[pulsar-broker] auto refresh new tls certs for jetty webserver #3645

Merged
merged 3 commits into from
Feb 22, 2019


rdhabalia
Contributor

Motivation

Right now, the broker starts the webservice on Jetty in TLS mode, but Jetty doesn't have the capability to refresh the TLS certs if the certs have been rotated. So, added the capability to refresh certs for the tls-webservice.

Modification

  • refactored the existing SSLContextRefresher that is used by the netty channel initializer.
  • added an auto-refreshing ssl-context factory for the tls-webservice.
  • added this capability to broker, discovery, websocket and proxy.

Note:

  • I have tested these changes with expired certs and rotating them with new valid certs.
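
The interval-gated reload described above, as an added example (not code from this pull request or from Pulsar): the class name `RefreshingCertHolder` and its loader are hypothetical, the temp file is a constructed stand-in for a cert, and the interval argument plays the role of `tlsCertRefreshCheckDurationSec`, with 0 meaning a check on every call. It assumes Java 11 or later.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileTime;
import java.util.function.Function;

// Hypothetical helper, not Pulsar's class: rebuilds TLS material when the cert file changes.
public class RefreshingCertHolder<T> {
    private final Path certFile;
    private final long checkIntervalNanos;   // 0 = stat the file on every get()
    private final Function<Path, T> loader;  // e.g. builds an SSLContext from the file
    private long lastCheckNanos;
    private FileTime lastModified;
    private T current;
    public RefreshingCertHolder(Path certFile, long checkIntervalSec, Function<Path, T> loader) throws IOException {
        if (checkIntervalSec < 0) throw new IllegalArgumentException("interval must be >= 0");
        this.certFile = certFile;
        this.checkIntervalNanos = checkIntervalSec * 1_000_000_000L;
        this.loader = loader;
        this.lastModified = Files.getLastModifiedTime(certFile);
        this.current = loader.apply(certFile);
        this.lastCheckNanos = System.nanoTime();
    }
    // Call once per new connection; the file is only examined when the interval has elapsed.
    public synchronized T get() {
        long now = System.nanoTime();
        if (now - lastCheckNanos >= checkIntervalNanos) {
            lastCheckNanos = now;
            try {
                FileTime modified = Files.getLastModifiedTime(certFile);
                if (!modified.equals(lastModified)) {
                    current = loader.apply(certFile); // on failure 'current' is left unchanged
                    lastModified = modified;
                }
            } catch (IOException | RuntimeException e) { // e.g. a half-written file mid-rotation
                System.err.println("cert reload failed, keeping previous material: " + e);
            }
        }
        return current;
    }
    public static void main(String[] args) throws Exception {
        Path pem = Files.createTempFile("constructed-cert", ".pem"); // constructed stand-in for a cert
        RefreshingCertHolder<String> h = new RefreshingCertHolder<>(pem, 0, p -> {
            try { return Files.readString(p); } catch (IOException e) { throw new java.io.UncheckedIOException(e); }
        });
        Files.writeString(pem, "rotated");
        Files.setLastModifiedTime(pem, FileTime.fromMillis(System.currentTimeMillis() + 2000));
        System.out.println(h.get());
    }
}
```

A failed reload keeps the previous material in service, so an expired cert stays in use until a readable replacement appears; alerting on the logged failure closes that gap.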

@rdhabalia rdhabalia added this to the 2.3.1 milestone Feb 21, 2019
@rdhabalia rdhabalia self-assigned this Feb 21, 2019
@@ -240,6 +240,9 @@ authenticateOriginalAuthData=false
# Deprecated - Use webServicePortTls and brokerServicePortTls instead
tlsEnabled=false

# Tls cert refresh duration in seconds (set 0 to check on every new connection)
tlsCertRefreshCheckDurationSec=300
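
Review bot: The comment above tlsCertRefreshCheckDurationSec calls this a "refresh duration", but the key name and the "set 0 to check on every new connection" remark describe how often the certs are checked, not how long a refresh lasts. Suggest rewording it as the interval in seconds between checks for changed TLS certs, and stating what a negative value does. It would also help to say that 0 adds a check to every new connection, so operators choose it deliberately rather than by accident.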
Contributor
Don't we already have a refresh time from #3568?

Contributor Author

@rdhabalia rdhabalia Feb 22, 2019

Yes, it's the same, but I have renamed it with the tls prefix, and we also missed defining it in all conf files.

Contributor

@merlimat merlimat left a comment

👍

@rdhabalia rdhabalia merged commit d3643a0 into apache:master Feb 22, 2019
@merlimat merlimat modified the milestones: 2.3.1, 2.4.0 Mar 29, 2019
@rdhabalia rdhabalia deleted the jetty_ssl branch September 3, 2019 21:46