Advanced Configuration

This section contains advanced configuration information that may be helpful in integrating Ververica Platform with your environment.

Using a Java TrustStore with Application Manager

Application Manager must be able to access your Flink application JAR artifacts via HTTP or HTTPS. If your artifact storage uses TLS, and serves a certificate signed by a non-public CA, you must create a Java TrustStore, make it accessible to Application Manager, and pass the requisite JVM flags to enable its use.

You can follow these steps, having made the necessary changes, to use a Java KeyStore with Application Manager.

  1. Create a TrustStore containing your CA certificate as a trusted entity
  2. Create a Kubernetes Secret from this file
  3. Mount the Secret as a Volume in the Application Manager Pod
  4. Configure Application Manager to use the TrustStore via an environment variable
  5. Configure Application Manager artifact fetcher to use the TrustStore via a service configuration

Create a TrustStore

Please refer to the official Java documentation for the Java CLI tool keytool for information on creating a TrustStore containing your CA certificate.

Create a Kubernetes Secret

If your TrustStore is named trustStore, use the following command to create a Kubernetes Secret named daplatform-secrets in the namespace my-namespace that contains it:

$ kubectl \
    --namespace=my-namespace \
    create secret generic daplatform-secrets \
    --from-file=trustStore

The Secret should be created in the same namespace that Application Manager is deployed in.

Mount the Secret as a Volume

Note

Kubernetes will restart Application Manager after the Deployment is edited.

Edit the Application Manager Deployment, adding an additional entry to spec.template.spec.volumes:

- name: daplatform-secrets
  secret:
    secretName: daplatform-secrets

And adding an additional entry to spec.template.spec.containers[0].volumeMounts:

- mountPath: /etc/daplatform-secrets
  name: daplatform-secrets

See the Kubernetes documentation for more information about mounting a Secret into a Pod.

Set Application Manager environment variable

Note

Kubernetes will restart Application Manager after the Deployment is edited.

Also in the Application Manager Deployment, add an entry to spec.template.spec.containers[0].env along these lines (you may have to create the env key):

- name: JAVA_OPTS
  value: -Djavax.net.ssl.trustStore=/etc/daplatform-secrets/trustStore

Configure Application Manager artifact fetcher

For Flink versions 1.7 and higher, Application Manager uses a different deployment mechanism. In particular, Flink application JAR artifacts are fetched directly from within the pods dedicated to the Flink cluster, instead of by the Application Manager service.

This is done by the artifact fetcher during the pod initialisation process.

The artifact fetcher configuration parameters are stored in Application Manager’s config yaml (appmanager.yaml).

For an HTTPS artifact store with a self-signed certificate, the following options may be helpful:

  • kubernetes.artifact-fetcher.http.trust-store.secret-name - optional string, Kubernetes secret name containing the TrustStore;
  • kubernetes.artifact-fetcher.http.trust-store.filename - optional string, the key name under which the TrustStore is kept in the Kubernetes secret;
  • kubernetes.artifact-fetcher.http.trust-store.type - optional string, the TrustStore format, "JKS" by default;
  • kubernetes.artifact-fetcher.http.trust-store.password - optional string, passphrase of the TrustStore.

The above configuration steps would translate to the following example configuration:

cluster:
  kubernetes.artifact-fetcher.http.trust-store.secret-name: daplatform-secrets
  kubernetes.artifact-fetcher.http.trust-store.filename: trustStore
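
A mismatch between the Secret key, the mount path, the JAVA_OPTS path and the artifact fetcher settings only shows up later as a TLS failure, so it helps to cross-check steps 2 to 5 before the restart. The following is an added example, not part of Ververica Platform: the function name and input shapes are assumptions (a Deployment parsed from kubectl get deployment -o json, a map of Secret names to their keys, and the cluster section of appmanager.yaml), and it assumes the TrustStore sits directly in the mount directory.

```python
import posixpath

PROP = "-Djavax.net.ssl.trustStore="
FETCHER = "kubernetes.artifact-fetcher.http.trust-store."

def check_truststore_wiring(deployment, secret_keys, cluster_cfg):
    """Return a list of problems (empty = steps 2-5 agree); secret_keys: name -> keys."""
    problems = []
    pod = deployment["spec"]["template"]["spec"]
    container = pod["containers"][0]
    # Step 3: Secret-backed volumes and where the first container mounts them.
    vols = {v["name"]: v["secret"]["secretName"]
            for v in pod.get("volumes", []) if "secret" in v}
    mounts = {m["mountPath"].rstrip("/"): vols[m["name"]]
              for m in container.get("volumeMounts", []) if m["name"] in vols}
    # Step 4: JAVA_OPTS must name a file that is a key of a mounted Secret.
    opts = next((e.get("value", "") for e in container.get("env", [])
                 if e["name"] == "JAVA_OPTS"), "")
    paths = [t[len(PROP):] for t in opts.split() if t.startswith(PROP)]
    if not paths:
        problems.append("JAVA_OPTS does not set javax.net.ssl.trustStore")
    for path in paths:
        directory, filename = posixpath.split(path)
        secret = mounts.get(directory)
        if secret is None:
            problems.append(f"{path} is not inside a mounted Secret volume")
        elif filename not in secret_keys.get(secret, ()):
            problems.append(f"Secret {secret} has no key {filename}")
    # Step 5: the artifact fetcher must reference an existing Secret and key.
    name = cluster_cfg.get(FETCHER + "secret-name")
    key = cluster_cfg.get(FETCHER + "filename")
    if name not in secret_keys:
        problems.append(f"artifact fetcher Secret {name} does not exist")
    elif key not in secret_keys[name]:
        problems.append(f"artifact fetcher key {key} not in Secret {name}")
    return problems

# Constructed sample mirroring the snippets above (not output from a real cluster).
GOOD = {"spec": {"template": {"spec": {
    "volumes": [{"name": "daplatform-secrets",
                 "secret": {"secretName": "daplatform-secrets"}}],
    "containers": [{
        "volumeMounts": [{"mountPath": "/etc/daplatform-secrets",
                          "name": "daplatform-secrets"}],
        "env": [{"name": "JAVA_OPTS",
                 "value": PROP + "/etc/daplatform-secrets/trustStore"}]}]}}}}
SECRETS = {"daplatform-secrets": {"trustStore"}}
CLUSTER = {FETCHER + "secret-name": "daplatform-secrets", FETCHER + "filename": "trustStore"}
print(check_truststore_wiring(GOOD, SECRETS, CLUSTER) or "wiring is consistent")
```

Secret keys are case-sensitive, so a filename of truststore in the fetcher configuration is reported as missing from a Secret created with --from-file=trustStore.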