[
https://issues.apache.org/jira/browse/KAFKA-8336?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16840150#comment-16840150
]
ASF GitHub Bot commented on KAFKA-8336:
---------------------------------------
rajinisivaram commented on pull request #6721: KAFKA-8336; Enable dynamic
reconfiguration of broker's client-side certs
URL: https://github.com/apache/kafka/pull/6721
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
> Enable dynamic update of client-side SSL factory in brokers
> -----------------------------------------------------------
>
> Key: KAFKA-8336
> URL: https://issues.apache.org/jira/browse/KAFKA-8336
> Project: Kafka
> Issue Type: Improvement
> Components: core
> Affects Versions: 2.2.0
> Reporter: Rajini Sivaram
> Assignee: Rajini Sivaram
> Priority: Major
> Fix For: 2.3.0
>
>
> We currently support dynamic update of server-side keystores. This allows
> expired certs to be updated on brokers without a rolling restart. When mutual
> authentication is enabled for inter-broker-communication
> (ssl.client.auth=required), we dont currently dynamically update client-side
> keystores for controller or transaction coordinator. So a broker restart (or
> controller change) is required for cert update for this case. Since
> short-lived SSL cert is a common usecase, we should enable client-side cert
> updates for all client connections initiated by the broker to ensure that SSL
> certificate expiry can be handled with dynamic config updates on brokers for
> all configurations.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
