
Added support for dynamic SSL certificate reload for controllers #22688

Open

aschmidt402 wants to merge 1 commit into apache:trunk from aschmidt402:KAFKA-20583

Conversation

@aschmidt402

Implemented dynamic reloading of SSL certificates for the KRaft controller listener via kafka-configs --alter --entity-type controllers. This is done via:

  • Adding a new ConfigResource.Type.CONTROLLER (byte id = 64) to represent controller-specific configuration
  • Persisting controller SSL configs as ConfigRecord entries in the metadata log via the existing IncrementalAlterConfigs RPC
  • Replaying configs on startup and updates through a new ControllerDynamicConfigPublisher that implements Kafka's MetadataPublisher interface
  • Triggering SslFactory.reconfigure() on both sides of the controller's TLS surface

Testing

Unit Tests

  • ConfigurationControlManagerTest.testIncrementalAlterControllerConfigs: validates controller-specific validation (accepts SSL keys with listener prefix, rejects non-SSL keys, rejects non-numeric resource names)
  • DynamicControllerConfigTest: validates dispatch (updates reach all registered listeners, deduplicates identical configs, removeReconfigurable works)

Integration Tests

  • ControllerDynamicSslReloadTest:
    a. Boots isolated KRaft controller with SSL on CONTROLLER listener using keystore A
    b. Reads the baseline cert serial via SSLSocket handshake
    c. Issues IncrementalAlterConfigs against ConfigResource.Type.CONTROLLER pointing at keystore B
    d. Polls new TLS connections until the presented cert serial matches keystore B
    e. Asserts rotation occurred without restart
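The rotation check described in steps b to e, written up here as an added Go example that is not the PR's own (Java) test code: two constructed self-signed certificates stand in for keystores A and B, a loopback TLS listener swaps its certificate through a `GetCertificate` callback (the role `SslFactory.reconfigure()` plays on the controller), and a client reads the serial of the presented leaf certificate and polls fresh connections until it matches. The client trusts only the two known certificates, so a swap to anything else surfaces as a failed handshake rather than a silently accepted rotation; `rotatingListener`, `observedSerial` and the serial values are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"sync/atomic"
	"time"
)

// newCert builds a constructed self-signed certificate with a chosen serial, standing in for keystore A / B.
func newCert(serial int64) *tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "controller"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
}

// rotatingListener swaps its certificate without a restart: GetCertificate runs on every handshake (hypothetical type).
type rotatingListener struct{ cur atomic.Pointer[tls.Certificate] }
func (r *rotatingListener) Reconfigure(c *tls.Certificate) { r.cur.Store(c) }

// Serve wraps a plain listener in TLS and completes each handshake in the background, then drops the connection.
func (r *rotatingListener) Serve(inner net.Listener) net.Listener {
	ln := tls.NewListener(inner, &tls.Config{GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) { return r.cur.Load(), nil }})
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) { c.(*tls.Conn).Handshake(); c.Close() }(c)
		}
	}()
	return ln
}

// observedSerial polls fresh TLS connections until the presented leaf serial equals want (steps b and d); returns the last serial seen.
func observedSerial(addr string, pool *x509.CertPool, want int64, timeout time.Duration) (got int64, ok bool) {
	for deadline := time.Now().Add(timeout); !ok && time.Now().Before(deadline); time.Sleep(20 * time.Millisecond) {
		if conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: pool}); err == nil { // pool decides what is trusted
			got = conn.ConnectionState().PeerCertificates[0].SerialNumber.Int64()
			ok = got == want
			conn.Close()
		}
	}
	return got, ok
}
```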

github-actions bot added the core (Kafka Broker), tools, kraft, clients and triage (PRs from the community) labels on Jun 26, 2026