Artifact Storage
Accessing Artifact Storage over HTTPS with a Self-Signed Certificate
When you start a new Apache Flink® cluster by running a Deployment, the Flink JobManager pod fetches your application JAR artifact during initialization.
If you are fetching an external artifact over HTTPS with a certificate signed by a non-public CA, you must create a Java TrustStore and configure the artifact fetcher to use it:
- Create a TrustStore containing your CA certificate as a trusted entity.
- Create a Kubernetes Secret from the file.
- Configure the artifact fetcher to use the secret.
Create a TrustStore
To create a TrustStore containing your CA certificate, refer to the official Java documentation for the keytool CLI tool.
Create a Kubernetes Secret
If your TrustStore is named trustStore, run the following command to create a Kubernetes Secret named artifact-fetcher-truststore in the my-namespace namespace:
kubectl \
  --namespace=my-namespace \
  create secret generic artifact-fetcher-truststore \
  --from-file=trustStore=/path/to/trustStore
Create the Secret in the namespace used for your Deployments.
If you use multiple Kubernetes namespaces for Deployments, you must create similar Secrets in all target namespaces. The Secret name and the file name must be the same in every namespace.
Configure Ververica Platform Artifact Fetcher
The artifact fetcher configuration parameters are stored in the platform configuration.
To configure Ververica Platform with a self-signed certificate, use the following options under vvp.appmanager.cluster:
- kubernetes.artifact-fetcher.http.trust-store.secret-name: Optional string. Kubernetes Secret name containing the TrustStore.
- kubernetes.artifact-fetcher.http.trust-store.filename: Optional string. The key name under which the TrustStore is stored in the Kubernetes Secret.
- kubernetes.artifact-fetcher.http.trust-store.type: Optional string. TrustStore format. Defaults to "JKS".
- kubernetes.artifact-fetcher.http.trust-store.password: Optional string. Passphrase of the TrustStore.
These options produce the following example configuration:
cluster:
  kubernetes.artifact-fetcher.http.trust-store.secret-name: artifact-fetcher-truststore
  kubernetes.artifact-fetcher.http.trust-store.filename: trustStore
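As an added example (not part of the Ververica documentation), the shell helper below checks that the TrustStore file's on-disk format agrees with the kubernetes.artifact-fetcher.http.trust-store.type value before the Secret is created; keytool in JDK 9 and later writes PKCS12 unless another type is requested, while the option defaults to "JKS". The function names and the constructed sample bytes are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight check for a TrustStore before it goes into the Secret.

# Print the keystore format, judged by the file's leading bytes:
#   FE ED FE ED -> JKS, CE CE CE CE -> JCEKS, 30 (DER SEQUENCE) -> PKCS12
truststore_format() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \t\n')
    case "$magic" in
        feedfeed) echo JKS ;;
        cececece) echo JCEKS ;;
        30*)      echo PKCS12 ;;
        *)        echo UNKNOWN ;;
    esac
}

# Succeed only if the file's format equals the configured trust-store.type
# (second argument; "JKS" when omitted, mirroring the documented default).
check_truststore() {
    file=$1
    want=${2:-JKS}
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    got=$(truststore_format "$file")
    if [ "$got" != "$want" ]; then
        echo "$file is $got but trust-store.type is $want" >&2
        return 1
    fi
    echo "$file: $got, matches trust-store.type"
}

# Run the check, then create the Secret with the names used on this page.
# Arguments: TrustStore path, namespace, optional trust-store.type.
create_truststore_secret() {
    check_truststore "$1" "${3:-JKS}" || return
    kubectl --namespace="$2" create secret generic artifact-fetcher-truststore \
        --from-file=trustStore="$1"
}

# Constructed sample: the leading bytes of a JKS file, not a real TrustStore.
sample=$(mktemp)
printf '\376\355\376\355\000\000\000\002' > "$sample"
check_truststore "$sample" JKS
rm -f "$sample"
```

On a mismatch, either recreate the TrustStore in the configured format or set kubernetes.artifact-fetcher.http.trust-store.type to the format the file actually has.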
Configuring the Artifact Temporary Directory
For Session Cluster deployments, Ververica Platform uses the Java default /tmp directory to copy the job artifact into the JobManager pod. You can configure a custom temporary directory to control the properties of the directory that the artifact submission mechanism uses.
Add the following configuration to your values.yaml:
appmanager:
  artifactTmpDir: /artifacts-tmp
  artifactTmpDirSizeLimit: 2Gi
vvp:
  appmanager:
    cluster:
      kubernetes.session-cluster.artifact-tmp-dir: "/artifacts-tmp"