Renew Certs in Strimzi Entity Operator Created Secrets

[dbaarorapr]

We noticed that our entity operator when it creates kafkausers ,the certs in the associated secrets have a 1 years validity

Now after a year when the certs expire ,we have issues as the kafka user cannot connect to the kafka cluster

So ,the pattern we have is real crude and we just delete the secret and after a few minutes ,when entity operator notices that the secret is gone and kafkauser exists ,it goes ahead and re-creates the secret with new certs inside it that have a 1 years new validity

This pattern is not correct and wanted to know how others handle this and looking for a correct way to do this?

The pattern also has a pitfall that sometimes in some rare cases,the entity operator did not even notice the missing secret for many days and hence entity operator pod had to be restarted and all worked fine and it re-created the secret again

Much appreciate all help

[scholzj]

The User operator automatically renews the certificates before the expire. So you need to check your logs to see what is the problem.

[dbaarorapr]

We have had this situation a cope of time s with strimzi 0.19.1 and although we have now upgraded to strimzi 0.26.1 ,but since Certs have still many more months and I cannot confirm if this is going to happen again

is there some flexibility of creating a Kafka user with its Certs validity set to a lesser time than the 1 year default as I can test it better and how do we do that?

[scholzj]

We have had this situation a cope of time s with strimzi 0.19.1 and although we have now upgraded to strimzi 0.26.1 ,but since Certs have still many more months and I cannot confirm if this is going to happen again

TBH, 0.19 is quite old. There might have been some bug fixes since then.

is there some flexibility of creating a Kafka user with its Certs validity set to a lesser time than the 1 year default as I can test it better and how do we do that?

Is your User Operator part of a Strimzi Kafka cluster? Or is it standalone installation? (for exampel used with some other Kafka outside of Kubernetes?) If it is part of the Strimzi Kafka cluster, it is controlled by the validity of the Clients CA (which can be configured in the Kafka CR).