banzaicloud / koperator

Oh no! Yet another Apache Kafka operator for Kubernetes
Apache License 2.0

Adding a new SSL listener with hostnameOverride does not regenerate certificates #1062

Open david-simon opened 1 year ago

david-simon commented 1 year ago

Description

When a new SSL listener is added where the `hostnameOverride` field contains a new value, the auto-generated certificates are not updated. As a workaround, new certificates can be issued and specified in `serverSSLCertSecret`.

Expected Behavior

Certificates are re-issued with the new hostname added as a Subject Alternative Name.

Actual Behavior

Certificates are not updated and clients connecting to the new hostname get an SSL exception.

Affected Version

0.25.1

Steps to Reproduce

1. `kubectl create -f config/samples/simplekafkacluster_ssl.yaml`
2. Add an external listener to `config/samples/simplekafkacluster_ssl.yaml`:

   ```yaml
   spec:
     listenersConfig:
       externalListeners:
         - type: "ssl"
           name: "external"
           externalStartingPort: 19090
           containerPort: 9094
           accessMethod: LoadBalancer
           hostnameOverride: kafka.local
   ```

3. `kubectl apply -f config/samples/simplekafkacluster_ssl.yaml`
4. Observe that the certificates generated at step 1 are not updated with the new hostname `kafka.local`.

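A check for the failure mode described in this report (a broker certificate whose Subject Alternative Names do not cover a listener's `hostnameOverride`), written as an added example and not koperator's own code. It parses a PEM-encoded server certificate and reports which SSL listener hostnames the certificate does not cover, using the same matching rules a TLS client applies during the handshake. The `externalListener` struct, the `missingSANs` and `selfSignedCert` helpers and the in-cluster service names are assumptions constructed for the example; in a real cluster the PEM would be read from the broker's server certificate secret.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// externalListener is a reduced view of a KafkaCluster external listener:
// only the fields needed for the SAN check are kept (assumption).
type externalListener struct {
	Name             string
	Type             string
	HostnameOverride string
}

// missingSANs parses a PEM-encoded broker certificate and returns the
// hostnameOverride values of SSL listeners that the certificate does not
// cover. A listener in this list will fail the TLS handshake for clients.
func missingSANs(certPEM []byte, listeners []externalListener) ([]string, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	var missing []string
	for _, l := range listeners {
		if l.Type != "ssl" || l.HostnameOverride == "" {
			continue
		}
		// VerifyHostname uses the DNS SANs with client-side matching rules
		// (wildcards included); a CN-only certificate is not accepted.
		if err := cert.VerifyHostname(l.HostnameOverride); err != nil {
			missing = append(missing, l.HostnameOverride)
		}
	}
	return missing, nil
}

// selfSignedCert builds a throwaway certificate carrying the given DNS SANs.
// It stands in for the certificate generated at step 1 (constructed test data).
func selfSignedCert(sans []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "kafka-broker"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     sans,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Certificate as issued before the new listener existed: it only covers
	// the in-cluster service names (constructed values).
	certPEM, err := selfSignedCert([]string{
		"kafka-headless.kafka.svc.cluster.local",
		"*.kafka-headless.kafka.svc.cluster.local",
	})
	if err != nil {
		panic(err)
	}
	listeners := []externalListener{
		{Name: "external", Type: "ssl", HostnameOverride: "kafka.local"},
	}
	missing, err := missingSANs(certPEM, listeners)
	if err != nil {
		panic(err)
	}
	for _, h := range missing {
		fmt.Printf("certificate does not cover listener hostname %q; TLS clients will fail\n", h)
	}
}
```

Running this after step 3 of the reproduction against the certificate still stored in the operator-generated secret would list `kafka.local` as missing; an empty result after a reconcile is the condition to wait for before pointing clients at the new listener.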

david-simon commented 1 year ago

#883 is similar, not sure if the root cause is the same