[https://issues.apache.org/jira/browse/FLINK-37504?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17936883#comment-17936883]
David Radley edited comment on FLINK-37504 at 3/19/25 4:26 PM:
---------------------------------------------------------------
Hi, I think this should be a FLIP, similar to
[https://cwiki.apache.org/confluence/display/KAFKA/KIP-1119:+Add+support+for+SSL+hot+reload|https://cwiki.apache.org/confluence/display/KAFKA/KIP-1119:+Add+support+for+SSL+hot+reload]
and
[https://cwiki.apache.org/confluence/display/KAFKA/KIP-687%3A+Automatic+Reloading+of+Security+Store|https://cwiki.apache.org/confluence/display/KAFKA/KIP-687%3A+Automatic+Reloading+of+Security+Store].
I see there is a seemingly simpler [Kafka PR|https://github.com/apache/kafka/pull/17987/files], based on the Spring approach.
Searching in Google, there appear to be approaches where we check for the certificate to expire and, prior to expiration, rotate the certificate by requesting a new one. Would this approach be appropriate? It would avoid polling all day for something that changes once a day, which seems inefficient. This approach is similar to the way short-lived bearer tokens are requested with OIDC.
Understanding the Kubernetes story would be good as well.
was (Author: davidrad):
Hi, I think this should be a FLIP, similar to
[https://cwiki.apache.org/confluence/display/KAFKA/KIP-1119:+Add+support+for+SSL+hot+reload|https://cwiki.apache.org/confluence/display/KAFKA/KIP-1119:+Add+support+for+SSL+hot+reload].
I see there is a seemingly simpler [Kafka PR|https://github.com/apache/kafka/pull/17987/files], based on the Spring approach.
Searching in Google, there appear to be approaches where we check for the certificate to expire and, prior to expiration, rotate the certificate by requesting a new one. Would this approach be appropriate? It would avoid polling all day for something that changes once a day, which seems inefficient. This approach is similar to the way short-lived bearer tokens are requested with OIDC.
Understanding the Kubernetes story would be good as well.
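As an added illustration of the expiry-driven alternative to polling discussed in this comment (this is example code written for this page, not Flink's or Kafka's implementation, and it assumes a hypothetical `ExpiryDrivenReloader` helper with constructed constants): the keystore is read once, the earliest `notAfter` among its X.509 certificates decides when the next check runs, and a file-mtime comparison at that point detects a store that was rotated on disk earlier than expected.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileTime;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Enumeration;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.function.Consumer;

/**
 * Hypothetical helper (not Flink code): reload a keystore shortly before its earliest
 * certificate expires instead of polling the file on a fixed short interval.
 */
public final class ExpiryDrivenReloader {
    // Constructed tuning values for this example: reload at 80% of the remaining lifetime,
    // but never wait more than 12h (long-lived certs) or less than 1min (tight-loop guard).
    private static final double LEAD_FRACTION = 0.8;
    private static final Duration MAX_INTERVAL = Duration.ofHours(12);
    private static final Duration MIN_INTERVAL = Duration.ofMinutes(1);

    private final Path path;
    private final char[] password;
    private final String type;               // "PKCS12" or "JKS"
    private final Consumer<KeyStore> onReload; // e.g. rebuild the SSLContext from the new store
    private final ScheduledExecutorService scheduler = Executors.newSingleThreadScheduledExecutor(r -> {
        Thread t = new Thread(r, "keystore-reloader");
        t.setDaemon(true);
        return t;
    });
    private volatile KeyStore current;
    private volatile FileTime lastSeenMtime;

    public ExpiryDrivenReloader(Path path, char[] password, String type, Consumer<KeyStore> onReload) {
        this.path = path; this.password = password; this.type = type; this.onReload = onReload;
    }

    public void start() { checkAndReschedule(); }
    public KeyStore current() { return current; }

    /** Earliest notAfter over every X.509 certificate in the store (key entries and trusted certs). */
    static Instant earliestExpiry(KeyStore ks) throws GeneralSecurityException {
        Instant earliest = null;
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            Certificate[] chain = ks.getCertificateChain(alias);          // private-key entries
            if (chain == null) {
                Certificate single = ks.getCertificate(alias);           // trusted-cert entries
                chain = single == null ? new Certificate[0] : new Certificate[] { single };
            }
            for (Certificate c : chain) {
                if (c instanceof X509Certificate) {
                    Instant notAfter = ((X509Certificate) c).getNotAfter().toInstant();
                    if (earliest == null || notAfter.isBefore(earliest)) earliest = notAfter;
                }
            }
        }
        return earliest;
    }

    /** Delay until the next check: a fraction of the remaining lifetime, clamped to [MIN, MAX]. */
    static Duration nextDelay(Instant now, Instant expiry) {
        Duration remaining = Duration.between(now, expiry);
        if (remaining.isNegative()) return MIN_INTERVAL;                   // already expired: retry soon
        Duration lead = Duration.ofMillis((long) (remaining.toMillis() * LEAD_FRACTION));
        if (lead.compareTo(MAX_INTERVAL) > 0) return MAX_INTERVAL;
        if (lead.compareTo(MIN_INTERVAL) < 0) return MIN_INTERVAL;
        return lead;
    }

    private KeyStore load() throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(path)) { ks.load(in, password); }
        return ks;
    }

    private void checkAndReschedule() {
        Duration delay;
        try {
            FileTime mtime = Files.getLastModifiedTime(path);
            if (lastSeenMtime == null || !mtime.equals(lastSeenMtime)) {
                current = load();                // file changed on disk: swap in the new store
                lastSeenMtime = mtime;
                onReload.accept(current);
            }
            Instant expiry = earliestExpiry(current);
            delay = expiry == null ? MAX_INTERVAL : nextDelay(Instant.now(), expiry);
        } catch (IOException | GeneralSecurityException e) {
            delay = MIN_INTERVAL;                // transient failure: keep the last good store, retry soon
        }
        scheduler.schedule(this::checkAndReschedule, delay.toMillis(), TimeUnit.MILLISECONDS);
    }

    public static void main(String[] args) throws Exception {
        Path p = Paths.get(args[0]);             // usage: java ExpiryDrivenReloader keystore.p12 <password>
        ExpiryDrivenReloader r = new ExpiryDrivenReloader(p, args[1].toCharArray(), "PKCS12",
            ks -> System.out.println("reloaded " + p + " at " + Instant.now()));
        r.start();
        Thread.sleep(Long.MAX_VALUE);
    }
}
```

For a one-day certificate this schedules roughly two checks per day rather than one every few seconds, and a rotation that lands early is still picked up at the next check because the mtime changed. The one thing the scheduler cannot see is a rotation that happens after a check and is then needed before the next one, which is why the lead fraction should be chosen so that the check lands after the issuer's renewal window, not before it.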
> Handle TLS Certificate Renewal
> ------------------------------
>
> Key: FLINK-37504
> URL: https://issues.apache.org/jira/browse/FLINK-37504
> Project: Flink
> Issue Type: Improvement
> Reporter: Nicolas Fraison
> Priority: Minor
> Labels: pull-request-available
>
> Flink does not reload certificates if the underlying truststore and keystore are
> updated.
> We aim at using 1 day validity certificates, which currently means having to
> restart our jobs every day.
> In order to avoid this we will need to add a feature to be able to reload TLS
> certificates when the underlying truststore and keystore are updated.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)