rdkafka-sys: bump librdkafka to 2.14.2 with SSL certificate hot reload#841
Open
ngirish-code wants to merge 1 commit into
Open
rdkafka-sys: bump librdkafka to 2.14.2 with SSL certificate hot reload#841ngirish-code wants to merge 1 commit into
ngirish-code wants to merge 1 commit into
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Repoints the
rdkafka-sys/librdkafkasubmodule to a librdkafka build that addsSSL certificate hot reload, bumping the vendored librdkafka from 2.12.1 → 2.14.2.
This lets a client pick up rotated TLS certificates without being recreated:
librdkafka rebuilds its
SSL_CTXfrom the configuredssl.*.locationfiles andatomically swaps it in for new broker connections.
Why
Long-lived producers/consumers using short-lived (rotated) TLS certs currently
have to be torn down and rebuilt to load renewed certs. The hot-reload path
avoids that disruption.
Changes
.gitmodules— point the submodule at the fork carrying the change and trackits branch.
rdkafka-sys/librdkafka— submodule pinned todcd0847a(librdkafka 2.14.2 +cert hot reload).
rdkafka-sys/Cargo.toml— version metadata4.10.0+2.12.1→4.10.0+2.14.2(kept in sync with the runtime
rd_kafka_version_str(), whichversion_check.rsasserts).Cargo.lock— synced.No Rust binding changes: the reload is driven entirely by a new config property,
so it works through the existing
ClientConfig::set()path.Usage
Only file-based certificate sources are supported (in-memory PEM / engine certs are not reloaded).
Testing
• cargo test -p rdkafka-sys --test version_check passes (reports
librdkafka version: 2.14.2).
• librdkafka.a builds from the vendored source via the default (mklove) build.
Notes / caveats
• The submodule currently tracks a personal fork. Before this is suitable for
a release, the librdkafka change should land upstream and the submodule be
re-pinned to an upstream commit (restoring the canonical URL).
• The bump pulls in the full 2.12.1 → 2.14.2 upstream delta (30 commits), not
just the cert-reload commit. The public header surface is unchanged apart from
the version macro and one new (unbound) rd_kafka_ssl_ctx_reload function, so
existing bindings remain valid.
• librdkafka also exposes an on-demand rd_kafka_ssl_ctx_reload() API; it is
intentionally not surfaced in the Rust API in this PR (polling only).