Rajini Sivaram created KAFKA-8336:
-------------------------------------
Summary: Enable dynamic update of client-side SSL factory in
brokers
Key: KAFKA-8336
URL: https://issues.apache.org/jira/browse/KAFKA-8336
Project: Kafka
Issue Type: Improvement
Components: core
Affects Versions: 2.2.0
Reporter: Rajini Sivaram
Assignee: Rajini Sivaram
Fix For: 2.3.0
We currently support dynamic update of server-side keystores. This allows
expired certs to be updated on brokers without a rolling restart. When mutual
authentication is enabled for inter-broker communication
(ssl.client.auth=required), we don't currently dynamically update client-side
keystores for controller or transaction coordinator. So a broker restart (or
controller change) is required for cert update for this case. Since short-lived
SSL certs are a common use case, we should enable client-side cert updates for all
client connections initiated by the broker to ensure that SSL certificate
expiry can be handled with dynamic config updates on brokers for all
configurations.