Docs Home
Viewing docs for
Self-ManagedNot available for BYOC

Universal Blob Storage

On this page

Ververica Platform provides centralized configuration of blob storage for its services.

Configuration

In order to enable universal blob storage, configure a base URI for your blob storage provider. Add the following snippet to your Helm values.yaml file:

YAML
1vvp:
2  blobStorage:
3    baseUri: s3://my-bucket/vvp

The provided base URI will be picked up by all services that can make use of blob storage, for example Application Manager or Artifact Management.

Storage Providers

Storage ProviderSchemeArtifact ManagementFlink 1.19Flink 1.18Flink 1.17Flink 1.16Flink 1.15Flink 1.14Flink 1.13Flink 1.12
AWS S3s3://
Microsoft ABSwasbs://
Apache Hadoop® HDFShdfs://
Google GCSgs://(✓)(✓)(✓)(✓)(✓)(✓)
Alibaba OSSoss://xxxxxxxx
Microsoft ABS Workload Identitywiaz://✓*✓*✓*✓*✓*xxx

(✓): With custom Flink image

* : With VVP Flink image

Additional Provider Configuration

Some supported storage providers have additional options that can be configured in the blobStorage section of the values.yaml file, scoped by provider. The following options are configurable:

YAML
1blobStorage:
2  s3:
3    endpoint: "<if_applicable>"
4    region: "<if_applicable>"
5  oss:
6    endpoint: "<if_applicable>"

Microsoft ABS Workload Identity

For Microsoft ABS Workload Identity add the following snippet to your Helm values.yaml file:

YAML
1vvp:
2  blobStorage:
3    baseUri: wiaz://<blob-container-name>@<your account name>.blob.core.windows.net/<path>

You do not need to provide any credentials to set up access to Azure Blob Storage using Microsoft ABS Workload Identity. You just need to provide your Azure client-id and optionally the tenant-id.

YAML
1workloadIdentity:
2  azure:
3    clientId: xxxx–xxxx-xxxx-xxxx
4    (tenantId: yyyy-yyyy-yyyy-yyyy)

Before you can run a Deployment you must assign the service account names to pods:

YAML
1spec:
2  template:
3    spec:
4      kubernetes:
5        pods:
6          labels:
7            azure.workload.identity/use: 'true'
8          serviceAccountName: ververica-platform-ververica-platform

Alternatively, you can configure the taskManager and jobManager independently, for example:

YAML
1spec:
2  template:
3    spec:
4      kubernetes:
5        jobManagerPodTemplate:
6          metadata:
7            labels:
8              azure.workload.identity/use: 'true'
9          spec:
10            serviceAccountName: ververica-platform-ververica-platform
11        taskManagerPodTemplate:
12          metadata:
13            labels:
14              azure.workload.identity/use: 'true'
15          spec:
16            serviceAccountName: ververica-platform-ververica-platform

Credentials

Ververica Platform supports using a single set of credentials to access your configured blob storage, and will automatically distribute these credentials to Flink jobs that require them.

These credentials can be either specified directly in values.yaml, or added to a Kubernetes secret out-of-band and referenced in values.yaml by name.

Option 1: values.yaml

The following options are configurable, example values are shown:

YAML
1blobStorageCredentials:
2  azure:
3    connectionString: DefaultEndpointsProtocol=https;EndpointSuffix=core.windows.net;AccountName=vvpArtifacts;AccountKey=VGhpcyBpcyBub3QgYSB2YWxpZCBBQlMga2V5LiAgVGhhbmtzIGZvciB0aG9yb3VnaGx5IHJlYWRpbmcgdGhlIGRvY3MgOikgIA==;
4  s3:
5    accessKeyId: AKIAEXAMPLEACCESSKEY
6    secretAccessKey: qyRRoU+/4d5yYzOGZVz7P9ay9fAAMrexamplesecretkey
7  hdfs:
8    # Apache Hadoop® configuration files (core-site.xml, hdfs-site.xml)
9    # and optional Kerberos configuration files. Note that the keytab
10    # has to be base64 encoded.
11    core-site.xml: |
12      <?xml version="1.0" ?>
13      <configuration>
14        ...
15      </configuration>
16    hdfs-site.xml: |
17      <?xml version="1.0" ?>
18      <configuration>
19      ...
20      </configuration>
21    krb5.conf: |
22      [libdefaults]
23        ticket_lifetime = 10h
24      ...
25    keytab: BQIAA...AAAC
26    keytab-principal: flink

Option 2: Pre-create Kubernetes Secret

To use a pre-created Kubernetes secret, its keys must match the pattern <provider>.<key>. For example, s3.accessKeyId and s3.secretAccessKey. To configure Ververica Platform to use this secret, add the following snippet to your Helm values.yaml file:

YAML
1blobStorageCredentials:
2  existingSecret: my-blob-storage-credentials

Example: Apache Hadoop® HDFS

For UBS with Apache Hadoop® HDFS we recommend to pre-create a Kubernetes secret with the required configuration files in order to avoid duplication of the configuration files in the Ververica Platform values.yaml file.

BASH
1kubectl create secret generic my-blob-storage-credentials \
2--from-file hdfs.core-site.xml=core-site.xml \
3--from-file hdfs.hdfs-site.xml=hdfs-site.xml \
4--from-file hdfs.krb5.conf=krb5.conf \
5--from-file hdfs.keytab=keytab \ 
6--from-file hdfs.keytab-principal=keytab-principal

After you have created the Kubernetes secret, you can reference it in the values.yaml (#configuration) as an existing secret. Note that the Kerberos configuration is optional.

Option 3: Loading Credentials from Mounted Files

An alternative way to provide credentials securely to VVP is to access the credentials as mounted files.

To do so, each security key must be configured via a separate file, and the files must be named following the pattern <provider>.<key>.

Example: Blob Storage Credentials for https
YAML
1$ .cat ./http.basicAuthUser
2admin
3
4$ .cat ./http.basicAuthPassword
5password

The directory that contains the credentials files must then be mounted. Assuming the files are under the path /conf/blob-creds, they can be mounted either using environment variables, or using VVP properties. In both cases, the setting is made in values.yaml:

  1. Using environment variables:
YAML
1env:
2  - name: "vvp.blob-storage.credentials-dir"
3    value: "/conf/blob-creds"
  1. Using VVP properties:
YAML
1vvp:
2  blobStorage:
3    credentialsDir: /conf/blob-creds

Advanced Configuration

AWS EKS

When running on AWS EKS or AWS ECS your Kubernetes Pods inherit the roles attached to the underlying EC2 instances. If these roles already grant access to the required S3 resources you only need to configure vvp.blobStorage.baseUri without configuring any blobStorageCredentials.

Apache Hadoop® Versions

UBS with Apache Hadoop® HDFS uses a Hadoop 2 client for communication with the HDFS cluster. Hadoop 3 preserves wire compatibility with Hadoop 2 clients and you are able to use HDFS blob storage with both Hadoop 2 and Hadoop 3 HDFS clusters.

However, note that there may be incompatabilities between Hadoop 2 and 3 with respect to the configuration files core-site.xml and hdfs-site.xml. As an example, Hadoop 3 allows to configure durations with a unit suffix such as 30s which results in a configuration parsing error with Hadoop 2 clients. It's generally possible to work around these issues by limiting configuration to Hadoop 2 compatible keys/values.

Apache Flink® Hadoop Dependency

When using HDFS UBS, Ververica Platform dynamically adds the Hadoop dependency flink-shaded-hadoop-2-uber to the classpath. You can use the following annotation to skip this step:

YAML
1kind: Deployment
2spec:
3  template:
4    metadata:
5      annotations:
6        ubs.hdfs.hadoop-jar-provided: true

This is useful if you your Docker image provides a Hadoop dependency. If you use this annotation without a Hadoop dependency on the classpath, your Flink application will fail.

Services

The following services make use of the universal blob storage configuration.

Flink jobs are configured to store blobs at the following locations:

BlobStorage Location
Checkpoints${baseUri}/flink-jobs/namespaces/${ns}/jobs/${jobId}/checkpoints
Savepoints${baseUri}/flink-savepoints/namespaces/${ns}/deployments/${deploymentId}
High Availability${baseUri}/flink-savepoints/namespaces/${ns}/deployments/${deploymentId}

User-provided configuration has precedence over universal blob storage.

Artifact Management

Artifacts are stored in the following location:

BASH
1${baseUri}/artifacts/namespaces/${ns}

SQL Service

The SQL Service depends on blob storage for storing deployment information and JAR files of user-defined functions.

SQL Deployments

Before a SQL query can be deployed it needs to be optimized and translated to a Flink job. SQL Service stores the Flink job and all JAR files that contain an implementation of a user-defined function which is used by the query at the following locations:

BlobStorage Location
Job${baseUri}/flink-jobs/namespaces/${ns}/jobs/${jobId}/jobgraph
UDF JAR Files${baseUri}/flink-jobs/namespaces/${ns}/jobs/${jobId}/udfs

After a query has been deployed, Application Manager maintains the same blobs as for regular Flink jobs (#apache-flink-jobs), i.e., checkpoints, savepoints, and high-availability files.

UDF Artifacts

The JAR files of UDF Artifacts that are uploaded via the UI are stored in the following location:

BASH
1${baseUri}/sql-artifacts/namespaces/${ns}/udfs/${udfArtifact}

Connectors, Formats, and Catalogs

The JAR files of Custom Connectors and Formats and Custom Catalogs that are uploaded via the UI are stored in the following location:

BASH
1${baseUri}/sql-artifacts/namespaces/${ns}/custom-connectors/
Was this helpful?