Posted to commits@pinot.apache.org by "mgranderath (via GitHub)" <gi...@apache.org> on 2023/12/07 09:00:14 UTC
[I] Support seamless TLS certificate rotation [pinot]
mgranderath opened a new issue, #12107:
URL: https://github.com/apache/pinot/issues/12107
In our setup we use regularly rotated TLS certificates by essentially replacing the keystore/truststore (using K8s secrets), but the updated certificates don't get picked up by the nodes. This means that our nodes get restarted because the liveness probe starts failing, which has some unintended consequences. Ideally we would want these to be picked up seamlessly.
#### Possible Solution
Wrap the `KeyManager` and `TrustManager`, check every x interval whether the underlying files have been updated, and replace the delegate. An example of a somewhat similar implementation is [here](https://github.com/Hakky54/sslcontext-kickstart/blob/master/sslcontext-kickstart/src/main/java/nl/altindag/ssl/keymanager/HotSwappableX509ExtendedKeyManager.java).
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@pinot.apache.org.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@pinot.apache.org
For additional commands, e-mail: commits-help@pinot.apache.org
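The wrap-and-swap approach proposed in the issue above, as an added example (not code from Pinot, sslcontext-kickstart or any participant in this thread). The class name `ReloadingKeyManager`, the PKCS12 store type and the mtime-based change check are assumptions made for illustration.

```java
import java.io.InputStream;
import java.net.Socket;
import java.nio.file.*;
import java.security.*;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Added illustration; ReloadingKeyManager is a hypothetical name, not Pinot code.
public final class ReloadingKeyManager extends X509ExtendedKeyManager {
  private final Path keystore;
  private final char[] password;
  private volatile X509ExtendedKeyManager delegate; // replaced as a whole on reload
  private volatile long loadedMtime;
  public ReloadingKeyManager(Path keystore, char[] password) throws Exception {
    this.keystore = keystore;
    this.password = password;
    load(); // fail fast at startup if the initial keystore is unusable
  }

  private void load() throws Exception {
    // Read mtime first: a write racing with this load is picked up on the next poll.
    long mtime = Files.getLastModifiedTime(keystore).toMillis(); // follows symlinks
    KeyStore ks = KeyStore.getInstance("PKCS12"); // assumed store type
    try (InputStream in = Files.newInputStream(keystore)) { ks.load(in, password); }
    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    kmf.init(ks, password);
    delegate = (X509ExtendedKeyManager) kmf.getKeyManagers()[0]; // publish only once fully built
    loadedMtime = mtime;
  }

  // Run every x seconds from a scheduler; returns true if new key material was loaded.
  public boolean reloadIfChanged() {
    try {
      if (Files.getLastModifiedTime(keystore).toMillis() == loadedMtime) return false;
      load();
      return true;
    } catch (Exception e) {
      return false; // unreadable or corrupt file: keep serving the last good delegate
    }
  }

  @Override public String[] getClientAliases(String t, Principal[] i) { return delegate.getClientAliases(t, i); }
  @Override public String chooseClientAlias(String[] t, Principal[] i, Socket s) { return delegate.chooseClientAlias(t, i, s); }
  @Override public String[] getServerAliases(String t, Principal[] i) { return delegate.getServerAliases(t, i); }
  @Override public String chooseServerAlias(String t, Principal[] i, Socket s) { return delegate.chooseServerAlias(t, i, s); }
  @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
  @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
  @Override public String chooseEngineClientAlias(String[] t, Principal[] i, SSLEngine e) { return delegate.chooseEngineClientAlias(t, i, e); }
  @Override public String chooseEngineServerAlias(String t, Principal[] i, SSLEngine e) { return delegate.chooseEngineServerAlias(t, i, e); }
}
```

Connections that have already completed a handshake keep the certificate they negotiated; only new handshakes see the swapped delegate. The same wrapper shape applies to an `X509ExtendedTrustManager` for truststore rotation.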
Re: [I] Support seamless TLS certificate rotation [pinot]
Posted by "zhtaoxiang (via GitHub)" <gi...@apache.org>.
zhtaoxiang commented on issue #12107:
URL: https://github.com/apache/pinot/issues/12107#issuecomment-1894682056
Hi @mgranderath, we have similar issues as you described here.
I am working on a PR to use the [sslcontext-kickstart](https://github.com/Hakky54/sslcontext-kickstart) to make the `KeyManager` and `TrustManager` swappable. Will post the PR when it's ready for review.
Re: [I] Support seamless TLS certificate rotation [pinot]
Posted by "zhtaoxiang (via GitHub)" <gi...@apache.org>.
zhtaoxiang commented on issue #12107:
URL: https://github.com/apache/pinot/issues/12107#issuecomment-1958342716
I will keep the following PR list updated:
Merged PRs:
https://github.com/apache/pinot/pull/12277
https://github.com/apache/pinot/pull/12325
https://github.com/apache/pinot/pull/12357
https://github.com/apache/pinot/pull/12384
https://github.com/apache/pinot/pull/12404
https://github.com/apache/pinot/pull/12425
https://github.com/apache/pinot/pull/12455
Work in progress:
https://github.com/apache/pinot/pull/12462
Re: [I] Support seamless TLS certificate rotation [pinot]
Posted by "Jackie-Jiang (via GitHub)" <gi...@apache.org>.
Jackie-Jiang commented on issue #12107:
URL: https://github.com/apache/pinot/issues/12107#issuecomment-1846254583
cc @xiangfu0 @zhtaoxiang
Re: [I] Support seamless TLS certificate rotation [pinot]
Posted by "mgranderath (via GitHub)" <gi...@apache.org>.
mgranderath commented on issue #12107:
URL: https://github.com/apache/pinot/issues/12107#issuecomment-1846847561
I can take a stab at this as well and upstream the changes if that would be helpful?