Github user EronWright commented on the issue: https://github.com/apache/flink/pull/5966

This looks great but let's please separate the intra-cluster SSL configuration options from the external-cluster options. In particular, the web/API endpoints should be governed by a different keystore and truststore than are the internal endpoints. Likewise, the "hostname verification" option should pertain only to external connectivity.

My rationale is that:

1. The truststore to be used for internal connectivity must be highly restrictive; it should never be the system truststore. Meanwhile, the truststore for external connectivity (e.g. from the Flink client) should typically be the system truststore.
2. The certificate to be used for internal connectivity may simply be a generated certificate. Meanwhile, the certificate for external connectivity should be obtained from a cluster CA. For example, in K8s one might expect a cert obtained from the cluster CA and with a CN corresponding to a Service resource (`flink.default.svc.cluster.local`).

The whole issue of using a restrictive truststore for internal connectivity has been discussed on various Akka forums, for example [this PR](https://github.com/akka/akka/pull/23568#issuecomment-331919364). Keep in mind that Akka has no authorization layer; any authenticated client is considered authorized. Therefore, a liberal truststore (such as the system truststore) would present an extremely low barrier of entry since public SSL certs are easy to get.
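The separation argued for in this comment, as an added check that is neither part of the PR nor Flink's own code: a small linter over a flink-conf.yaml that flags a single shared `security.ssl.*` block, an internal truststore that points at the system bundle, and internal and REST endpoints sharing a store. It assumes the `security.ssl.internal.*` / `security.ssl.rest.*` key names that later Flink releases adopted, and the two sample configs are constructed.

```python
from typing import Dict, List

# Paths that suggest the JDK/OS trust bundle rather than a cluster-specific store.
SYSTEM_TRUSTSTORE_HINTS = ("cacerts", "ca-certificates", "ca-bundle")

# Constructed sample: one legacy security.ssl.* block for everything, trusting the JDK bundle.
WEAK_CONF = """
security.ssl.enabled: true
security.ssl.keystore: /opt/flink/conf/flink.keystore
security.ssl.truststore: /usr/lib/jvm/java-8-openjdk/jre/lib/security/cacerts
"""

# Constructed sample: separate stores, with only the REST (external) side using the system bundle.
SPLIT_CONF = """
security.ssl.internal.enabled: true
security.ssl.internal.keystore: /opt/flink/conf/internal.keystore
security.ssl.internal.truststore: /opt/flink/conf/internal.truststore
security.ssl.rest.enabled: true
security.ssl.rest.keystore: /opt/flink/conf/rest.keystore
security.ssl.rest.truststore: /usr/lib/jvm/java-8-openjdk/jre/lib/security/cacerts
security.ssl.verify-hostname: true
"""

def parse_flink_conf(text: str) -> Dict[str, str]:
    """Read the flat `key: value` lines of a flink-conf.yaml; blanks and comments are skipped."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, _, value = line.partition(":")
            conf[key.strip()] = value.strip()
    return conf

def lint_ssl_separation(conf: Dict[str, str]) -> List[str]:
    """Return findings where the config breaks the internal/external SSL separation."""
    findings: List[str] = []
    split = any(k.startswith(("security.ssl.internal.", "security.ssl.rest.")) for k in conf)
    if conf.get("security.ssl.enabled") == "true" and not split:
        findings.append("one security.ssl.* block governs both internal RPC and the REST endpoint")
    # Whatever internal RPC trusts must never be the system bundle (Akka: authenticated == authorized).
    internal_ts = conf.get("security.ssl.internal.truststore") or conf.get("security.ssl.truststore", "")
    if any(hint in internal_ts.lower() for hint in SYSTEM_TRUSTSTORE_HINTS):
        findings.append(f"internal truststore looks like a system truststore: {internal_ts}")
    for kind in ("keystore", "truststore"):
        internal, rest = conf.get(f"security.ssl.internal.{kind}"), conf.get(f"security.ssl.rest.{kind}")
        if internal and internal == rest:
            findings.append(f"internal and REST endpoints share the same {kind}: {internal}")
    return findings
```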
---