Sönke, Il giorno gio 1 feb 2024 alle ore 09:26 Sönke Liebau <soenke.lie...@stackable.tech.invalid> ha scritto: > > Hi all, > > we recently ran into issues with ZooKeeper on Kubernetes which caused us to > open [1] after a bit of analysis. > > We are happy to work on opening a PR to improve this behavior here, but I > wanted to start a discussion around what "improve" would look like exactly > before putting any effort into the PR. > > I'll keep this mail light on details - it is hopefully all covered in the > issue.
It is good to also write some details here, sometimes people are lazy to open JIRA, and also it will be easier to add inline questions/answers > > My basic question is: would people be okay with adding a check of the > certificate SAN entries against the hostnames from config? I think that this is good, especially if that can help people deploying ZK in k8s with security enabled. We should remove all the pain points for users. > > We cannot simply replace the existing check [2] of course, that'd run a > high risk of breaking existing setups, obvious options there would be to > either add a config option to replace the hostname check with this check, > or run this check in parallel with the hostname check and if either of them > succeeds allow the connection, but I'm sure there are many other potential > ways of doing this. Yes, we must add some flag, then we introduce it in the next major version, maybe it will become the new default behaviour at some point. Thanks Enrico > > Any thoughts or opinions on this would be very appreciated. > > Best regards, > Sönke > > > [1] https://issues.apache.org/jira/browse/ZOOKEEPER-4790 > [2] > https://github.com/apache/zookeeper/blob/11c07921c15e2fb7692375327b53f26a583b77ca/zookeeper-server/src/main/java/org/apache/zookeeper/common/ZKTrustManager.java#L158
