Posted to dev@flink.apache.org by Hao t Chang <ht...@us.ibm.com> on 2022/09/09 16:24:48 UTC
Recommended way to Enable SSL Flink Kubernetes Operator
Hi
Is there a recommended way (similar to this [1]) to enable SSL for REST/internal connectivity for a FlinkDeployment created by the Flink Kubernetes Operator?
First I added the required SSL config inside the flink-operator-config configmap.
The required SSL configs look like:
security.ssl.internal.enabled: true
security.ssl.internal.keystore: /certs/keystore.p12
security.ssl.internal.keystore-password: password
security.ssl.internal.key-password: password
security.ssl.internal.truststore: /certs/keystore.p12
security.ssl.internal.truststore-password: password
security.ssl.rest.enabled: true
security.ssl.rest.keystore: /certs/keystore.p12
security.ssl.rest.keystore-password: password
security.ssl.rest.key-password: password1234
security.ssl.rest.truststore: /certs/keystore.p12
security.ssl.rest.truststore-password: password
What's not clear to me is how to create and mount the keystore and truststore in a FlinkDeployment CRD for the job/task managers to consume. Otherwise, the basic-example FlinkDeployment fails to start with the following reason:
Shutting KubernetesApplicationClusterEntrypoint down with application status FAILED. Diagnostics java.io.IOException: Failed to initialize SSL for the blob server
Caused by: java.nio.file.NoSuchFileException: /certs/keystore.p12
[1] https://nightlies.apache.org/flink/flink-docs-master/docs/deployment/security/security-ssl/
Re: Recommended way to Enable SSL Flink Kubernetes Operator
Posted by Yang Wang <da...@gmail.com>.
I think you have already found the solution.
Pod template[1] is exactly what you want.
[1] https://nightlies.apache.org/flink/flink-docs-release-1.15/docs/deployment/resource-providers/native_kubernetes/#pod-template
Best,
Yang
Hao t Chang <ht...@us.ibm.com> wrote on Tuesday, September 13, 2022 at 07:41:
Re: Recommended way to Enable SSL Flink Kubernetes Operator
Posted by Hao t Chang <ht...@us.ibm.com>.
Hi Biao
I think this modified basic-example FlinkDeployment should load the existing keystore, although I am not certain whether re-using the webhook keystore is recommended.
apiVersion: flink.apache.org/v1beta1
kind: FlinkDeployment
metadata:
  name: basic-example
spec:
  image: flink:1.15
  flinkVersion: v1_15
  flinkConfiguration:
    taskmanager.numberOfTaskSlots: "2"
  serviceAccount: flink
  jobManager:
    resource:
      memory: "2048m"
      cpu: 1
  taskManager:
    resource:
      memory: "2048m"
      cpu: 1
  podTemplate:
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-template
    spec:
      containers:
        - name: flink-main-container
          volumeMounts:
            - mountPath: /certs
              name: keystore
      volumes:
        - name: keystore
          secret:
            defaultMode: 420
            items:
              - key: keystore.p12
                path: keystore.p12
            secretName: webhook-server-cert
  job:
    jarURI: local:///opt/flink/examples/streaming/StateMachineExample.jar
    parallelism: 2
    upgradeMode: stateless
Verify with curl:
curl -v -k https://basic-example-rest:8081
* Trying 172.21.126.88:8081...
* Connected to basic-example-rest (172.21.126.88) port 8081 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=FlinkDeployment Validator
* start date: Sep 12 17:38:37 2022 GMT
* expire date: Dec 11 17:38:37 2022 GMT
* issuer: CN=FlinkDeployment Validator
* SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET / HTTP/1.1
> Host: basic-example-rest:8081
> User-Agent: curl/7.74.0
> Accept: */*
From: Hao t Chang <ht...@us.ibm.com>
Date: Friday, September 9, 2022 at 11:10 AM
To: dev@flink.apache.org <de...@flink.apache.org>
Subject: [EXTERNAL] Re: Recommended way to Enable SSL Flink Kubernetes Operator
Hi Biao thanks for the quick reply.
The Helm chart uses a standard Deployment to mount the keystore onto the webhook container using volumes/volumeMounts for the operator, but it's not clear to me how to mount the keystore using the FlinkDeployment CRD [2] for a Flink application.
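The failure in the first message (NoSuchFileException for /certs/keystore.p12) is a mismatch between the paths in security.ssl.* and what the pod template actually mounts, and the curl output above shows the second pitfall: the mounted cert is the operator's own webhook certificate (CN=FlinkDeployment Validator), not one issued for the job's REST service. The following Python script is an added example, not code from the thread or from the Flink project. It cross-checks a FlinkDeployment's flinkConfiguration against its podTemplate before the job is submitted: every keystore/truststore path of an enabled SSL scope must sit under a volumeMount of flink-main-container, a secret-backed volume with an explicit items list must project that file, and reuse of the operator's webhook-server-cert secret is flagged. The sample config and pod template are constructed from the messages above; the secret name basic-example-tls used for the hardened variant is a hypothetical placeholder.

```python
import copy

# Constructed sample: the SSL settings posted in the first message of the thread
# (passwords omitted; only the paths and enabled flags matter for this check).
SSL_CONFIG = {
    "security.ssl.internal.enabled": "true",
    "security.ssl.internal.keystore": "/certs/keystore.p12",
    "security.ssl.internal.truststore": "/certs/keystore.p12",
    "security.ssl.rest.enabled": "true",
    "security.ssl.rest.keystore": "/certs/keystore.p12",
    "security.ssl.rest.truststore": "/certs/keystore.p12",
}

# Constructed sample: the podTemplate from the FlinkDeployment above, as a dict
# so the example runs without a YAML parser.
POD_TEMPLATE = {
    "spec": {
        "containers": [
            {"name": "flink-main-container",
             "volumeMounts": [{"mountPath": "/certs", "name": "keystore"}]}
        ],
        "volumes": [
            {"name": "keystore",
             "secret": {"secretName": "webhook-server-cert",
                        "items": [{"key": "keystore.p12", "path": "keystore.p12"}]}}
        ],
    }
}

# The secret the operator's Helm chart uses for its admission webhook (seen above).
OPERATOR_WEBHOOK_SECRET = "webhook-server-cert"


def required_store_paths(flink_conf):
    """Paths Flink will open for every SSL scope whose *.enabled flag is true."""
    paths = set()
    for scope in ("internal", "rest"):
        if str(flink_conf.get(f"security.ssl.{scope}.enabled", "false")).lower() != "true":
            continue
        for store in ("keystore", "truststore"):
            path = flink_conf.get(f"security.ssl.{scope}.{store}")
            if path:
                paths.add(path)
    return paths


def check_ssl_mounts(flink_conf, pod_template, container="flink-main-container"):
    """Return a list of findings; an empty list means every store path is backed by a mount."""
    findings = []
    spec = (pod_template or {}).get("spec", {})
    volumes = {v["name"]: v for v in spec.get("volumes", [])}
    mounts = next((c.get("volumeMounts", []) for c in spec.get("containers", [])
                   if c.get("name") == container), [])
    for path in sorted(required_store_paths(flink_conf)):
        covering = [m for m in mounts if path.startswith(m["mountPath"].rstrip("/") + "/")]
        if not covering:
            findings.append(f"{path}: no volumeMount on {container} covers it; "
                            "Flink will fail with NoSuchFileException")
            continue
        for m in covering:
            rel = path[len(m["mountPath"].rstrip("/")) + 1:]  # file name inside the mount
            vol = volumes.get(m["name"])
            if vol is None:
                findings.append(f"{path}: volumeMount '{m['name']}' has no matching volume")
                continue
            secret = vol.get("secret")
            if not secret:
                continue  # not secret-backed; nothing more can be checked statically
            items = secret.get("items")
            if items is not None and rel not in {i["path"] for i in items}:
                findings.append(f"{path}: secret '{secret.get('secretName')}' does not project '{rel}'")
            if secret.get("secretName") == OPERATOR_WEBHOOK_SECRET:
                findings.append(f"{path}: reuses the operator webhook secret '{OPERATOR_WEBHOOK_SECRET}'; "
                                "its subject is the webhook, not the job's REST service, "
                                "so clients cannot verify the hostname without -k; issue a dedicated cert")
    return findings


def dedicated_secret_template(template, secret_name):
    """Hypothetical hardened variant: same mounts, but a job-specific TLS secret."""
    fixed = copy.deepcopy(template)
    for vol in fixed["spec"]["volumes"]:
        if "secret" in vol:
            vol["secret"]["secretName"] = secret_name
    return fixed


if __name__ == "__main__":
    cases = [("no podTemplate", None),
             ("podTemplate from the thread", POD_TEMPLATE),
             ("dedicated secret", dedicated_secret_template(POD_TEMPLATE, "basic-example-tls"))]
    for label, tmpl in cases:
        print(f"{label}: {check_ssl_mounts(SSL_CONFIG, tmpl) or ['OK']}")
```

Running it reports the NoSuchFileException case for a deployment without a podTemplate, a single reuse warning for the podTemplate posted above, and no findings once the volume points at a secret issued for the job itself (for example, by the same cert-manager that issues the webhook certificate).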
Re: Recommended way to Enable SSL Flink Kubernetes Operator
Posted by Hao t Chang <ht...@us.ibm.com>.
Hi Biao thanks for the quick reply.
The Helm chart uses a standard Deployment to mount the keystore onto the webhook container using volumes/volumeMounts for the operator, but it's not clear to me how to mount the keystore using the FlinkDeployment CRD [2] for a Flink application.
[2] https://github.com/apache/flink-kubernetes-operator/blob/main/helm/flink-kubernetes-operator/crds/flinkdeployments.flink.apache.org-v1.yml
From: Geng Biao <bi...@gmail.com>
Date: Friday, September 9, 2022 at 9:33 AM
To: dev@flink.apache.org <de...@flink.apache.org>
Subject: [EXTERNAL] Re: Recommended way to Enable SSL Flink Kubernetes Operator
Hi Hao,
You may take a look at the code for the webhook in the Helm charts of the Flink k8s project, as it also utilizes cert-manager to create and mount the keystore for SSL.
Best,
Biao Geng
Re: Recommended way to Enable SSL Flink Kubernetes Operator
Posted by Geng Biao <bi...@gmail.com>.
Hi Hao,
You may take a look at the code for the webhook in the Helm charts of the Flink k8s project, as it also utilizes cert-manager to create and mount the keystore for SSL.
Best,
Biao Geng