
Reload kafka TLS listeners automatically when updating the cert

Related to T2544

Test Plan

Running the commands manually on kafka1 made it properly present its new certificate on both ports (checked with openssl s_client -connect -showcerts | openssl x509 -text).

octocatalog-diff on kafka[1-4] and journal0 yields the same results:

*** Running octocatalog-diff on host kafka1.internal.softwareheritage.org
I, [2021-06-14T13:01:47.205782 #136015]  INFO -- : Catalogs compiled for kafka1.internal.softwareheritage.org
I, [2021-06-14T13:01:47.449599 #136015]  INFO -- : Diffs computed for kafka1.internal.softwareheritage.org
diff origin/production/kafka1.internal.softwareheritage.org current/kafka1.internal.softwareheritage.org
*******************************************
+ Exec[kafka-reload-tls:EXTERNAL] =>
   parameters =>
      "command": ["/opt/kafka/bin/kafka-configs.sh", "--bootstrap-server", "kafka1.internal.softwareheritage.org:9092", "--entity-name", "1", "--entity-type", "brokers", "--add-config", "listener.name.EXTERNAL.ssl.keystore.location=/opt/kafka/config/broker.ks", "--alter"]
      "refreshonly": true
*******************************************
+ Exec[kafka-reload-tls:INTERNAL] =>
   parameters =>
      "command": ["/opt/kafka/bin/kafka-configs.sh", "--bootstrap-server", "kafka1.internal.softwareheritage.org:9092", "--entity-name", "1", "--entity-type", "brokers", "--add-config", "listener.name.INTERNAL.ssl.keystore.location=/opt/kafka/config/broker.ks", "--alter"]
      "refreshonly": true
*******************************************
- File[/opt/kafka/config/kafka_broker_jaas.conf]
*******************************************
  Java_ks[kafka:broker] =>
   parameters =>
     notify =>
      + ["Exec[kafka-reload-tls:EXTERNAL]", "Exec[kafka-reload-tls:INTERNAL]"]
*******************************************
*** End octocatalog-diff on kafka1.internal.softwareheritage.org
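As an added example that is not part of this merge request or of the puppet code it changes: a POSIX shell script that automates the check from the test plan, comparing the SHA-256 fingerprint each TLS listener port actually serves against the fingerprint of the PEM certificate the keystore was built from. The PEM path, the host and the port list are assumptions passed as arguments (the page itself only names kafka1 and bootstrap port 9092); `normalize_fingerprint` accepts both the `SHA256 Fingerprint=` output of OpenSSL 1.1 and the lower-case form printed by OpenSSL 3.

```shell
#!/bin/sh
# Added example, not the merge request's own code: verify that every TLS
# listener of a Kafka broker presents the certificate currently deployed,
# e.g. right after the kafka-configs.sh keystore reload has fired.
# Assumptions: the broker certificate is available as a PEM file (argument 2)
# and the listener ports are given explicitly (arguments 3..n).

# Reduce an `openssl x509 -fingerprint -sha256` line such as
#   "SHA256 Fingerprint=AB:CD:..."  (OpenSSL 1.1)   or
#   "sha256 Fingerprint=ab:cd:..."  (OpenSSL 3)
# to a bare upper-case hex string so both versions compare equal.
normalize_fingerprint() {
    printf '%s' "$1" | sed -e 's/^[^=]*=//' -e 's/://g' | tr '[:lower:]' '[:upper:]'
}

# Fingerprint of the certificate a listener actually serves. s_client
# receives the server certificate before any client-auth failure, so this
# works for mTLS listeners too.
served_fingerprint() {
    host=$1
    port=$2
    normalize_fingerprint "$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256)"
}

# Fingerprint of the certificate we expect the broker to present.
expected_fingerprint() {
    normalize_fingerprint "$(openssl x509 -in "$1" -noout -fingerprint -sha256)"
}

# Compare served vs. expected on every port; returns 0 only if all match,
# so the script can be used as a post-reload gate or a monitoring check.
verify_listeners() {
    host=$1
    pem=$2
    shift 2
    want=$(expected_fingerprint "$pem")
    rc=0
    for port in "$@"; do
        got=$(served_fingerprint "$host" "$port")
        if [ "$got" = "$want" ]; then
            echo "OK   $host:$port serves $got"
        else
            echo "FAIL $host:$port serves '$got', expected $want" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: ./check-kafka-tls.sh <broker-host> <broker-cert.pem> <port> [<port>...]
if [ $# -ge 3 ]; then
    verify_listeners "$@"
fi
```

Run it once against each broker after the puppet run; a non-zero exit means at least one listener is still serving the old keystore contents.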

Migrated from D5864 (view on Phabricator)
