Handling Cluster CA (default strimzi) and ClientCA (Our own CA) certificates renewals

[seemasanjaisinghani]

Hi Team,

Here is the scenario, how we are using Kafka using strimzi operator:

1. Use Strimzi generated certs for Cluster CA
2. Use Our own certificates for Client CA.
3. We have a KafkaUser created in system.
   After renewing ClusteCA -> Do we need to restrart all pods for zookeeper, brokers and entityoperators?
   After renewing ClienCA -> Do we need to recreate user and then update Kafka CLients connecting from outside with updated new certs?

Documents does suggest this -> 'Client applications must reload the cluster and clients CA certificates that were renewed by the
Cluster Operator.'
What should be the course of action to be followed for renewal in this case.
Help much appreciated.

[scholzj]

When renewing Strimzi' own CAs, the pods are rolled automatically and you do not need to worry about anything. For custom CAs, there are currently some bugs - @tombentley and @ppatierno were looking into it. But right now, you might need to roll the pods manually.

Documents does suggest this -> 'Client applications must reload the cluster and clients CA certificates that were renewed by the
Cluster Operator.'

This is about your clients consuming and producing Kafka messages. How exactly to do it and what is the best way depends really on the applications and cannot be easily answered in general. It depends where they run, how they are configured etc. But in general, yes, you might need to distribute the new certificates to them and restart them etc.

[seemasanjaisinghani]

@scholzj Thank you for your suggestion.