[I] Truststore.jks and keystore.jks are not refreshed after certificate rotation [pulsar-helm-chart]

Mon, 26 Aug 2024 07:15:27 -0700 


bhavyaravilla opened a new issue, #524:
URL: https://github.com/apache/pulsar-helm-chart/issues/524

   **Describe the bug**
   After the cert-manager refreshes the certificates for bookie, broker. The 
file where the secrets are loaded gets updated but the truststore.jks and 
keystore.jks do not get refreshed with the new certificates. Therefore the 
communication with zookeeper fails. We have to restart the pods so that the 
truststore.jks and keystore.jks are recreated and the communication is restored.
   
   **To Reproduce**
   Once the cert-manager updates the certificates for Bookie and broker below 
error comes up
   `60:2281, Closing socket connection. Attempting reconnect except it is a 
SessionExpiredException.org.apache.zookeeper.ClientCnxn$EndOfStreamException: 
channel for sessionid 0x303844ec7980001 is lost       
       at 
org.apache.zookeeper.ClientCnxnSocketNetty.doTransport(ClientCnxnSocketNetty.java:286)
 ~[org.apache.zookeeper-zookeeper-3.8.3.jar:3.8.3]      
       at org.apache.zookeeper.ClientCnxn$SendThread.run(ClientCnxn.java:1289) 
~[org.apache.zookeeper-zookeeper-3.8.3.jar:3.8.3]
   2024-08-13T10:45:36,645+0000 [epollEventLoopGroup-164-1] ERROR 
org.apache.zookeeper.ClientCnxnSocketNetty - Unexpected 
throwableio.netty.handler.codec.DecoderException: 
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown  
    
       at 
io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:499)
 ~[io.netty-netty-codec-4.1.100.Final.jar:4.1.100.Final] 
       at 
io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
 ~[io.netty-netty-codec-4.1.100.Final.jar:4.1.100.Final]        
       at 
io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
 ~[io.netty-netty-transport-4.1.100.Final.jar:4.1.100.Final]  `
   
   **Expected behavior**
   The truststore.jks and keystore.jks should also be recreated or refreshed 
with the new certificates
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to