Hi Moncef, Have you tried experimenting the behaviour of JDK's WatchService with bind mounts?
Reading [0], it appears that inotify on linux doesn't emit events for bind mounts. This may pose a limitation in Kubernetes as that's how config maps are mounted. Another scenario to consider would be symlinks and how WatchService handles events on them. Regards, Gaurav [0]: https://blog.arkey.fr/2019/09/13/watchservice-and-bind-mount/ > On 21 Mar 2025, at 04:40, Moncef Abboud <moncef.abbou...@gmail.com> wrote: > > Hi Mickael, > > Thank you for your feedback. > >> - Can you provide the description and default value for the new > configuration? > > Done. I amended the KIP. > >> The KIP explicitly mentions brokers, consumer and producers, I assume it > also covers admin clients (and controllers)? > > Correct. I believe both the controllers and admin clients would benefit > from the change since they use the SslFactory. > >> The KIP states "To prevent redundant reconfigurations, a quiet period is > enforced across watched files". How long is this period? Is it configurable? > > The period is 30 seconds. My reasoning is that this should be long enough > to allow an agent (such as a k8s Vault sidecar) to complete a few round > trips with a remote server, but not too long. Given that each SslFactory > (broker listener, client) has its own SSL properties, I thought it best to > have this quiet period be consistent across all factories since there will > only be one watcher thread. I chose not to make it configurable (one less > thing to worry about), but I’m happy to change that. > >> I'm unsure about the configuration name. Have you considered alternative > like "ssl.auto.reload" or "ssl.stores.auto.reload"? > Agreed. I changed it to "ssl.auto.reload". > > Let me know what you think. > > Thanks again, > Moncef > > On Wed, Mar 12, 2025 at 11:08 AM Mickael Maison <mickael.mai...@gmail.com> > wrote: > >> Hi, >> >> Thanks for the KIP, it seems a useful improvement. I guess this would >> supersede KIP-687. >> >> The KIP is a bit light on details. >> - Can you provide the description and default value for the new >> configuration? >> - The KIP explicitly mentions brokers, consumer and producers, I >> assume it also covers admin clients (and controllers)? >> - The KIP states "To prevent redundant reconfigurations, a quiet >> period is enforced across watched files". How long is this period? Is >> it configurable? >> - I'm unsure about the configuration name. Have you considered >> alternative like "ssl.auto.reload" or "ssl.stores.auto.reload"? >> >> Thanks, >> Mickael >> >> On Thu, Dec 5, 2024 at 6:28 PM Moncef Abboud <moncef.abbou...@gmail.com> >> wrote: >>> >>> Hi Gaurav, >>> >>> Thank you for your reply. >>> >>> There is some overlap between the two. However, while KIP-687 focuses >>> primarily on brokers, this KIP targets consumers and producers, with >>> additional benefits for brokers. >>> >>> Best, >>> Moncef >>> >>> On Thu, Dec 5, 2024, 10:38 AM Gaurav Narula <ka...@gnarula.com> wrote: >>> >>>> Hi Moncef, >>>> >>>> Thank you for the KIP. It seems very similar in spirit to KIP-687 ( >>>> >> https://cwiki.apache.org/confluence/display/KAFKA/KIP-687%3A+Automatic+Reloading+of+Security+Store >> ) >>>> which seems like it was approved but never fully implemented. Can you >>>> please confirm if it is the case indeed? >>>> >>>> Regards, >>>> Gaurav >>>> >>>>> On 2 Dec 2024, at 23:12, Moncef Abboud <moncef.abbou...@gmail.com> >>>> wrote: >>>>> >>>>> Hi all, >>>>> >>>>> I hope your week is off to a great start. >>>>> >>>>> I created a KIP to add support for SSL hot reloading. >>>>> https://cwiki.apache.org/confluence/x/eIrREw >>>>> >>>>> Thank you for your feedback! >>>>> >>>>> >>>>> Moncef >>>> >>>> >> > > > -- > Moncef ABBOUD
