Is this the same ClusterData object stored in zookeeper? If so, it seems risky to store these certs there because many Pulsar components access ZK.

I started work to support retrieving in-memory TLS certificates to the Java Client's ClientConfiguration object [0] but my priorities changed, and I wasn't able to get the PR in a good enough place to complete the feature. It's not the same, but it follows a similar pattern of having a different way to configure TLS certs.

Would it make sense to add a pluggable supplier that retrieves and decodes certs? Then, it wouldn't require pulsar code changes for minor nuances in implementation.

Thanks,
Michael

[0] https://github.com/apache/pulsar/pull/18121

On Wed, Feb 8, 2023 at 10:12 PM Zixuan Liu <node...@gmail.com> wrote:
>
> Hi all,
>
> In the ClusterData, we have two types of the key/certificate, one is PEM,
> and one is JKS.
>
> I would like to discuss the base64-encoded key/certificate in PEM format.
>
> Pulsar can only load the key/certificate by the file path. When
> configuring the key/certificate, we must copy the key/certificate files to
> each cluster. Sometimes duplicating certificates is a chore, so I want to
> add base64-encoded format support.
>
> Base64-encoded:
> ```
> brokerClientKeyFilePath="data:application/x-pem-file;base64,BASE64-ENCODED-KEY-FILE-BODY"
> brokerClientCertificateFilePath="data:application/x-pem-file;base64,BASE64-ENCODED-CERTIFICATE-FILE-BODY"
> brokerClientTrustCertsFilePath="data:application/x-pem-file;base64,BASE64-ENCODED-TRUST-CERTS-FILE-BODY"
> ```
>
> File path:
> ```
> brokerClientKeyFilePath="/path/to/KEY-FILE.pem"
> brokerClientCertificateFilePath="/path/to/CERTIFICATE-FILE.pem"
> brokerClientTrustCertsFilePath="/path/to/TRUST-CERTS-FILE.pem"
> ```
>
> Please let me know what you think.
>
> Thanks,
> Zixuan
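
A sketch of the kind of resolver discussed in this thread, added here as an example and not taken from the thread or from Pulsar's code base: it accepts either form of the setting, decodes the `data:` form, checks for PEM armor, and produces a redacted form for logs so inline key material is not echoed. The class and method names (`PemSource`, `load`, `redact`) are hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Base64;

// Hypothetical helper, not a Pulsar class: resolves a *FilePath setting that is
// either a filesystem path or a data:application/x-pem-file;base64,... URI.
public class PemSource {
    static final String PREFIX = "data:application/x-pem-file;base64,";

    /** Returns the PEM bytes the setting refers to. */
    static byte[] load(String value) throws IOException {
        byte[] pem;
        if (value.startsWith(PREFIX)) {
            // Strict decoder: throws IllegalArgumentException on non-base64 input.
            pem = Base64.getDecoder().decode(value.substring(PREFIX.length()));
        } else if (value.startsWith("data:")) {
            // Reject other media types or encodings instead of treating them as a path.
            throw new IllegalArgumentException("unsupported data: URI media type or encoding");
        } else {
            pem = Files.readAllBytes(Paths.get(value));
        }
        String text = new String(pem, StandardCharsets.US_ASCII);
        if (!text.contains("-----BEGIN ") || !text.contains("-----END ")) {
            throw new IllegalArgumentException("value does not contain PEM armor");
        }
        return pem;
    }

    /** Form that is safe to log: an inline body is never echoed. */
    static String redact(String value) {
        return value.startsWith("data:") ? "data:<redacted>" : value;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a dummy PEM body, not a real certificate.
        String pem = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n";
        String inline = PREFIX
                + Base64.getEncoder().encodeToString(pem.getBytes(StandardCharsets.US_ASCII));
        byte[] decoded = load(inline);
        System.out.println(new String(decoded, StandardCharsets.US_ASCII).equals(pem));
        System.out.println(redact(inline));
        System.out.println(redact("/path/to/KEY-FILE.pem"));
    }
}
```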