fapifta opened a new pull request, #3930: URL: https://github.com/apache/ozone/pull/3930
## What changes were proposed in this pull request?

In this PR I would like to add a check to the security initialization code that checks if a certificate is about to expire soon, and if yes, then it will remove the certificate materials of the service, re-initialize the certificate client in a state where there are no keys and certificates anymore, and with that force the new instance to get a new certificate as it does during the basic security initialization. This would help to renew certificates with a restart instead of a tedious manual process that involves a restart and removing the files by hand.

For Ozone Manager the code would run when the OM is started with the --init option, as that code is responsible for initializing certificates also when security gets enabled. For DataNode and for Recon it works during regular startup as it does when first enabling security. And it will skip SCM, as SCMs do not have a regular but a CA certificate and that is more complex to clean up when it expires, but at least by default it expires after 5 years compared to the regular certificates with 1 year expiration date.

## What is the link to the Apache JIRA

https://issues.apache.org/jira/browse/HDDS-7453

## How was this patch tested?

JUnit test added to the core functionality, also tested the changes on a regular cluster with certificates that have an expiration date shorter than the renew grace period, and it was renewing certificates fine at every service startup as expected.
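An operator-side check that predicts whether a restart would trigger the renewal described in this pull request, as an added example that is not part of the PR or of Ozone's code. It uses `openssl x509 -checkend` on a constructed self-signed certificate; the function names, file paths and the grace period passed in are assumptions.

```shell
#!/bin/sh
# Added example, not Ozone code. Function names, paths and grace values are assumptions.

# make_sample_cert OUT_PEM VALID_DAYS
# Writes a constructed self-signed certificate (and its key to OUT_PEM.key).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=constructed-service" -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# expires_within CERT_PEM GRACE_DAYS
# 0 = notAfter is inside the grace window, 1 = it is not, 2 = unreadable certificate.
expires_within() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2
    # -checkend exits 0 when the certificate is still valid N seconds from now.
    if openssl x509 -in "$1" -noout -checkend "$(($2 * 86400))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# restart_action COMPONENT CERT_PEM GRACE_DAYS [--init]
# Prints renew, keep, skip or error, following the per-service rules in the PR text.
restart_action() {
    component=$1 cert=$2 grace=$3 flag=${4:-}
    case $component in
        scm) echo skip; return 0 ;;            # CA certificate: the check skips SCM
        om)  [ "$flag" = "--init" ] || { echo keep; return 0; } ;;  # runs only with --init
        datanode|recon) ;;                     # check runs on regular startup
        *)   echo error; return 0 ;;
    esac
    rc=0
    expires_within "$cert" "$grace" || rc=$?
    case $rc in
        0) echo renew ;;   # inside the grace window: materials removed, new cert requested
        1) echo keep ;;    # outside the grace window: existing certificate stays
        *) echo error ;;   # missing or unparsable certificate file
    esac
}

# Usage (paths are placeholders): restart_action datanode /path/to/service-cert.pem 28
```

Running `restart_action` before a maintenance window shows which services would come back with a new certificate, so the change in serial number and expiry date after the restart is expected rather than a surprise in monitoring.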
