This repository has been archived by the owner on Sep 2, 2022. It is now read-only.

Mount sensitive Flink Properties as Secrets #383

Open
EnriqueL8 opened this issue Dec 9, 2020 · 5 comments · May be fixed by #449
Labels: feature

Comments

@EnriqueL8
Contributor

EnriqueL8 commented Dec 9, 2020

When setting up security for Flink through the Flink Properties as #309 describes, the following properties are stored in a ConfigMap and mounted into the JobManager and TaskManager containers:

security.ssl.internal.keystore: "/internal.keystore"
security.ssl.internal.truststore: "/internal.keystore"
security.ssl.internal.keystore-password: "internal_store_password"
security.ssl.internal.truststore-password: "internal_store_password"
security.ssl.internal.key-password: "internal_store_password"

These passwords are stored in the ConfigMap, and should instead be stored in a Secret.

Has this been thought about before? or something that could be planned? Thanks!

@functicons
Collaborator

functicons commented Dec 10, 2020

This is a nice security feature that we could support in the future. I think there are 2 things here: 1) CRD: some properties shouldn't be presented as plain text in the flinkProperties field; instead, there should be a flinkPropertiesSecret field which tells the operator to load properties from the secret. 2) The operator should use a Secret instead of a ConfigMap to store the generated flink-conf.yaml.

We welcome your contribution if you could make the PR.

@shashken
Contributor

There are 2 problems with this (might not be problems for everyone):

  • ConfigMap volume on disk is read-only - if your solution for secrets is to download them on startup (init container), you won't be able to write them to the created file
  • If you want the created file containing the secret to be in a memory-only volume, the only way to achieve that is with an emptyDir with memory as the medium.

I have a solution if we want to take those problems into consideration, but it's not as elegant.

  • Use flinkPropertiesSecret option in CRD and mount the entire properties into a Secret like @functicons suggested.
  • Write the config into a temp directory.
  • Create the config directory to be an emptyDir with a memory medium.
  • Create an init container that copies the temp dir into the config dir (internal to the operator, the user won't have to define anything) - (cp /tempdir/flink-conf.yaml /opt/flink/conf)

More complex but supports all secret solutions. I can go ahead and make a PR for this if this gets approved. What do you think?
@functicons @EnriqueL8
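The layout proposed in the comment above (properties in a Secret, a staging mount, a RAM-backed conf directory, and an init container that copies the file across), written out as a concrete manifest. This is an added example and is not code from the operator, from #449 or from anyone in this thread; the resource names, the image tags, the uid 9999 used by the official Flink image, and the keystore/password values (copied from the first comment) are assumptions for illustration. The keystore file referenced by security.ssl.internal.keystore is not provided here and would need its own Secret mount.

```yaml
# Added example, not the operator's generated manifest.
# The whole flink-conf.yaml lives in a Secret, so the passwords never land in a ConfigMap.
apiVersion: v1
kind: Secret
metadata:
  name: flink-conf-secret            # assumed name
type: Opaque
stringData:
  flink-conf.yaml: |
    jobmanager.rpc.address: flink-jobmanager
    security.ssl.internal.enabled: "true"
    security.ssl.internal.keystore: /internal.keystore
    security.ssl.internal.truststore: /internal.keystore
    security.ssl.internal.keystore-password: internal_store_password
    security.ssl.internal.truststore-password: internal_store_password
    security.ssl.internal.key-password: internal_store_password
---
apiVersion: v1
kind: Pod
metadata:
  name: flink-jobmanager             # assumed name
spec:
  # Assumed: the official Flink image runs as uid/gid 9999. fsGroup makes the
  # emptyDir group-writable for that user so the init container can write to it.
  securityContext:
    runAsUser: 9999
    runAsGroup: 9999
    fsGroup: 9999
  volumes:
    # Secret volumes are read-only on disk; this is only the staging copy ("temp dir").
    - name: flink-conf-staging
      secret:
        secretName: flink-conf-secret
        defaultMode: 0440
    # Writable, memory-backed directory that Flink reads its config from.
    # medium: Memory keeps the copied file off the node's disk.
    - name: flink-conf
      emptyDir:
        medium: Memory
        sizeLimit: 1Mi
  initContainers:
    # Copies the staged file into the writable conf dir, as the comment describes.
    - name: copy-flink-conf
      image: busybox:1.36            # assumed image
      command: ["sh", "-c", "cp /tempdir/flink-conf.yaml /opt/flink/conf/flink-conf.yaml"]
      volumeMounts:
        - name: flink-conf-staging
          mountPath: /tempdir
          readOnly: true
        - name: flink-conf
          mountPath: /opt/flink/conf
  containers:
    - name: jobmanager
      image: flink:1.12              # assumed image
      args: ["jobmanager"]
      volumeMounts:
        # Only the memory-backed copy is visible to Flink; the Secret itself is not mounted here.
        - name: flink-conf
          mountPath: /opt/flink/conf
```

Two checks worth running after applying something like this: `kubectl exec flink-jobmanager -- cat /opt/flink/conf/flink-conf.yaml` should show the passwords only inside the pod, and `kubectl get configmap` should no longer list any ConfigMap carrying them. Note that, as the next comment points out, a file copied once by an init container does not pick up later changes to the Secret without a pod restart.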

@chrispatmore

The only problem with this is that you lose the ability to react to updates to the ConfigMap without restarting the pod. However, it seems like we are limited by the capabilities of Flink configuration here. So if the loss of those while-running updates is fine, then this approach seems sensible to me.

@functicons
Collaborator

@shashken LGTM, but can we do it in a way that uses tempDir/emptyDir and an init container only when necessary? Because in most cases the current design is good enough and simpler.

@shashken
Contributor

Thanks for the feedback, I'll try to create a PR this week. And the flag you suggested sounds like a good idea, I'll try to do that @functicons

devholic added a commit to devholic/flink-on-k8s-operator that referenced this issue May 12, 2021
devholic added a commit to devholic/flink-on-k8s-operator that referenced this issue May 18, 2021