ClusterOperator unable to connect to zk and broker when installing/renewing your own CA #5437
Unanswered
FrankWang1108
asked this question in
Q&A
Replies: 1 comment 3 replies
-
I'm not sure this is expected to work. Renewal is something else then replacing one CA with completely different CA. I know @tombentley is working on some improvements for CA handling, maybe he has some ideas how to do it smoothly. |
Beta Was this translation helpful? Give feedback.
3 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
Describe the bug
This happens when we try to install our own CA when the strimzi is running and the strimzi ca is in use. It could also happen when updating the CA.
It happens after uploading new CA and certs into the *-cluster-ca-certs.
Following the renew own CA document, we have both ca.crt and ca-dates.crt in the cluster-ca-certs, and because the keystore and old ca-dates.crt can trust each other, there should still have connection. This is what is expected and the connection between zk and broker are stable because of this.
However the ClusterOperator only uses ca.crt to check for connection between zk and broker. Therefore after uoloading the new CA and certs. The ClusterOperator loses connection to zk and broker, it tries to connect to it multiple times until eventually it will perform a rolling update for zk and broker.
Once the zk updated, it will pickup the new keystore, then it will be able to connect to ClusterOperator again.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
I would expect when the ClusterOperator trying to connect to zk and broker, it will use all .crt files in the cluster-ca-cert to check for connection, instead of just using ca.crt.
I would expect it to stay connected and trigger a rolling update because it sees new certs updates, not because it was unable to connect.
Environment (please complete the following information):
Beta Was this translation helpful? Give feedback.
All reactions