Related to T2544
Details
- Reviewers: vsellier, ardumont
- Group Reviewers: System administrators
- Maniphest Tasks: T2544: The kafka service doesn't reload when its TLS certificates are renewed
- Commits: rSPSITE41e061876fb2: Reload kafka TLS listeners automatically when updating the cert
Running the commands manually on kafka1 made it properly present its new certificate on both ports (checked with openssl s_client -connect -showcerts | openssl x509 -text).
octocatalog-diff on kafka[1-4] and journal0 yields the same results:
*** Running octocatalog-diff on host kafka1.internal.softwareheritage.org
I, [2021-06-14T13:01:47.205782 #136015] INFO -- : Catalogs compiled for kafka1.internal.softwareheritage.org
I, [2021-06-14T13:01:47.449599 #136015] INFO -- : Diffs computed for kafka1.internal.softwareheritage.org
diff origin/production/kafka1.internal.softwareheritage.org current/kafka1.internal.softwareheritage.org
*******************************************
+ Exec[kafka-reload-tls:EXTERNAL] =>
parameters =>
"command": ["/opt/kafka/bin/kafka-configs.sh", "--bootstrap-server", "kafka1.internal.softwareheritage.org:9092", "--entity-name", "1", "--entity-type", "brokers", "--add-config", "listener.name.EXTERNAL.ssl.keystore.location=/opt/kafka/config/broker.ks", "--alter"]
"refreshonly": true
*******************************************
+ Exec[kafka-reload-tls:INTERNAL] =>
parameters =>
"command": ["/opt/kafka/bin/kafka-configs.sh", "--bootstrap-server", "kafka1.internal.softwareheritage.org:9092", "--entity-name", "1", "--entity-type", "brokers", "--add-config", "listener.name.INTERNAL.ssl.keystore.location=/opt/kafka/config/broker.ks", "--alter"]
"refreshonly": true
*******************************************
- File[/opt/kafka/config/kafka_broker_jaas.conf]
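Review bot: The removal of File[/opt/kafka/config/kafka_broker_jaas.conf] from the catalog is not explained by the revision title or the test plan, which only cover the TLS listener reload. Please confirm that dropping this resource is intended and mention it in the commit message. The catalog diff shown here does not indicate whether anything else now manages that file.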
*******************************************
Java_ks[kafka:broker] =>
parameters =>
notify =>
+ ["Exec[kafka-reload-tls:EXTERNAL]", "Exec[kafka-reload-tls:INTERNAL]"]
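Review bot: A failed reload is never retried, because both Exec[kafka-reload-tls:*] resources are "refreshonly": true and this notify from Java_ks[kafka:broker] is their only trigger. If kafka-configs.sh fails during the run that rewrites the keystore (for instance because kafka1.internal.softwareheritage.org:9092 is unreachable at that moment), the next Puppet run finds the keystore already in sync, sends no refresh, and the broker keeps serving the old certificate. Consider a check that compares the certificate served on the EXTERNAL and INTERNAL listeners with the one in /opt/kafka/config/broker.ks, or an alert on the expiry date of the served certificate, so that a missed reload is noticed before the old certificate expires.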
*******************************************
*** End octocatalog-diff on kafka1.internal.softwareheritage.org
Diff Detail
- Repository: rSPSITE puppet-swh-site
- Lint: Automatic diff as part of commit; lint not applicable.
- Unit: Automatic diff as part of commit; unit tests not applicable.