Version: 2.12

Pluggable Certificates

Users can use their own certificates to enable SSL for Flink internal and external communication, via the following steps:

  • Generate certificates for VVP and the Flink jobs
  • Provide the Deployment with a custom SSL Flink configuration
  • Provide the VVP installation with configuration for the custom keystore

Important: Session Clusters Not Supported

Note that session clusters are not supported in this configuration. The instructions below are written specifically for job clusters; using them with session clusters may lead to unexpected behavior or compatibility issues. Make sure you are deploying job clusters to avoid problems related to SSL and certificate management.

Configuration

To use certificates for Flink internal and external communication, follow the configuration steps below: generate the keystores, prepare the Kubernetes environment, enable SSL, and finally deploy.

The commands in the following two sections generate a keystore for Ververica Platform (vvp.keystore) and a keystore for a Flink job (flink-rest.keystore). If you want to use your own public or corporate CA-signed certificate, ask your security team to generate the two keystores by following a similar procedure.

The procedure below uses two Kubernetes namespaces:

  • vvp-namespace: the Kubernetes namespace where Ververica Platform runs
  • job-namespace: the Kubernetes namespace where Flink jobs run

Substitute them with the namespaces you use in your own Kubernetes cluster if necessary.

Generate Ververica Platform keystore

To generate the keystore for the Ververica Platform appmanager, use the following commands:

# 1. Create a self-signed root CA key pair (basic constraints CA:true, key usage keyCertSign)
keytool -genkeypair -alias rootca/v2 -dname "cn=ca.app-manager.v2" -validity 10000 -keyalg RSA -keysize 4096 -ext "bc=ca:true" -ext KeyUsage:critical=keyCertSign -keystore vvp-root.keystore -keypass key-store-pass -storepass key-store-pass

# 2. Export the root CA certificate; it is appended to the Flink certificate chain later
keytool -exportcert -keystore vvp-root.keystore -alias rootca/v2 -storepass key-store-pass -file vvp-root.cer

# 3. Create the appmanager client key pair and export its certificate
keytool -genkeypair -alias client -dname "cn=me.app-manager" -validity 10000 -keyalg RSA -keysize 4096 -keystore vvp-client.keystore -keypass key-store-pass -storepass key-store-pass

keytool -exportcert -keystore vvp-client.keystore -alias client -storepass key-store-pass -file vvp-client.cer

# 4. Combine the root CA and client entries into a single PKCS12 keystore, vvp.keystore
keytool -importkeystore -srckeystore vvp-root.keystore -srcalias rootca/v2 -srckeypass key-store-pass -srcstorepass key-store-pass -destalias rootca/v2 -destkeystore vvp.keystore -destkeypass key-store-pass -deststorepass key-store-pass -deststoretype PKCS12

keytool -importkeystore -srckeystore vvp-client.keystore -srcalias client -srckeypass key-store-pass -srcstorepass key-store-pass -destalias client -destkeystore vvp.keystore -destkeypass key-store-pass -deststorepass key-store-pass -deststoretype PKCS12

To generate the Flink job keystore, use the following commands:

# 1. Create the Flink REST key pair in a PKCS12 keystore; the CN and SAN cover the job namespace services
keytool -genkeypair -alias flink.rest -keystore flink-rest.keystore -dname "CN=*.job-namespace.svc" -ext "SAN=dns:*.job-namespace.svc.cluster.local" -storepass keystore_password -keyalg RSA -keysize 4096 -storetype PKCS12

# 2. Create a CSR, sign it with the VVP root CA, and build the chain (leaf certificate followed by root CA)
keytool -certreq -alias flink.rest -keystore flink-rest.keystore -storepass keystore_password -file rest.csr
keytool -gencert -alias rootca/v2 -keystore vvp-root.keystore -storepass key-store-pass -ext "SAN=dns:*.job-namespace.svc" -infile rest.csr -outfile rest.cer
cat rest.cer vvp-root.cer > chain.cer

# 3. Import the VVP client certificate as a trusted entry and install the signed chain on the flink.rest key entry
keytool -importcert -keystore flink-rest.keystore -storepass keystore_password -file vvp-client.cer -alias client -noprompt
keytool -importcert -keystore flink-rest.keystore -storepass keystore_password -file chain.cer -alias flink.rest -noprompt

Kubernetes environment preparation

To prepare the Kubernetes environment, create a Secret in the Ververica Platform namespace containing the Ververica Platform keystore:

kubectl --namespace=vvp-namespace create secret generic vvp-keystore --from-file=vvp.keystore

Then point Ververica Platform at that keystore through its values.yaml (the Helm chart values), mounting the Secret into the appmanager:

vvp:
  appmanager:
    ssl:
      keystore: /vvp-keystore/vvp.keystore
      keystore-password: key-store-pass
      keystore-key-password: key-store-pass

volumeMounts:
  - name: vvp-keystore
    mountPath: /vvp-keystore

volumes:
  - name: vvp-keystore
    secret:
      secretName: vvp-keystore

To create the Kubernetes Secrets for the Flink job truststore and keystore (both are created from the same flink-rest.keystore file), use the following two commands in the job namespace:

kubectl --namespace=job-namespace create secret generic flink-truststore --from-file=flink-rest.keystore
kubectl --namespace=job-namespace create secret generic flink-keystore --from-file=flink-rest.keystore

Enable SSL for network communication

To enable SSL for network communication, set the following annotation in the Deployment template metadata:

spec:
  template:
    metadata:
      annotations:
        flink.security.ssl.enabled: true

Deployments

Provide the Deployment with the SSL Flink configuration; the keystore and truststore paths refer to the mount points defined in the pod templates below:

spec:
  template:
    spec:
      flinkConfiguration:
        security.ssl.rest.enabled: 'true'
        security.ssl.rest.key-password: keystore_password
        security.ssl.rest.keystore: /flink-keystore/flink-rest.keystore
        security.ssl.rest.keystore-password: keystore_password
        security.ssl.rest.truststore: /flink-truststore/flink-rest.keystore
        security.ssl.rest.truststore-password: keystore_password

For the Kubernetes configuration, mount the two Secrets into both the JobManager and the TaskManager pods through the pod templates:

spec:
  template:
    spec:
      kubernetes:
        jobManagerPodTemplate:
          spec:
            containers:
              - name: flink-jobmanager
                volumeMounts:
                  - mountPath: /flink-truststore
                    name: flink-truststore
                  - mountPath: /flink-keystore
                    name: flink-keystore
            volumes:
              - name: flink-truststore
                secret:
                  secretName: flink-truststore
              - name: flink-keystore
                secret:
                  secretName: flink-keystore
        taskManagerPodTemplate:
          spec:
            containers:
              - name: flink-taskmanager
                volumeMounts:
                  - mountPath: /flink-truststore
                    name: flink-truststore
                  - mountPath: /flink-keystore
                    name: flink-keystore
            volumes:
              - name: flink-truststore
                secret:
                  secretName: flink-truststore
              - name: flink-keystore
                secret:
                  secretName: flink-keystore
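The flinkConfiguration block and the two pod templates above must agree with each other: every keystore or truststore path that Flink is told to open has to sit under a Secret-backed volumeMount in both the JobManager and the TaskManager container, or one of the two roles will fail to find the file at startup. The following script is an added example, not part of the Ververica Platform documentation or code; it checks that consistency over a Deployment spec expressed as a plain Python dict (the sample spec is constructed to mirror the YAML on this page, and the helper names are hypothetical). It uses only the standard library, so it runs offline and can be pointed at a spec loaded from YAML with any parser.

```python
"""Added consistency check (not part of the Ververica Platform docs): verify
that the SSL file paths in a Deployment's flinkConfiguration are backed by
Secret volumes mounted in BOTH the JobManager and TaskManager pod templates.
Standard library only; the sample spec below is constructed to mirror this page."""
import copy
import os
from typing import Any, Dict, List, Optional

KEYSTORE_KEY = "security.ssl.rest.keystore"
TRUSTSTORE_KEY = "security.ssl.rest.truststore"
ROLES = ("jobManagerPodTemplate", "taskManagerPodTemplate")


def _mounts(pod_template: Dict[str, Any]) -> Dict[str, str]:
    """Map mountPath -> volume name over every container in the pod template."""
    out: Dict[str, str] = {}
    for c in pod_template.get("spec", {}).get("containers", []):
        for m in c.get("volumeMounts", []):
            out[m["mountPath"].rstrip("/")] = m["name"]
    return out


def _secret_volumes(pod_template: Dict[str, Any]) -> Dict[str, str]:
    """Map volume name -> secretName for volumes that are backed by a Secret."""
    return {v["name"]: v["secret"]["secretName"]
            for v in pod_template.get("spec", {}).get("volumes", [])
            if "secret" in v}


def _mount_containing(path: str, mounts: Dict[str, str]) -> Optional[str]:
    """Return the longest mountPath that is a parent directory of path, if any."""
    best: Optional[str] = None
    for mp in mounts:
        if path.startswith(mp + "/") and (best is None or len(mp) > len(best)):
            best = mp
    return best


def check_ssl_mounts(deployment_spec: Dict[str, Any]) -> List[str]:
    """Return findings; an empty list means the spec is consistent.
    Strings starting with 'warning:' are advisory, everything else is an error."""
    tmpl = deployment_spec["template"]["spec"]
    conf = tmpl.get("flinkConfiguration", {})
    k8s = tmpl.get("kubernetes", {})
    findings: List[str] = []

    if str(conf.get("security.ssl.rest.enabled", "false")).lower() != "true":
        findings.append("security.ssl.rest.enabled is not 'true'")

    for key in (KEYSTORE_KEY, TRUSTSTORE_KEY):
        path = conf.get(key)
        if not path:
            findings.append(f"{key} is not set")
            continue
        for role in ROLES:  # the file must be reachable in both roles
            pt = k8s.get(role, {})
            mounts = _mounts(pt)
            mp = _mount_containing(path, mounts)
            if mp is None:
                findings.append(f"{role}: {key}={path} is not under any volumeMount")
                continue
            vol = mounts[mp]
            if vol not in _secret_volumes(pt):
                findings.append(f"{role}: mount {mp} uses volume {vol!r}, "
                                "which is not a Secret volume")

    # Both Secrets on this page are created from flink-rest.keystore; flag the
    # shared file name so the reader knows the truststore also carries the key.
    ks, ts = conf.get(KEYSTORE_KEY), conf.get(TRUSTSTORE_KEY)
    if ks and ts and os.path.basename(ks) == os.path.basename(ts):
        findings.append("warning: keystore and truststore share the file name "
                        f"{os.path.basename(ks)}; if both Secrets were created from "
                        "the same file, the truststore also holds the private key")
    return findings


def _pod_template(container_name: str) -> Dict[str, Any]:
    """Pod template with the two Secret mounts shown on this page."""
    return {"spec": {
        "containers": [{"name": container_name, "volumeMounts": [
            {"mountPath": "/flink-truststore", "name": "flink-truststore"},
            {"mountPath": "/flink-keystore", "name": "flink-keystore"}]}],
        "volumes": [
            {"name": "flink-truststore", "secret": {"secretName": "flink-truststore"}},
            {"name": "flink-keystore", "secret": {"secretName": "flink-keystore"}}]}}


# Constructed sample mirroring the Deployment snippets on this page.
PAGE_SPEC: Dict[str, Any] = {"template": {"spec": {
    "flinkConfiguration": {
        "security.ssl.rest.enabled": "true",
        "security.ssl.rest.key-password": "keystore_password",
        "security.ssl.rest.keystore": "/flink-keystore/flink-rest.keystore",
        "security.ssl.rest.keystore-password": "keystore_password",
        "security.ssl.rest.truststore": "/flink-truststore/flink-rest.keystore",
        "security.ssl.rest.truststore-password": "keystore_password"},
    "kubernetes": {
        "jobManagerPodTemplate": _pod_template("flink-jobmanager"),
        "taskManagerPodTemplate": _pod_template("flink-taskmanager")}}}}


def spec_missing_taskmanager_truststore() -> Dict[str, Any]:
    """Copy of PAGE_SPEC where the TaskManager lost its truststore mount, a
    typical copy-paste slip: the configured file would not exist in that container."""
    spec = copy.deepcopy(PAGE_SPEC)
    container = spec["template"]["spec"]["kubernetes"]["taskManagerPodTemplate"]["spec"]["containers"][0]
    container["volumeMounts"] = [m for m in container["volumeMounts"] if m["name"] != "flink-truststore"]
    return spec


if __name__ == "__main__":
    for finding in check_ssl_mounts(PAGE_SPEC) or ["ok"]:
        print(finding)
    for finding in check_ssl_mounts(spec_missing_taskmanager_truststore()):
        print(finding)
```

Run against the page's own spec the checker reports no errors, only the warning that keystore and truststore carry the same file name. Dropping a single mount from the TaskManager template produces a role-specific error, which is the kind of mismatch that is otherwise only discovered from a failed pod start.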