
>Reporter: zoli
>Priority: Critical
>
> Currently it seems impossible to create the correct cert for driver's pod 
> because of the random naming of the service.
> I would like to use ssl on spark Ui which will be accessed by other pods 
> using the driver's service.
> {code:java}
> "spark.ssl.enabled"=true
> "spark.ssl.keyStore"=my-spark.jks
> "spark.ssl.keyStorePassword"=mypassword
> ..etc..{code}
> At this point we already have to know the domain for the cert.
> Which we don't because it will be generated at time when the driver pod 
> generated.
> {code:java}
> my-application-75f3654hj76gb67n-driver
> my-application-75f3654hj76gb67n-driver-svc{code}
> So SSL handshake will fail with :
> {code:java}
> " SSL: no alternative certificate subject name matches target host name 
> my-application-75f3654hj76gb67n-driver-svc{code}
> I tried to mod the pod name with:
> {code:java}
>  spark.kubernetes.driver.pod.name{code}
> but it only affects the pod name and not the service name
> If it is neither a bug nor a missed feature then please guide me how to use 
> SSL when hitting the driver's service.
> I found a *partial solution* using wildcards for domain inside the cert, but 
> because it only works on subdomain level I have to refer the service with :
>  -*-driver-svc..svc as alternatedomain inside the cert
>  and using it with the namespace , svc added just to conform the wildcard's 
> rule subdomain restriction



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org
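
The hostname-matching constraint behind the report above, as an added example that is not part of the original messages or of Spark: a conservative RFC 6125-style SAN matcher (wildcard only as the whole leftmost label, never spanning a dot, at least two labels to its right) run against the driver service name from the report. The namespace `spark-jobs`, the `cluster.local` suffix and the function names are assumptions made for illustration, and individual TLS clients differ in how strictly they apply these rules.

```python
"""Added illustration: which DNS names of a Spark driver Service a wildcard
SAN can cover. Names other than the service name are constructed samples."""
from typing import Dict, List, Optional


def _labels(name: str) -> List[str]:
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")


def san_matches(pattern: str, hostname: str,
                allow_partial_label: bool = False) -> bool:
    """Return True if a certificate dNSName `pattern` covers `hostname`.

    Conservative rules modelled here (an assumption about the client):
      * without '*', the names must be equal;
      * '*' may appear only in the leftmost label and matches one label;
      * the pattern needs at least two labels to the right of the wildcard;
      * 'foo-*-bar' style partial labels are rejected unless
        allow_partial_label=True (RFC 6125 makes them optional).
    """
    p, h = _labels(pattern), _labels(hostname)
    if "*" not in pattern:
        return p == h
    if any("*" in label for label in p[1:]):
        return False                      # wildcard outside leftmost label
    if len(p) != len(h):
        return False                      # '*' never spans a dot
    if len(p) < 3:
        return False                      # too broad: '*', '*.svc', '*-x'
    if p[1:] != h[1:]:
        return False                      # parent domain must be identical
    left, target = p[0], h[0]
    if left == "*":
        return bool(target)
    if not allow_partial_label or left.count("*") != 1:
        return False
    prefix, suffix = left.split("*")
    return (len(target) >= len(prefix) + len(suffix)
            and target.startswith(prefix) and target.endswith(suffix))


def coverage(sans: List[str], hostnames: List[str]) -> Dict[str, Optional[str]]:
    """Map each hostname to the first SAN that covers it, or None."""
    result: Dict[str, Optional[str]] = {}
    for host in hostnames:
        result[host] = next((s for s in sans if san_matches(s, host)), None)
    return result


# Service name taken from the report; namespace and cluster domain are
# constructed sample values.
SVC = "my-application-75f3654hj76gb67n-driver-svc"
NAMESPACE = "spark-jobs"
SANS = [f"*.{NAMESPACE}.svc", f"*.{NAMESPACE}.svc.cluster.local"]
CANDIDATES = [
    SVC,                                        # bare name, as in the error
    f"{SVC}.{NAMESPACE}",                       # only one label after '*'
    f"{SVC}.{NAMESPACE}.svc",                   # form used in the workaround
    f"{SVC}.{NAMESPACE}.svc.cluster.local",     # fully qualified form
]

if __name__ == "__main__":
    for host, san in coverage(SANS, CANDIDATES).items():
        print(f"{host:75s} -> {san or 'NO MATCH'}")
```

A SAN such as `*.spark-jobs.svc` is valid for every Service in that namespace, not only Spark drivers, so the key behind it needs to be protected with that scope in mind.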



[jira] [Updated] (SPARK-36833) Can't use SSL with spark on kubernetes on service level

2021-09-23 Thread zoli (Jira)


 [ 
https://issues.apache.org/jira/browse/SPARK-36833?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

zoli updated SPARK-36833:
-
Priority: Critical  (was: Major)

> Can't use SSL with spark on kubernetes on service level
> ---
>
> Key: SPARK-36833
> URL: https://issues.apache.org/jira/browse/SPARK-36833
> Project: Spark
>  Issue Type: Bug
>  Components: Kubernetes, Security
>Affects Versions: 3.0.0
>Reporter: zoli
>Priority: Critical
>
> Currently it seems impossible to generate the correct cert for driver's pod 
> because of the random naming of the service.
> I would like to use ssl on spark Ui which will be accessed by other pods 
> using the driver's service.
> {code:java}
> "spark.ssl.enabled"=true
> "spark.ssl.keyStore"=my-spark.jks
> "spark.ssl.keyStorePassword"=mypassword
> ..etc..{code}
> At this point we already have to know the domain for the cert.
> Which we don't because it will be generated at time when the driver pod 
> generated.
> {code:java}
> my-application-75f3654hj76gb67n-driver
> my-application-75f3654hj76gb67n-driver-svc{code}
> So SSL handshake will fail with :
> {code:java}
> " SSL: no alternative certificate subject name matches target host name 
> my-application-75f3654hj76gb67n-driver-svc{code}
> I tried to mod the pod name with:
> {code:java}
>  spark.kubernetes.driver.pod.name{code}
> but it only affects the pod name and not the service name
> If it is neither a bug nor a missed feature then please guide me how to use 
> SSL when hitting the driver's service.
> I found a *partial solution* using wildcards for domain inside the cert, but 
> because it only works on subdomain level I have to refer the service with :
>  -*-driver-svc..svc as alternatedomain inside the cert
>  and using it with the namespace , svc added just to conform the wildcard's 
> rule subdomain restriction






[jira] [Updated] (SPARK-36833) Can't use SSL with spark on kubernetes on service level

2021-09-23 Thread zoli (Jira)


 [ 
https://issues.apache.org/jira/browse/SPARK-36833?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

zoli updated SPARK-36833:
-
Description: 
Currently it seems impossible to generate the correct cert for driver's pod 
because of the random naming of the service.

I would like to use ssl on spark Ui which will be accessed by other pods using 
the driver's service.
{code:java}
"spark.ssl.enabled"=true
"spark.ssl.keyStore"=my-spark.jks
"spark.ssl.keyStorePassword"=mypassword
..etc..{code}
At this point we already have to know the domain for the cert.

Which we don't because it will be generated at time when the driver pod 
generated.
{code:java}
my-application-75f3654hj76gb67n-driver
my-application-75f3654hj76gb67n-driver-svc{code}
So SSL handshake will fail with :
{code:java}
" SSL: no alternative certificate subject name matches target host name 
my-application-75f3654hj76gb67n-driver-svc{code}
I tried to mod the pod name with:
{code:java}
 spark.kubernetes.driver.pod.name{code}
but it only affects the pod name and not the service name

If it is neither a bug nor a missed feature then please guide me how to use SSL 
when hitting the driver's service.

I found a *partial solution* using wildcards for domain inside the cert, but 
because it only works on subdomain level I have to refer the service with :
 -*-driver-svc..svc as alternatedomain inside the cert
 and using it with the namespace , svc added just to conform the wildcard's 
rule subdomain restriction

  was:
Currently it seems impossible to generate the correct cert for driver's pod 
because of the random naming of the service.

I would like to use ssl on spark Ui which will be accessed by other pods using 
the driver's service.
{code:java}
"spark.ssl.enabled"=true
 "spark.ssl.keyStore"=my-spark.jks
 "spark.ssl.keyStorePassword"=mypassword
 ..etc..{code}
At this point we already have to know the domain for the cert.

Which we don't because it will be generated at time when the driver pod 
generated.
{code:java}
my-application-75f3654hj76gb67n-driver
my-application-75f3654hj76gb67n-driver-svc{code}
So SSL handshake will fail with :
{code:java}
" SSL: no alternative certificate subject name matches target host name 
my-application-75f3654hj76gb67n-driver-svc{code}
I tried to mod the pod name with:
{code:java}
 spark.kubernetes.driver.pod.name{code}
but it only affects the pod name and not the service name

If it is neither a bug nor a missed feature then please guide me how to use SSL 
when hitting the driver's service.

I found a *partial solution* using wildcards for domain inside the cert, but 
because it only works on subdomain level I have to refer the service with :
 -*-driver-svc..svc as alternatedomain inside the cert
 and using it with the namespace , svc added just to conform the wildcard's 
rule subdomain restriction


> Can't use SSL with spark on kubernetes on service level
> ---
>
> Key: SPARK-36833
> URL: https://issues.apache.org/jira/browse/SPARK-36833
> Project: Spark
>  Issue Type: Bug
>  Components: Kubernetes, Security
>Affects Versions: 3.0.0
>Reporter: zoli
>Priority: Major
>
> Currently it seems impossible to generate the correct cert for driver's pod 
> because of the random naming of the service.
> I would like to use ssl on spark Ui which will be accessed by other pods 
> using the driver's service.
> {code:java}
> "spark.ssl.enabled"=true
> "spark.ssl.keyStore"=my-spark.jks
> "spark.ssl.keyStorePassword"=mypassword
> ..etc..{code}
> At this point we already have to know the domain for the cert.
> Which we don't because it will be generated at time when the driver pod 
> generated.
> {code:java}
> my-application-75f3654hj76gb67n-driver
> my-application-75f3654hj76gb67n-driver-svc{code}
> So SSL handshake will fail with :
> {code:java}
> " SSL: no alternative certificate subject name matches target host name 
> my-application-75f3654hj76gb67n-driver-svc{code}
> I tried to mod the pod name with:
> {code:java}
>  spark.kubernetes.driver.pod.name{code}
> but it only affects the pod name and not the service name
> If it is neither a bug nor a missed feature then please guide me how to use 
> SSL when hitting the driver's service.
> I found a *partial solution* using wildcards for domain inside the cert, but 
> because it only works on subdomain level I have to refer the service with :
>  -*-driver-svc..svc as alternatedomain inside the cert
>  and using it with the namespace , svc added just to conform the wildcard's 
> rule subdomain restriction






[jira] [Updated] (SPARK-36833) Can't use SSL with spark on kubernetes on service level

2021-09-23 Thread zoli (Jira)


 [ 
https://issues.apache.org/jira/browse/SPARK-36833?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

zoli updated SPARK-36833:
-
Description: 
Currently it seems impossible to generate the correct cert for driver's pod 
because of the random naming of the service.

I would like to use ssl on spark Ui which will be accessed by other pods using 
the driver's service.
{code:java}
"spark.ssl.enabled"=true
 "spark.ssl.keyStore"=my-spark.jks
 "spark.ssl.keyStorePassword"=mypassword
 ..etc..{code}
At this point we already have to know the domain for the cert.

Which we don't because it will be generated at time when the driver pod 
generated.
{code:java}
my-application-75f3654hj76gb67n-driver
 my-application-75f3654hj76gb67n-driver-svc{code}
So SSL handshake will fail with :
{code:java}
" SSL: no alternative certificate subject name matches target host name 
my-application-75f3654hj76gb67n-driver-svc{code}
I tried to mod the pod name with:
{code:java}
 spark.kubernetes.driver.pod.name{code}
but it only affects the pod name and not the service name

If it is neither a bug nor a missed feature then please guide me how to use SSL 
when hitting the driver's service.

I found a *partial solution* using wildcards for domain inside the cert, but 
because it only works on subdomain level I have to refer the service with :
 -*-driver-svc..svc as alternatedomain inside the cert
 and using it with the namespace , svc added just to conform the wildcard's 
rule subdomain restriction

  was:
Currently it seems impossible to generate the correct cert for driver's pod 
because of the random naming of the service.

I would like to use ssl on spark Ui which will be accessed by other pods using 
the driver's service.
{code:java}
"spark.ssl.enabled"=true
 "spark.ssl.keyStore"=my-spark.jks
 "spark.ssl.keyStorePassword"=mypassword
 ..etc..{code}
At this point we already have to know the domain for the cert.

Which we don't because it will be generated at time when the driver pod 
generated.
{code:java}
my-application-75f3654hj76gb67n-driver
 my-application-75f3654hj76gb67n-driver-svc{code}
So SSL handshake will fail with :
{code:java}
" SSL: no alternative certificate subject name matches target host name 
my-application-75f3654hj76gb67n-driver-svc{code}
I tried to mod the pod name with:
{code:java}
 spark.kubernetes.driver.pod.name{code}
but it only affects the pod name and not the service name

If it is neither a bug nor a missed feature then please guide me how to use SSL 
when hitting the driver's service.



I found a *partial solution* using wildcards for domain inside the cert, but 
because it only works on subdomain level I have to refer the service with :
 -*-driver-svc..svc as alternatedomain inside the cert
 and using it with the namespace , svc added just to conform the wildcard's 
rule subdomain restriction


> Can't use SSL with spark on kubernetes on service level
> ---
>
> Key: SPARK-36833
> URL: https://issues.apache.org/jira/browse/SPARK-36833
> Project: Spark
>  Issue Type: Bug
>  Components: Kubernetes, Security
>Affects Versions: 3.0.0
>Reporter: zoli
>Priority: Major
>
> Currently it seems impossible to generate the correct cert for driver's pod 
> because of the random naming of the service.
> I would like to use ssl on spark Ui which will be accessed by other pods 
> using the driver's service.
> {code:java}
> "spark.ssl.enabled"=true
>  "spark.ssl.keyStore"=my-spark.jks
>  "spark.ssl.keyStorePassword"=mypassword
>  ..etc..{code}
> At this point we already have to know the domain for the cert.
> Which we don't because it will be generated at time when the driver pod 
> generated.
> {code:java}
> my-application-75f3654hj76gb67n-driver
>  my-application-75f3654hj76gb67n-driver-svc{code}
> So SSL handshake will fail with :
> {code:java}
> " SSL: no alternative certificate subject name matches target host name 
> my-application-75f3654hj76gb67n-driver-svc{code}
> I tried to mod the pod name with:
> {code:java}
>  spark.kubernetes.driver.pod.name{code}
> but it only affects the pod name and not the service name
> If it is neither a bug nor a missed feature then please guide me how to use 
> SSL when hitting the driver's service.
> I found a *partial solution* using wildcards for domain inside the cert, but 
> because it only works on subdomain level I have to refer the service with :
>  -*-driver-svc..svc as alternatedomain inside the cert
>  and using it with the namespace , svc added just to conform the wildcard's 
> rule subdomain restriction






[jira] [Updated] (SPARK-36833) Can't use SSL with spark on kubernetes on service level

2021-09-23 Thread zoli (Jira)


 [ 
https://issues.apache.org/jira/browse/SPARK-36833?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

zoli updated SPARK-36833:
-
Description: 
Currently it seems impossible to generate the correct cert for driver's pod 
because of the random naming of the service.

I would like to use ssl on spark Ui which will be accessed by other pods using 
the driver's service.
{code:java}
"spark.ssl.enabled"=true
 "spark.ssl.keyStore"=my-spark.jks
 "spark.ssl.keyStorePassword"=mypassword
 ..etc..{code}
At this point we already have to know the domain for the cert.

Which we don't because it will be generated at time when the driver pod 
generated.
{code:java}
my-application-75f3654hj76gb67n-driver
my-application-75f3654hj76gb67n-driver-svc{code}
So SSL handshake will fail with :
{code:java}
" SSL: no alternative certificate subject name matches target host name 
my-application-75f3654hj76gb67n-driver-svc{code}
I tried to mod the pod name with:
{code:java}
 spark.kubernetes.driver.pod.name{code}
but it only affects the pod name and not the service name

If it is neither a bug nor a missed feature then please guide me how to use SSL 
when hitting the driver's service.

I found a *partial solution* using wildcards for domain inside the cert, but 
because it only works on subdomain level I have to refer the service with :
 -*-driver-svc..svc as alternatedomain inside the cert
 and using it with the namespace , svc added just to conform the wildcard's 
rule subdomain restriction

  was:
Currently it seems impossible to generate the correct cert for driver's pod 
because of the random naming of the service.

I would like to use ssl on spark Ui which will be accessed by other pods using 
the driver's service.
{code:java}
"spark.ssl.enabled"=true
 "spark.ssl.keyStore"=my-spark.jks
 "spark.ssl.keyStorePassword"=mypassword
 ..etc..{code}
At this point we already have to know the domain for the cert.

Which we don't because it will be generated at time when the driver pod 
generated.
{code:java}
my-application-75f3654hj76gb67n-driver
 my-application-75f3654hj76gb67n-driver-svc{code}
So SSL handshake will fail with :
{code:java}
" SSL: no alternative certificate subject name matches target host name 
my-application-75f3654hj76gb67n-driver-svc{code}
I tried to mod the pod name with:
{code:java}
 spark.kubernetes.driver.pod.name{code}
but it only affects the pod name and not the service name

If it is neither a bug nor a missed feature then please guide me how to use SSL 
when hitting the driver's service.

I found a *partial solution* using wildcards for domain inside the cert, but 
because it only works on subdomain level I have to refer the service with :
 -*-driver-svc..svc as alternatedomain inside the cert
 and using it with the namespace , svc added just to conform the wildcard's 
rule subdomain restriction


> Can't use SSL with spark on kubernetes on service level
> ---
>
> Key: SPARK-36833
> URL: https://issues.apache.org/jira/browse/SPARK-36833
> Project: Spark
>  Issue Type: Bug
>  Components: Kubernetes, Security
>Affects Versions: 3.0.0
>Reporter: zoli
>Priority: Major
>
> Currently it seems impossible to generate the correct cert for driver's pod 
> because of the random naming of the service.
> I would like to use ssl on spark Ui which will be accessed by other pods 
> using the driver's service.
> {code:java}
> "spark.ssl.enabled"=true
>  "spark.ssl.keyStore"=my-spark.jks
>  "spark.ssl.keyStorePassword"=mypassword
>  ..etc..{code}
> At this point we already have to know the domain for the cert.
> Which we don't because it will be generated at time when the driver pod 
> generated.
> {code:java}
> my-application-75f3654hj76gb67n-driver
> my-application-75f3654hj76gb67n-driver-svc{code}
> So SSL handshake will fail with :
> {code:java}
> " SSL: no alternative certificate subject name matches target host name 
> my-application-75f3654hj76gb67n-driver-svc{code}
> I tried to mod the pod name with:
> {code:java}
>  spark.kubernetes.driver.pod.name{code}
> but it only affects the pod name and not the service name
> If it is neither a bug nor a missed feature then please guide me how to use 
> SSL when hitting the driver's service.
> I found a *partial solution* using wildcards for domain inside the cert, but 
> because it only works on subdomain level I have to refer the service with :
>  -*-driver-svc..svc as alternatedomain inside the cert
>  and using it with the namespace , svc added just to conform the wildcard's 
> rule subdomain restriction






[jira] [Updated] (SPARK-36833) Can't use SSL with spark on kubernetes on service level

2021-09-23 Thread zoli (Jira)


 [ 
https://issues.apache.org/jira/browse/SPARK-36833?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

zoli updated SPARK-36833:
-
Priority: Major  (was: Blocker)

> Can't use SSL with spark on kubernetes on service level
> ---
>
> Key: SPARK-36833
> URL: https://issues.apache.org/jira/browse/SPARK-36833
> Project: Spark
>  Issue Type: Bug
>  Components: Kubernetes, Security
>Affects Versions: 3.0.0
>Reporter: zoli
>Priority: Major
>
> Currently it seems impossible to generate the correct cert for driver's pod 
> because of the random naming of the service.
> I would like to use ssl on spark Ui which will be accessed by other pods 
> using the driver's service.
> {code:java}
> "spark.ssl.enabled"=true
>  "spark.ssl.keyStore"=my-spark.jks
>  "spark.ssl.keyStorePassword"=mypassword
>  ..etc..{code}
> At this point we already have to know the domain for the cert.
> Which we don't because it will be generated at time when the driver pod 
> generated.
> {code:java}
> my-application-75f3654hj76gb67n-driver
>  my-application-75f3654hj76gb67n-driver-svc{code}
> So SSL handshake will fail with :
> {code:java}
> " SSL: no alternative certificate subject name matches target host name 
> my-application-75f3654hj76gb67n-driver-svc{code}
> I tried to mod the pod name with:
> {code:java}
>  spark.kubernetes.driver.pod.name{code}
> but it only affects the pod name and not the service name
> If it is neither a bug nor a missed feature then please guide me how to use 
> SSL when hitting the driver's service.
> I found a *partial solution* using wildcards for domain inside the cert, but 
> because it only works on subdomain level I have to refer the service with :
>  -*-driver-svc..svc as alternatedomain inside the cert
>  and using it with the namespace , svc added just to conform the wildcard's 
> rule subdomain restriction






[jira] [Updated] (SPARK-36833) Can't use SSL with spark on kubernetes on service level

2021-09-23 Thread zoli (Jira)


 [ 
https://issues.apache.org/jira/browse/SPARK-36833?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

zoli updated SPARK-36833:
-
Description: 
Currently it seems impossible to generate the correct cert for driver's pod 
because of the random naming of the service.

I would like to use ssl on spark Ui which will be accessed by other pods using 
the driver's service.
{code:java}
"spark.ssl.enabled"=true
 "spark.ssl.keyStore"=my-spark.jks
 "spark.ssl.keyStorePassword"=mypassword
 ..etc..{code}
At this point we already have to know the domain for the cert.

Which we don't because it will be generated at time when the driver pod 
generated.
{code:java}
my-application-75f3654hj76gb67n-driver
 my-application-75f3654hj76gb67n-driver-svc{code}
So SSL handshake will fail with :
{code:java}
" SSL: no alternative certificate subject name matches target host name 
my-application-75f3654hj76gb67n-driver-svc{code}
I tried to mod the pod name with:
{code:java}
 spark.kubernetes.driver.pod.name{code}
but it only affects the pod name and not the service name

If it is neither a bug nor a missed feature then please guide me how to use SSL 
when hitting the driver's service.



I found a *partial solution* using wildcards for domain inside the cert, but 
because it only works on subdomain level I have to refer the service with :
 -*-driver-svc..svc as alternatedomain inside the cert
 and using it with the namespace , svc added just to conform the wildcard's 
rule subdomain restriction

  was:
Currently it seems impossible to generate the correct cert for driver's pod 
because of the random naming of the service.

I would like to use ssl on spark Ui which will be accessed by other pods using 
the driver's service.
{code:java}
"spark.ssl.enabled"=true
 "spark.ssl.keyStore"=my-spark.jks
 "spark.ssl.keyStorePassword"=mypassword
 ..etc..{code}
At this point we already have to know the domain for the cert.

Which we don't because it will be generated at time when the driver pod 
generated.
{code:java}
my-application-75f3654hj76gb67n-driver
 my-application-75f3654hj76gb67n-driver-svc{code}
So SSL handshake will fail with :
{code:java}
" SSL: no alternative certificate subject name matches target host name 
my-application-75f3654hj76gb67n-driver-svc{code}
I tried to mod the pod name with:
{code:java}
 spark.kubernetes.driver.pod.name{code}
but it only affects the pod name and not the service name

I found a *partial solution* using wildcards for domain inside the cert, but 
because it only works on subdomain level I have to refer the service with :
 -*-driver-svc..svc as alternatedomain inside the cert
 and using it with the namespace , svc added just to conform the wildcard's 
rule subdomain restriction


> Can't use SSL with spark on kubernetes on service level
> ---
>
> Key: SPARK-36833
> URL: https://issues.apache.org/jira/browse/SPARK-36833
> Project: Spark
>  Issue Type: Bug
>  Components: Kubernetes, Security
>Affects Versions: 3.0.0
>Reporter: zoli
>Priority: Blocker
>
> Currently it seems impossible to generate the correct cert for driver's pod 
> because of the random naming of the service.
> I would like to use ssl on spark Ui which will be accessed by other pods 
> using the driver's service.
> {code:java}
> "spark.ssl.enabled"=true
>  "spark.ssl.keyStore"=my-spark.jks
>  "spark.ssl.keyStorePassword"=mypassword
>  ..etc..{code}
> At this point we already have to know the domain for the cert.
> Which we don't, because it will be generated at the time when the driver pod 
> is generated.
> {code:java}
> my-application-75f3654hj76gb67n-driver
>  my-application-75f3654hj76gb67n-driver-svc{code}
> So the SSL handshake will fail with:
> {code:java}
> " SSL: no alternative certificate subject name matches target host name 
> my-application-75f3654hj76gb67n-driver-svc{code}
> I tried to mod the pod name with:
> {code:java}
>  spark.kubernetes.driver.pod.name{code}
> but it only affects the pod name and not the service name.
> If it is neither a bug nor a missed feature then please guide me how to use 
> SSL when hitting the driver's service.
> I found a *partial solution* using wildcards for the domain inside the cert, but 
> because it only works on the subdomain level I have to refer to the service with:
>  -*-driver-svc..svc as alternate domain inside the cert
>  and using it with the namespace, svc added just to conform to the wildcard 
> rule's subdomain restriction



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org
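
The wildcard workaround described in this ticket, as an added example that is not part of the original message or of Spark's code: a Python sketch of RFC 6125-style SAN matching, showing why a partial-label wildcard only validates when the service is dialed with the namespace and `svc` appended. The namespace `my-namespace`, the SAN string, the `min_dots` rule and the function names are assumptions made for the illustration.

```python
"""Added illustration: RFC 6125-style matching of a wildcard dNSName SAN."""

# Service name as shown in the ticket; namespace and SAN are constructed samples.
SERVICE = "my-application-75f3654hj76gb67n-driver-svc"
NAMESPACE = "my-namespace"  # placeholder, the ticket does not give one
WILDCARD_SAN = f"my-application-*-driver-svc.{NAMESPACE}.svc"


def san_matches(pattern: str, hostname: str, min_dots: int = 2) -> bool:
    """Return True if a certificate dNSName pattern covers hostname.

    Rules (RFC 6125 section 6.4.3, plus one assumed client rule):
      * at most one '*', and only inside the left-most label;
      * '*' never spans a dot, so label counts must be equal;
      * assumption: the pattern needs at least `min_dots` dots, otherwise
        the wildcard is treated as too broad and rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if pattern.count("*") != 1 or "*" not in p_labels[0]:
        return False
    if pattern.count(".") < min_dots:
        return False
    if len(p_labels) != len(h_labels) or p_labels[1:] != h_labels[1:]:
        return False
    prefix, suffix = p_labels[0].split("*")
    label = h_labels[0]
    # In this sketch the wildcard must stand for at least one character.
    return (len(label) > len(prefix) + len(suffix)
            and label.startswith(prefix) and label.endswith(suffix))


def check_targets(san: str, targets: list[str]) -> dict[str, bool]:
    """Map each host name a client might dial to its match result."""
    return {t: san_matches(san, t) for t in targets}


if __name__ == "__main__":
    names = [SERVICE, f"{SERVICE}.{NAMESPACE}", f"{SERVICE}.{NAMESPACE}.svc",
             f"{SERVICE}.{NAMESPACE}.svc.cluster.local"]
    for host, ok in check_targets(WILDCARD_SAN, names).items():
        print(f"{'match   ' if ok else 'mismatch'}  {host}")
```

The same SAN also validates any other driver service with that prefix in the namespace, so one keystore covers every run of the application.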



[jira] [Updated] (SPARK-36833) Can't use SSL with spark on kubernetes on service level

2021-09-23 Thread zoli (Jira)


 [ 
https://issues.apache.org/jira/browse/SPARK-36833?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

zoli updated SPARK-36833:
-
Description: 
Currently it seems impossible to generate the correct cert for the driver's pod 
because of the random naming of the service.

I would like to use SSL on the Spark UI, which will be accessed by other pods 
using the driver's service.
{code:java}
"spark.ssl.enabled"=true
 "spark.ssl.keyStore"=my-spark.jks
 "spark.ssl.keyStorePassword"=mypassword
 ..etc..{code}
At this point we already have to know the domain for the cert.

Which we don't, because it will be generated at the time when the driver pod 
is generated.
{code:java}
my-application-75f3654hj76gb67n-driver
 my-application-75f3654hj76gb67n-driver-svc{code}
So the SSL handshake will fail with:
{code:java}
" SSL: no alternative certificate subject name matches target host name 
my-application-75f3654hj76gb67n-driver-svc{code}
I tried to mod the pod name with:
{code:java}
 spark.kubernetes.driver.pod.name{code}
but it only affects the pod name and not the service name.

I found a *partial solution* using wildcards for the domain inside the cert, but 
because it only works on the subdomain level I have to refer to the service with:
 -*-driver-svc..svc as alternate domain inside the cert
 and using it with the namespace, svc added just to conform to the wildcard 
rule's subdomain restriction

  was:
Currently it seems impossible to generate the correct cert for the driver's 
service because of the random naming.

I would like to use SSL on the Spark UI, which will be accessed by other pods 
using the driver's service.
{code:java}
"spark.ssl.enabled"=true
 "spark.ssl.keyStore"=my-spark.jks
 "spark.ssl.keyStorePassword"=mypassword
 ..etc..{code}
At this point we already have to know the domain for the cert.

Which we don't, because it will be generated at the time when the driver pod 
is generated.
{code:java}
my-application-75f3654hj76gb67n-driver
 my-application-75f3654hj76gb67n-driver-svc{code}

So the SSL handshake will fail with:
{code:java}
" SSL: no alternative certificate subject name matches target host name 
my-application-75f3654hj76gb67n-driver-svc{code}
I tried to mod the pod name with:
{code:java}
 spark.kubernetes.driver.pod.name{code}
but it only affects the pod name and not the service name.

I found a *partial solution* using wildcards for the domain inside the cert, but 
because it only works on the subdomain level I have to refer to the service with:
 -*-driver-svc..svc as alternate domain inside the cert
and using it with the namespace, svc added just to conform to the wildcard 
rule's subdomain restriction


> Can't use SSL with spark on kubernetes on service level
> ---
>
> Key: SPARK-36833
> URL: https://issues.apache.org/jira/browse/SPARK-36833
> Project: Spark
> Issue Type: Bug
> Components: Kubernetes, Security
> Affects Versions: 3.0.0
> Reporter: zoli
> Priority: Blocker
>
> Currently it seems impossible to generate the correct cert for the driver's pod 
> because of the random naming of the service.
> I would like to use SSL on the Spark UI, which will be accessed by other pods 
> using the driver's service.
> {code:java}
> "spark.ssl.enabled"=true
>  "spark.ssl.keyStore"=my-spark.jks
>  "spark.ssl.keyStorePassword"=mypassword
>  ..etc..{code}
> At this point we already have to know the domain for the cert.
> Which we don't, because it will be generated at the time when the driver pod 
> is generated.
> {code:java}
> my-application-75f3654hj76gb67n-driver
>  my-application-75f3654hj76gb67n-driver-svc{code}
> So the SSL handshake will fail with:
> {code:java}
> " SSL: no alternative certificate subject name matches target host name 
> my-application-75f3654hj76gb67n-driver-svc{code}
> I tried to mod the pod name with:
> {code:java}
>  spark.kubernetes.driver.pod.name{code}
> but it only affects the pod name and not the service name.
> I found a *partial solution* using wildcards for the domain inside the cert, but 
> because it only works on the subdomain level I have to refer to the service with:
>  -*-driver-svc..svc as alternate domain inside the cert
>  and using it with the namespace, svc added just to conform to the wildcard 
> rule's subdomain restriction






[jira] [Updated] (SPARK-36833) Can't use SSL with spark on kubernetes on service level

2021-09-23 Thread zoli (Jira)


 [ 
https://issues.apache.org/jira/browse/SPARK-36833?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

zoli updated SPARK-36833:
-
Description: 
Currently it seems impossible to generate the correct cert for the driver's 
service because of the random naming.

I would like to use SSL on the Spark UI, which will be accessed by other pods 
using the driver's service.
{code:java}
"spark.ssl.enabled"=true
 "spark.ssl.keyStore"=my-spark.jks
 "spark.ssl.keyStorePassword"=mypassword
 ..etc..{code}
At this point we already have to know the domain for the cert.

Which we don't, because it will be generated at the time when the driver pod 
is generated.
{code:java}
my-application-75f3654hj76gb67n-driver
 my-application-75f3654hj76gb67n-driver-svc{code}

So the SSL handshake will fail with:
{code:java}
" SSL: no alternative certificate subject name matches target host name 
my-application-75f3654hj76gb67n-driver-svc{code}
I tried to mod the pod name with:
{code:java}
 spark.kubernetes.driver.pod.name{code}
but it only affects the pod name and not the service name.

I found a *partial solution* using wildcards for the domain inside the cert, but 
because it only works on the subdomain level I have to refer to the service with:
 -*-driver-svc..svc as alternate domain inside the cert
and using it with the namespace, svc added just to conform to the wildcard 
rule's subdomain restriction

  was:
Currently it seems impossible to generate the correct cert for the driver's 
service because of the random naming.

I would like to use SSL on the Spark UI, which will be accessed by other pods 
using the driver's service.


"spark.ssl.enabled"=true
"spark.ssl.keyStore"=my-spark.jks
"spark.ssl.keyStorePassword"=mypassword
..etc..


At this point we already have to know the domain for the cert.

Which we don't, because it will be generated at the time when the driver pod 
is generated.
my-application-75f3654hj76gb67n-driver
my-application-75f3654hj76gb67n-driver-svc
So the SSL handshake will fail with

" SSL: no alternative certificate subject name matches target host name 
my-application-75f3654hj76gb67n-driver-svc"
I tried to mod the pod name with
 spark.kubernetes.driver.pod.name
but it only affects the pod and not the service

I found a partial solution using wildcards for the domain inside the cert, but 
because it only works on the subdomain level I have to refer to the service with:

..
and using -*-driver-svc..svc as alternate domain inside the cert


> Can't use SSL with spark on kubernetes on service level
> ---
>
> Key: SPARK-36833
> URL: https://issues.apache.org/jira/browse/SPARK-36833
> Project: Spark
>  Issue Type: Bug
>  Components: Kubernetes, Security
>Affects Versions: 3.0.0
>Reporter: zoli
>Priority: Blocker
>
> Currently it seems impossible to generate the correct cert for the driver's 
> service because of the random naming.
> I would like to use SSL on the Spark UI, which will be accessed by other pods 
> using the driver's service.
> {code:java}
> "spark.ssl.enabled"=true
>  "spark.ssl.keyStore"=my-spark.jks
>  "spark.ssl.keyStorePassword"=mypassword
>  ..etc..{code}
> At this point we already have to know the domain for the cert.
> Which we don't, because it will be generated at the time when the driver pod 
> is generated.
> {code:java}
> my-application-75f3654hj76gb67n-driver
>  my-application-75f3654hj76gb67n-driver-svc{code}
> So the SSL handshake will fail with:
> {code:java}
> " SSL: no alternative certificate subject name matches target host name 
> my-application-75f3654hj76gb67n-driver-svc{code}
> I tried to mod the pod name with:
> {code:java}
>  spark.kubernetes.driver.pod.name{code}
> but it only affects the pod name and not the service name.
> I found a *partial solution* using wildcards for the domain inside the cert, but 
> because it only works on the subdomain level I have to refer to the service with:
>  -*-driver-svc..svc as alternate domain inside the cert
> and using it with the namespace, svc added just to conform to the wildcard 
> rule's subdomain restriction


