Uploaded image for project: 'AMQ Streams'
  1. AMQ Streams
  2. ENTMQST-4968

[KAFKA] SAN / DN change check on certificate should be opt-out

XMLWordPrintable

    • Icon: Task Task
    • Resolution: Duplicate
    • Icon: Undefined Undefined
    • None
    • None
    • kafka-broker
    • False
    • None
    • False

      When a Kafka broker reloads a changed SSL certificate it performs some safety checks on it. For example that the Subject Alternative Names haven't changed. These checks prevent dynamically reloading certificates in Strimzi in most circumstances. Instead the operator has to restart brokers when certificates change. Restarting broker is generally undesirable because of the impact on clients (increased latency due to leader changes), time to JIT steady sate etc.

      This issue is to evaluate which of these checks really make sense in a dynamic Kubernetes environment and propose a KIP to make the other checks optional.

      If/when that KIP is approved we can open a followup issue to opt out of these checks in Strimzi and so avoid broker rolls in some cases.

              Unassigned Unassigned
              tbentley-1 Tom Bentley
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: