Artifact Storage

Accessing artifact storage via HTTPS with self-signed certificate

When starting a new Apache Flink® cluster, by running a Deployment, your application JAR artifact will be fetched by Flink Jobmanager Pod during initialization.

If you are using HTTPS to fetch an external artifact with a certificate signed by a non-public CA, you have to create a Java TrustStore and configure the artifact fetcher to use it:

  1. Create a TrustStore containing your CA certificate as a trusted entity
  2. Create a Kubernetes Secret from the file
  3. Configure artifact fetcher to use the secret

Create a TrustStore

Please reference the official Java documentation for the Java CLI tool keytool for information on creating a TrustStore containing your CA certificate.

Create a Kubernetes Secret

If your TrustStore is named trustStore, use the following command to create a Kubernetes Secret <> named artifact-fetcher-truststore in the namespace my-namespace that contains it:

$ kubectl \
    --namespace=my-namespace \
    create secret generic artifact-fetcher-truststore \


The Secret should be created in the Namespace that would be used for your Deployments.

If you are using multiple Kubernetes namespaces for Deployments, you have to create similar Secrets in all target namespaces. Secret names and file names must be the same.

Configure Ververica Platform’s Artifact Fetcher

The artifact fetcher configuration parameters are stored in the platform’s configuration.

To configure Ververica Platform with a self signed certificate, the following options may be helpful (under vvp.appmanager.cluster):

  • - optional string, Kubernetes secret name containing the TrustStore;
  • - optional string, the key name under which the TrustStore is kept in the Kubernetes secret;
  • - optional string, the TrustStore format, "JKS" by default;
  • - optional string, pass phrase of TrustStore

The above configuration steps, would translate to the following example configuration:

cluster: artifact-fetcher-truststore trustStore