Flink SSL/TLS

For deployments with Flink Version 1.6 or higher, Application Manager supports auto provisioned Flink SSL setup.

To enable it, set flink.security.ssl.enabled: true in deployment template’s annotation. This switches on SSL mutual auth for Flink internal network communication and makes Flink REST API and web UI served via https. If the flinkVersion is 1.6.2 or higher, this will additionally enable SSL mutual authentication (for clients of Flink REST API and web UI).

By default, SSL is disabled (same as explicit setting flink.security.ssl.enabled: false).

Note

Enabling this option will set the required Flink SSL configuration parameters. Effectively this would ignore matching user settings in Flink Configuration (flink-conf.yaml).

Attention

Direct requests to Flink’s REST API will require a trusted client certificate when SSL mutual authentication is enabled. Access to the Flink web user interface (and REST api) is still possible through Application Manager’s Flink proxy.

Implementation details

To provision Flink clusters with key stores and trust stores required for transport security, Application Manager generates once

• a self signed certificate: the public key is shared with Flink JobManager instances to facilitate Flink REST API and web UI SSL client auth;
• a self signed signing certificate (CA) for signing SSL certificates for Flink JobManager.

Both certificates (with private keys) are stored in a key store under the persisted directory of Application Manager.

Before starting a deployment with the configuration enabled, Application Manager will generate

• a self signed certificate, used to enable secure Flink internal connectivity;
• a certificate signed by the signing certificate, to enable https on Flink JobManager’s REST API and web UI.

Both certificates (with private keys) are saved in a Kubernetes secret, which later is mounted to each deployment’s Flink nodes.

The implementation can be summarized in the following diagram: