dkranchii opened a new pull request, #18483: URL: https://github.com/apache/pinot/pull/18483
## What

Switch the key store and trust store `InputStream`s in `RenewableTlsUtils.createSSLFactory` to try-with-resources.

## Why

The streams were closed only on the success path, after `SSLFactory.builder().build()` returned. Any exception thrown in between — null trust-store password, malformed keystore, failure in `nl.altindag.ssl`'s builder, etc. — was caught and rewrapped as `IllegalStateException`, but the open stream was never closed. The leak is most likely to trigger during cert rotation (`reloadSslFactory` retries 3x and the file watcher catches mid-write states), which compounds it on long-running broker/server/controller/minion processes.

`TlsUtils.createKeyManagerFactory` and `TlsUtils.createTrustManagerFactory` in the same package already use this idiom, so the change also removes inconsistency.

## Safety

- `withIdentityMaterial(InputStream, char[], String)` and `withTrustMaterial(InputStream, char[], String)` consume the stream synchronously into a `KeyStore`; the stream is not retained for `build()`. Closing right after the `with...` call is equivalent to the prior post-`build()` close on the success path.
- No public API, wire-format, or config change.
- Exception type on failure is unchanged (`IllegalStateException` wrapping the cause).

## Test plan

- [ ] `./mvnw -pl pinot-common -am -Dtest=RenewableTlsUtilsTest -Dsurefire.failIfNoSpecifiedTests=false test`
- [ ] `./mvnw spotless:apply -pl pinot-common`
- [ ] `./mvnw checkstyle:check -pl pinot-common`
- [ ] `./mvnw license:check -pl pinot-common`

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
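The failure path described in the pull request, as an added example that is not code from the pull request or from Pinot. It assumes the JDK's `KeyStore.load` as a stand-in for the `SSLFactory` builder calls; the class `StreamCloseDemo`, its methods, and the sample bytes and password are hypothetical and constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;

public class StreamCloseDemo {
  // Constructed input: bytes that are not a valid PKCS12 keystore,
  // similar to what a file watcher may read mid-write during rotation.
  static final byte[] MALFORMED = "not a keystore".getBytes();

  /** Stands in for a file stream and records whether close() was called. */
  static class TrackingStream extends ByteArrayInputStream {
    boolean closed;
    TrackingStream(byte[] bytes) { super(bytes); }
    @Override public void close() throws IOException { closed = true; super.close(); }
  }

  // Shape before the change: close() follows the work, so it runs only on success.
  static void loadCloseOnSuccessOnly(InputStream in, char[] password) {
    try {
      KeyStore ks = KeyStore.getInstance("PKCS12");
      ks.load(in, password);  // throws on malformed input
      in.close();             // never reached when load() throws
    } catch (Exception e) {
      throw new IllegalStateException(e);
    }
  }

  // Shape after the change: try-with-resources closes on both paths,
  // and the caller still sees IllegalStateException wrapping the cause.
  static void loadTryWithResources(InputStream in, char[] password) {
    try (InputStream stream = in) {
      KeyStore ks = KeyStore.getInstance("PKCS12");
      ks.load(stream, password);
    } catch (Exception e) {
      throw new IllegalStateException(e);
    }
  }

  public static void main(String[] args) {
    char[] pw = "changeit".toCharArray();  // constructed sample password
    TrackingStream before = new TrackingStream(MALFORMED);
    try { loadCloseOnSuccessOnly(before, pw); } catch (IllegalStateException expected) { /* failure path */ }
    TrackingStream after = new TrackingStream(MALFORMED);
    try { loadTryWithResources(after, pw); } catch (IllegalStateException expected) { /* failure path */ }
    System.out.println("close-on-success-only: closed=" + before.closed);
    System.out.println("try-with-resources:    closed=" + after.closed);
  }
}
```

With a real `FileInputStream`, each stream left open on the failure path holds a file descriptor until garbage collection, which is why repeated reload attempts on a long-running process add up.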
