Details
-
Bug
-
Status: Open
-
Major
-
Resolution: Unresolved
-
1.23.2
-
None
-
None
-
EKS Kube 1.27
Description
Running Nifi 1.23 as a containerized cluster on EKS with 'nifi.cluster.protocol.is.secure' set to true. Certificates are provisioned to Nifi keystores using mounted Kube Secrets, periodically copied from secret mount to keystore paths using sidecar container (avoiding NIFI-10425).
Upon certificate expiration and renewal (with nifi.security.autoreload.enabled 'true'), Jetty server detects new certificates and refreshes its SSLContext as expected.
However, cluster heartbeats (and potentially other cluster protocol messages) begin to fail upon certificate expiration due to SSL validation failures. Debugging of heartbeat events shows that nodes are sending heartbeats using an updated SSL context, but cluster SocketProtocolListener and underlying SocketListener continues to use stale SSLContext on an existing ServerSocket.
It may be required for the ServerSocket used by SocketProtocolListener to be closed/recreated in order to refresh the underlying SSLContext, in order to provide the same behaviour nifi.security.autoreload.enabled provides for the HTTPS interface.