Posted to issues@spark.apache.org by "Gellért (Jira)" <ji...@apache.org> on 2022/12/08 12:44:00 UTC

[jira] [Commented] (SPARK-36833) Can't use SSL with spark on kubernetes on service level

    [ https://issues.apache.org/jira/browse/SPARK-36833?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17644792#comment-17644792 ] 

Gellért commented on SPARK-36833:
---------------------------------

You could use this on your SparkConf:

.setAppName("name")

> Can't use SSL with spark on kubernetes on service level
> -------------------------------------------------------
>
>                 Key: SPARK-36833
>                 URL: https://issues.apache.org/jira/browse/SPARK-36833
>             Project: Spark
>          Issue Type: Bug
>          Components: Kubernetes, Security
>    Affects Versions: 3.0.0
>            Reporter: zoli
>            Priority: Critical
>
> Currently it seems impossible to create the correct cert for the driver's pod because of the random naming of the service.
> I would like to use SSL on the Spark UI, which will be accessed by other pods using the driver's service.
> {code:java}
> "spark.ssl.enabled"=true
> "spark.ssl.keyStore"=my-spark.jks
> "spark.ssl.keyStorePassword"=mypassword
> ..etc..{code}
> At this point we already have to know the domain for the cert,
> which we don't, because it will be generated at the time when the driver pod is generated.
> {code:java}
> my-application-75f3654hj76gb67n-driver
> my-application-75f3654hj76gb67n-driver-svc{code}
> So the SSL handshake will fail with:
> {code:java}
> " SSL: no alternative certificate subject name matches target host name my-application-75f3654hj76gb67n-driver-svc{code}
> I tried to mod the pod name with:
> {code:java}
>  spark.kubernetes.driver.pod.name{code}
> but it only affects the pod name and not the service name.
> If it is neither a bug nor a missed feature, then please guide me on how to use SSL when hitting the driver's service (or how to define a fixed-name service like for pods).
> ----------------------------------------------------------------------------------------------------------------------------------------------------------------
> I found a *partial solution* using wildcards for the domain inside the cert, but because it only works on the subdomain level I have to refer to the service with:
>  <POD_NAME>-*-driver-svc.<NS>.svc as the alternate domain inside the cert,
>  using it with the namespace and svc added just to conform to the wildcard rule's subdomain restriction.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
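
Added example, not part of the original message or of Spark: a simplified model of the wildcard rule the reporter describes (one "*" in the left-most label only, and at least two further labels in the pattern), showing why the bare service name cannot match and the <NS>.svc form can. The namespace "spark" and the helper names are constructed for illustration; real TLS clients differ, and some reject partial-label wildcards entirely.

```python
# Simplified hostname-vs-SAN matcher (assumed rule set, not any TLS library's code).

def wildcard_san_matches(pattern: str, host: str) -> bool:
    """Return True if a certificate dNSName pattern covers the host name."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Exactly one wildcard, and only inside the left-most label.
    if pattern.count("*") != 1 or "*" not in p_labels[0]:
        return False
    # Subdomain restriction: the wildcard label needs two more labels after it.
    if len(p_labels) < 3:
        return False
    # A wildcard never spans a dot, so label counts and the tail must agree.
    if len(p_labels) != len(h_labels) or p_labels[1:] != h_labels[1:]:
        return False
    prefix, suffix = p_labels[0].split("*")
    left = h_labels[0]
    return (len(left) >= len(prefix) + len(suffix)
            and left.startswith(prefix) and left.endswith(suffix))


def first_matching_san(sans, host):
    """Return the first SAN entry that covers host, or None (handshake would fail)."""
    for san in sans:
        if wildcard_san_matches(san, host):
            return san
    return None


# Constructed sample values based on the names in the report.
SERVICE = "my-application-75f3654hj76gb67n-driver-svc"
BARE_WILDCARD = "my-application-*-driver-svc"
NS_WILDCARD = "my-application-*-driver-svc.spark.svc"

if __name__ == "__main__":
    for host in (SERVICE, SERVICE + ".spark.svc"):
        hit = first_matching_san([BARE_WILDCARD, NS_WILDCARD], host)
        print(f"{host}: {'matched ' + hit if hit else 'no SAN matches'}")
```

Clients must connect with the <service>.<NS>.svc name for the wildcard entry to apply; the short service name still fails verification.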
