Hi Pulsar community, I want to share some feedback about the current brokerClient certificate implementation and an idea to improve it:

The use case is configuring geo-replication to a remote cluster with TLS enabled, which requires setting brokerClientTlsEnabled to true and configuring brokerClientTrustCertsFilePath when using the createCluster API. But this is hard to maintain, because:

1. Users need to copy and deploy the destination cluster's trusted TLS certificate file to the local cluster for each broker.
2. Users need to make sure the destination cluster's trusted TLS certificate file location is consistent across all brokers.
3. Users need to record and maintain the certificate file path on the brokers; cleaning this location will impact geo-replication.

So, I am wondering whether it is possible to support uploading the TLS certs in the createCluster API, so that the broker can store the destination cluster's trusted TLS certificate in ZooKeeper or BookKeeper, since they are existing data storage systems. When the local cluster needs to connect to the destination cluster, the local cluster's brokers can fetch the trusted TLS certificate from ZooKeeper or BookKeeper and set up the connection to the destination cluster.

More detailed information and some diagrams are in this issue: https://github.com/apache/pulsar/issues/20079

---

Best regards,
Eric Shen
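As an added illustration of the broker-side step the proposal describes (not code from the post or from Pulsar), this hypothetical helper builds the TLS trust context from certificate bytes rather than from brokerClientTrustCertsFilePath; how the bytes are read back from ZooKeeper or BookKeeper is left to the caller, and stdin stands in for the store when run by hand.

```java
import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper, not part of Pulsar: builds a TLS trust context from a PEM bundle
// held as bytes (e.g. read back from the metadata store) instead of from a file path.
public final class RemoteClusterTrust {

    /** Parses and sanity-checks the bundle; also usable once at upload time, before storing it. */
    public static List<X509Certificate> parseBundle(byte[] pemBundle) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> anchors = new ArrayList<>();
        for (Certificate c : cf.generateCertificates(new ByteArrayInputStream(pemBundle))) {
            X509Certificate x = (X509Certificate) c;
            x.checkValidity(); // fail at configuration time, not at the first replication handshake
            anchors.add(x);
        }
        if (anchors.isEmpty()) throw new IllegalArgumentException("trust bundle contains no certificates");
        return anchors;
    }

    /** Trust-only SSLContext (no client key) built from an in-memory key store. */
    public static SSLContext trustContext(List<X509Certificate> anchors) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // empty in-memory store: nothing is written to the broker's filesystem
        for (int i = 0; i < anchors.size(); i++) {
            ks.setCertificateEntry("remote-cluster-ca-" + i, anchors.get(i));
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Stand-alone run: `java RemoteClusterTrust.java < remote-ca.pem`; stdin stands in for the store. */
    public static void main(String[] args) throws Exception {
        List<X509Certificate> anchors = parseBundle(System.in.readAllBytes());
        trustContext(anchors);
        anchors.forEach(c -> System.out.println("trusted " + c.getSubjectX500Principal() + " until " + c.getNotAfter()));
    }
}
```

Whoever can write the metadata node holding the bundle decides which CA the brokers trust, so that path needs the same write protection the certificate file has today.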