Merge pull request #167 from trifork/feature/flink-customCiphers

disable custom ciphers by default
trifork · Nov 20, 2023 · 068ef87 · 068ef87
2 parents 5db2f19 + b9f51ab
commit 068ef87
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 11 deletions.
diff --git a/charts/flink-job/Chart.yaml b/charts/flink-job/Chart.yaml
@@ -7,7 +7,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.8.0
+version: 0.9.0
 
 dependencies:
   - name: image-automation

diff --git a/charts/flink-job/README.md b/charts/flink-job/README.md
@@ -1,6 +1,6 @@
 # flink-job
 
-![Version: 0.8.0](https://img.shields.io/badge/Version-0.8.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.9.0](https://img.shields.io/badge/Version-0.9.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 A Helm chart for handling Cheetah Data Platform Flink jobs
 
@@ -130,8 +130,9 @@ Read more about Flink and highly available job-managers [here](https://nightlies
 | imagePullSecrets | list | `[]` | Array of image pull secrets. Each entry follows the `name: <secret-name>` format |
 | version | string | `"v1_16"` | Which Flink version to use |
 | internalSsl.enabled | bool | `true` | Whether to use SSL between the job- and taskmanager |
-| internalSsl.algorithms | string | `"TLS_CHACHA20_POLY1305_SHA256,TLS_AES_256_GCM_SHA384"` | Set the algorithms allowed. see also: <https://nightlies.apache.org/flink/flink-docs-master/docs/deployment/security/security-ssl/#cipher-suites> |
-| internalSsl.protocol | string | `"TLSv1.3"` | Set the protocol allowed. |
+| internalSsl.customCiphers.enabled | bool | `false` | Whether to enable custom ciphers |
+| internalSsl.customCiphers.algorithms | string | `"TLS_CHACHA20_POLY1305_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` | Set the algorithms allowed. see also: <https://nightlies.apache.org/flink/flink-docs-master/docs/deployment/security/security-ssl/#cipher-suites> |
+| internalSsl.customCiphers.protocol | string | `"TLSv1.3"` | Set the protocol allowed. |
 | internalSsl.certDuration | string | `"26280h"` | What duration to give the certificates provisioned for the internal SSL. Value must be specified using a Go time.Duration string format |
 | internalSsl.certRenewBefore | string | `"2160h"` | When to renew the certificates provisioned for the internal SSL. Value must be specified using a Go time.Duration string format |
 | flinkConfiguration | object | (see [values.yaml](values.yaml)) | Flink configuration For more configuration options, see here: <https://nightlies.apache.org/flink/flink-docs-master/docs/deployment/config/> For specific metrics configuration, see here:  <https://nightlies.apache.org/flink/flink-docs-master/docs/deployment/metric_reporters/> |

diff --git a/charts/flink-job/templates/_helpers.tpl b/charts/flink-job/templates/_helpers.tpl
@@ -193,9 +193,11 @@ Add necessary ssl configuration
 {{- define "flink-job.sslConfiguration" -}}
   {{- $configs := .configs -}}
   {{- $password := sha1sum (nospace (toString .global.image)) | trunc 10 }}
+  {{- if .global.internalSsl.customCiphers.enabled -}}
+      {{- $configs = fromJson (include "flink-job._dictSet" (list $configs "security.ssl.customCiphers.protocol" (toString .global.internalSsl.customCiphers.protocol))) -}}
+      {{- $configs = fromJson (include "flink-job._dictSet" (list $configs "security.ssl.customCiphers.algorithms" (toString .global.internalSsl.customCiphers.algorithms))) -}}
+  {{- end -}}
   {{- if .global.internalSsl.enabled -}}
-    {{- $configs = fromJson (include "flink-job._dictSet" (list $configs "security.ssl.protocol" (toString .global.internalSsl.protocol))) -}}
-    {{- $configs = fromJson (include "flink-job._dictSet" (list $configs "security.ssl.algorithms" (toString .global.internalSsl.algorithms))) -}}
     {{- $configs = fromJson (include "flink-job._dictSet" (list $configs "security.ssl.internal.enabled" "true")) -}}
     {{- $configs = fromJson (include "flink-job._dictSet" (list $configs "security.ssl.internal.keystore" "/flinkkeystore/keystore.jks")) -}}
     {{- $configs = fromJson (include "flink-job._dictSet" (list $configs "security.ssl.internal.truststore" "/flinkkeystore/truststore.jks")) -}}

diff --git a/charts/flink-job/values.yaml b/charts/flink-job/values.yaml
@@ -33,11 +33,14 @@ version: v1_16
 internalSsl:
   # -- Whether to use SSL between the job- and taskmanager
   enabled: true
-  # -- Set the algorithms allowed.
-  # see also: <https://nightlies.apache.org/flink/flink-docs-master/docs/deployment/security/security-ssl/#cipher-suites>
-  algorithms: "TLS_CHACHA20_POLY1305_SHA256,TLS_AES_256_GCM_SHA384"
-  # -- Set the protocol allowed.
-  protocol: "TLSv1.3"
+  customCiphers:
+    # -- Whether to enable custom ciphers
+    enabled: false
+    # -- Set the algorithms allowed.
+    # see also: <https://nightlies.apache.org/flink/flink-docs-master/docs/deployment/security/security-ssl/#cipher-suites>
+    algorithms: "TLS_CHACHA20_POLY1305_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"
+    # -- Set the protocol allowed.
+    protocol: "TLSv1.3"
   # -- What duration to give the certificates provisioned for the internal SSL.
   # Value must be specified using a Go time.Duration string format
   certDuration: 26280h