Hi Mickael,

Thank you for your feedback.

> - Can you provide the description and default value for the new
> configuration?

Done. I amended the KIP.

> The KIP explicitly mentions brokers, consumer and producers, I assume it
> also covers admin clients (and controllers)?

Correct. I believe both the controllers and admin clients would benefit
from the change since they use the SslFactory.

> The KIP states "To prevent redundant reconfigurations, a quiet period is
> enforced across watched files". How long is this period? Is it configurable?

The period is 30 seconds. My reasoning is that this should be long enough
to allow an agent (such as a k8s Vault sidecar) to complete a few round
trips with a remote server, but not too long. Given that each SslFactory
(broker listener, client) has its own SSL properties, I thought it best to
have this quiet period be consistent across all factories since there will
only be one watcher thread. I chose not to make it configurable (one less
thing to worry about), but I’m happy to change that.

> I'm unsure about the configuration name. Have you considered alternative
> like "ssl.auto.reload" or "ssl.stores.auto.reload"?

Agreed. I changed it to "ssl.auto.reload".

Let me know what you think.

Thanks again,
Moncef

On Wed, Mar 12, 2025 at 11:08 AM Mickael Maison <mickael.mai...@gmail.com>
wrote:

> Hi,
>
> Thanks for the KIP, it seems a useful improvement. I guess this would
> supersede KIP-687.
>
> The KIP is a bit light on details.
> - Can you provide the description and default value for the new
> configuration?
> - The KIP explicitly mentions brokers, consumer and producers, I
> assume it also covers admin clients (and controllers)?
> - The KIP states "To prevent redundant reconfigurations, a quiet
> period is enforced across watched files". How long is this period? Is
> it configurable?
> - I'm unsure about the configuration name. Have you considered
> alternative like "ssl.auto.reload" or "ssl.stores.auto.reload"?
>
> Thanks,
> Mickael
>
> On Thu, Dec 5, 2024 at 6:28 PM Moncef Abboud <moncef.abbou...@gmail.com>
> wrote:
> >
> > Hi Gaurav,
> >
> > Thank you for your reply.
> >
> > There is some overlap between the two. However, while KIP-687 focuses
> > primarily on brokers, this KIP targets consumers and producers, with
> > additional benefits for brokers.
> >
> > Best,
> > Moncef
> >
> > On Thu, Dec 5, 2024, 10:38 AM Gaurav Narula <ka...@gnarula.com> wrote:
> >
> > > Hi Moncef,
> > >
> > > Thank you for the KIP. It seems very similar in spirit to KIP-687
> > > (https://cwiki.apache.org/confluence/display/KAFKA/KIP-687%3A+Automatic+Reloading+of+Security+Store)
> > > which seems like it was approved but never fully implemented. Can you
> > > please confirm if it is the case indeed?
> > >
> > > Regards,
> > > Gaurav
> > >
> > > > On 2 Dec 2024, at 23:12, Moncef Abboud <moncef.abbou...@gmail.com> wrote:
> > > >
> > > > Hi all,
> > > >
> > > > I hope your week is off to a great start.
> > > >
> > > > I created a KIP to add support for SSL hot reloading.
> > > > https://cwiki.apache.org/confluence/x/eIrREw
> > > >
> > > > Thank you for your feedback!
> > > >
> > > >
> > > > Moncef
> > >
> > >
>


-- 
Moncef  ABBOUD
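
The 30-second quiet period discussed in the message above, sketched as an added example that is not part of the thread and is not code from the KIP or from Kafka. The class names, the file paths and the rule that every new change event restarts the quiet period are assumptions made for illustration; time is passed in explicitly so the timeline is reproducible.

```java
import java.nio.file.Path;
import java.util.LinkedHashSet;
import java.util.Set;

// Added illustration; hypothetical names, not code from the KIP or from Kafka.
public class QuietPeriodDemo {

    /** Coalesces change events from all watched store files into one reload. */
    static final class QuietPeriodDebouncer {
        private final long quietPeriodMs;
        private final Set<Path> pending = new LinkedHashSet<>();
        private long lastEventMs;

        QuietPeriodDebouncer(long quietPeriodMs) {
            this.quietPeriodMs = quietPeriodMs;
        }

        // Called by the single watcher thread for every modified store file.
        // Assumption: each new event restarts the quiet period.
        void onFileChanged(Path file, long nowMs) {
            pending.add(file);
            lastEventMs = nowMs;
        }

        // Returns the files to reload once no watched file has changed for a
        // full quiet period; returns an empty set while writes are settling,
        // so a half-written keystore is never loaded.
        Set<Path> poll(long nowMs) {
            if (pending.isEmpty() || nowMs - lastEventMs < quietPeriodMs) {
                return Set.of();
            }
            Set<Path> ready = new LinkedHashSet<>(pending);
            pending.clear();
            return ready;
        }
    }

    public static void main(String[] args) {
        QuietPeriodDebouncer d = new QuietPeriodDebouncer(30_000L); // 30 s, as in the thread
        // Constructed timeline: an agent rewrites two stores over 20 seconds.
        d.onFileChanged(Path.of("/etc/kafka/keystore.p12"), 0L);
        d.onFileChanged(Path.of("/etc/kafka/truststore.p12"), 5_000L);
        d.onFileChanged(Path.of("/etc/kafka/keystore.p12"), 20_000L);
        System.out.println("t=40s -> " + d.poll(40_000L)); // last write was 20 s ago
        System.out.println("t=50s -> " + d.poll(50_000L)); // quiet period elapsed
        System.out.println("t=90s -> " + d.poll(90_000L)); // no new changes
    }
}
```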
