Advanced Configuration
This section contains advanced configuration information that may be helpful in integrating Ververica Platform with your environment.
Using a Java TrustStore with Application Manager
Application Manager must be able to access your Flink application JAR artifacts via HTTP or HTTPS. If your artifact storage uses TLS, and serves a certificate signed by a non-public CA, you must create a Java TrustStore, make it accessible to Application Manager, and pass the requisite JVM flags to enable its use.
You can follow these steps, having made the necessary changes, to use a Java KeyStore with Application Manager.
- Create a TrustStore containing your CA certificate as a trusted entity
- Create a Kubernetes Secret from this file
- Mount the Secret as a Volume in the Application Manager Pod
- Configure Application Manager to use the TrustStore via an environment variable
- Configure Application Manager artifact fetcher to use the TrustStore via a service configuration
Create a TrustStore
Please reference the official Java documentation for the Java CLI tool keytool for information on creating a TrustStore containing your CA certificate.
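As an added example (not taken from the Ververica documentation), the script below builds a JKS TrustStore from a CA certificate with keytool and checks it before it is packaged into a Secret. The alias artifact-store-ca, the file names and the password variable are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the Ververica documentation.
# Assumed names: alias "artifact-store-ca"; file names and password are passed in.

# Build a JKS TrustStore holding one CA certificate (PEM or DER).
# JKS matches the artifact fetcher's default trust-store.type.
# The JVM uses this file instead of its bundled cacerts, so it must
# contain every CA that Application Manager needs to trust.
build_truststore() {
  local ca_cert=$1 out=$2 pass=$3
  [ -r "$ca_cert" ] || { echo "cannot read CA certificate: $ca_cert" >&2; return 1; }
  rm -f "$out"   # keytool would otherwise append to an existing store
  keytool -importcert -noprompt -trustcacerts \
    -alias artifact-store-ca -file "$ca_cert" \
    -keystore "$out" -storetype JKS -storepass "$pass" \
    </dev/null >/dev/null 2>&1
}

# Succeed only if the store opens with the given password, holds at least
# one trusted certificate, and holds no private keys (a TrustStore that is
# shipped in a Secret and mounted into Pods should carry public material only).
verify_truststore() {
  local store=$1 pass=$2 type=${3:-JKS} listing trusted private
  listing=$(keytool -list -keystore "$store" -storetype "$type" \
    -storepass "$pass" </dev/null 2>/dev/null) || return 1
  trusted=$(printf '%s\n' "$listing" | grep -c 'trustedCertEntry' || true)
  private=$(printf '%s\n' "$listing" | grep -c 'PrivateKeyEntry' || true)
  [ "$trusted" -ge 1 ] && [ "$private" -eq 0 ]
}

# Usage (file names are placeholders):
#   build_truststore ca.crt trustStore "$TRUSTSTORE_PASSWORD" &&
#   verify_truststore trustStore "$TRUSTSTORE_PASSWORD"
```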
Create a Kubernetes Secret
If your TrustStore is named trustStore, use the following command to create a Kubernetes Secret named daplatform-secrets in the namespace my-namespace that contains it:
$ kubectl \
    --namespace=my-namespace \
    create secret generic daplatform-secrets \
    --from-file=trustStore
The Secret should be created in the same namespace that Application Manager is deployed in.
Mount the Secret as a Volume
Note
Kubernetes will restart Application Manager after the Deployment is edited.
Edit the Application Manager Deployment, adding an additional entry to spec.template.spec.volumes:
- name: daplatform-secrets
  secret:
    secretName: daplatform-secrets
And adding an additional entry to spec.template.spec.containers[0].volumeMounts:
- mountPath: /etc/daplatform-secrets
  name: daplatform-secrets
See the Kubernetes documentation for more information about mounting a Secret into a Pod.
Set Application Manager environment variable
Note
Kubernetes will restart Application Manager after the Deployment is edited.
Also in the Application Manager Deployment, add an entry to spec.template.spec.containers[0].env along these lines (you may have to create the env key):
- name: JAVA_OPTS
  value: -Djavax.net.ssl.trustStore=/etc/daplatform-secrets/trustStore
Configure Application Manager artifact fetcher
For Flink versions 1.7 and higher, Application Manager uses a different deployment mechanism.
In particular, Flink application JAR artifacts are fetched directly from the pods dedicated to the Flink cluster, instead of by the Application Manager service.
This is done by the artifact fetcher during pod initialisation.
The artifact fetcher configuration parameters are stored in Application Manager's config YAML (appmanager.yaml).
For an HTTPS artifact store with a self-signed certificate, the following options may be helpful:
- kubernetes.artifact-fetcher.http.trust-store.secret-name - optional string, Kubernetes secret name containing the TrustStore;
- kubernetes.artifact-fetcher.http.trust-store.filename - optional string, the key name under which the TrustStore is kept in the Kubernetes secret;
- kubernetes.artifact-fetcher.http.trust-store.type - optional string, the TrustStore format, "JKS" by default;
- kubernetes.artifact-fetcher.http.trust-store.password - optional string, pass phrase of the TrustStore
The above configuration steps would translate to the following example configuration:
cluster:
  kubernetes.artifact-fetcher.http.trust-store.secret-name: daplatform-secrets
  kubernetes.artifact-fetcher.http.trust-store.filename: trustStore