From a4150776440c3d3575fa83517659fd3fcb479d1c Mon Sep 17 00:00:00 2001
From: Casper Thygesen
Date: Mon, 20 Nov 2023 09:59:32 +0000
Subject: [PATCH 1/3] disable custom ciphers by default
---
 charts/flink-job/Chart.yaml | 2 +-
 charts/flink-job/README.md | 5 +++--
 charts/flink-job/templates/_helpers.tpl | 6 ++++--
 charts/flink-job/values.yaml | 13 ++++++++-----
 4 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/charts/flink-job/Chart.yaml b/charts/flink-job/Chart.yaml
index 24510079..f6b83bd6 100644
--- a/charts/flink-job/Chart.yaml
+++ b/charts/flink-job/Chart.yaml
@@ -7,7 +7,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.8.0
+version: 0.9.0
 dependencies:
 - name: image-automation
diff --git a/charts/flink-job/README.md b/charts/flink-job/README.md
index c3e1527f..5230b916 100644
--- a/charts/flink-job/README.md
+++ b/charts/flink-job/README.md
@@ -130,8 +130,9 @@ Read more about Flink and highly available job-managers [here](https://nightlies
 | imagePullSecrets | list | `[]` | Array of image pull secrets. Each entry follows the `name: ` format |
 | version | string | `"v1_16"` | Which Flink version to use |
 | internalSsl.enabled | bool | `true` | Whether to use SSL between the job- and taskmanager |
-| internalSsl.algorithms | string | `"TLS_CHACHA20_POLY1305_SHA256,TLS_AES_256_GCM_SHA384"` | Set the algorithms allowed. see also: |
-| internalSsl.protocol | string | `"TLSv1.3"` | Set the protocol allowed. |
+| internalSsl.customCiphers.enabled | bool | `false` | Whether to enable custom ciphers |
+| internalSsl.customCiphers.algorithms | string | `"TLS_CHACHA20_POLY1305_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` | Set the algorithms allowed. see also: |
+| internalSsl.customCiphers.protocol | string | `"TLSv1.3"` | Set the protocol allowed. |
 | internalSsl.certDuration | string | `"26280h"` | What duration to give the certificates provisioned for the internal SSL. Value must be specified using a Go time.Duration string format |
 | internalSsl.certRenewBefore | string | `"2160h"` | When to renew the certificates provisioned for the internal SSL. Value must be specified using a Go time.Duration string format |
 | flinkConfiguration | object | (see [values.yaml](values.yaml)) | Flink configuration For more configuration options, see here: For specific metrics configuration, see here: |
diff --git a/charts/flink-job/templates/_helpers.tpl b/charts/flink-job/templates/_helpers.tpl
index d6a58071..564df950 100644
--- a/charts/flink-job/templates/_helpers.tpl
+++ b/charts/flink-job/templates/_helpers.tpl
@@ -193,9 +193,11 @@ Add necessary ssl configuration
 {{- define "flink-job.sslConfiguration" -}}
 {{- $configs := .configs -}}
 {{- $password := sha1sum (nospace (toString .global.image)) | trunc 10 }}
+ {{- if .global.internalSsl.customCiphers.enabled -}}
+ {{- $configs = fromJson (include "flink-job._dictSet" (list $configs "security.ssl.customCiphers.protocol" (toString .global.internalSsl.protocol))) -}}
+ {{- $configs = fromJson (include "flink-job._dictSet" (list $configs "security.ssl.customCiphers.algorithms" (toString .global.internalSsl.algorithms))) -}}
+ {{- end -}}
 {{- if .global.internalSsl.enabled -}}
- {{- $configs = fromJson (include "flink-job._dictSet" (list $configs "security.ssl.protocol" (toString .global.internalSsl.protocol))) -}}
- {{- $configs = fromJson (include "flink-job._dictSet" (list $configs "security.ssl.algorithms" (toString .global.internalSsl.algorithms))) -}}
 {{- $configs = fromJson (include "flink-job._dictSet" (list $configs "security.ssl.internal.enabled" "true")) -}}
 {{- $configs = fromJson (include "flink-job._dictSet" (list $configs "security.ssl.internal.keystore" "/flinkkeystore/keystore.jks")) -}}
 {{- $configs = fromJson (include "flink-job._dictSet" (list $configs "security.ssl.internal.truststore" "/flinkkeystore/truststore.jks")) -}}
diff --git a/charts/flink-job/values.yaml b/charts/flink-job/values.yaml
index 003af393..c696f26e 100644
--- a/charts/flink-job/values.yaml
+++ b/charts/flink-job/values.yaml
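Review bot: The added lines in the `_helpers.tpl` hunk of PATCH 1/3 set the keys `security.ssl.customCiphers.protocol` and `security.ssl.customCiphers.algorithms`, while the removed lines set `security.ssl.protocol` and `security.ssl.algorithms`, which are the option names Flink documents; the rename looks like a search-and-replace that was meant for the values path only. If Flink does not know the new keys, turning on `internalSsl.customCiphers.enabled` changes nothing on the wire and the cluster keeps its default protocol and cipher suites while the chart values suggest TLSv1.3 only. I would keep the original key strings and read from the new values path, e.g. `(list $configs "security.ssl.protocol" (toString .global.internalSsl.customCiphers.protocol))` and the same for `security.ssl.algorithms`. The `_helpers.tpl` hunk in PATCH 2/3 corrects the values path but leaves these key strings as they are, so the point applies there too. The `flink-job.sslConfiguration` define continues past the end of this hunk.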
@@ -33,11 +33,14 @@ version: v1_16
 internalSsl:
 # -- Whether to use SSL between the job- and taskmanager
 enabled: true
- # -- Set the algorithms allowed.
- # see also:
- algorithms: "TLS_CHACHA20_POLY1305_SHA256,TLS_AES_256_GCM_SHA384"
- # -- Set the protocol allowed.
- protocol: "TLSv1.3"
+ customCiphers:
+ # -- Whether to enable custom ciphers
+ enabled: false
+ # -- Set the algorithms allowed.
+ # see also:
+ algorithms: "TLS_CHACHA20_POLY1305_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"
+ # -- Set the protocol allowed.
+ protocol: "TLSv1.3"
 # -- What duration to give the certificates provisioned for the internal SSL.
 # Value must be specified using a Go time.Duration string format
 certDuration: 26280h
From 625ea21adf923742f5e4a94b16065427bb78ce82 Mon Sep 17 00:00:00 2001
From: Casper Thygesen
Date: Mon, 20 Nov 2023 10:00:54 +0000
Subject: [PATCH 2/3] customCiphers copy paste mistake
---
 charts/flink-job/templates/_helpers.tpl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/flink-job/templates/_helpers.tpl b/charts/flink-job/templates/_helpers.tpl
index 564df950..4fcb6543 100644
--- a/charts/flink-job/templates/_helpers.tpl
+++ b/charts/flink-job/templates/_helpers.tpl
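Review bot: In the `values.yaml` hunk of PATCH 1/3, the new default `customCiphers.enabled: false` means the chart no longer pins the TLS protocol and cipher list, where the previous defaults restricted job- and taskmanager traffic to TLSv1.3 with two AEAD suites. Existing releases will silently fall back to Flink's built-in defaults on upgrade, which in the Flink versions I know are TLSv1.2 with a CBC suite; please confirm against the Flink version shipped here. The comment `# -- Whether to enable custom ciphers` does not tell an operator this, so I would word it along the lines of `# -- Pin the TLS protocol and cipher suites used by Flink SSL. When false, Flink's built-in defaults apply.` The `internalSsl` mapping continues past the end of the hunk.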
@@ -194,8 +194,8 @@ Add necessary ssl configuration
 {{- $configs := .configs -}}
 {{- $password := sha1sum (nospace (toString .global.image)) | trunc 10 }}
 {{- if .global.internalSsl.customCiphers.enabled -}}
- {{- $configs = fromJson (include "flink-job._dictSet" (list $configs "security.ssl.customCiphers.protocol" (toString .global.internalSsl.protocol))) -}}
- {{- $configs = fromJson (include "flink-job._dictSet" (list $configs "security.ssl.customCiphers.algorithms" (toString .global.internalSsl.algorithms))) -}}
+ {{- $configs = fromJson (include "flink-job._dictSet" (list $configs "security.ssl.customCiphers.protocol" (toString .global.internalSsl.customCiphers.protocol))) -}}
+ {{- $configs = fromJson (include "flink-job._dictSet" (list $configs "security.ssl.customCiphers.algorithms" (toString .global.internalSsl.customCiphers.algorithms))) -}}
 {{- end -}}
 {{- if .global.internalSsl.enabled -}}
 {{- $configs = fromJson (include "flink-job._dictSet" (list $configs "security.ssl.internal.enabled" "true")) -}}
From b9f51ab9c836f1f7eac2b8c565a10dfa4efd2aff Mon Sep 17 00:00:00 2001
From: Casper Thygesen
Date: Mon, 20 Nov 2023 10:02:47 +0000
Subject: [PATCH 3/3] helm docs
---
 charts/flink-job/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/flink-job/README.md b/charts/flink-job/README.md
index 5230b916..2c48f454 100644
--- a/charts/flink-job/README.md
+++ b/charts/flink-job/README.md
@@ -1,6 +1,6 @@
 # flink-job
-![Version: 0.8.0](https://img.shields.io/badge/Version-0.8.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.9.0](https://img.shields.io/badge/Version-0.9.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 A Helm chart for handling Cheetah Data Platform Flink jobs
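Review bot: In the `_helpers.tpl` hunk of PATCH 2/3 the `customCiphers` block still sits before and outside `{{- if .global.internalSsl.enabled -}}`, although the values nest `customCiphers` under `internalSsl` and the lines it replaces were inside that guard. A release with `internalSsl.enabled: false` and `customCiphers.enabled: true` would therefore emit protocol and cipher settings with no keystore or truststore configured, which is probably not what the nesting suggests. Either move the block inside the `internalSsl.enabled` guard, or state the intent with a template comment such as `{{- /* applied independently of internalSsl.enabled */ -}}`. The `define` body starts and ends outside this hunk.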