Kafka / KAFKA-8336

Enable dynamic update of client-side SSL factory in brokers

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.2.0
    • Fix Version/s: 2.3.0
    • Component/s: core
    • Labels: None

      Description

      We currently support dynamic update of server-side keystores. This allows expired certs to be updated on brokers without a rolling restart. When mutual authentication is enabled for inter-broker communication (ssl.client.auth=required), we don't currently dynamically update client-side keystores for the controller or transaction coordinator. So a broker restart (or controller change) is required for a cert update in this case. Since short-lived SSL certs are a common use case, we should enable client-side cert updates for all client connections initiated by the broker, to ensure that SSL certificate expiry can be handled with dynamic config updates on brokers for all configurations.

       


              People

              • Assignee: Rajini Sivaram (rsivaram)
              • Reporter: Rajini Sivaram (rsivaram)
              • Reviewer: Manikumar
              • Votes: 2
              • Watchers: 3
