Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[feat][zk] Enable certificate refresh for Quorum and Netty Servers #18097

Merged
merged 1 commit into from
Oct 19, 2022
Merged

[feat][zk] Enable certificate refresh for Quorum and Netty Servers #18097

merged 1 commit into from
Oct 19, 2022

Conversation

michaeljmarshall
Copy link
Member

@michaeljmarshall michaeljmarshall commented Oct 18, 2022
edited
Loading

Fixes apache/pulsar-helm-chart#285

Motivation

The current Pulsar SSL Server Contexts always reload certificates from the file system. Zookeeper supports such options, but we do not enable them by default. I propose we do that.

Apache Zookeeper documentation:

sslQuorumReloadCertFiles : (No Java system property) New in 3.5.5, 3.6.0: Allows Quorum SSL keyStore and trustStore reloading when the certificates on the filesystem change without having to restart the ZK process. Default: false

client.certReload : (Java system property: zookeeper.client.certReload) New in 3.7.2, 3.8.1, 3.9.0: Allows client SSL keyStore and trustStore reloading when the certificates on the filesystem change without having to restart the ZK process. Default: false

Modifications

  • Enable the Quorum server to update its context (already available)
  • Enable the Netty Server to update its context (not available until ZK 3.8.1 or 3.9.0 https://issues.apache.org/jira/browse/ZOOKEEPER-3806, but won't hurt anything to get for free when we upgrade)

Verifying this change

This is a trivial configuration change.

Does this pull request potentially affect one of the following parts:

  • The default values of configurations

I do not believe this needs a PIP because our standard default is already to refresh certificates in the broker, function worker, the proxy, and the websocket proxy.

Documentation

  • doc-not-needed

Matching PR in forked repository

PR in forked repository: michaeljmarshall#5

@michaeljmarshall michaeljmarshall added this to the 2.12.0 milestone Oct 18, 2022
@michaeljmarshall michaeljmarshall self-assigned this Oct 18, 2022
@michaeljmarshall michaeljmarshall changed the title [zk] Enable certificate refresh for Quorum and Netty Servers [feat][zk] Enable certificate refresh for Quorum and Netty Servers Oct 18, 2022
@michaeljmarshall michaeljmarshall mentioned this pull request Oct 18, 2022
Closed
@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Oct 18, 2022
nodece
nodece approved these changes Oct 19, 2022
View reviewed changes
Copy link
Member

@nodece nodece left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@nodece
Copy link
Member

nodece commented Oct 19, 2022
edited
Loading

From ZK documentation:

sslQuorumReloadCertFiles : (No Java system property) New in 3.5.5, 3.6.0: Allows Quorum SSL keyStore and trustStore reloading when the certificates on the filesystem change without having to restart the ZK process. Default: false

client.certReload : (Java system property: zookeeper.client.certReload) New in 3.7.2, 3.8.1, 3.9.0: Allows client SSL keyStore and trustStore reloading when the certificates on the filesystem change without having to restart the ZK process. Default: false

@michaeljmarshall
Copy link
Member Author

Good idea to reference the ZK documentation @nodece. I updated my PR's description with it. Thanks!

@Technoboy- Technoboy- closed this Oct 19, 2022
@Technoboy- Technoboy- reopened this Oct 19, 2022
@codecov-commenter
Copy link

codecov-commenter commented Oct 19, 2022
edited
Loading

Codecov Report

❗ No coverage uploaded for pull request base (master@69deb1f). Click here to learn what that means.
The diff coverage is n/a.

Impacted file tree graph

@@            Coverage Diff            @@
##             master   #18097   +/-   ##
=========================================
  Coverage          ?   46.93%           
  Complexity        ?    17937           
=========================================
  Files             ?     1574           
  Lines             ?   128342           
  Branches          ?    14121           
=========================================
  Hits              ?    60239           
  Misses            ?    61908           
  Partials          ?     6195
Flag Coverage Δ
unittests 46.93% <0.00%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

@nodece nodece merged commit 912f344 into apache:master Oct 19, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Technoboy- Technoboy- Technoboy- approved these changes

@nodece nodece nodece approved these changes

@RobertIndie RobertIndie RobertIndie approved these changes

@lhotari lhotari Awaiting requested review from lhotari

@eolivelli eolivelli Awaiting requested review from eolivelli

@codelipenghui codelipenghui Awaiting requested review from codelipenghui

Assignees

@michaeljmarshall michaeljmarshall

Labels
area/config doc-not-needed Your PR changes do not impact docs ready-to-test
Projects
None yet
Milestone
3.0.0
Development

Successfully merging this pull request may close these issues.

Automatic certificate renewal does not work
5 participants
@michaeljmarshall @nodece @codecov-commenter @Technoboy- @RobertIndie