[
https://issues.apache.org/jira/browse/FLINK-37504?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17936883#comment-17936883
]
David Radley commented on FLINK-37504:
--------------------------------------
Hi, I think this should be a FLIP - similar to
[KIP-1119: Add support for SSL hot reload|https://cwiki.apache.org/confluence/display/KAFKA/KIP-1119:+Add+support+for+SSL+hot+reload].
I see there is a seemingly simpler [Kafka
PR|https://github.com/apache/kafka/pull/17987/files] - based on the Spring
approach.
Searching on Google, there appear to be approaches where we check for the
certificate to expire and, prior to expiration, rotate the certificate by
requesting a new one. Would this approach be appropriate? This would avoid
polling all day for something that changes once a day, which seems inefficient.
This approach is similar to the way short-lived bearer tokens are requested with
OIDC.
Understanding the Kubernetes story would be good as well.
> Handle TLS Certificate Renewal
> ------------------------------
>
> Key: FLINK-37504
> URL: https://issues.apache.org/jira/browse/FLINK-37504
> Project: Flink
> Issue Type: Improvement
> Reporter: Nicolas Fraison
> Priority: Minor
> Labels: pull-request-available
>
> Flink does not reload certificates if the underlying truststore and keystore are
> updated.
> We aim at using 1 day validity certificates, which currently means having to
> restart our jobs every day.
> In order to avoid this we will need to add a feature to be able to reload TLS
> certificates when the underlying truststore and keystore are updated.
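As an added example (not part of the Jira thread, and not Flink or Kafka code), the expiry-driven alternative to polling raised in the comment can be expressed as a timer that reads the earliest `notAfter` from the keystore and wakes up a fixed margin before it. The class name, the `margin` and `retry` tunables, and the `onReload` callback are hypothetical.

```java
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Collections;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.function.Consumer;

// Hypothetical helper: reload a keystore shortly before its earliest certificate expires.
public class ExpiryDrivenReloader {
    private final ScheduledExecutorService timer = Executors.newSingleThreadScheduledExecutor();
    private final Path store; private final char[] password;
    private final Duration margin, retry;       // assumed tunables, e.g. 2 hours and 1 minute
    private final Consumer<KeyStore> onReload;  // assumed callback, e.g. rebuild the SSLContext

    ExpiryDrivenReloader(Path store, char[] password, Duration margin, Duration retry, Consumer<KeyStore> onReload) {
        this.store = store; this.password = password; this.margin = margin; this.retry = retry; this.onReload = onReload;
    }

    // Earliest notAfter over all X.509 entries (leaf of each key entry, each trusted certificate).
    static Instant earliestExpiry(KeyStore ks) throws Exception {
        Instant earliest = null;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            Instant notAfter = ((X509Certificate) c).getNotAfter().toInstant();
            if (earliest == null || notAfter.isBefore(earliest)) earliest = notAfter;
        }
        if (earliest == null) throw new IllegalStateException("no X.509 certificate in keystore");
        return earliest;
    }

    // Wake up `margin` before expiry; if that moment is already past, fall back to `retry`.
    static Duration nextDelay(Instant now, Instant notAfter, Duration margin, Duration retry) {
        Duration d = Duration.between(now, notAfter.minus(margin));
        return d.compareTo(retry) < 0 ? retry : d;
    }

    void reloadAndReschedule() {
        Duration delay = retry;
        try {
            KeyStore ks = KeyStore.getInstance(store.toFile(), password); // Java 9+, detects JKS/PKCS12
            Instant expiry = earliestExpiry(ks);
            onReload.accept(ks);
            delay = nextDelay(Instant.now(), expiry, margin, retry);
        } catch (Exception e) {
            System.err.println("keystore reload failed, retrying in " + retry + ": " + e);
        }
        timer.schedule(this::reloadAndReschedule, delay.toMillis(), TimeUnit.MILLISECONDS);
    }
}
```

If the renewed file is not yet on disk at wake-up, the old expiry is read again and the loop retries every `retry` interval, so polling is confined to the margin window before expiry.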