We've added something similar to the FKO: https://github.com/apache/flink-kubernetes-operator/pull/364
Best,
Matyas

On Fri, Dec 16, 2022 at 5:11 AM Martijn Visser <martijnvis...@apache.org> wrote:

> Hi Steve,
>
> I don't think that Flink has added support for certificate rotation. It
> would be quite a nice feature if someone could contribute to it.
>
> Best regards,
>
> Martijn
>
> On Fri, Dec 2, 2022 at 3:51 PM Steve Niemitz <sniem...@apache.org> wrote:
>
>> We're investigating using internal SSL for our flink deployments, but I'm
>> curious how it handles cases where the certificates expire while a job is
>> running. We run a key distribution infrastructure with client/server keys
>> that expire fairly quickly (~days), so for example, long-running streaming
>> jobs could run into a case where the certificate that was loaded when the
>> job started expires while the job is still running.
>>
>> I looked through the code and see 3 places where certs are loaded:
>> - Akka via CustomSSLEngineProvider (for actor communication)
>> - NettyConfig.createServerSSLEngineFactory and similar (for shuffle
>> communication)
>> - SSLUtils.createRestNettySSLContext and similar (for the blob server)
>>
>> None of these seem to support reloading a certificate once created, but
>> is it possible that this is handled somewhere else higher up the stack?
>>
>> Does anyone have experience running something like this that they
>> could share?
>>
>> Thank you!
>>
>