We're investigating using internal SSL for our Flink deployments, but I'm curious how it handles cases where the certificates expire while a job is running. We run a key distribution infrastructure with client/server keys that expire fairly quickly (~days), so for example, long-running streaming jobs could run into a case where the certificate that was loaded when the job started expires while the job is still running.
I looked through the code and see 3 places where certs are loaded:

- Akka via CustomSSLEngineProvider (for actor communication)
- NettyConfig.createServerSSLEngineFactory and similar (for shuffle communication)
- SSLUtils.createRestNettySSLContext and similar (for the blob server)

None of these seem to support reloading a certificate once created, but is it possible that this is handled somewhere else higher up the stack? Does anyone have experience running something like this that they could share?

Thank you!