Self-Managed (not available for BYOC)

Pluggable Certificates

You can use your own certificates to enable SSL for Flink internal and external communications. The steps are:

  • Generate certificates for Ververica Platform (VVP) and Flink jobs
  • Provide the Deployment with a custom SSL Flink configuration
  • Provide configuration for the VVP installation with the custom keystore

Configuration

To use your own certificates for Flink internal and external communications, you need to complete several configuration steps: generating keystores, preparing the Kubernetes environment, enabling SSL, and finally deploying.

The commands in the following sections generate three keystores:

  • For Ververica Platform: vvp.keystore
  • For a Flink job: flink-rest.keystore
  • For the Result Fetcher service: result-fetcher-rest.keystore

If you want to use your own public or corporate CA-signed certificate, ask your security team to generate the three keystores by following a similar procedure.

The procedure below uses two Kubernetes namespaces:

  • vvp-namespace: the Kubernetes namespace where Ververica Platform runs
  • job-namespace: the Kubernetes namespace where Flink jobs and Result Fetcher service run

Substitute them with the namespaces you use in your own Kubernetes cluster if necessary.

Generate Ververica Platform keystore

To generate the keystore for the Ververica Platform appmanager, use the following commands:

BASH
# Create a self-signed root CA key pair (CA:true, keyCertSign) in its own keystore
keytool -genkeypair -alias rootca/v2 -dname "cn=ca.app-manager.v2" -validity 10000 -keyalg RSA -keysize 4096 -ext "bc=ca:true" -ext KeyUsage:critical=keyCertSign -keystore vvp-root.keystore -keypass key-store-pass -storepass key-store-pass

# Export the root CA certificate; it is appended to the chains of the other keystores below
keytool -exportcert -keystore vvp-root.keystore -alias rootca/v2 -storepass key-store-pass -file vvp-root.cer

# Create the client key pair that Ververica Platform presents to Flink jobs
keytool -genkeypair -alias client -dname "cn=me.app-manager" -validity 10000 -keyalg RSA -keysize 4096 -keystore vvp-client.keystore -keypass key-store-pass -storepass key-store-pass

# Export the client certificate; the Flink job keystore imports it later
keytool -exportcert -keystore vvp-client.keystore -alias client -storepass key-store-pass -file vvp-client.cer

# Combine the root CA and client entries into the single PKCS12 keystore used by VVP
keytool -importkeystore -srckeystore vvp-root.keystore -srcalias rootca/v2 -srckeypass key-store-pass -srcstorepass key-store-pass -destalias rootca/v2 -destkeystore vvp.keystore -destkeypass key-store-pass -deststorepass key-store-pass -deststoretype PKCS12

keytool -importkeystore -srckeystore vvp-client.keystore -srcalias client -srckeypass key-store-pass -srcstorepass key-store-pass -destalias client -destkeystore vvp.keystore -destkeypass key-store-pass -deststorepass key-store-pass -deststoretype PKCS12

Generate Result Fetcher keystore

To generate the Result Fetcher keystore, use the following commands:

BASH
# Create the Result Fetcher key pair and export its self-signed certificate
keytool -genkeypair -alias result-fetcher.rest -dname "cn=me.result-fetcher" -validity 10000 -keyalg RSA -keysize 4096 -keystore result-fetcher-rest.keystore -keypass key-store-pass -storepass key-store-pass
keytool -exportcert -keystore result-fetcher-rest.keystore -alias result-fetcher.rest -storepass key-store-pass -file result-fetcher-client.cer

# Create a CSR and have the root CA sign it, adding a SAN for the job namespace services
keytool -certreq -alias result-fetcher.rest -keystore result-fetcher-rest.keystore -storepass key-store-pass -file result-fetcher-client.csr
keytool -gencert -alias rootca/v2 -keystore vvp-root.keystore -storepass key-store-pass -ext "SAN=dns:*.job-namespace.svc" -infile result-fetcher-client.csr -outfile result-fetcher-client.cer
cat result-fetcher-client.cer vvp-root.cer > result-fetcher-chain.cer

# Replace the self-signed entry with the CA-signed chain
keytool -importcert -keystore result-fetcher-rest.keystore -storepass key-store-pass -file result-fetcher-chain.cer -alias result-fetcher.rest -noprompt

Generate Flink job keystore

To generate the Flink job keystore, use the following commands:

BASH
# Create the Flink REST key pair directly as PKCS12 (key password equals the store password)
keytool -genkeypair -alias flink.rest -keystore flink-rest.keystore -dname "CN=*.job-namespace.svc" -ext "SAN=dns:*.job-namespace.svc.cluster.local" -storepass keystore_password -keyalg RSA -keysize 4096 -storetype PKCS12

# Create a CSR, have the root CA sign it, and build the chain
keytool -certreq -alias flink.rest -keystore flink-rest.keystore -storepass keystore_password -file rest.csr
keytool -gencert -alias rootca/v2 -keystore vvp-root.keystore -storepass key-store-pass -ext "SAN=dns:*.job-namespace.svc" -infile rest.csr -outfile rest.cer
cat rest.cer vvp-root.cer > chain.cer

# Trust the VVP client certificate, then replace the self-signed entry with the CA-signed chain
keytool -importcert -keystore flink-rest.keystore -storepass keystore_password -file vvp-client.cer -alias client -noprompt
keytool -importcert -keystore flink-rest.keystore -storepass keystore_password -file chain.cer -alias flink.rest -noprompt
Finally, make the Result Fetcher trust the Flink job's REST certificate. Export the signed certificate from flink-rest.keystore, then import it into the Result Fetcher keystore:

BASH
# Export the CA-signed Flink REST certificate from the Flink job keystore
keytool -exportcert -keystore flink-rest.keystore -alias flink.rest -storepass keystore_password -file flink-rest.cer

# Import it into the Result Fetcher keystore as a trusted certificate
keytool -importcert -keystore result-fetcher-rest.keystore -storepass key-store-pass -file flink-rest.cer -alias flink-client -noprompt

Kubernetes environment preparation

To prepare the Kubernetes environment, create a Secret holding the Ververica Platform keystore:

BASH
kubectl --namespace=vvp-namespace create secret generic vvp-keystore --from-file=vvp.keystore

The Ververica Platform configuration is provided by the values.yaml file, which points the appmanager at the mounted keystore:

YAML
vvp:
  appmanager:
    ssl:
      keystore: /vvp-keystore/vvp.keystore
      keystore-password: key-store-pass
      keystore-key-password: key-store-pass

volumeMounts:
  - name: vvp-keystore
    mountPath: /vvp-keystore

volumes:
  - name: vvp-keystore
    secret:
      secretName: vvp-keystore

To create the Kubernetes Secrets for the Flink job and the Result Fetcher, use the following commands:

BASH
# The same PKCS12 file serves as Flink truststore and keystore: it holds the REST key
# and the trusted VVP client certificate
kubectl --namespace=job-namespace create secret generic flink-truststore --from-file=flink-rest.keystore
kubectl --namespace=job-namespace create secret generic flink-keystore --from-file=flink-rest.keystore
kubectl --namespace=job-namespace create secret generic result-fetcher-keystore --from-file=result-fetcher-rest.keystore

Enable SSL for Session Cluster network communication

To enable SSL for Session Cluster network communication, set the following annotation in the YAML tab (annotation values are strings, so the value is quoted):

YAML
metadata:
  annotations:
    flink.security.ssl.enabled: 'true'

(Screenshot: Enable Session Cluster SSL, YAML tab)

Or check the toggle in the Standard tab:

(Screenshot: Enable Session Cluster SSL, Standard tab)

Then add the SSL settings to the flinkConfiguration of the Deployment; the paths must match the volume mounts defined in the pod templates below:

YAML
spec:
  template:
    spec:
      flinkConfiguration:
        security.ssl.rest.enabled: 'true'
        security.ssl.rest.key-password: keystore_password
        security.ssl.rest.keystore: /flink-keystore/flink-rest.keystore
        security.ssl.rest.keystore-password: keystore_password
        security.ssl.rest.truststore: /flink-truststore/flink-rest.keystore
        security.ssl.rest.truststore-password: keystore_password

Kubernetes configuration

For the Kubernetes configuration, mount the Secrets into the JobManager, Result Fetcher and TaskManager containers using the following pod templates:

YAML
spec:
  kubernetes:
    jobManagerPodTemplate:
      spec:
        containers:
          - name: flink-jobmanager
            volumeMounts:
              - mountPath: /flink-truststore
                name: flink-truststore-vol
              - mountPath: /flink-keystore
                name: flink-keystore-vol
          - env:
              - name: vvp.result-fetcher.ssl.keystorePath
                value: /result-fetcher-keystore/result-fetcher-rest.keystore
              - name: vvp.result-fetcher.ssl.keystorePassword
                value: key-store-pass
              - name: vvp.result-fetcher.ssl.keyPassword
                value: key-store-pass
            name: result-fetcher
            volumeMounts:
              - mountPath: /result-fetcher-keystore
                name: result-fetcher-keystore-vol
        volumes:
          - name: flink-truststore-vol
            secret:
              secretName: flink-truststore
          - name: flink-keystore-vol
            secret:
              secretName: flink-keystore
          - name: result-fetcher-keystore-vol
            secret:
              secretName: result-fetcher-keystore
    taskManagerPodTemplate:
      spec:
        containers:
          - name: flink-taskmanager
            volumeMounts:
              - mountPath: /flink-truststore
                name: flink-truststore-vol
              - mountPath: /flink-keystore
                name: flink-keystore-vol
        volumes:
          - name: flink-truststore-vol
            secret:
              secretName: flink-truststore
          - name: flink-keystore-vol
            secret:
              secretName: flink-keystore