Hi Jiahui,

thanks for reaching out to the mailing list. This is not something I have expertise in. But have you checked out the Flink SSL Setup documentation [1]? Maybe you'd find some help there.

Additionally, I did go through the code a bit: A SecurityContext is loaded during ClusterEntrypoint startup [2]. It supports dynamic loading of security modules. You might have to implement org.apache.flink.runtime.security.contexts.SecurityContextFactory and configure it in your flink-conf.yaml. Is this something that might help you? I'm adding Aljoscha to this thread as he worked on dynamically loading these modules recently.

Best,
Matthias

[1] https://ci.apache.org/projects/flink/flink-docs-release-1.11/ops/security-ssl.html
[2] https://github.com/apache/flink/blob/2c8631a4eb7a247ce8fb4205f838e8c0f8019367/flink-runtime/src/main/java/org/apache/flink/runtime/entrypoint/ClusterEntrypoint.java#L170

On Wed, Nov 11, 2020 at 6:17 AM Jiahui Jiang <qzhzm173...@hotmail.com> wrote:
> Ping on this 🙂 Is there any way I can run a script or implement some interface to run before the Dispatcher service starts up to dynamically generate the keystore?
>
> Thank you!
> ------------------------------
> *From:* Jiahui Jiang <qzhzm173...@hotmail.com>
> *Sent:* Monday, November 9, 2020 3:19 PM
> *To:* user@flink.apache.org <user@flink.apache.org>
> *Subject:* SSL setup for YARN deployment when hostnames are unknown.
>
> Hello Flink!
>
> We are working on turning on REST SSL for YARN deployments. We built a generic orchestration server that can submit Flink clusters to any YARN clusters given the relevant Hadoop configs. But this means we may not know the hostname the Job Managers can be deployed onto - not even through wildcard DNS names <https://ci.apache.org/projects/flink/flink-docs-stable/ops/security-ssl.html#tips-for-yarn--mesos-deployment> as recommended in the documentation.
>
> I'm wondering, is there any factory class that I can implement that can allow me to generate a private key and import that to JM's keystore at runtime?
> Or is there any other recommended way to handle the cases where we don't know the potential JM hosts at all?
>
> Thank you!
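As an added sketch of the approach Matthias points at (my own illustration, not code from Flink or from anyone on this thread): a SecurityContextFactory that builds a per-host REST keystore with keytool right before the Dispatcher comes up. It assumes the Flink 1.11 SecurityContextFactory/SecurityContext/NoOpSecurityContext API, that SecurityContextInitializeException has a (message, cause) constructor, and that the Configuration inside SecurityConfiguration is the same object ClusterEntrypoint later hands to the REST endpoint, so keystore settings written here take effect; the class and package name are hypothetical.

```java
import org.apache.flink.configuration.Configuration;
import org.apache.flink.configuration.SecurityOptions;
import org.apache.flink.runtime.security.SecurityConfiguration;
import org.apache.flink.runtime.security.contexts.NoOpSecurityContext;
import org.apache.flink.runtime.security.contexts.SecurityContext;
import org.apache.flink.runtime.security.contexts.SecurityContextFactory;
import org.apache.flink.runtime.security.contexts.SecurityContextInitializeException;
import java.io.IOException;
import java.net.InetAddress;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.UUID;

// Hypothetical factory; enable it in flink-conf.yaml via
// security.context.factory.classes: <your package>.RuntimeKeystoreSecurityContextFactory
public final class RuntimeKeystoreSecurityContextFactory implements SecurityContextFactory {
    @Override
    public boolean isCompatibleWith(SecurityConfiguration securityConfig) {
        // Only take over when REST SSL is on and no keystore was shipped with the job.
        Configuration conf = securityConfig.getFlinkConfig();
        return conf.getBoolean(SecurityOptions.SSL_REST_ENABLED)
                && !conf.contains(SecurityOptions.SSL_REST_KEYSTORE);
    }

    @Override
    public SecurityContext createContext(SecurityConfiguration securityConfig)
            throws SecurityContextInitializeException {
        Configuration conf = securityConfig.getFlinkConfig();
        try {
            // The JobManager host is only known at this point, so the SAN is built here.
            String host = InetAddress.getLocalHost().getCanonicalHostName();
            Path keystore = Files.createTempDirectory("flink-rest-ssl").resolve("rest.jks");
            String password = UUID.randomUUID().toString();
            ProcessBuilder pb = new ProcessBuilder("keytool", "-genkeypair", "-keyalg", "RSA",
                    "-keysize", "2048", "-validity", "7", "-alias", "flink-rest",
                    "-dname", "CN=" + host, "-ext", "SAN=dns:" + host,
                    "-keystore", keystore.toString(),
                    "-storepass:env", "FLINK_KS_PASS", "-keypass:env", "FLINK_KS_PASS");
            pb.environment().put("FLINK_KS_PASS", password); // keeps the secret out of `ps`
            int exit = pb.redirectErrorStream(true).start().waitFor();
            if (exit != 0) throw new IOException("keytool exited with status " + exit);
            conf.setString(SecurityOptions.SSL_REST_KEYSTORE, keystore.toString());
            conf.setString(SecurityOptions.SSL_REST_KEYSTORE_PASSWORD, password);
            conf.setString(SecurityOptions.SSL_REST_KEY_PASSWORD, password);
        } catch (IOException | InterruptedException e) {
            throw new SecurityContextInitializeException("could not generate REST keystore", e);
        }
        return new NoOpSecurityContext();
    }
}
```

Two caveats: returning NoOpSecurityContext means this factory displaces the Hadoop security context, so on a Kerberized YARN cluster you would delegate to that factory instead of replacing it; and a self-signed certificate is only useful if the orchestration server's truststore accepts it, so in practice the generated key should get a CSR signed by an internal CA that the client already trusts.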