Hi, I have a proposal for a Flink operator change – but I’m unsure whether it’s 
a) valuable, and b) large enough for a FLIP vs a Jira issue.

Scenario:

  *   I am using a selection of connectors that will communicate via TLS
  *   I would like to be able to connect to both internal and external services 
(i.e. some use company-issued certificates, others are signed by public 
authorities)
  *   I don’t want to have to configure each connector with PEM certificates 
(and then edit the program whenever a certificate expires)

The problem is that all I believe I can do is override the Flink JVM truststore 
to point to a truststore with the internal CA certificates:

env.java.opts.taskmanager: >-
   -Djavax.net.ssl.trustStore=/certs/truststore.<keystore-extension>
   -Djavax.net.ssl.trustStorePassword=<chosen password>
env.java.opts.jobmanager: >-
   -Djavax.net.ssl.trustStore=/certs/truststore.<keystore-extension>
   -Djavax.net.ssl.trustStorePassword=<chosen password>

The problem here is that it overrides the default cacerts truststore in Java – 
so I cannot connect to externally signed endpoints.

I know that I can merge cacerts and my truststore into a new truststore as a 
manual process. But it means that I have to remember to extract the cacerts 
every time I have a minor Java change.

Proposed scenario:

  *   New property on the CR for a secret containing an “external truststore” 
(possibly an “external keystore” as well for mTLS)
  *   The flink operator deploys Flink with an init container and mounts the 
secrets
  *   The init container then combines the default cacerts on the Flink 
job/task manager with the “external truststore” and supplies that to the Flink 
runtime

This means that you can enable connecting to both internal and externally 
signed endpoints from a Flink job.

Thoughts as to whether this is big enough for a FLIP (if valuable)?

--

Nic Townsend
IBM Event Processing
Senior Engineer / Technical Lead

Slack: @nictownsend


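As an added example (not part of the message above, and not an existing operator feature), this is how the proposed flow can be approximated today with the operator's `podTemplate`: an init container copies the JVM's default cacerts into a fresh PKCS12 store, layers the internal CA chain from a mounted Secret on top, and the job and task managers are pointed at the merged store through the same `env.java.opts.*` properties used above. It goes slightly beyond the proposal in that the Secret may hold either a PKCS12 truststore or plain PEM files. Assumed names: a Secret `external-truststore` with keys `truststore.p12` and `password`, the image `flink:1.17`, the `flink` service account, the `/certs` mount paths, and a `JAVA_HOME` set by the image (true of the official images, which are based on Temurin and ship `keytool`).

```yaml
apiVersion: flink.apache.org/v1beta1
kind: FlinkDeployment
metadata:
  name: tls-merged-truststore    # assumed name
spec:
  image: flink:1.17              # assumed; any Flink image whose JRE ships keytool
  flinkVersion: v1_17
  serviceAccount: flink
  flinkConfiguration:
    # Point both JVMs at the merged store built by the init container below.
    # It contains public certificates only, so it keeps the cacerts default password.
    env.java.opts.jobmanager: >-
      -Djavax.net.ssl.trustStore=/certs/merged/truststore.p12
      -Djavax.net.ssl.trustStoreType=PKCS12
      -Djavax.net.ssl.trustStorePassword=changeit
    env.java.opts.taskmanager: >-
      -Djavax.net.ssl.trustStore=/certs/merged/truststore.p12
      -Djavax.net.ssl.trustStoreType=PKCS12
      -Djavax.net.ssl.trustStorePassword=changeit
  podTemplate:
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-template
    spec:
      initContainers:
        - name: merge-truststore
          image: flink:1.17
          env:
            - name: EXTERNAL_TRUSTSTORE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: external-truststore   # assumed Secret name
                  key: password               # assumed key holding the store password
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -eu
              # Locate the JVM's own cacerts (JDK 9+ layout, then the JDK 8 layout).
              CACERTS="$JAVA_HOME/lib/security/cacerts"
              [ -f "$CACERTS" ] || CACERTS="$JAVA_HOME/jre/lib/security/cacerts"
              OUT=/certs/merged/truststore.p12
              # 1. Start from cacerts so publicly signed endpoints keep working.
              keytool -importkeystore -noprompt \
                -srckeystore "$CACERTS" -srcstorepass changeit \
                -destkeystore "$OUT" -deststoretype PKCS12 -deststorepass changeit
              # 2. Layer the internal CA chain from the Secret on top. With -noprompt,
              #    keytool skips (with a warning) aliases that already exist in cacerts.
              #    The password is read from the environment, not placed on the command line.
              if [ -f /certs/external/truststore.p12 ]; then
                keytool -importkeystore -noprompt \
                  -srckeystore /certs/external/truststore.p12 \
                  -srcstorepass:env EXTERNAL_TRUSTSTORE_PASSWORD \
                  -destkeystore "$OUT" -deststorepass changeit
              fi
              # 3. Also accept plain PEM certificates in the Secret, one alias per file.
              for pem in /certs/external/*.pem /certs/external/*.crt; do
                [ -f "$pem" ] || continue
                keytool -importcert -noprompt -alias "external-$(basename "$pem")" \
                  -file "$pem" -keystore "$OUT" -storepass changeit
              done
              # 4. Fail the pod early if the merged store cannot be opened.
              keytool -list -keystore "$OUT" -storepass changeit >/dev/null
          volumeMounts:
            - name: external-truststore
              mountPath: /certs/external
              readOnly: true
            - name: merged-truststore
              mountPath: /certs/merged
      containers:
        - name: flink-main-container   # the operator merges this into the JM/TM containers
          volumeMounts:
            - name: merged-truststore
              mountPath: /certs/merged
              readOnly: true
      volumes:
        - name: external-truststore
          secret:
            secretName: external-truststore
        - name: merged-truststore
          emptyDir: {}
  jobManager:
    resource:
      memory: "2048m"
      cpu: 1
  taskManager:
    resource:
      memory: "2048m"
      cpu: 1
```

Because the merge runs at pod start from the image's own cacerts, a Java upgrade in the image is picked up automatically, and rotating an internal CA becomes a Secret update plus a pod restart rather than a change to the job. The truststore password only provides an integrity check over public certificates, which is why reusing the cacerts default for the merged store is acceptable; the external store's password still comes from the Secret rather than the CR.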