KIP-1288 — SSL Hot Reload for Kafka Clients
Discussion SecurityClient
Adds opt-in SSL hot reload to Kafka clients by monitoring keystore and truststore files for changes and automatically reconfiguring the SSL context without restarting the client. Currently, SSL credentials are loaded once at startup and never refreshed, so certificate rotation or expiry requires restarting every client—a significant operational burden in environments using short-lived certificates.
Details
| Author | Skander Soltane |
| Status | Discussion |
| JIRA | KAFKA-10731 |
| Wiki | View on Apache Wiki |
| Created | 2026-02-21 |
| Last Modified | 2026-03-16 |
Explore how this KIP affects the Kafka protocol in the Protocol Explorer, or see the full KIP database.