> Is this the same ClusterData object stored in zookeeper? Sure, it is unsafe, I have the same concern, so I made this issue.
> Would it make sense to add a pluggable supplier that retrieves and decodes certs? Then, it wouldn't require pulsar code changes for minor nuances in implementation. This is a good idea, but there's a little trouble for users, who need to implement their provider. Thank you for your idea, I will refer to that. Thanks, Zixuan Michael Marshall <mmarsh...@apache.org> 于2023年2月10日周五 14:54写道: > Is this the same ClusterData object stored in zookeeper? If so, it > seems risky to store these certs there because many Pulsar components > access ZK. > > I started work to support retrieving in-memory TLS certificates to the > Java Client's ClientConfiguration object [0] but my priorities > changed, and I wasn't able to get the PR in a good enough place to > complete the feature. It's not the same, but it follows a similar > pattern of having a different way to configure TLS certs. > > Would it make sense to add a pluggable supplier that retrieves and > decodes certs? Then, it wouldn't require pulsar code changes for minor > nuances in implementation. > > Thanks, > Michael > > [0] https://github.com/apache/pulsar/pull/18121 > > On Wed, Feb 8, 2023 at 10:12 PM Zixuan Liu <node...@gmail.com> wrote: > > > > Hi all, > > > > In the ClusterData, we have two types of the key/certificate, one is PEM, > > and one is JKS. > > > > I would like to discuss the bae64-encoded key/certificate in PEM format. > > > > The Pulsar can only load the key/certificate by the file path. When > > configuring the key/certificate, we must copy the key/certificate files > to > > each cluster. Sometimes duplicating certificates is a chore, so I want to > > add base64-encoded format support. > > > > Based-64 encoded: > > ``` > > > brokerClientKeyFilePath="data:application/x-pem-file;base64,BASE64-ENCODED-KEY-FILE-BODY" > > > brokerClientCertificateFilePath="data:application/x-pem-file;base64,BASE64-ENCODED-CERTIFICATE-FILE-BODY" > > > brokerClientTrustCertsFilePath="data:application/x-pem-file;base64,BASE64-ENCODED-TRUST-CERTS-FILE-BODY" > > ``` > > > > File path: > > ``` > > brokerClientKeyFilePath="/path/to/KEY-FILE.pem" > > brokerClientCertificateFilePath="/path/to/CERTIFICATE-FILE.pem" > > brokerClientTrustCertsFilePath="/path/to/TRUST-CERTS-FILE.pem" > > ``` > > > > Please let me know what you think. > > > > Thanks, > > Zixuan >
