Kafka mTLS Client CA Secret Update Not Detected

[vinay-ghate]

We have enabled mTLS using type: custom, as referenced in issue #11052. However, we are encountering an issue during the renewal of the client CA certificate.

When we update the certificate in the custom-truststore secret, the changes are not being reflected in the Kafka cluster. Under normal behavior, updating a secret should trigger a rolling update of the Kafka pods so that the new certificates are picked up. In this case, the pods are not restarting, and the updated configuration is not being applied.

It is worth noting that updating the server/broker custom secret (configured under brokerCertChain) is working as expected, and the pods are rolling correctly in that scenario. The issue appears to be specific to the client CA configuration defined under the secrets: section.

spec:
  kafka:
    listeners:
      - name: tls
        port: 9093
        tls: true
        type: internal
        authentication:
          type: custom
          sasl: false
          listenerConfig:
            ssl.client.auth: required
            ssl.principal.mapping.rules: RULE:^CN=(.*?),(.*)$/CN=$1/
            ssl.truststore.location: /opt/kafka/custom-authn-secrets/custom-listener-tls-9093/custom-truststore/ca.crt
            ssl.truststore.type: PEM
          secrets:
            - key: ca.crt
              secretName: custom-truststore

Could you please advise on the correct approach to ensure that updates to the client CA secret are detected and applied by Kafka? Additionally, is there any recommended workaround or configuration required to trigger a rolling update for such changes?

[scholzj]

Strimzi does not really know what and how you use in the custom API. So we cannot do any reloading. I opened #12537 to maybe add it as a general feature. But for the time being, you have to reload it yourself.

[vinay-ghate]

kubectl annotate strimzipodset <cluster>-kafka strimzi.io/manual-rolling-update=true -n <namespace>

Currently we are refreshing using this method, is there any alternate method?

[scholzj]

No, I think this is a good one.

[vinay-ghate]

How can we configure multiple client CA certificates?

[scholzj]

That depends on what exactly you mean by that I guess.