Posted to commits@pinot.apache.org by "mgranderath (via GitHub)" <gi...@apache.org> on 2023/12/07 09:00:14 UTC

[I] Support seamless TLS certificate rotation [pinot]

mgranderath opened a new issue, #12107:
URL: https://github.com/apache/pinot/issues/12107

   In our setup we use regularly rotated TLS certificates by essentially replacing the keystore/truststore (using K8s secrets), but the updated certificates don't get picked up by the nodes. This means that our nodes get restarted because the liveness probe starts failing, which has some unintended consequences. Ideally we would want these to be picked up seamlessly.
   
   #### Possible Solution
   Wrap the `KeyManager` and `TrustManager`, check every x interval whether the underlying files have been updated, and replace the delegate. An example of a somewhat similar implementation is [here](https://github.com/Hakky54/sslcontext-kickstart/blob/master/sslcontext-kickstart/src/main/java/nl/altindag/ssl/keymanager/HotSwappableX509ExtendedKeyManager.java).


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pinot.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@pinot.apache.org
For additional commands, e-mail: commits-help@pinot.apache.org
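
The wrapper proposed in the issue above, shown for the key-manager side as an added example; it is not code from Pinot, from sslcontext-kickstart, or from anyone in this thread. The class name `ReloadingKeyManager`, its constructor parameters, the single password shared by keystore and key, and the JDK default provider are assumptions; a trust manager would follow the same pattern.

```java
import java.io.InputStream;
import java.net.Socket;
import java.nio.file.*;
import java.nio.file.attribute.FileTime;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.concurrent.*;
import javax.net.ssl.*;
// Hypothetical class for illustration; every TLS callback goes to the current delegate.
public final class ReloadingKeyManager extends X509ExtendedKeyManager {
  private final Path path;
  private final char[] password; // assumption: keystore and key entries share one password
  private volatile X509ExtendedKeyManager delegate;
  private volatile FileTime lastLoaded;

  public ReloadingKeyManager(Path path, char[] password, long intervalSec) throws Exception {
    this.path = path; this.password = password;
    reload(); // fail fast at startup if the initial keystore is unusable
    ScheduledExecutorService poller = Executors.newSingleThreadScheduledExecutor(
        r -> { Thread t = new Thread(r, "keystore-reload"); t.setDaemon(true); return t; });
    poller.scheduleWithFixedDelay(this::reloadIfChanged, intervalSec, intervalSec, TimeUnit.SECONDS);
  }

  private void reloadIfChanged() {
    try { // getLastModifiedTime follows symlinks, so a re-pointed secret mount is noticed
      if (!Files.getLastModifiedTime(path).equals(lastLoaded)) reload();
    } catch (Exception e) { // half-written or invalid file: keep the old delegate, retry next tick
      System.err.println("keystore reload failed, still serving previous key: " + e);
    }
  }

  private void reload() throws Exception {
    FileTime mtime = Files.getLastModifiedTime(path);
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    try (InputStream in = Files.newInputStream(path)) { ks.load(in, password); }
    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    kmf.init(ks, password);
    delegate = (X509ExtendedKeyManager) kmf.getKeyManagers()[0]; // assumes JDK provider; swap only after a full load
    lastLoaded = mtime;
  }

  public String[] getClientAliases(String k, Principal[] i) { return delegate.getClientAliases(k, i); }
  public String chooseClientAlias(String[] k, Principal[] i, Socket s) { return delegate.chooseClientAlias(k, i, s); }
  public String[] getServerAliases(String k, Principal[] i) { return delegate.getServerAliases(k, i); }
  public String chooseServerAlias(String k, Principal[] i, Socket s) { return delegate.chooseServerAlias(k, i, s); }
  public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
  public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
  public String chooseEngineClientAlias(String[] k, Principal[] i, SSLEngine e) { return delegate.chooseEngineClientAlias(k, i, e); }
  public String chooseEngineServerAlias(String k, Principal[] i, SSLEngine e) { return delegate.chooseEngineServerAlias(k, i, e); }
}
```

A handshake that straddles a swap can choose an alias from the old delegate and fetch the key from the new one, so keep the alias name stable across rotations.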


Re: [I] Support seamless TLS certificate rotation [pinot]

Posted by "zhtaoxiang (via GitHub)" <gi...@apache.org>.
zhtaoxiang commented on issue #12107:
URL: https://github.com/apache/pinot/issues/12107#issuecomment-1894682056

   Hi @mgranderath, we have similar issues as you described here.
   
   I am working on a PR to use the [sslcontext-kickstart](https://github.com/Hakky54/sslcontext-kickstart) to make the `KeyManager` and `TrustManager` swappable. Will post the PR when it's ready for review.




Re: [I] Support seamless TLS certificate rotation [pinot]

Posted by "zhtaoxiang (via GitHub)" <gi...@apache.org>.
zhtaoxiang commented on issue #12107:
URL: https://github.com/apache/pinot/issues/12107#issuecomment-1958342716

   I will keep the following PR list updated:
   Merged PRs:
   https://github.com/apache/pinot/pull/12277
   https://github.com/apache/pinot/pull/12325
   https://github.com/apache/pinot/pull/12357
   https://github.com/apache/pinot/pull/12384
   https://github.com/apache/pinot/pull/12404
   https://github.com/apache/pinot/pull/12425
   https://github.com/apache/pinot/pull/12455
   
   Work in progress:
   https://github.com/apache/pinot/pull/12462




Re: [I] Support seamless TLS certificate rotation [pinot]

Posted by "Jackie-Jiang (via GitHub)" <gi...@apache.org>.
Jackie-Jiang commented on issue #12107:
URL: https://github.com/apache/pinot/issues/12107#issuecomment-1846254583

   cc @xiangfu0 @zhtaoxiang 




Re: [I] Support seamless TLS certificate rotation [pinot]

Posted by "mgranderath (via GitHub)" <gi...@apache.org>.
mgranderath commented on issue #12107:
URL: https://github.com/apache/pinot/issues/12107#issuecomment-1846847561

   I can take a stab at this as well and upstream the changes if that would be helpful?

