Kafka force JKS re-load

I have a Kafka client which uses SSL.

bootstrap.servers=kafka1:9093
security.protocol=SSL
ssl.truststore.location=/var/private/ssl/kafka.client.truststore.jks
ssl.truststore.password=test1234
ssl.keystore.location=/var/private/ssl/kafka.client.keystore.jks
ssl.keystore.password=test1234
ssl.key.password=test1234

Circumstances:
The JKS files are upgraded periodically, because they expire after a while. So the JKS is up to date all the time on the filesystem.

But the Kafka client still uses the old JKS, because it only reads it when the client is created.

An expired JKS doesn't matter if:

  • There is an ongoing session (because the handshake already happened at the beginning of the session)
  • The client is restarted (it will pick up the new JKS and do the handshake)

The issue:

When, in the middle of a session, the Kafka broker goes down and comes back to life, the handshake process starts over again WITHOUT reading the JKS from the file system, causing a handshake error.

This leads to an unreliable KafkaClient if SSL is in place.

What is the solution?
Is there anything like ssl.keystore.forceread=true ?

Answer

While org.apache.kafka.common.network.SslChannelBuilder provides a reconfigure method, it appears to be used only by the Kafka broker code.

In case of clients, it looks like you’d need to restart them, as the ChannelBuilder instance is configured only once, at startup.

Reference (Kafka 2.8):
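Since the answer leaves a client restart as the only way to pick up rotated JKS files, here is an added example (not from the question, the answer, or the Kafka project) of a small wrapper that recreates the KafkaProducer whenever the modification time of either JKS file changes. The property names and file paths are the ones from the question's config; the topic name and the properties-file argument are assumptions.

```java
import java.io.*;
import java.nio.file.*;
import java.nio.file.attribute.FileTime;
import java.util.*;
import org.apache.kafka.clients.producer.KafkaProducer;
import org.apache.kafka.clients.producer.ProducerRecord;
import org.apache.kafka.common.serialization.StringSerializer;

public class ReloadingProducer implements AutoCloseable {
    private final Properties props;
    private final List<Path> jks;        // keystore + truststore paths taken from the config
    private List<FileTime> seen;         // mtimes the current producer was built from
    private KafkaProducer<String, String> producer;
    public ReloadingProducer(Properties props) throws IOException {
        this.props = props;
        this.jks = Arrays.asList(Paths.get(props.getProperty("ssl.keystore.location")),
                                 Paths.get(props.getProperty("ssl.truststore.location")));
        reopen();
    }

    private List<FileTime> mtimes() throws IOException {
        List<FileTime> t = new ArrayList<>();
        for (Path p : jks) t.add(Files.getLastModifiedTime(p));
        return t;
    }

    // Close the old client (flushing pending records) and build a fresh one, so the new SslChannelBuilder reads the JKS files now on disk.
    private synchronized void reopen() throws IOException {
        if (producer != null) producer.close();
        seen = mtimes();
        producer = new KafkaProducer<>(props);
    }

    // Rebuild only when a JKS file was replaced, so a later broker reconnect handshakes with the current certificate, not the one loaded at startup.
    public synchronized void send(ProducerRecord<String, String> record) throws IOException {
        if (!seen.equals(mtimes())) reopen();
        producer.send(record);
    }
    @Override public synchronized void close() { if (producer != null) producer.close(); }

    public static void main(String[] args) throws Exception {
        Properties p = new Properties();
        try (Reader r = new FileReader(args[0])) { p.load(r); }   // the client properties file shown in the question (assumed path)
        p.putIfAbsent("key.serializer", StringSerializer.class.getName());
        p.putIfAbsent("value.serializer", StringSerializer.class.getName());
        try (ReloadingProducer rp = new ReloadingProducer(p)) {
            rp.send(new ProducerRecord<>("test-topic", "key", "value"));   // topic name is an assumption
        }
    }
}
```

The check runs before every send, which is cheap (two stat calls) but means a rotation that happens while no sends occur is only noticed on the next send; a scheduled check thread would close that window. Note that reopen() blocks until in-flight records are flushed by close().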