apucher opened a new pull request #8082: URL: https://github.com/apache/pinot/pull/8082
## Description

This is a draft.

Some enterprise scenarios require multiple TLS certs to be served by pinot components. The TLS specification (in Java) limits us to a single certificate per entry point, thus necessitating the creation of dedicated listeners per certificate.

This PR adds listener-specific TLS configuration options. It leverages the existing TLS settings as defaults and enables listener specs to override individual properties, including keystore, truststore, etc.

The PR further contains a number of smaller enhancements and bug fixes to TLS support in pinot.

The PR further adds a dedicated integration test for TLS scenarios that tests the correctness of accepting and rejecting secure connection attempts.

## Upgrade Notes

Does this PR prevent a zero down-time upgrade? (Assume upgrade order: Controller, Broker, Server, Minion)

* [ ] Yes (Please label as **<code>backward-incompat</code>**, and complete the section below on Release Notes)

Does this PR fix a zero-downtime upgrade introduced earlier?

* [ ] Yes (Please label this as **<code>backward-incompat</code>**, and complete the section below on Release Notes)

Does this PR otherwise need attention when creating release notes? Things to consider:

* [X] Yes (Please label this PR as **<code>release-notes</code>** and complete the section on Release Notes)

## Release Notes

Listener specs can now use arbitrary names if they specify a protocol:

> controller.access.protocols=internal,external
> controller.access.protocols.internal.protocol=http
> controller.access.protocols.external.protocol=https

Listener specs can now override TLS settings on a per-property basis:

> controller.tls.keystore.path=./mykeystore.p12
> controller.tls.truststore.path=./mytruststore.p12
> controller.access.protocols.external.tls.keystore.path=./mycustomtruststore.p12

## Documentation
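An added example, not part of the pull request or of Pinot's code: a small Python audit that resolves which TLS settings each listener ends up with under the default-plus-override scheme the description outlines, and flags listeners that stay plaintext. The function names are hypothetical, the sample input is constructed from the property keys in the release notes, and treating a listener name as its protocol when no `.protocol` key is set is an assumption.

```python
# Added illustration of the default-plus-override lookup described in the PR
# text. Not Pinot's implementation; all function names are hypothetical.

# Constructed sample using only the property keys shown in the release notes.
SAMPLE = """
controller.access.protocols=internal,external
controller.access.protocols.internal.protocol=http
controller.access.protocols.external.protocol=https
controller.tls.keystore.path=./mykeystore.p12
controller.tls.truststore.path=./mytruststore.p12
controller.access.protocols.external.tls.keystore.path=./mycustomtruststore.p12
"""

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def strip_prefix(props, prefix):
    """Return the entries under prefix, keyed by the remainder of the key."""
    return {k[len(prefix):]: v for k, v in props.items() if k.startswith(prefix)}

def effective_listeners(props, component="controller"):
    """Resolve protocol and merged TLS settings for every declared listener."""
    base = f"{component}.access.protocols"
    defaults = strip_prefix(props, f"{component}.tls.")
    names = [n.strip() for n in props.get(base, "").split(",") if n.strip()]
    result = {}
    for name in names:
        # Assumption: with no explicit protocol, the listener name is the protocol.
        protocol = props.get(f"{base}.{name}.protocol", name)
        # Component-wide TLS settings first, per-listener overrides on top.
        tls = {**defaults, **strip_prefix(props, f"{base}.{name}.tls.")}
        result[name] = {"protocol": protocol, "tls": tls if protocol == "https" else {}}
    return result

def audit(listeners):
    """List listeners that are plaintext, mis-declared, or lack a keystore."""
    findings = []
    for name, spec in listeners.items():
        if spec["protocol"] not in ("http", "https"):
            findings.append(f"{name}: unknown protocol {spec['protocol']!r}")
        elif spec["protocol"] == "http":
            findings.append(f"{name}: plaintext listener")
        elif "keystore.path" not in spec["tls"]:
            findings.append(f"{name}: https without a keystore")
    return findings
```

On the constructed sample, the `external` listener resolves to the overridden keystore path while inheriting the default truststore, and `internal` is reported as plaintext.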