KubeCraftsMan opened a new pull request, #1118:
URL: https://github.com/apache/flink-kubernetes-operator/pull/1118

   ## What is the purpose of the change
   
   This pull request adds a new Helm value `webhook.keystore.pkcs12Profile` to allow users to configure the PKCS12 encryption profile for the webhook certificate. This is required for FIPS-compliant environments where the default encryption algorithm (3DES/LegacyDES) is not supported by FIPS-compliant cert-manager images.
   
   **Problem:**
   When using cert-manager FIPS images, the Flink Operator webhook Certificate fails to renew with the error:
   
   **Solution:**
   Expose the `profile` field in the Certificate's PKCS12 keystore configuration, allowing users to set `Modern2023` (AES-256-CBC) which is FIPS-compliant.
   
   ## Brief change log
   
   - Added `webhook.keystore.pkcs12Profile` option to `values.yaml`
   - Added conditional profile field in `templates/cert-manager/certificate.yaml`
   - Added documentation for the new parameter in `docs/content/docs/operations/helm.md`
   
   ## Verifying this change
   
   This change is already covered by manual Helm template verification:
   
   ```bash
   # With profile set
   helm template test helm/flink-kubernetes-operator \
     --set webhook.keystore.pkcs12Profile=Modern2023 | grep -A15 "keystores:"
   # Output includes: profile: Modern2023
   
   # Without profile (default behavior unchanged)
   helm template test helm/flink-kubernetes-operator | grep -A10 "keystores:"
   # Output does not include profile field
   ```
   
   ## Does this pull request potentially affect one of the following parts:
   
   - Dependencies (does it add or upgrade a dependency): no
   - The public API, i.e., are there any changes to the `CustomResourceDescriptors`: no
   - Core observer or reconciler logic that is regularly executed: no
   
   ## Documentation
   
   - Does this pull request introduce a new feature? yes
   - If yes, how is the feature documented? docs


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
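
A check an operator could run on the issued keystore after setting the profile, added here as an example that is not part of the pull request or the project. It classifies the algorithm lines that `openssl pkcs12 -info` prints; the function name, the file name `keystore.p12` and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the pull request): decide whether a PKCS12 keystore
# was written with a legacy profile (3DES, as the PR describes for the default)
# or with AES-256-CBC (what the PR describes for Modern2023).
#
# Intended input is the text printed by, for example:
#   openssl pkcs12 -in keystore.p12 -info -noout -passin pass:<password>
# keystore.p12 and <password> are placeholders.

# Reads the -info text on stdin; prints "legacy", "modern" or "unknown".
# Runs in a subshell so its variables do not leak into the caller.
classify_p12_info() (
  legacy=0
  modern=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      # 3DES is the default named on the page; RC2 is also treated as legacy here.
      *TripleDES*|*RC2*) legacy=1 ;;
      *PBES2*AES-256-CBC*) modern=1 ;;
    esac
  done
  # Any legacy bag makes the whole keystore legacy, even if other bags use AES.
  if [ "$legacy" -eq 1 ]; then
    echo legacy
  elif [ "$modern" -eq 1 ]; then
    echo modern
  else
    echo unknown
  fi
)

# Constructed samples that resemble openssl's output (not captured from a cluster).
SAMPLE_LEGACY='MAC: sha1, Iteration 2048
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048'

SAMPLE_MODERN='MAC: sha256, Iteration 2048
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256'

# A keystore whose certificate bag uses AES but whose key bag still uses 3DES.
SAMPLE_MIXED='PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048'

for name in LEGACY MODERN MIXED; do
  eval "text=\$SAMPLE_$name"
  printf '%s sample -> %s\n' "$name" "$(printf '%s\n' "$text" | classify_p12_info)"
done
```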
