Galsza opened a new pull request, #4808: URL: https://github.com/apache/ozone/pull/4808
## What changes were proposed in this pull request?

This enables the CertificateClient to read multiple root CA certificates. Also contains changes for another issue: [Prepare TrustManagers to handle multiple root CA certificates](https://issues.apache.org/jira/browse/HDDS-8589).

These changes make it possible to read multiple root CAs from the file system and then add them to the trust managers during initialization.

Even though multiple root CA certificates are present at the same time, the certificates are still returned with a proper trust chain because they are already stored as a certificate path. The exception is the case when a client still uses the old "only the certificate is stored" model; in that case it rebuilds the entire trust chain from the stored certificates. (Which adds a bit of complexity, but it shouldn't cause that many performance issues, because usually we are talking about cert chains with the length of 3 rn)

## What is the link to the Apache JIRA

[Add initialization logic to CertificateClient to handle more than one root ca](https://issues.apache.org/jira/browse/HDDS-8588)

[Prepare trust managers to store more than one root CA](https://issues.apache.org/jira/browse/HDDS-8589)

## How was this patch tested?

Added unit test, and ran on my gitlab fork: https://github.com/Galsza/ozone/actions/runs/5134600741

TestSecureOzoneCluster indirectly tests the certificate chain building part of the code. DefaultCertificateClient#getTrustChain might need additional unit tests, but it's being refactored by Pifta rn, and I'd prefer to keep changes to a minimum for methods that might be affected anyway.

NOTE: this change might be failing on TestSecureOzoneCluster#testOMGrpcServerCertificateRenew, for which the fix is added to master, and it's going to be rebased to that once that change gets merged. Here is the PR for it: https://github.com/apache/ozone/pull/4807

--
This is an automated message from the Apache Git Service.
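The two mechanisms the description mentions, adding several root CAs to one trust manager and rebuilding a trust chain from individually stored certificates, shown as an added Java example. It is not code from the pull request or from Ozone; the class and method names are hypothetical, and the certificates are assumed to be already parsed and passed in by the caller.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.*;

/** Added illustration; names are hypothetical and are not Ozone's own classes. */
public final class MultiRootTrust {
  /** True when cert's signature verifies under issuer's public key. */
  static boolean signedBy(X509Certificate cert, X509Certificate issuer) {
    try {
      cert.verify(issuer.getPublicKey());
      return true;
    } catch (Exception e) {
      return false; // wrong key or malformed signature
    }
  }

  /** Root CA: self-issued, and the signature verifies under its own key. */
  static boolean isRoot(X509Certificate c) {
    return c.getSubjectX500Principal().equals(c.getIssuerX500Principal()) && signedBy(c, c);
  }

  /** Trust manager that accepts chains ending in any of the given roots. */
  static X509TrustManager trustManagerFor(List<X509Certificate> roots) throws Exception {
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    ks.load(null, null); // empty in-memory store
    for (int i = 0; i < roots.size(); i++) {
      if (!isRoot(roots.get(i))) throw new IllegalArgumentException("not a root CA at index " + i);
      ks.setCertificateEntry("rootca-" + i, roots.get(i)); // one alias per root
    }
    TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
    tmf.init(ks);
    return (X509TrustManager) tmf.getTrustManagers()[0];
  }

  /** Rebuilds leaf -> ... -> root from an unordered pool of stored certificates. */
  static List<X509Certificate> buildChain(X509Certificate leaf, List<X509Certificate> pool) {
    List<X509Certificate> chain = new ArrayList<>(List.of(leaf));
    X509Certificate cur = leaf;
    while (!isRoot(cur)) {
      X509Certificate child = cur;
      // With several CAs stored, a subject-name match alone is not enough: check the signature too.
      cur = pool.stream()
          .filter(c -> c.getSubjectX500Principal().equals(child.getIssuerX500Principal())
              && signedBy(child, c) && !chain.contains(c)) // contains() guards against loops
          .findFirst()
          .orElseThrow(() -> new IllegalStateException("no issuer found for " + child.getSubjectX500Principal()));
      chain.add(cur);
    }
    return chain;
  }
}
```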
