
FLINK-37953: Add OBF password obfuscation support for SSL configurations #26677


Open: wants to merge 1 commit into base: master

Conversation

basapuram-kumar

What is the purpose of the change

This PR implements OBF password obfuscation support for Flink's SSL configurations to eliminate plaintext password exposure in configuration files.

Brief change log

New Features:
Added support for Jetty OBF password obfuscation format (OBF:...) for all SSL-related passwords:

  1. keystore-password
  2. key-password
  3. truststore-password

Changes

  • Modified SSLUtils to automatically detect and decrypt OBF passwords
  • Updated configuration validation to handle both plaintext and OBF formats

Backwards Compatibility:

  • Maintained full support for existing plaintext passwords
  • No configuration format changes required
  • History server Web server UI launches as usual in this OBF mode too.

Verifying this change

With OBF password obfuscation, Flink's functionality works seamlessly and the history server web UI also launches in SSL mode, the same as in plaintext mode.


This change is a trivial rework / code cleanup without any test coverage.

@flinkbot
Collaborator

flinkbot commented Jun 13, 2025

CI report:

Bot commands

The @flinkbot bot supports the following commands:
  • @flinkbot run azure re-run the last Azure build

@gaborgsomogyi
Contributor

> Adding OBF password support significantly improves Flink's security by eliminating plaintext password exposure in config files.

I don't see any increase because the stolen obfuscated passwords can be de-obfuscated on any machine which has a Java compiler. There are solutions which can be added to decrease the attack surface but that:

  • is encryption and not reversible obfuscation
  • has KMS system involved
  • has pluggable implementations
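The following is an added example, not code from this PR, from Flink or from Jetty. It re-implements Jetty's `OBF:` scheme (the format the PR description says SSLUtils now detects and decodes) so that two points from the thread can be seen in running code: the detect-and-decode step for `keystore-password`, `key-password` and `truststore-password`, and the reviewer's objection that the transform needs no key and is therefore reversible obfuscation rather than encryption. The `security.ssl.internal.*` key names are assumed Flink option names, and all sample values are constructed for the example.

```python
# Added example (not Flink's or Jetty's code): a re-implementation of Jetty's
# OBF: password scheme, used here to show two things from the PR thread:
#   1. the detect-and-decode step the PR adds to SSLUtils (an "OBF:" prefix
#      is spotted and the value is reversed before use), and
#   2. why the reviewer calls this obfuscation rather than encryption: the
#      transform needs no key, so anyone holding the config value can undo it.
# Key names in the sample config are assumed Flink option names; the sample
# values are constructed for this example.

OBF_PREFIX = "OBF:"
_BASE36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def _to_base36(n: int) -> str:
    """Lower-case base-36 encoding, as Jetty's Integer.toString(i, 36) produces."""
    if n == 0:
        return "0"
    digits = []
    while n:
        n, r = divmod(n, 36)
        digits.append(_BASE36[r])
    return "".join(reversed(digits))


def obfuscate(plain: str) -> str:
    """Encode a password the way Jetty's Password.obfuscate does.

    Each output group mixes byte i with its mirror byte (len-1-i); ASCII pairs
    become 4 base-36 digits, pairs containing a non-ASCII byte become 'U' + 4.
    """
    raw = plain.encode("utf-8")
    n = len(raw)
    groups = [OBF_PREFIX]
    for i in range(n):
        b1, b2 = raw[i], raw[n - 1 - i]
        if b1 >= 0x80 or b2 >= 0x80:
            # Java's byte is signed; values >= 0x80 take the 'U' escape path.
            groups.append("U" + _to_base36(b1 * 256 + b2).rjust(4, "0"))
        else:
            i1 = 127 + b1 + b2
            i2 = 127 + b1 - b2
            groups.append(_to_base36(i1 * 256 + i2).rjust(4, "0"))
    return "".join(groups)


def deobfuscate(value: str) -> str:
    """Reverse obfuscate(); needs nothing but the encoded string itself."""
    s = value[len(OBF_PREFIX):] if value.startswith(OBF_PREFIX) else value
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "U":
            # high byte of the escaped pair is the original byte at this index
            out.append(int(s[i + 1:i + 5], 36) >> 8)
            i += 5
        else:
            i1, i2 = divmod(int(s[i:i + 4], 36), 256)
            out.append((i1 + i2 - 254) // 2)   # (i1 + i2) == 254 + 2*b1
            i += 4
    return out.decode("utf-8")


def resolve_ssl_password(configured: str) -> str:
    """The behaviour the PR describes for SSLUtils: plaintext passes through,
    an OBF:-prefixed value is decoded automatically."""
    if configured.startswith(OBF_PREFIX):
        return deobfuscate(configured)
    return configured


def classify_ssl_passwords(config: dict) -> dict:
    """Config audit from the defender's side: report how each *-password key
    is stored, and do not let an OBF: value pass as 'protected'."""
    report = {}
    for key, value in config.items():
        if not key.endswith("-password"):
            continue
        if value.startswith(OBF_PREFIX):
            report[key] = "obfuscated (reversible without any key)"
        else:
            report[key] = "plaintext"
    return report


if __name__ == "__main__":
    # Constructed sample config; key names follow Flink's security.ssl.* options.
    sample = {
        "security.ssl.internal.keystore-password": obfuscate("storepwd"),
        "security.ssl.internal.key-password": "keypwd",
        "security.ssl.internal.truststore-password": obfuscate("trustpwd"),
    }
    for k, v in sample.items():
        print(f"{k} = {v!r} -> {resolve_ssl_password(v)!r}")
    print(classify_ssl_passwords(sample))
```

Running the script shows `resolve_ssl_password` handling both formats, which is the backwards-compatible behaviour the PR claims. The audit function is the practical takeaway from the review comment: an `OBF:` value in a config file should be inventoried as reversible, not as an encrypted secret, so whatever stores or ships that file still needs the same access controls as a plaintext password.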

3 participants