Posted to issues@spark.apache.org by "zoli (Jira)" <ji...@apache.org> on 2021/09/23 12:21:00 UTC

[jira] [Updated] (SPARK-36833) Can't use SSL with spark on kubernetes on service level

     [ https://issues.apache.org/jira/browse/SPARK-36833?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

zoli updated SPARK-36833:
-------------------------
    Description: 
Currently it seems impossible to generate the correct cert for the driver's pod because of the random naming of the service.

I would like to use SSL on the Spark UI, which will be accessed by other pods using the driver's service.
{code:java}
"spark.ssl.enabled"=true
"spark.ssl.keyStore"=my-spark.jks
"spark.ssl.keyStorePassword"=mypassword
..etc..
{code}
At this point we already have to know the domain for the cert.

Which we don't, because it will be generated at the time when the driver pod is generated.
{code:java}
my-application-75f3654hj76gb67n-driver
my-application-75f3654hj76gb67n-driver-svc
{code}
So the SSL handshake will fail with:
{code:java}
SSL: no alternative certificate subject name matches target host name my-application-75f3654hj76gb67n-driver-svc
{code}
I tried to mod the pod name with:
{code:java}
spark.kubernetes.driver.pod.name
{code}
but it only affects the pod name and not the service name.

I found a *partial solution* using wildcards for the domain inside the cert, but because it only works on the subdomain level I have to refer to the service with:
<pod-name>-*-driver-svc.<NS>.svc as alternate domain inside the cert,
and using it with the namespace, svc added just to conform to the wildcard rule's subdomain restriction.

  was:
Currently it seems impossible to generate the correct cert for the driver's service because of the random naming.

I would like to use SSL on the Spark UI, which will be accessed by other pods using the driver's service.
{code:java}
"spark.ssl.enabled"=true
"spark.ssl.keyStore"=my-spark.jks
"spark.ssl.keyStorePassword"=mypassword
..etc..
{code}
At this point we already have to know the domain for the cert.

Which we don't, because it will be generated at the time when the driver pod is generated.
{code:java}
my-application-75f3654hj76gb67n-driver
my-application-75f3654hj76gb67n-driver-svc
{code}

So the SSL handshake will fail with:
{code:java}
SSL: no alternative certificate subject name matches target host name my-application-75f3654hj76gb67n-driver-svc
{code}
I tried to mod the pod name with:
{code:java}
spark.kubernetes.driver.pod.name
{code}
but it only affects the pod name and not the service name.

I found a *partial solution* using wildcards for the domain inside the cert, but because it only works on the subdomain level I have to refer to the service with:
<pod-name>-*-driver-svc.<NS>.svc as alternate domain inside the cert,
and using it with the namespace, svc added just to conform to the wildcard rule's subdomain restriction.


> Can't use SSL with spark on kubernetes on service level
> -------------------------------------------------------
>
>                 Key: SPARK-36833
>                 URL: https://issues.apache.org/jira/browse/SPARK-36833
>             Project: Spark
>          Issue Type: Bug
>          Components: Kubernetes, Security
>    Affects Versions: 3.0.0
>            Reporter: zoli
>            Priority: Blocker
>
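Worked example (added here; not code from the Jira issue or from Spark): a minimal RFC 6125 section 6.4.3 hostname matcher run against the names quoted in the issue, showing why a cert built for a fixed name cannot match the randomly suffixed service name, and why one wildcard label only covers one DNS label, so the namespace and svc labels have to be part of the name. The namespace "spark-ns" is a constructed value; the matcher applies the whole-label wildcard rule and, because RFC 6125 leaves partial-label wildcards optional, treats a wildcard embedded inside a label as a literal, non-matching label.

```python
# Added example, not code from the Jira issue or from Spark: a minimal
# RFC 6125 section 6.4.3 hostname matcher. Hostnames below reuse the names
# quoted in the issue; the namespace "spark-ns" is a constructed value.
from typing import List, Optional


def _label_matches(presented: str, actual: str) -> bool:
    """Match one DNS label. A wildcard is honoured only as a whole label;
    partial-label wildcards ("baz*") are optional in RFC 6125 and are
    treated as a literal (non-matching) label here."""
    return presented == "*" or presented == actual


def hostname_matches(san_dns: str, host: str) -> bool:
    """True if the dNSName SAN entry covers host: case-insensitive, same
    label count (a wildcard never spans a dot), wildcard only left-most."""
    presented = san_dns.lower().rstrip(".").split(".")
    actual = host.lower().rstrip(".").split(".")
    if len(presented) != len(actual):
        return False
    if any("*" in label for label in presented[1:]):
        return False  # a wildcard outside the left-most label is rejected
    return all(_label_matches(p, a) for p, a in zip(presented, actual))


def first_matching_san(sans: List[str], host: str) -> Optional[str]:
    """Return the SAN entry that accepts host, or None, which is the case
    behind "no alternative certificate subject name matches target host name"."""
    for san in sans:
        if hostname_matches(san, host):
            return san
    return None


if __name__ == "__main__":
    # Service name Spark generates at submit time (random middle segment).
    generated = "my-application-75f3654hj76gb67n-driver-svc"
    # A cert built before submit can only carry the part of the name we know.
    fixed_cert = ["my-application-driver-svc"]
    # Wildcard cert: one wildcard label, so it needs the <NS>.svc suffix.
    wildcard_cert = ["*.spark-ns.svc"]
    print(first_matching_san(fixed_cert, generated))                       # None
    print(first_matching_san(wildcard_cert, generated))                    # None
    print(first_matching_san(wildcard_cert, generated + ".spark-ns.svc"))  # *.spark-ns.svc
    print(hostname_matches("*.svc", "x.spark-ns.svc"))                     # False
```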