Pluggable Certificates
You can use your own certificates to enable SSL for Flink internal and external communications. The steps are:
- Generate certificates for VVP and Flink jobs
- Provide the deployment with a custom SSL Flink configuration
- Provide the VVP installation with configuration for the custom keystore
Configuration
To use your own certificates for Flink internal and external communications, you have to follow several configuration steps: generate the keystores, prepare the Kubernetes environment, enable SSL, and finally deploy.
The commands in the following sections generate one keystore each:
- For Ververica Platform: vvp.keystore
- For a Flink job: flink-rest.keystore
- For the Result Fetcher service: result-fetcher-rest.keystore
If you want to use a certificate signed by your own public or corporate CA, ask your security team to generate the three keystores by following a similar procedure.
The procedure below uses two Kubernetes namespaces:
- vvp-namespace: the Kubernetes namespace where Ververica Platform runs
- job-namespace: the Kubernetes namespace where Flink jobs and the Result Fetcher service run
Substitute them with the namespaces you use in your own Kubernetes cluster if necessary.
Generate Ververica Platform keystore
To generate the keystore for the Ververica Platform appmanager, use the following commands:
# Root CA key pair (CA:true, keyCertSign) that signs every other certificate below
keytool -genkeypair -alias rootca/v2 -dname "cn=ca.app-manager.v2" -validity 10000 -keyalg RSA -keysize 4096 -ext "bc=ca:true" -ext KeyUsage:critical=keyCertSign -keystore vvp-root.keystore -keypass key-store-pass -storepass key-store-pass

# Export the root CA certificate; it is appended to the certificate chains later
keytool -exportcert -keystore vvp-root.keystore -alias rootca/v2 -storepass key-store-pass -file vvp-root.cer

# Client key pair used by Ververica Platform
keytool -genkeypair -alias client -dname "cn=me.app-manager" -validity 10000 -keyalg RSA -keysize 4096 -keystore vvp-client.keystore -keypass key-store-pass -storepass key-store-pass

# Export the client certificate; it is imported into the Flink job keystore later
keytool -exportcert -keystore vvp-client.keystore -alias client -storepass key-store-pass -file vvp-client.cer

# Combine the root CA entry and the client entry into the PKCS12 keystore used by VVP
keytool -importkeystore -srckeystore vvp-root.keystore -srcalias rootca/v2 -srckeypass key-store-pass -srcstorepass key-store-pass -destalias rootca/v2 -destkeystore vvp.keystore -destkeypass key-store-pass -deststorepass key-store-pass -deststoretype PKCS12

keytool -importkeystore -srckeystore vvp-client.keystore -srcalias client -srckeypass key-store-pass -srcstorepass key-store-pass -destalias client -destkeystore vvp.keystore -destkeypass key-store-pass -deststorepass key-store-pass -deststoretype PKCS12
Generate Result Fetcher keystore
To generate the Result Fetcher keystore, use the following commands:
# Key pair for the Result Fetcher REST endpoint
keytool -genkeypair -alias result-fetcher.rest -dname "cn=me.result-fetcher" -validity 10000 -keyalg RSA -keysize 4096 -keystore result-fetcher-rest.keystore -keypass key-store-pass -storepass key-store-pass
keytool -exportcert -keystore result-fetcher-rest.keystore -alias result-fetcher.rest -storepass key-store-pass -file result-fetcher-client.cer

# Create a signing request and sign it with the root CA (the SAN covers services in job-namespace)
keytool -certreq -alias result-fetcher.rest -keystore result-fetcher-rest.keystore -storepass key-store-pass -file result-fetcher-client.csr
keytool -gencert -alias rootca/v2 -keystore vvp-root.keystore -storepass key-store-pass -ext "SAN=dns:*.job-namespace.svc" -infile result-fetcher-client.csr -outfile result-fetcher-client.cer
# Chain order: signed leaf certificate first, then the root CA certificate
cat result-fetcher-client.cer vvp-root.cer > result-fetcher-chain.cer

# Import the signed chain back onto the key entry
keytool -importcert -keystore result-fetcher-rest.keystore -storepass key-store-pass -file result-fetcher-chain.cer -alias result-fetcher.rest -noprompt
Generate Flink job keystore
To generate the Flink job keystore, use the following commands:
# Key pair for the Flink REST endpoint; CN and SAN match the job-namespace service names
keytool -genkeypair -alias flink.rest -keystore flink-rest.keystore -dname "CN=*.job-namespace.svc" -ext "SAN=dns:*.job-namespace.svc.cluster.local" -storepass keystore_password -keyalg RSA -keysize 4096 -storetype PKCS12

# Create a signing request, sign it with the root CA, and build the chain (leaf first, then root)
keytool -certreq -alias flink.rest -keystore flink-rest.keystore -storepass keystore_password -file rest.csr
keytool -gencert -alias rootca/v2 -keystore vvp-root.keystore -storepass key-store-pass -ext "SAN=dns:*.job-namespace.svc" -infile rest.csr -outfile rest.cer
cat rest.cer vvp-root.cer > chain.cer

# Trust the VVP client certificate, then import the signed chain onto the key entry
keytool -importcert -keystore flink-rest.keystore -storepass keystore_password -file vvp-client.cer -alias client -noprompt
keytool -importcert -keystore flink-rest.keystore -storepass keystore_password -file chain.cer -alias flink.rest -noprompt
Import Flink job certificate into Result Fetcher keystore
# rest.cer is the CA-signed Flink REST certificate produced in the previous section
keytool -importcert -keystore result-fetcher-rest.keystore -storepass key-store-pass -file rest.cer -alias flink-client -noprompt
Kubernetes environment preparation
To prepare the Kubernetes environment for use, use the following command:
kubectl --namespace=vvp-namespace create secret generic vvp-keystore --from-file=vvp.keystore
The Ververica Platform configuration is provided by the values.yaml file:
vvp:
  appmanager:
    ssl:
      keystore: /vvp-keystore/vvp.keystore
      keystore-password: key-store-pass
      keystore-key-password: key-store-pass

volumeMounts:
  - name: vvp-keystore
    mountPath: /vvp-keystore

volumes:
  - name: vvp-keystore
    secret:
      secretName: vvp-keystore
To create the Kubernetes secrets in the job namespace, use the following three commands:
kubectl --namespace=job-namespace create secret generic flink-truststore --from-file=flink-rest.keystore
kubectl --namespace=job-namespace create secret generic flink-keystore --from-file=flink-rest.keystore
kubectl --namespace=job-namespace create secret generic result-fetcher-keystore --from-file=result-fetcher-rest.keystore
Enable SSL for Session Cluster network communication
To enable SSL for Session Cluster network communication, set the following annotation in the YAML tab:
metadata:
  annotations:
    flink.security.ssl.enabled: "true"
Or check the toggle in the Standard tab:

Flink configuration
Add the following flinkConfiguration to the deployment:
spec:
  template:
    spec:
      flinkConfiguration:
        security.ssl.rest.enabled: 'true'
        security.ssl.rest.key-password: keystore_password
        security.ssl.rest.keystore: /flink-keystore/flink-rest.keystore
        security.ssl.rest.keystore-password: keystore_password
        security.ssl.rest.truststore: /flink-truststore/flink-rest.keystore
        security.ssl.rest.truststore-password: keystore_password
Kubernetes configuration
Mount the secrets into the JobManager and TaskManager pods with the following Kubernetes configuration:
spec:
  kubernetes:
    jobManagerPodTemplate:
      spec:
        containers:
          - name: flink-jobmanager
            volumeMounts:
              - mountPath: /flink-truststore
                name: flink-truststore-vol
              - mountPath: /flink-keystore
                name: flink-keystore-vol
          - env:
              - name: vvp.result-fetcher.ssl.keystorePath
                value: /result-fetcher-keystore/result-fetcher-rest.keystore
              - name: vvp.result-fetcher.ssl.keystorePassword
                value: key-store-pass
              - name: vvp.result-fetcher.ssl.keyPassword
                value: key-store-pass
            name: result-fetcher
            volumeMounts:
              - mountPath: /result-fetcher-keystore
                name: result-fetcher-keystore-vol
        volumes:
          - name: flink-truststore-vol
            secret:
              secretName: flink-truststore
          - name: flink-keystore-vol
            secret:
              secretName: flink-keystore
          - name: result-fetcher-keystore-vol
            secret:
              secretName: result-fetcher-keystore
    taskManagerPodTemplate:
      spec:
        containers:
          - name: flink-taskmanager
            volumeMounts:
              - mountPath: /flink-truststore
                name: flink-truststore-vol
              - mountPath: /flink-keystore
                name: flink-keystore-vol
        volumes:
          - name: flink-truststore-vol
            secret:
              secretName: flink-truststore
          - name: flink-keystore-vol
            secret:
              secretName: flink-keystore
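The flinkConfiguration from the previous section and the pod templates above have to agree with each other and with the secrets created earlier: every security.ssl.rest.* path must lie under a volumeMount of the Flink container, that mount must name a volume defined in the same pod template, and the volume must be backed by one of the created secrets. If any link is missing, the JobManager or TaskManager fails at startup because the keystore file is not there. The script below is an added example and is not part of the Ververica Platform documentation or product; it models the Deployment as Python dictionaries that mirror the YAML on this page (constructed sample data) and reports the inconsistencies a practitioner most often hits, including the SSL annotation written as a bare YAML boolean, which Kubernetes rejects because annotation values must be strings. The container and secret names come from the page; the function names are my own.

```python
# Added example (not from the Ververica Platform docs): a static consistency
# check for a VVP Deployment spec that enables Flink REST SSL. It cross-checks
# the security.ssl.rest.* paths in flinkConfiguration against the volumeMounts,
# volumes and secret names in the jobManager/taskManager pod templates.
import copy

SSL_PATH_KEYS = ("security.ssl.rest.keystore", "security.ssl.rest.truststore")
SSL_PASSWORD_KEYS = ("security.ssl.rest.keystore-password",
                     "security.ssl.rest.key-password",
                     "security.ssl.rest.truststore-password")
# Secrets the page creates with `kubectl create secret generic ...` in job-namespace
CREATED_SECRETS = {"flink-truststore", "flink-keystore", "result-fetcher-keystore"}


def _container(pod_template, name):
    return next((c for c in pod_template["spec"].get("containers", [])
                 if c.get("name") == name), None)


def check_pod_template(spec, role, container_name, created_secrets=CREATED_SECRETS):
    """Return a list of problems for one pod template (empty list means consistent)."""
    problems = []
    conf = spec["template"]["spec"].get("flinkConfiguration", {})
    tmpl = spec["kubernetes"].get(f"{role}PodTemplate", {"spec": {}})
    container = _container(tmpl, container_name)
    if container is None:
        return [f"{role}: container {container_name} not found"]
    mounts = {m["mountPath"].rstrip("/"): m["name"] for m in container.get("volumeMounts", [])}
    volumes = {v["name"]: v for v in tmpl["spec"].get("volumes", [])}
    for key in SSL_PATH_KEYS:
        path = conf.get(key)
        if not path:
            problems.append(f"{key} is not set")
            continue
        # The configured file must live below one of the container's mount points
        mount = next((mp for mp in mounts if path.startswith(mp + "/")), None)
        if mount is None:
            problems.append(f"{role}: {key}={path} is not under any volumeMount of {container_name}")
            continue
        vol = volumes.get(mounts[mount])
        if vol is None:
            problems.append(f"{role}: mount {mount} uses undefined volume {mounts[mount]}")
        elif vol.get("secret", {}).get("secretName") not in created_secrets:
            problems.append(f"{role}: volume {vol['name']} is not backed by a created secret")
    return problems


def check_deployment(deployment, created_secrets=CREATED_SECRETS):
    """Run every check on a Deployment and return the combined problem list."""
    problems = []
    ann = deployment.get("metadata", {}).get("annotations", {})
    if ann.get("flink.security.ssl.enabled") != "true":   # must be the *string* "true"
        problems.append('annotation flink.security.ssl.enabled is not the string "true"')
    conf = deployment["spec"]["template"]["spec"].get("flinkConfiguration", {})
    if conf.get("security.ssl.rest.enabled") != "true":
        problems.append("security.ssl.rest.enabled is not 'true'")
    problems += [f"{k} is not set" for k in SSL_PASSWORD_KEYS if not conf.get(k)]
    problems += check_pod_template(deployment["spec"], "jobManager", "flink-jobmanager", created_secrets)
    problems += check_pod_template(deployment["spec"], "taskManager", "flink-taskmanager", created_secrets)
    return problems


# Constructed sample mirroring the page's flinkConfiguration and pod templates.
def _flink_container(name):
    return {"name": name, "volumeMounts": [
        {"mountPath": "/flink-truststore", "name": "flink-truststore-vol"},
        {"mountPath": "/flink-keystore", "name": "flink-keystore-vol"}]}


_FLINK_VOLUMES = [
    {"name": "flink-truststore-vol", "secret": {"secretName": "flink-truststore"}},
    {"name": "flink-keystore-vol", "secret": {"secretName": "flink-keystore"}}]

SAMPLE_DEPLOYMENT = {
    "metadata": {"annotations": {"flink.security.ssl.enabled": "true"}},
    "spec": {
        "template": {"spec": {"flinkConfiguration": {
            "security.ssl.rest.enabled": "true",
            "security.ssl.rest.key-password": "keystore_password",
            "security.ssl.rest.keystore": "/flink-keystore/flink-rest.keystore",
            "security.ssl.rest.keystore-password": "keystore_password",
            "security.ssl.rest.truststore": "/flink-truststore/flink-rest.keystore",
            "security.ssl.rest.truststore-password": "keystore_password"}}},
        "kubernetes": {
            "jobManagerPodTemplate": {"spec": {
                "containers": [_flink_container("flink-jobmanager")],
                "volumes": _FLINK_VOLUMES}},
            "taskManagerPodTemplate": {"spec": {
                "containers": [_flink_container("flink-taskmanager")],
                "volumes": _FLINK_VOLUMES}}}}}


def broken_variant():
    """Copy of the sample where the TaskManager template forgot the keystore mount
    and the annotation was written as a bare YAML boolean."""
    d = copy.deepcopy(SAMPLE_DEPLOYMENT)
    d["metadata"]["annotations"]["flink.security.ssl.enabled"] = True
    tm = d["spec"]["kubernetes"]["taskManagerPodTemplate"]["spec"]["containers"][0]
    tm["volumeMounts"] = [m for m in tm["volumeMounts"] if m["mountPath"] != "/flink-keystore"]
    return d


if __name__ == "__main__":
    for label, dep in (("page sample", SAMPLE_DEPLOYMENT), ("broken", broken_variant())):
        print(label, "->", check_deployment(dep) or "OK")
```

The check is deliberately static: it does not read the keystores or talk to the cluster, so it can run in CI against the rendered Deployment before anything is applied. Keep CREATED_SECRETS in sync with whatever secret names you actually create; the page's names are only the default.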