[jira] [Updated] (SPARK-36833) Can't use SSL with spark on kubernetes on service level
[ https://issues.apache.org/jira/browse/SPARK-36833?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] zoli updated SPARK-36833: - Description: Currently it seems impossible to create the correct cert for driver's pod because of the random naming of the service. I would like to use ssl on spark Ui which will be accessed by other pods using the driver's service. {code:java} "spark.ssl.enabled"=true "spark.ssl.keyStore"=my-spark.jks "spark.ssl.keyStorePassword"=mypassword ..etc..{code} At this point we already have to know the domain for the cert. Which we don't because it will be generated at time when the driver pod generated. {code:java} my-application-75f3654hj76gb67n-driver my-application-75f3654hj76gb67n-driver-svc{code} So SSL handshake will fail with : {code:java} " SSL: no alternative certificate subject name matches target host name my-application-75f3654hj76gb67n-driver-svc{code} I tried to mod the pod name with: {code:java} spark.kubernetes.driver.pod.name{code} but it only affects the pod name and not the service name If it is neither a bug nor a missed feature then please guide me how to use SSL when hitting the driver's service (or how to define fixed name service like for pods). I found a *partial solution* using wildcards for domain inside the cert, but because it only works on subdomain level I have to refer the service with : -*-driver-svc..svc as alternatedomain inside the cert and using it with the namespace , svc added just to conform the wildcard's rule subdomain restriction was: Currently it seems impossible to create the correct cert for driver's pod because of the random naming of the service. I would like to use ssl on spark Ui which will be accessed by other pods using the driver's service. {code:java} "spark.ssl.enabled"=true "spark.ssl.keyStore"=my-spark.jks "spark.ssl.keyStorePassword"=mypassword ..etc..{code} At this point we already have to know the domain for the cert. Which we don't because it will be generated at time when the driver pod generated. {code:java} my-application-75f3654hj76gb67n-driver my-application-75f3654hj76gb67n-driver-svc{code} So SSL handshake will fail with : {code:java} " SSL: no alternative certificate subject name matches target host name my-application-75f3654hj76gb67n-driver-svc{code} I tried to mod the pod name with: {code:java} spark.kubernetes.driver.pod.name{code} but it only affects the pod name and not the service name If it is neither a bug nor a missed feature then please guide me how to use SSL when hitting the driver's service. I found a *partial solution* using wildcards for domain inside the cert, but because it only works on subdomain level I have to refer the service with : -*-driver-svc..svc as alternatedomain inside the cert and using it with the namespace , svc added just to conform the wildcard's rule subdomain restriction > Can't use SSL with spark on kubernetes on service level > --- > > Key: SPARK-36833 > URL: https://issues.apache.org/jira/browse/SPARK-36833 > Project: Spark > Issue Type: Bug > Components: Kubernetes, Security >Affects Versions: 3.0.0 >Reporter: zoli >Priority: Critical > > Currently it seems impossible to create the correct cert for driver's pod > because of the random naming of the service. > I would like to use ssl on spark Ui which will be accessed by other pods > using the driver's service. > {code:java} > "spark.ssl.enabled"=true > "spark.ssl.keyStore"=my-spark.jks > "spark.ssl.keyStorePassword"=mypassword > ..etc..{code} > At this point we already have to know the domain for the cert. > Which we don't because it will be generated at time when the driver pod > generated. > {code:java} > my-application-75f3654hj76gb67n-driver > my-application-75f3654hj76gb67n-driver-svc{code} > So SSL handshake will fail with : > {code:java} > " SSL: no alternative certificate subject name matches target host name > my-application-75f3654hj76gb67n-driver-svc{code} > I tried to mod the pod name with: > {code:java} > spark.kubernetes.driver.pod.name{code} > but it only affects the pod name and not the service name > If it is neither a bug nor a missed feature then please guide me how to use > SSL when hitting the driver's service (or how to define fixed name service > like for pods). > > I found a *partial solution* using wildcards for domain inside the cert, but > because it only works on subdomain level I have to refer the service with : > -*-driver-svc..svc as
[jira] [Updated] (SPARK-36833) Can't use SSL with spark on kubernetes on service level
[ https://issues.apache.org/jira/browse/SPARK-36833?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] zoli updated SPARK-36833: - Description: Currently it seems impossible to create the correct cert for driver's pod because of the random naming of the service. I would like to use ssl on spark Ui which will be accessed by other pods using the driver's service. {code:java} "spark.ssl.enabled"=true "spark.ssl.keyStore"=my-spark.jks "spark.ssl.keyStorePassword"=mypassword ..etc..{code} At this point we already have to know the domain for the cert. Which we don't because it will be generated at time when the driver pod generated. {code:java} my-application-75f3654hj76gb67n-driver my-application-75f3654hj76gb67n-driver-svc{code} So SSL handshake will fail with : {code:java} " SSL: no alternative certificate subject name matches target host name my-application-75f3654hj76gb67n-driver-svc{code} I tried to mod the pod name with: {code:java} spark.kubernetes.driver.pod.name{code} but it only affects the pod name and not the service name If it is neither a bug nor a missed feature then please guide me how to use SSL when hitting the driver's service. I found a *partial solution* using wildcards for domain inside the cert, but because it only works on subdomain level I have to refer the service with : -*-driver-svc..svc as alternatedomain inside the cert and using it with the namespace , svc added just to conform the wildcard's rule subdomain restriction was: Currently it seems impossible to generate the correct cert for driver's pod because of the random naming of the service. I would like to use ssl on spark Ui which will be accessed by other pods using the driver's service. {code:java} "spark.ssl.enabled"=true "spark.ssl.keyStore"=my-spark.jks "spark.ssl.keyStorePassword"=mypassword ..etc..{code} At this point we already have to know the domain for the cert. Which we don't because it will be generated at time when the driver pod generated. {code:java} my-application-75f3654hj76gb67n-driver my-application-75f3654hj76gb67n-driver-svc{code} So SSL handshake will fail with : {code:java} " SSL: no alternative certificate subject name matches target host name my-application-75f3654hj76gb67n-driver-svc{code} I tried to mod the pod name with: {code:java} spark.kubernetes.driver.pod.name{code} but it only affects the pod name and not the service name If it is neither a bug nor a missed feature then please guide me how to use SSL when hitting the driver's service. I found a *partial solution* using wildcards for domain inside the cert, but because it only works on subdomain level I have to refer the service with : -*-driver-svc..svc as alternatedomain inside the cert and using it with the namespace , svc added just to conform the wildcard's rule subdomain restriction > Can't use SSL with spark on kubernetes on service level > --- > > Key: SPARK-36833 > URL: https://issues.apache.org/jira/browse/SPARK-36833 > Project: Spark > Issue Type: Bug > Components: Kubernetes, Security >Affects Versions: 3.0.0 >Reporter: zoli >Priority: Critical > > Currently it seems impossible to create the correct cert for driver's pod > because of the random naming of the service. > I would like to use ssl on spark Ui which will be accessed by other pods > using the driver's service. > {code:java} > "spark.ssl.enabled"=true > "spark.ssl.keyStore"=my-spark.jks > "spark.ssl.keyStorePassword"=mypassword > ..etc..{code} > At this point we already have to know the domain for the cert. > Which we don't because it will be generated at time when the driver pod > generated. > {code:java} > my-application-75f3654hj76gb67n-driver > my-application-75f3654hj76gb67n-driver-svc{code} > So SSL handshake will fail with : > {code:java} > " SSL: no alternative certificate subject name matches target host name > my-application-75f3654hj76gb67n-driver-svc{code} > I tried to mod the pod name with: > {code:java} > spark.kubernetes.driver.pod.name{code} > but it only affects the pod name and not the service name > If it is neither a bug nor a missed feature then please guide me how to use > SSL when hitting the driver's service. > I found a *partial solution* using wildcards for domain inside the cert, but > because it only works on subdomain level I have to refer the service with : > -*-driver-svc..svc as alternatedomain inside the cert > and using it with the namespace , svc added just to conform the wildcard's > rule subdomain restriction -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org
[jira] [Updated] (SPARK-36833) Can't use SSL with spark on kubernetes on service level
[ https://issues.apache.org/jira/browse/SPARK-36833?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] zoli updated SPARK-36833: - Priority: Critical (was: Major) > Can't use SSL with spark on kubernetes on service level > --- > > Key: SPARK-36833 > URL: https://issues.apache.org/jira/browse/SPARK-36833 > Project: Spark > Issue Type: Bug > Components: Kubernetes, Security >Affects Versions: 3.0.0 >Reporter: zoli >Priority: Critical > > Currently it seems impossible to generate the correct cert for driver's pod > because of the random naming of the service. > I would like to use ssl on spark Ui which will be accessed by other pods > using the driver's service. > {code:java} > "spark.ssl.enabled"=true > "spark.ssl.keyStore"=my-spark.jks > "spark.ssl.keyStorePassword"=mypassword > ..etc..{code} > At this point we already have to know the domain for the cert. > Which we don't because it will be generated at time when the driver pod > generated. > {code:java} > my-application-75f3654hj76gb67n-driver > my-application-75f3654hj76gb67n-driver-svc{code} > So SSL handshake will fail with : > {code:java} > " SSL: no alternative certificate subject name matches target host name > my-application-75f3654hj76gb67n-driver-svc{code} > I tried to mod the pod name with: > {code:java} > spark.kubernetes.driver.pod.name{code} > but it only affects the pod name and not the service name > If it is neither a bug nor a missed feature then please guide me how to use > SSL when hitting the driver's service. > I found a *partial solution* using wildcards for domain inside the cert, but > because it only works on subdomain level I have to refer the service with : > -*-driver-svc..svc as alternatedomain inside the cert > and using it with the namespace , svc added just to conform the wildcard's > rule subdomain restriction -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org
[jira] [Updated] (SPARK-36833) Can't use SSL with spark on kubernetes on service level
[ https://issues.apache.org/jira/browse/SPARK-36833?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] zoli updated SPARK-36833: - Description: Currently it seems impossible to generate the correct cert for driver's pod because of the random naming of the service. I would like to use ssl on spark Ui which will be accessed by other pods using the driver's service. {code:java} "spark.ssl.enabled"=true "spark.ssl.keyStore"=my-spark.jks "spark.ssl.keyStorePassword"=mypassword ..etc..{code} At this point we already have to know the domain for the cert. Which we don't because it will be generated at time when the driver pod generated. {code:java} my-application-75f3654hj76gb67n-driver my-application-75f3654hj76gb67n-driver-svc{code} So SSL handshake will fail with : {code:java} " SSL: no alternative certificate subject name matches target host name my-application-75f3654hj76gb67n-driver-svc{code} I tried to mod the pod name with: {code:java} spark.kubernetes.driver.pod.name{code} but it only affects the pod name and not the service name If it is neither a bug nor a missed feature then please guide me how to use SSL when hitting the driver's service. I found a *partial solution* using wildcards for domain inside the cert, but because it only works on subdomain level I have to refer the service with : -*-driver-svc..svc as alternatedomain inside the cert and using it with the namespace , svc added just to conform the wildcard's rule subdomain restriction was: Currently it seems impossible to generate the correct cert for driver's pod because of the random naming of the service. I would like to use ssl on spark Ui which will be accessed by other pods using the driver's service. {code:java} "spark.ssl.enabled"=true "spark.ssl.keyStore"=my-spark.jks "spark.ssl.keyStorePassword"=mypassword ..etc..{code} At this point we already have to know the domain for the cert. Which we don't because it will be generated at time when the driver pod generated. {code:java} my-application-75f3654hj76gb67n-driver my-application-75f3654hj76gb67n-driver-svc{code} So SSL handshake will fail with : {code:java} " SSL: no alternative certificate subject name matches target host name my-application-75f3654hj76gb67n-driver-svc{code} I tried to mod the pod name with: {code:java} spark.kubernetes.driver.pod.name{code} but it only affects the pod name and not the service name If it is neither a bug nor a missed feature then please guide me how to use SSL when hitting the driver's service. I found a *partial solution* using wildcards for domain inside the cert, but because it only works on subdomain level I have to refer the service with : -*-driver-svc..svc as alternatedomain inside the cert and using it with the namespace , svc added just to conform the wildcard's rule subdomain restriction > Can't use SSL with spark on kubernetes on service level > --- > > Key: SPARK-36833 > URL: https://issues.apache.org/jira/browse/SPARK-36833 > Project: Spark > Issue Type: Bug > Components: Kubernetes, Security >Affects Versions: 3.0.0 >Reporter: zoli >Priority: Major > > Currently it seems impossible to generate the correct cert for driver's pod > because of the random naming of the service. > I would like to use ssl on spark Ui which will be accessed by other pods > using the driver's service. > {code:java} > "spark.ssl.enabled"=true > "spark.ssl.keyStore"=my-spark.jks > "spark.ssl.keyStorePassword"=mypassword > ..etc..{code} > At this point we already have to know the domain for the cert. > Which we don't because it will be generated at time when the driver pod > generated. > {code:java} > my-application-75f3654hj76gb67n-driver > my-application-75f3654hj76gb67n-driver-svc{code} > So SSL handshake will fail with : > {code:java} > " SSL: no alternative certificate subject name matches target host name > my-application-75f3654hj76gb67n-driver-svc{code} > I tried to mod the pod name with: > {code:java} > spark.kubernetes.driver.pod.name{code} > but it only affects the pod name and not the service name > If it is neither a bug nor a missed feature then please guide me how to use > SSL when hitting the driver's service. > I found a *partial solution* using wildcards for domain inside the cert, but > because it only works on subdomain level I have to refer the service with : > -*-driver-svc..svc as alternatedomain inside the cert > and using it with the namespace , svc added just to conform the wildcard's > rule subdomain restriction -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org
[jira] [Updated] (SPARK-36833) Can't use SSL with spark on kubernetes on service level
[ https://issues.apache.org/jira/browse/SPARK-36833?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] zoli updated SPARK-36833: - Description: Currently it seems impossible to generate the correct cert for driver's pod because of the random naming of the service. I would like to use ssl on spark Ui which will be accessed by other pods using the driver's service. {code:java} "spark.ssl.enabled"=true "spark.ssl.keyStore"=my-spark.jks "spark.ssl.keyStorePassword"=mypassword ..etc..{code} At this point we already have to know the domain for the cert. Which we don't because it will be generated at time when the driver pod generated. {code:java} my-application-75f3654hj76gb67n-driver my-application-75f3654hj76gb67n-driver-svc{code} So SSL handshake will fail with : {code:java} " SSL: no alternative certificate subject name matches target host name my-application-75f3654hj76gb67n-driver-svc{code} I tried to mod the pod name with: {code:java} spark.kubernetes.driver.pod.name{code} but it only affects the pod name and not the service name If it is neither a bug nor a missed feature then please guide me how to use SSL when hitting the driver's service. I found a *partial solution* using wildcards for domain inside the cert, but because it only works on subdomain level I have to refer the service with : -*-driver-svc..svc as alternatedomain inside the cert and using it with the namespace , svc added just to conform the wildcard's rule subdomain restriction was: Currently it seems impossible to generate the correct cert for driver's pod because of the random naming of the service. I would like to use ssl on spark Ui which will be accessed by other pods using the driver's service. {code:java} "spark.ssl.enabled"=true "spark.ssl.keyStore"=my-spark.jks "spark.ssl.keyStorePassword"=mypassword ..etc..{code} At this point we already have to know the domain for the cert. Which we don't because it will be generated at time when the driver pod generated. {code:java} my-application-75f3654hj76gb67n-driver my-application-75f3654hj76gb67n-driver-svc{code} So SSL handshake will fail with : {code:java} " SSL: no alternative certificate subject name matches target host name my-application-75f3654hj76gb67n-driver-svc{code} I tried to mod the pod name with: {code:java} spark.kubernetes.driver.pod.name{code} but it only affects the pod name and not the service name If it is neither a bug nor a missed feature then please guide me how to use SSL when hitting the driver's service. I found a *partial solution* using wildcards for domain inside the cert, but because it only works on subdomain level I have to refer the service with : -*-driver-svc..svc as alternatedomain inside the cert and using it with the namespace , svc added just to conform the wildcard's rule subdomain restriction > Can't use SSL with spark on kubernetes on service level > --- > > Key: SPARK-36833 > URL: https://issues.apache.org/jira/browse/SPARK-36833 > Project: Spark > Issue Type: Bug > Components: Kubernetes, Security >Affects Versions: 3.0.0 >Reporter: zoli >Priority: Major > > Currently it seems impossible to generate the correct cert for driver's pod > because of the random naming of the service. > I would like to use ssl on spark Ui which will be accessed by other pods > using the driver's service. > {code:java} > "spark.ssl.enabled"=true > "spark.ssl.keyStore"=my-spark.jks > "spark.ssl.keyStorePassword"=mypassword > ..etc..{code} > At this point we already have to know the domain for the cert. > Which we don't because it will be generated at time when the driver pod > generated. > {code:java} > my-application-75f3654hj76gb67n-driver > my-application-75f3654hj76gb67n-driver-svc{code} > So SSL handshake will fail with : > {code:java} > " SSL: no alternative certificate subject name matches target host name > my-application-75f3654hj76gb67n-driver-svc{code} > I tried to mod the pod name with: > {code:java} > spark.kubernetes.driver.pod.name{code} > but it only affects the pod name and not the service name > If it is neither a bug nor a missed feature then please guide me how to use > SSL when hitting the driver's service. > I found a *partial solution* using wildcards for domain inside the cert, but > because it only works on subdomain level I have to refer the service with : > -*-driver-svc..svc as alternatedomain inside the cert > and using it with the namespace , svc added just to conform the wildcard's > rule subdomain restriction -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org
[jira] [Updated] (SPARK-36833) Can't use SSL with spark on kubernetes on service level
[ https://issues.apache.org/jira/browse/SPARK-36833?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] zoli updated SPARK-36833: - Description: Currently it seems impossible to generate the correct cert for driver's pod because of the random naming of the service. I would like to use ssl on spark Ui which will be accessed by other pods using the driver's service. {code:java} "spark.ssl.enabled"=true "spark.ssl.keyStore"=my-spark.jks "spark.ssl.keyStorePassword"=mypassword ..etc..{code} At this point we already have to know the domain for the cert. Which we don't because it will be generated at time when the driver pod generated. {code:java} my-application-75f3654hj76gb67n-driver my-application-75f3654hj76gb67n-driver-svc{code} So SSL handshake will fail with : {code:java} " SSL: no alternative certificate subject name matches target host name my-application-75f3654hj76gb67n-driver-svc{code} I tried to mod the pod name with: {code:java} spark.kubernetes.driver.pod.name{code} but it only affects the pod name and not the service name If it is neither a bug nor a missed feature then please guide me how to use SSL when hitting the driver's service. I found a *partial solution* using wildcards for domain inside the cert, but because it only works on subdomain level I have to refer the service with : -*-driver-svc..svc as alternatedomain inside the cert and using it with the namespace , svc added just to conform the wildcard's rule subdomain restriction was: Currently it seems impossible to generate the correct cert for driver's pod because of the random naming of the service. I would like to use ssl on spark Ui which will be accessed by other pods using the driver's service. {code:java} "spark.ssl.enabled"=true "spark.ssl.keyStore"=my-spark.jks "spark.ssl.keyStorePassword"=mypassword ..etc..{code} At this point we already have to know the domain for the cert. Which we don't because it will be generated at time when the driver pod generated. {code:java} my-application-75f3654hj76gb67n-driver my-application-75f3654hj76gb67n-driver-svc{code} So SSL handshake will fail with : {code:java} " SSL: no alternative certificate subject name matches target host name my-application-75f3654hj76gb67n-driver-svc{code} I tried to mod the pod name with: {code:java} spark.kubernetes.driver.pod.name{code} but it only affects the pod name and not the service name If it is neither a bug nor a missed feature then please guide me how to use SSL when hitting the driver's service. I found a *partial solution* using wildcards for domain inside the cert, but because it only works on subdomain level I have to refer the service with : -*-driver-svc..svc as alternatedomain inside the cert and using it with the namespace , svc added just to conform the wildcard's rule subdomain restriction > Can't use SSL with spark on kubernetes on service level > --- > > Key: SPARK-36833 > URL: https://issues.apache.org/jira/browse/SPARK-36833 > Project: Spark > Issue Type: Bug > Components: Kubernetes, Security >Affects Versions: 3.0.0 >Reporter: zoli >Priority: Major > > Currently it seems impossible to generate the correct cert for driver's pod > because of the random naming of the service. > I would like to use ssl on spark Ui which will be accessed by other pods > using the driver's service. > {code:java} > "spark.ssl.enabled"=true > "spark.ssl.keyStore"=my-spark.jks > "spark.ssl.keyStorePassword"=mypassword > ..etc..{code} > At this point we already have to know the domain for the cert. > Which we don't because it will be generated at time when the driver pod > generated. > {code:java} > my-application-75f3654hj76gb67n-driver > my-application-75f3654hj76gb67n-driver-svc{code} > So SSL handshake will fail with : > {code:java} > " SSL: no alternative certificate subject name matches target host name > my-application-75f3654hj76gb67n-driver-svc{code} > I tried to mod the pod name with: > {code:java} > spark.kubernetes.driver.pod.name{code} > but it only affects the pod name and not the service name > If it is neither a bug nor a missed feature then please guide me how to use > SSL when hitting the driver's service. > I found a *partial solution* using wildcards for domain inside the cert, but > because it only works on subdomain level I have to refer the service with : > -*-driver-svc..svc as alternatedomain inside the cert > and using it with the namespace , svc added just to conform the wildcard's > rule subdomain restriction -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org
[jira] [Updated] (SPARK-36833) Can't use SSL with spark on kubernetes on service level
[ https://issues.apache.org/jira/browse/SPARK-36833?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] zoli updated SPARK-36833: - Priority: Major (was: Blocker) > Can't use SSL with spark on kubernetes on service level > --- > > Key: SPARK-36833 > URL: https://issues.apache.org/jira/browse/SPARK-36833 > Project: Spark > Issue Type: Bug > Components: Kubernetes, Security >Affects Versions: 3.0.0 >Reporter: zoli >Priority: Major > > Currently it seems impossible to generate the correct cert for driver's pod > because of the random naming of the service. > I would like to use ssl on spark Ui which will be accessed by other pods > using the driver's service. > {code:java} > "spark.ssl.enabled"=true > "spark.ssl.keyStore"=my-spark.jks > "spark.ssl.keyStorePassword"=mypassword > ..etc..{code} > At this point we already have to know the domain for the cert. > Which we don't because it will be generated at time when the driver pod > generated. > {code:java} > my-application-75f3654hj76gb67n-driver > my-application-75f3654hj76gb67n-driver-svc{code} > So SSL handshake will fail with : > {code:java} > " SSL: no alternative certificate subject name matches target host name > my-application-75f3654hj76gb67n-driver-svc{code} > I tried to mod the pod name with: > {code:java} > spark.kubernetes.driver.pod.name{code} > but it only affects the pod name and not the service name > If it is neither a bug nor a missed feature then please guide me how to use > SSL when hitting the driver's service. > I found a *partial solution* using wildcards for domain inside the cert, but > because it only works on subdomain level I have to refer the service with : > -*-driver-svc..svc as alternatedomain inside the cert > and using it with the namespace , svc added just to conform the wildcard's > rule subdomain restriction -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org
[jira] [Updated] (SPARK-36833) Can't use SSL with spark on kubernetes on service level
[ https://issues.apache.org/jira/browse/SPARK-36833?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] zoli updated SPARK-36833: - Description: Currently it seems impossible to generate the correct cert for driver's pod because of the random naming of the service. I would like to use ssl on spark Ui which will be accessed by other pods using the driver's service. {code:java} "spark.ssl.enabled"=true "spark.ssl.keyStore"=my-spark.jks "spark.ssl.keyStorePassword"=mypassword ..etc..{code} At this point we already have to know the domain for the cert. Which we don't because it will be generated at time when the driver pod generated. {code:java} my-application-75f3654hj76gb67n-driver my-application-75f3654hj76gb67n-driver-svc{code} So SSL handshake will fail with : {code:java} " SSL: no alternative certificate subject name matches target host name my-application-75f3654hj76gb67n-driver-svc{code} I tried to mod the pod name with: {code:java} spark.kubernetes.driver.pod.name{code} but it only affects the pod name and not the service name If it is neither a bug nor a missed feature then please guide me how to use SSL when hitting the driver's service. I found a *partial solution* using wildcards for domain inside the cert, but because it only works on subdomain level I have to refer the service with : -*-driver-svc..svc as alternatedomain inside the cert and using it with the namespace , svc added just to conform the wildcard's rule subdomain restriction was: Currently it seems impossible to generate the correct cert for driver's pod because of the random naming of the service. I would like to use ssl on spark Ui which will be accessed by other pods using the driver's service. {code:java} "spark.ssl.enabled"=true "spark.ssl.keyStore"=my-spark.jks "spark.ssl.keyStorePassword"=mypassword ..etc..{code} At this point we already have to know the domain for the cert. Which we don't because it will be generated at time when the driver pod generated. {code:java} my-application-75f3654hj76gb67n-driver my-application-75f3654hj76gb67n-driver-svc{code} So SSL handshake will fail with : {code:java} " SSL: no alternative certificate subject name matches target host name my-application-75f3654hj76gb67n-driver-svc{code} I tried to mod the pod name with: {code:java} spark.kubernetes.driver.pod.name{code} but it only affects the pod name and not the service name I found a *partial solution* using wildcards for domain inside the cert, but because it only works on subdomain level I have to refer the service with : -*-driver-svc..svc as alternatedomain inside the cert and using it with the namespace , svc added just to conform the wildcard's rule subdomain restriction > Can't use SSL with spark on kubernetes on service level > --- > > Key: SPARK-36833 > URL: https://issues.apache.org/jira/browse/SPARK-36833 > Project: Spark > Issue Type: Bug > Components: Kubernetes, Security >Affects Versions: 3.0.0 >Reporter: zoli >Priority: Blocker > > Currently it seems impossible to generate the correct cert for driver's pod > because of the random naming of the service. > I would like to use ssl on spark Ui which will be accessed by other pods > using the driver's service. > {code:java} > "spark.ssl.enabled"=true > "spark.ssl.keyStore"=my-spark.jks > "spark.ssl.keyStorePassword"=mypassword > ..etc..{code} > At this point we already have to know the domain for the cert. > Which we don't because it will be generated at time when the driver pod > generated. > {code:java} > my-application-75f3654hj76gb67n-driver > my-application-75f3654hj76gb67n-driver-svc{code} > So SSL handshake will fail with : > {code:java} > " SSL: no alternative certificate subject name matches target host name > my-application-75f3654hj76gb67n-driver-svc{code} > I tried to mod the pod name with: > {code:java} > spark.kubernetes.driver.pod.name{code} > but it only affects the pod name and not the service name > If it is neither a bug nor a missed feature then please guide me how to use > SSL when hitting the driver's service. > I found a *partial solution* using wildcards for domain inside the cert, but > because it only works on subdomain level I have to refer the service with : > -*-driver-svc..svc as alternatedomain inside the cert > and using it with the namespace , svc added just to conform the wildcard's > rule subdomain restriction -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org
[jira] [Updated] (SPARK-36833) Can't use SSL with spark on kubernetes on service level
[ https://issues.apache.org/jira/browse/SPARK-36833?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] zoli updated SPARK-36833: - Description: Currently it seems impossible to generate the correct cert for driver's pod because of the random naming of the service. I would like to use ssl on spark Ui which will be accessed by other pods using the driver's service. {code:java} "spark.ssl.enabled"=true "spark.ssl.keyStore"=my-spark.jks "spark.ssl.keyStorePassword"=mypassword ..etc..{code} At this point we already have to know the domain for the cert. Which we don't because it will be generated at time when the driver pod generated. {code:java} my-application-75f3654hj76gb67n-driver my-application-75f3654hj76gb67n-driver-svc{code} So SSL handshake will fail with : {code:java} " SSL: no alternative certificate subject name matches target host name my-application-75f3654hj76gb67n-driver-svc{code} I tried to mod the pod name with: {code:java} spark.kubernetes.driver.pod.name{code} but it only affects the pod name and not the service name I found a *partial solution* using wildcards for domain inside the cert, but because it only works on subdomain level I have to refer the service with : -*-driver-svc..svc as alternatedomain inside the cert and using it with the namespace , svc added just to conform the wildcard's rule subdomain restriction was: Currently seems impossible to generate the correct cert for driver's service because of the random naming. I would like to use ssl on spark Ui which will be accessed by other pods using the driver's service. {code:java} "spark.ssl.enabled"=true "spark.ssl.keyStore"=my-spark.jks "spark.ssl.keyStorePassword"=mypassword ..etc..{code} At this point we already have to know the domain for the cert. Which we don't because it will be generated at time when the driver pod generated. {code:java} my-application-75f3654hj76gb67n-driver my-application-75f3654hj76gb67n-driver-svc{code} So SSL handshake will fail with : {code:java} " SSL: no alternative certificate subject name matches target host name my-application-75f3654hj76gb67n-driver-svc{code} I tried to mod the pod name with: {code:java} spark.kubernetes.driver.pod.name{code} but it only affects the pod name and not the service name I found a *partial solution* using wildcards for domain inside the cert, but because it only works on subdomain level I have to refer the service with : -*-driver-svc..svc as alternatedomain inside the cert and using it with the namespace , svc added just to conform the wildcard's rule subdomain restriction > Can't use SSL with spark on kubernetes on service level > --- > > Key: SPARK-36833 > URL: https://issues.apache.org/jira/browse/SPARK-36833 > Project: Spark > Issue Type: Bug > Components: Kubernetes, Security >Affects Versions: 3.0.0 >Reporter: zoli >Priority: Blocker > > Currently it seems impossible to generate the correct cert for driver's pod > because of the random naming of the service. > I would like to use ssl on spark Ui which will be accessed by other pods > using the driver's service. > {code:java} > "spark.ssl.enabled"=true > "spark.ssl.keyStore"=my-spark.jks > "spark.ssl.keyStorePassword"=mypassword > ..etc..{code} > At this point we already have to know the domain for the cert. > Which we don't because it will be generated at time when the driver pod > generated. > {code:java} > my-application-75f3654hj76gb67n-driver > my-application-75f3654hj76gb67n-driver-svc{code} > So SSL handshake will fail with : > {code:java} > " SSL: no alternative certificate subject name matches target host name > my-application-75f3654hj76gb67n-driver-svc{code} > I tried to mod the pod name with: > {code:java} > spark.kubernetes.driver.pod.name{code} > but it only affects the pod name and not the service name > I found a *partial solution* using wildcards for domain inside the cert, but > because it only works on subdomain level I have to refer the service with : > -*-driver-svc..svc as alternatedomain inside the cert > and using it with the namespace , svc added just to conform the wildcard's > rule subdomain restriction -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org
[jira] [Updated] (SPARK-36833) Can't use SSL with spark on kubernetes on service level
[ https://issues.apache.org/jira/browse/SPARK-36833?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] zoli updated SPARK-36833: - Description: Currently seems impossible to generate the correct cert for driver's service because of the random naming. I would like to use ssl on spark Ui which will be accessed by other pods using the driver's service. {code:java} "spark.ssl.enabled"=true "spark.ssl.keyStore"=my-spark.jks "spark.ssl.keyStorePassword"=mypassword ..etc..{code} At this point we already have to know the domain for the cert. Which we don't because it will be generated at time when the driver pod generated. {code:java} my-application-75f3654hj76gb67n-driver my-application-75f3654hj76gb67n-driver-svc{code} So SSL handshake will fail with : {code:java} " SSL: no alternative certificate subject name matches target host name my-application-75f3654hj76gb67n-driver-svc{code} I tried to mod the pod name with: {code:java} spark.kubernetes.driver.pod.name{code} but it only affects the pod name and not the service name I found a *partial solution* using wildcards for domain inside the cert, but because it only works on subdomain level I have to refer the service with : -*-driver-svc..svc as alternatedomain inside the cert and using it with the namespace , svc added just to conform the wildcard's rule subdomain restriction was: Currently seems impossible to generate the correct cert for driver's service because of the random naming. I would like to use ssl on spark Ui which will be accessed by other pods using the driver's service. "spark.ssl.enabled"=true "spark.ssl.keyStore"=my-spark.jks "spark.ssl.keyStorePassword"=mypassword ..etc.. At this point we already have to know the domain for the cert. Which we don't because it will be generated at time when the driver pod generated. my-application-75f3654hj76gb67n-driver my-application-75f3654hj76gb67n-driver-svc {{So SSL handshake will fail with }} " SSL: no alternative certificate subject name matches target host name my-application-75f3654hj76gb67n-driver-svc"{{ I tried to mod the pod name with}} spark.kubernetes.driver.pod.name {{but it only affects the pod and not the service I found a partial solution using wildcards for domain inside the cert, but because it only works on subdomain level I have to refer the service with : }} ..{{ and using -*-driver-svc..svc as alternatedomain inside the cert }} {{}} > Can't use SSL with spark on kubernetes on service level > --- > > Key: SPARK-36833 > URL: https://issues.apache.org/jira/browse/SPARK-36833 > Project: Spark > Issue Type: Bug > Components: Kubernetes, Security >Affects Versions: 3.0.0 >Reporter: zoli >Priority: Blocker > > Currently seems impossible to generate the correct cert for driver's service > because of the random naming. > I would like to use ssl on spark Ui which will be accessed by other pods > using the driver's service. > {code:java} > "spark.ssl.enabled"=true > "spark.ssl.keyStore"=my-spark.jks > "spark.ssl.keyStorePassword"=mypassword > ..etc..{code} > At this point we already have to know the domain for the cert. > Which we don't because it will be generated at time when the driver pod > generated. > {code:java} > my-application-75f3654hj76gb67n-driver > my-application-75f3654hj76gb67n-driver-svc{code} > So SSL handshake will fail with : > {code:java} > " SSL: no alternative certificate subject name matches target host name > my-application-75f3654hj76gb67n-driver-svc{code} > I tried to mod the pod name with: > {code:java} > spark.kubernetes.driver.pod.name{code} > but it only affects the pod name and not the service name > I found a *partial solution* using wildcards for domain inside the cert, but > because it only works on subdomain level I have to refer the service with : > -*-driver-svc..svc as alternatedomain inside the cert > and using it with the namespace , svc added just to conform the wildcard's > rule subdomain restriction -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org