Unexpected certificate renewal during unplanned operator restarts

[ananthk01]

In my environment, I have the strimzi operator and the kafka brokers and zookeeper pods on one namespace and in another name space we have another service which acts as wrapper for producers and consumers to publish and consume messages. In the wrapper service, we copy over the certificate which is available from strimzi operator setup across name spaces using this command,

kubectl get secret kafka-cluster-ca-cert --namespace=kafka --export -o yaml |  kubectl apply --namespace=default -f -

I have had instances when the certificate has expired and had to manually copy over it to the default cluster using the same command. I have had circumstance when I have tried to start fresh which results in the certificate getting replaced even though the certificate has almost the whole validity period remaining. This causes the wrapper service to have handshake issues as a result causes downtime. For all the services, there is an istio side car that is present which takes care of the security. This brings me to the following questions,

1. Why does the certificate renewal have to happen for valid certificates?
2. Do you have any suggestions on how to avoid this downtime?
3. Is Istio support in the roadmap?

[scholzj]

Why does the certificate renewal have to happen for valid certificates?
Do you have any suggestions on how to avoid this downtime?

The certificate renewal normally happens some time before the expiration. By default 30 days. If that was not your case, it was probably some bug.

What version of Strimzi and Kubernetes are you using? Does the command you are using to copy the secret remove the owner reference? You should make sure the original owner references are removed - this was causing the certificate to be deleted in the past which in result triggered the renewal basically.

Is Istio support in the roadmap?

Not at this point.

[ananthk01]

It wasn't 30 days. Only course of action there would be to recopy the certificate. Yes?

Operator version: 0.20.0
K8S version: 1.19.

AFA the reference goes, looks like that is what was happening. When we remove this reference, we will still have to recopy the certificate in the kafka ns to the default ns because of the difference right?

[scholzj]

The copying of the certificate is ok, but you need to pass it through some filter to remove the owner reference.