Hi all, we recently ran into issues with ZooKeeper on Kubernetes which caused us to open [1] after a bit of analysis.
We are happy to work on opening a PR to improve this behavior here, but I wanted to start a discussion around what "improve" would look like exactly before putting any effort into the PR. I'll keep this mail light on details - it is hopefully all covered in the issue. My basic question is: would people be okay with adding a check of the certificate SAN entries against the hostnames from config? We cannot simply replace the existing check [2] of course, that'd run a high risk of breaking existing setups, obvious options there would be to either add a config option to replace the hostname check with this check, or run this check in parallel with the hostname check and if either of them succeeds allow the connection, but I'm sure there are many other potential ways of doing this. Any thoughts or opinions on this would be very appreciated. Best regards, Sönke [1] https://issues.apache.org/jira/browse/ZOOKEEPER-4790 [2] https://github.com/apache/zookeeper/blob/11c07921c15e2fb7692375327b53f26a583b77ca/zookeeper-server/src/main/java/org/apache/zookeeper/common/ZKTrustManager.java#L158
