Gaurav brings up a good point. However, we can work around that bug by doing polling every 5 or 10 minutes in addition to using WatchService.
best, Colin On Wed, Apr 23, 2025, at 00:39, Gaurav Narula wrote: > Hi Moncef, > > Have you tried experimenting the behaviour of JDK's WatchService with > bind mounts? > > Reading [0], it appears that inotify on linux doesn't emit events for > bind mounts. This may pose a limitation in Kubernetes as that's how > config maps are mounted. > > Another scenario to consider would be symlinks and how WatchService > handles events on them. > > Regards, > Gaurav > > [0]: https://blog.arkey.fr/2019/09/13/watchservice-and-bind-mount/ > > >> On 21 Mar 2025, at 04:40, Moncef Abboud <moncef.abbou...@gmail.com> wrote: >> >> Hi Mickael, >> >> Thank you for your feedback. >> >>> - Can you provide the description and default value for the new >> configuration? >> >> Done. I amended the KIP. >> >>> The KIP explicitly mentions brokers, consumer and producers, I assume it >> also covers admin clients (and controllers)? >> >> Correct. I believe both the controllers and admin clients would benefit >> from the change since they use the SslFactory. >> >>> The KIP states "To prevent redundant reconfigurations, a quiet period is >> enforced across watched files". How long is this period? Is it configurable? >> >> The period is 30 seconds. My reasoning is that this should be long enough >> to allow an agent (such as a k8s Vault sidecar) to complete a few round >> trips with a remote server, but not too long. Given that each SslFactory >> (broker listener, client) has its own SSL properties, I thought it best to >> have this quiet period be consistent across all factories since there will >> only be one watcher thread. I chose not to make it configurable (one less >> thing to worry about), but I’m happy to change that. >> >>> I'm unsure about the configuration name. Have you considered alternative >> like "ssl.auto.reload" or "ssl.stores.auto.reload"? >> Agreed. I changed it to "ssl.auto.reload". >> >> Let me know what you think. >> >> Thanks again, >> Moncef >> >> On Wed, Mar 12, 2025 at 11:08 AM Mickael Maison <mickael.mai...@gmail.com> >> wrote: >> >>> Hi, >>> >>> Thanks for the KIP, it seems a useful improvement. I guess this would >>> supersede KIP-687. >>> >>> The KIP is a bit light on details. >>> - Can you provide the description and default value for the new >>> configuration? >>> - The KIP explicitly mentions brokers, consumer and producers, I >>> assume it also covers admin clients (and controllers)? >>> - The KIP states "To prevent redundant reconfigurations, a quiet >>> period is enforced across watched files". How long is this period? Is >>> it configurable? >>> - I'm unsure about the configuration name. Have you considered >>> alternative like "ssl.auto.reload" or "ssl.stores.auto.reload"? >>> >>> Thanks, >>> Mickael >>> >>> On Thu, Dec 5, 2024 at 6:28 PM Moncef Abboud <moncef.abbou...@gmail.com> >>> wrote: >>>> >>>> Hi Gaurav, >>>> >>>> Thank you for your reply. >>>> >>>> There is some overlap between the two. However, while KIP-687 focuses >>>> primarily on brokers, this KIP targets consumers and producers, with >>>> additional benefits for brokers. >>>> >>>> Best, >>>> Moncef >>>> >>>> On Thu, Dec 5, 2024, 10:38 AM Gaurav Narula <ka...@gnarula.com> wrote: >>>> >>>>> Hi Moncef, >>>>> >>>>> Thank you for the KIP. It seems very similar in spirit to KIP-687 ( >>>>> >>> https://cwiki.apache.org/confluence/display/KAFKA/KIP-687%3A+Automatic+Reloading+of+Security+Store >>> ) >>>>> which seems like it was approved but never fully implemented. Can you >>>>> please confirm if it is the case indeed? >>>>> >>>>> Regards, >>>>> Gaurav >>>>> >>>>>> On 2 Dec 2024, at 23:12, Moncef Abboud <moncef.abbou...@gmail.com> >>>>> wrote: >>>>>> >>>>>> Hi all, >>>>>> >>>>>> I hope your week is off to a great start. >>>>>> >>>>>> I created a KIP to add support for SSL hot reloading. >>>>>> https://cwiki.apache.org/confluence/x/eIrREw >>>>>> >>>>>> Thank you for your feedback! >>>>>> >>>>>> >>>>>> Moncef >>>>> >>>>> >>> >> >> >> -- >> Moncef ABBOUD
