[Bug]: CertificateExpiredException for certificate (.crt) on strimzi kafka component #12629

Ryanrek007 · 2026-04-13T09:08:57Z

Ryanrek007
Apr 13, 2026

Bug Description

Hi,

We have EXISITING Kafka Cluster within EKS Cluster (AWS, using version: 1.33), installing by using strimzi-kafka-operator Helm Chart (version: 0.45.2) on namespace cdc and cluster name cdc-cluster.

The following are some of the components installed within EKS cluster:

kafka (kind: Kafka)

kafka broker (strimzipodset) 3 replicas
zookeeper (strimzipodset) 3 replicas
entity Operator (deployment), including;
a) topic operator
b) user operator
cruise control (deployment)
kafka-exporter (deployment)

kafka connect (kind: KafkaConnect) (strimzipodset) 3 replicas
kafka topic (kind: KafkaTopic)
kafka connector (kind: KafkaConnector)

for those component, we deploy by applying custom kafka-persistent.yaml.

Chronology

USING Helm chart 0.45.0 Version

First of all, currently, I'm new user for Strimzi-Kafka-operator. Since, I handle it, the legacy strimzi-kafka-operator (called PRD environment later) using version (0.45.0) already got an error and most of the pods are got CrashLoopBackOff (CLBO) error as below:

NAME                                           READY   STATUS             RESTARTS            AGE
alertmanager-alertmanager-0                    2/2     Running            0                   25d
cdc-cluster-cruise-control-cb86cbb77-9nmz2     0/1     CrashLoopBackOff   11248 (40s ago)     25d
cdc-cluster-entity-operator-59d8bd86f6-75tht   1/2     CrashLoopBackOff   7025 (3m49s ago)    25d
cdc-cluster-kafka-0                            1/1     Running            4 (218d ago)        265d
cdc-cluster-kafka-1                            1/1     Running            0                   265d
cdc-cluster-kafka-2                            1/1     Running            0                   265d
cdc-cluster-kafka-exporter-8b6c7d64f-rq6tm     0/1     CrashLoopBackOff   7062 (2m11s ago)    25d
cdc-cluster-zookeeper-1                        1/1     Running            0                   55d
cdc-cluster-zookeeper-2                        1/1     Running            0                   55d
cdc-kafka-connect-cluster-connect-0            0/1     CrashLoopBackOff   30487 (2m37s ago)   111d
cdc-kafka-connect-cluster-connect-1            1/1     Running            0                   115d
cdc-kafka-connect-cluster-connect-2            0/1     CrashLoopBackOff   30490 (48s ago)     111d
grafana-59d46f59fc-rn7pc                       1/1     Running            0                   25d
prometheus-prometheus-0                        2/2     Running            0                   25d
prometheus-prometheus-1                        2/2     Running            0                   25d
strimzi-cluster-operator-76b947897f-bgh99    0/1     CrashLoopBackOff   7561 (4m49s ago)    26d

and then I check the strimzi-cluster-operator logs, it said as below:

2026-04-06 09:47:48 WARN  BlockedThreadChecker: - Thread Thread[vert.x-eventloop-thread-1,5,main] has been blocked for 9560 ms, time limit is 2000 ms                                                                                      io.vertx.core.VertxException: Thread blocked                                                                                                                                                                                                   at java.lang.Object.wait(Native Method) ~[?:?]                                                                                                                                                                                             at java.lang.Thread.join(Thread.java:1313) ~[?:?]                                                                                                                                                                                          at java.lang.Thread.join(Thread.java:1381) ~[?:?]                                                                                                                                                                                          at java.lang.ApplicationShutdownHooks.runHooks(ApplicationShutdownHooks.java:107) ~[?:?]                                                                                                                                                   io.vertx.core.impl.future.FailedFuture.addListener(FailedFuture.java:98) ~[io.vertx.vertx-core-4.5.11.jar:4.5.11]                                                                                                                       at io.vertx.core.impl.future.Composition.onFailure(Composition.java:55) ~[io.vertx.vertx-core-4.5.11.jar:4.5.11]                                                                                                                           at io.vertx.core.impl.future.FutureBase.emitFailure(FutureBase.java:81) ~[io.vertx.vertx-core-4.5.11.jar:4.5.11]                                                                                                                           at io.vertx.core.impl.future.FutureImpl.tryFail(FutureImpl.java:278) ~[io.vertx.vertx-core-4.5.11.jar:4.5.11]                                                                                                                              at io.vertx.core.impl.future.Composition$1.onFailure(Composition.java:66) ~[io.vertx.vertx-core-4.5.11.jar:4.5.11]                                                                                                                         at io.vertx.core.impl.future.FutureBase.emitFailure(FutureBase.java:81) ~[io.vertx.vertx-core-4.5.11.jar:4.5.11]                                                                                                                           at io.vertx.core.impl.future.FailedFuture.addListener(FailedFuture.java:98) ~[io.vertx.vertx-core-4.5.11.jar:4.5.11]                                                                                                                       at io.vertx.core.impl.future.Composition.onFailure(Composition.java:55) ~[io.vertx.vertx-core-4.5.11.jar:4.5.11]                                                                                                                           at io.vertx.core.impl.future.FutureBase.emitFailure(FutureBase.java:81) ~[io.vertx.vertx-core-4.5.11.jar:4.5.11]                                                                                                                           at io.vertx.core.impl.future.FutureImpl.tryFail(FutureImpl.java:278) ~[io.vertx.vertx-core-4.5.11.jar:4.5.11]                                                                                                                         
    at io.vertx.core.impl.future.Composition$1.onFailure(Composition.java:66) ~[io.vertx.vertx-core-4.5.11.jar:4.5.11]                                                                                                                    
    at io.vertx.core.impl.future.FutureBase.emitFailure(FutureBase.java:81) ~[io.vertx.vertx-core-4.5.11.jar:4.5.11]                                                                                                                      
    at io.vertx.core.impl.future.FailedFuture.addListener(FailedFuture.java:98) ~[io.vertx.vertx-core-4.5.11.jar:4.5.11]                                                                                                                  
    at io.vertx.core.impl.future.Composition.onFailure(Composition.java:55) ~[io.vertx.vertx-core-4.5.11.jar:4.5.11]                                                                                                                      
    at io.vertx.core.impl.future.FutureBase.lambda$emitFailure$1(FutureBase.java:75) ~[io.vertx.vertx-core-4.5.11.jar:4.5.11]                                                                                                             
    at io.vertx.core.impl.future.FutureBase$$Lambda$604/0x00007f9b544821f0.run(Unknown Source) ~[?:?]                                                                                                                                     
    at io.netty.util.concurrent.AbstractEventExecutor.runTask(AbstractEventExecutor.java:173) ~[io.netty.netty-common-4.1.115.Final.jar:4.1.115.Final]                                                                                    
    at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:166) ~[io.netty.netty-common-4.1.115.Final.jar:4.1.115.Final]                                                                                
    at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:472) ~[io.netty.netty-common-4.1.115.Final.jar:4.1.115.Final]                                                                        
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:569) ~[io.netty.netty-transport-4.1.115.Final.jar:4.1.115.Final]                                                                                                           
    at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997) ~[io.netty.netty-common-4.1.115.Final.jar:4.1.115.Final]                                                                              
    at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) ~[io.netty.netty-common-4.1.115.Final.jar:4.1.115.Final]                                                                                                 
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) ~[io.netty.netty-common-4.1.115.Final.jar:4.1.115.Final]                                                                                     
    at java.lang.Thread.run(Thread.java:840) ~[?:?]                                                                                                                                                                                       
2026-04-06 09:47:49 ERROR ShutdownHook:73 - Timed out while waiting for Vert.x close                                                                                                                                                      
2026-04-06 09:47:49 INFO  ShutdownHook:79 - Shutdown of Vert.x is complete                                                                                                                                                                
2026-04-06 09:47:49 INFO  ShutdownHook:41 - Shutdown hook completed                                                                                                                                                                       
Stream closed EOF for cdc/strimzi-cluster-operator-76b947897f-bgh99 (strimzi-cluster-operator)

We tried to reproduce it in other environment by using helm chart version (0.45.0) (called STG environment later) for strimzi-kafka-operator, and the error is quietly similar as PRD environment as a above.

STEP 1: Upgrading Helm chart 0.45.2 Version

Thus we tried to upgrade from helm chart version from 0.45.0 -> 0.45.2 that already released 1 month ago (Mar 13, 2026). by using command:

helm upgrade --install --wait --debug --namespace=cdc strimzi-kafka-cluster-operator --version 0.45.2 oci://quay.io/strimzi-helm/strimzi-kafka-operator

we notice that previous team that managed strimzi kafka-operator, created it by using version 0.45.0 since 2024. as a below:

helm history strimzi-kafka-cluster-operator -n cdc
REVISION        UPDATED                         STATUS          CHART                           APP VERSION     DESCRIPTION
1               Tue Dec 17 23:22:59 2024        superseded      strimzi-kafka-operator-0.45.0   0.45.0          Install complete
2               Fri Apr 10 06:53:02 2026        deployed        strimzi-kafka-operator-0.45.2   0.45.2          Upgrade complete

after we upgrade it into version 0.45.2, Both in STG and PRD environment, those error not shown anymore, but for PRD environment, we still face the new error related to Certificate expiration that not automatically renew (I thought due to Strimzi-kafka-operator was got CLBO, since I handled it) then certificate not properly distributed into other kafka component (kafka-broker, zookeeper, etc).

please see selected log for strimzi-kafka-operator (Since 24h) as below:

2026-04-13 06:45:13 INFO  AbstractOperator:401 - Reconciliation #5196(timer) KafkaConnect(cdc/cdc-kafka-connect-cluster): Reconciliation is in progress
2026-04-13 06:45:14 ERROR VertxUtil:134 - Reconciliation #5196(timer) KafkaConnect(cdc/cdc-kafka-connect-cluster): Exceeded timeout of 300000ms while waiting for Pods resource cdc-kafka-connect-cluster-connect-2 in namespace cdc to be ready
2026-04-13 06:45:14 ERROR AbstractOperator:285 - Reconciliation #5196(timer) KafkaConnect(cdc/cdc-kafka-connect-cluster): createOrUpdate failed
io.strimzi.operator.common.TimeoutException: Exceeded timeout of 300000ms while waiting for Pods resource cdc-kafka-connect-cluster-connect-2 in namespace cdc to be ready
	at io.strimzi.operator.cluster.operator.VertxUtil$1.lambda$handle$1(VertxUtil.java:135)
	at io.vertx.core.impl.future.FutureImpl$4.onFailure(FutureImpl.java:188)
	at io.vertx.core.impl.future.FutureBase.lambda$emitFailure$1(FutureBase.java:75)
	at io.netty.util.concurrent.AbstractEventExecutor.runTask(AbstractEventExecutor.java:173)
	at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:166)
	at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:472)
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:569)
	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998)
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.base/java.lang.Thread.run(Thread.java:840)
2026-04-13 06:45:14 WARN  AbstractOperator:566 - Reconciliation #5196(timer) KafkaConnect(cdc/cdc-kafka-connect-cluster): Failed to reconcile
io.strimzi.operator.common.TimeoutException: Exceeded timeout of 300000ms while waiting for Pods resource cdc-kafka-connect-cluster-connect-2 in namespace cdc to be ready
	at io.strimzi.operator.cluster.operator.VertxUtil$1.lambda$handle$1(VertxUtil.java:135)
	at io.vertx.core.impl.future.FutureImpl$4.onFailure(FutureImpl.java:188)
	at io.vertx.core.impl.future.FutureBase.lambda$emitFailure$1(FutureBase.java:75)
	at io.netty.util.concurrent.AbstractEventExecutor.runTask(AbstractEventExecutor.java:173)
	at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:166)
	at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:472)
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:569)
	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998)
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.base/java.lang.Thread.run(Thread.java:840)
2026-04-13 06:45:28 INFO  StrimziPodSetController:349 - Reconciliation #5215(watch) StrimziPodSet(cdc/cdc-kafka-connect-cluster-connect): StrimziPodSet will be reconciled
2026-04-13 06:45:28 INFO  StrimziPodSetController:385 - Reconciliation #5215(watch) StrimziPodSet(cdc/cdc-kafka-connect-cluster-connect): reconciled
2026-04-13 06:45:36 INFO  StrimziPodSetController:349 - Reconciliation #5216(watch) StrimziPodSet(cdc/cdc-kafka-connect-cluster-connect): StrimziPodSet will be reconciled
2026-04-13 06:45:36 INFO  StrimziPodSetController:385 - Reconciliation #5216(watch) StrimziPodSet(cdc/cdc-kafka-connect-cluster-connect): reconciled
2026-04-13 06:45:37 INFO  StrimziPodSetController:349 - Reconciliation #5217(watch) StrimziPodSet(cdc/cdc-kafka-connect-cluster-connect): StrimziPodSet will be reconciled
2026-04-13 06:45:37 INFO  StrimziPodSetController:385 - Reconciliation #5217(watch) StrimziPodSet(cdc/cdc-kafka-connect-cluster-connect): reconciled
2026-04-13 06:46:10 INFO  StrimziPodSetController:349 - Reconciliation #5218(watch) StrimziPodSet(cdc/cdc-kafka-connect-cluster-connect): StrimziPodSet will be reconciled
2026-04-13 06:46:10 INFO  StrimziPodSetController:385 - Reconciliation #5218(watch) StrimziPodSet(cdc/cdc-kafka-connect-cluster-connect): reconciled
2026-04-13 06:46:13 INFO  ClusterOperator:140 - Triggering periodic reconciliation for namespace cdc
2026-04-13 06:46:13 INFO  AbstractOperator:266 - Reconciliation #5219(timer) Kafka(cdc/cdc-cluster): Kafka cdc-cluster will be checked for creation or modification
2026-04-13 06:46:13 WARN  KafkaAssemblyOperator:259 - Reconciliation #5219(timer) Kafka(cdc/cdc-cluster): Support for ZooKeeper-based Apache Kafka clusters will be removed in the next Strimzi release (0.46.0). Please migrate to KRaft.
2026-04-13 06:46:14 INFO  AbstractOperator:266 - Reconciliation #5220(timer) KafkaConnect(cdc/cdc-kafka-connect-cluster): KafkaConnect cdc-kafka-connect-cluster will be checked for creation or modification
2026-04-13 06:46:15 INFO  PvcReconciler:137 - Reconciliation #5219(timer) Kafka(cdc/cdc-cluster): Resizing PVC data-0-cdc-cluster-kafka-0 from 400 to 300Gi.
2026-04-13 06:46:16 INFO  PvcReconciler:137 - Reconciliation #5219(timer) Kafka(cdc/cdc-cluster): Resizing PVC data-0-cdc-cluster-kafka-1 from 400 to 300Gi.
2026-04-13 06:46:16 INFO  PvcReconciler:137 - Reconciliation #5219(timer) Kafka(cdc/cdc-cluster): Resizing PVC data-0-cdc-cluster-kafka-2 from 400 to 300Gi.
2026-04-13 06:46:16 ERROR AbstractOperator:285 - Reconciliation #5219(timer) Kafka(cdc/cdc-cluster): createOrUpdate failed
io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: PATCH at: https://172.20.0.1:443/api/v1/namespaces/cdc/persistentvolumeclaims/data-0-cdc-cluster-kafka-0. Message: PersistentVolumeClaim "data-0-cdc-cluster-kafka-0" is invalid: spec.resources.requests.storage: Forbidden: field can not be less than status.capacity. Received status: Status(apiVersion=v1, code=422, details=StatusDetails(causes=[StatusCause(field=spec.resources.requests.storage, message=Forbidden: field can not be less than status.capacity, reason=FieldValueForbidden, additionalProperties={})], group=null, kind=PersistentVolumeClaim, name=data-0-cdc-cluster-kafka-0, retryAfterSeconds=null, uid=null, additionalProperties={}), kind=Status, message=PersistentVolumeClaim "data-0-cdc-cluster-kafka-0" is invalid: spec.resources.requests.storage: Forbidden: field can not be less than status.capacity, metadata=ListMeta(_continue=null, remainingItemCount=null, resourceVersion=null, selfLink=null, additionalProperties={}), reason=Invalid, status=Failure, additionalProperties={}).
	at io.fabric8.kubernetes.client.KubernetesClientException.copyAsCause(KubernetesClientException.java:205)
	at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.waitForResult(OperationSupport.java:507)
	at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.handleResponse(OperationSupport.java:524)
	at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.handlePatch(OperationSupport.java:419)
	at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.handlePatch(OperationSupport.java:397)
	at io.fabric8.kubernetes.client.dsl.internal.BaseOperation.handlePatch(BaseOperation.java:764)
	at io.fabric8.kubernetes.client.dsl.internal.HasMetadataOperation.lambda$patch$2(HasMetadataOperation.java:231)
	at io.fabric8.kubernetes.client.dsl.internal.HasMetadataOperation.patch(HasMetadataOperation.java:236)
	at io.fabric8.kubernetes.client.dsl.internal.HasMetadataOperation.patch(HasMetadataOperation.java:261)
	at io.fabric8.kubernetes.client.dsl.internal.HasMetadataOperation.patch(HasMetadataOperation.java:44)
	at io.strimzi.operator.cluster.operator.resource.kubernetes.AbstractNamespacedResourceOperator.patchOrReplace(AbstractNamespacedResourceOperator.java:259)
	at io.strimzi.operator.cluster.operator.resource.kubernetes.AbstractNamespacedResourceOperator.internalUpdate(AbstractNamespacedResourceOperator.java:235)
	at io.strimzi.operator.cluster.operator.resource.kubernetes.PvcOperator.internalUpdate(PvcOperator.java:83)
	at io.strimzi.operator.cluster.operator.resource.kubernetes.PvcOperator.internalUpdate(PvcOperator.java:23)
	at io.strimzi.operator.cluster.operator.resource.kubernetes.AbstractNamespacedResourceOperator.lambda$reconcile$0(AbstractNamespacedResourceOperator.java:105)
	at io.vertx.core.impl.future.Composition.onSuccess(Composition.java:38)
	at io.vertx.core.impl.future.FutureBase.lambda$emitSuccess$0(FutureBase.java:60)
	at io.netty.util.concurrent.AbstractEventExecutor.runTask(AbstractEventExecutor.java:173)
	at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:166)
	at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:472)
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:569)
	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998)
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: PATCH at: https://172.20.0.1:443/api/v1/namespaces/cdc/persistentvolumeclaims/data-0-cdc-cluster-kafka-0. Message: PersistentVolumeClaim "data-0-cdc-cluster-kafka-0" is invalid: spec.resources.requests.storage: Forbidden: field can not be less than status.capacity. Received status: Status(apiVersion=v1, code=422, details=StatusDetails(causes=[StatusCause(field=spec.resources.requests.storage, message=Forbidden: field can not be less than status.capacity, reason=FieldValueForbidden, additionalProperties={})], group=null, kind=PersistentVolumeClaim, name=data-0-cdc-cluster-kafka-0, retryAfterSeconds=null, uid=null, additionalProperties={}), kind=Status, message=PersistentVolumeClaim "data-0-cdc-cluster-kafka-0" is invalid: spec.resources.requests.storage: Forbidden: field can not be less than status.capacity, metadata=ListMeta(_continue=null, remainingItemCount=null, resourceVersion=null, selfLink=null, additionalProperties={}), reason=Invalid, status=Failure, additionalProperties={}).
	at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.requestFailure(OperationSupport.java:642)
	at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.requestFailure(OperationSupport.java:622)
	at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.assertResponseCode(OperationSupport.java:582)
	at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.lambda$handleResponse$0(OperationSupport.java:549)
	at java.base/java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:646)
	at java.base/java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:510)
	at java.base/java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:2147)
	at io.fabric8.kubernetes.client.http.StandardHttpClient.lambda$completeOrCancel$10(StandardHttpClient.java:141)
	at java.base/java.util.concurrent.CompletableFuture.uniWhenComplete(CompletableFuture.java:863)
	at java.base/java.util.concurrent.CompletableFuture$UniWhenComplete.tryFire(CompletableFuture.java:841)
	at java.base/java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:510)
	at java.base/java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:2147)
	at io.fabric8.kubernetes.client.utils.AsyncUtils.lambda$retryWithExponentialBackoff$3(AsyncUtils.java:91)
	at java.base/java.util.concurrent.CompletableFuture.uniWhenComplete(CompletableFuture.java:863)
	at java.base/java.util.concurrent.CompletableFuture$UniWhenComplete.tryFire(CompletableFuture.java:841)
	at java.base/java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:510)
	at java.base/java.util.concurrent.CompletableFuture.postFire(CompletableFuture.java:614)
	at java.base/java.util.concurrent.CompletableFuture$UniWhenComplete.tryFire(CompletableFuture.java:844)
	at java.base/java.util.concurrent.CompletableFuture$Completion.run(CompletableFuture.java:482)
	... 1 more
2026-04-13 06:46:16 WARN  AbstractOperator:566 - Reconciliation #5219(timer) Kafka(cdc/cdc-cluster): Failed to reconcile
io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: PATCH at: https://172.20.0.1:443/api/v1/namespaces/cdc/persistentvolumeclaims/data-0-cdc-cluster-kafka-0. Message: PersistentVolumeClaim "data-0-cdc-cluster-kafka-0" is invalid: spec.resources.requests.storage: Forbidden: field can not be less than status.capacity. Received status: Status(apiVersion=v1, code=422, details=StatusDetails(causes=[StatusCause(field=spec.resources.requests.storage, message=Forbidden: field can not be less than status.capacity, reason=FieldValueForbidden, additionalProperties={})], group=null, kind=PersistentVolumeClaim, name=data-0-cdc-cluster-kafka-0, retryAfterSeconds=null, uid=null, additionalProperties={}), kind=Status, message=PersistentVolumeClaim "data-0-cdc-cluster-kafka-0" is invalid: spec.resources.requests.storage: Forbidden: field can not be less than status.capacity, metadata=ListMeta(_continue=null, remainingItemCount=null, resourceVersion=null, selfLink=null, additionalProperties={}), reason=Invalid, status=Failure, additionalProperties={}).
	at io.fabric8.kubernetes.client.KubernetesClientException.copyAsCause(KubernetesClientException.java:205)
	at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.waitForResult(OperationSupport.java:507)
	at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.handleResponse(OperationSupport.java:524)
	at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.handlePatch(OperationSupport.java:419)
	at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.handlePatch(OperationSupport.java:397)
	at io.fabric8.kubernetes.client.dsl.internal.BaseOperation.handlePatch(BaseOperation.java:764)
	at io.fabric8.kubernetes.client.dsl.internal.HasMetadataOperation.lambda$patch$2(HasMetadataOperation.java:231)
	at io.fabric8.kubernetes.client.dsl.internal.HasMetadataOperation.patch(HasMetadataOperation.java:236)
	at io.fabric8.kubernetes.client.dsl.internal.HasMetadataOperation.patch(HasMetadataOperation.java:261)
	at io.fabric8.kubernetes.client.dsl.internal.HasMetadataOperation.patch(HasMetadataOperation.java:44)
	at io.strimzi.operator.cluster.operator.resource.kubernetes.AbstractNamespacedResourceOperator.patchOrReplace(AbstractNamespacedResourceOperator.java:259)
	at io.strimzi.operator.cluster.operator.resource.kubernetes.AbstractNamespacedResourceOperator.internalUpdate(AbstractNamespacedResourceOperator.java:235)
	at io.strimzi.operator.cluster.operator.resource.kubernetes.PvcOperator.internalUpdate(PvcOperator.java:83)
	at io.strimzi.operator.cluster.operator.resource.kubernetes.PvcOperator.internalUpdate(PvcOperator.java:23)
	at io.strimzi.operator.cluster.operator.resource.kubernetes.AbstractNamespacedResourceOperator.lambda$reconcile$0(AbstractNamespacedResourceOperator.java:105)
	at io.vertx.core.impl.future.Composition.onSuccess(Composition.java:38)
	at io.vertx.core.impl.future.FutureBase.lambda$emitSuccess$0(FutureBase.java:60)
	at io.netty.util.concurrent.AbstractEventExecutor.runTask(AbstractEventExecutor.java:173)
	at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:166)
	at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:472)
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:569)
	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998)
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.base/java.lang.Thread.run(Thread.java:840)
2026-04-13 06:46:20 INFO  StrimziPodSetController:349 - Reconciliation #5221(watch) StrimziPodSet(cdc/cdc-kafka-connect-cluster-connect): StrimziPodSet will be reconciled
2026-04-13 06:46:20 INFO  StrimziPodSetController:385 - Reconciliation #5221(watch) StrimziPodSet(cdc/cdc-kafka-connect-cluster-connect): reconciled
2026-04-13 06:46:23 INFO  StrimziPodSetController:349 - Reconciliation #5222(watch) StrimziPodSet(cdc/cdc-cluster-kafka): StrimziPodSet will be reconciled
2026-04-13 06:46:23 INFO  StrimziPodSetController:385 - Reconciliation #5222(watch) StrimziPodSet(cdc/cdc-cluster-kafka): reconciled
2026-04-13 06:46:26 INFO  StrimziPodSetController:349 - Reconciliation #5223(watch) StrimziPodSet(cdc/cdc-cluster-kafka): StrimziPodSet will be reconciled
2026-04-13 06:46:26 INFO  StrimziPodSetController:385 - Reconciliation #5223(watch) StrimziPodSet(cdc/cdc-cluster-kafka): reconciled
2026-04-13 06:46:26 INFO  StrimziPodSetController:349 - Reconciliation #5224(watch) StrimziPodSet(cdc/cdc-kafka-connect-cluster-connect): StrimziPodSet will be reconciled
2026-04-13 06:46:26 INFO  StrimziPodSetController:385 - Reconciliation #5224(watch) StrimziPodSet(cdc/cdc-kafka-connect-cluster-connect): reconciled
2026-04-13 06:47:06 INFO  StrimziPodSetController:349 - Reconciliation #5225(watch) StrimziPodSet(cdc/cdc-cluster-kafka): StrimziPodSet will be reconciled
2026-04-13 06:47:06 INFO  StrimziPodSetController:385 - Reconciliation #5225(watch) StrimziPodSet(cdc/cdc-cluster-kafka): reconciled
2026-04-13 06:47:06 INFO  StrimziPodSetController:349 - Reconciliation #5226(watch) StrimziPodSet(cdc/cdc-kafka-connect-cluster-connect): StrimziPodSet will be reconciled
2026-04-13 06:47:06 INFO  StrimziPodSetController:385 - Reconciliation #5226(watch) StrimziPodSet(cdc/cdc-kafka-connect-cluster-connect): reconciled
2026-04-13 06:47:06 INFO  StrimziPodSetController:349 - Reconciliation #5227(watch) StrimziPodSet(cdc/cdc-cluster-zookeeper): StrimziPodSet will be reconciled
2026-04-13 06:47:06 INFO  StrimziPodSetController:385 - Reconciliation #5227(watch) StrimziPodSet(cdc/cdc-cluster-zookeeper): reconciled
2026-04-13 06:47:07 INFO  StrimziPodSetController:349 - Reconciliation #5228(watch) StrimziPodSet(cdc/cdc-kafka-connect-cluster-connect): StrimziPodSet will be reconciled
2026-04-13 06:47:07 INFO  StrimziPodSetController:385 - Reconciliation #5228(watch) StrimziPodSet(cdc/cdc-kafka-connect-cluster-connect): reconciled
2026-04-13 06:47:07 INFO  StrimziPodSetController:349 - Reconciliation #5229(watch) StrimziPodSet(cdc/cdc-kafka-connect-cluster-connect): StrimziPodSet will be reconciled
2026-04-13 06:47:07 INFO  StrimziPodSetController:385 - Reconciliation #5229(watch) StrimziPodSet(cdc/cdc-kafka-connect-cluster-connect): reconciled
2026-04-13 06:47:07 INFO  StrimziPodSetController:349 - Reconciliation #5230(watch) StrimziPodSet(cdc/cdc-cluster-kafka): StrimziPodSet will be reconciled
2026-04-13 06:47:07 INFO  StrimziPodSetController:385 - Reconciliation #5230(watch) StrimziPodSet(cdc/cdc-cluster-kafka): reconciled
2026-04-13 06:47:07 INFO  StrimziPodSetController:349 - Reconciliation #5231(watch) StrimziPodSet(cdc/cdc-cluster-zookeeper): StrimziPodSet will be reconciled
2026-04-13 06:47:07 INFO  StrimziPodSetController:385 - Reconciliation #5231(watch) StrimziPodSet(cdc/cdc-cluster-zookeeper): reconciled
2026-04-13 06:47:13 INFO  AbstractOperator:401 - Reconciliation #5220(timer) KafkaConnect(cdc/cdc-kafka-connect-cluster): Reconciliation is in progress
2026-04-13 06:48:13 INFO  ClusterOperator:140 - Triggering periodic reconciliation for namespace cdc
2026-04-13 06:48:13 INFO  AbstractOperator:401 - Reconciliation #5220(timer) KafkaConnect(cdc/cdc-kafka-connect-cluster): Reconciliation is in progress
2026-04-13 06:48:14 INFO  AbstractOperator:266 - Reconciliation #5232(timer) Kafka(cdc/cdc-cluster): Kafka cdc-cluster will be checked for creation or modification
2026-04-13 06:48:14 WARN  KafkaAssemblyOperator:259 - Reconciliation #5232(timer) Kafka(cdc/cdc-cluster): Support for ZooKeeper-based Apache Kafka clusters will be removed in the next Strimzi release (0.46.0). Please migrate to KRaft.
2026-04-13 06:48:15 INFO  PvcReconciler:137 - Reconciliation #5232(timer) Kafka(cdc/cdc-cluster): Resizing PVC data-0-cdc-cluster-kafka-0 from 400 to 300Gi.
2026-04-13 06:48:15 INFO  PvcReconciler:137 - Reconciliation #5232(timer) Kafka(cdc/cdc-cluster): Resizing PVC data-0-cdc-cluster-kafka-1 from 400 to 300Gi.
2026-04-13 06:48:15 INFO  PvcReconciler:137 - Reconciliation #5232(timer) Kafka(cdc/cdc-cluster): Resizing PVC data-0-cdc-cluster-kafka-2 from 400 to 300Gi.
2026-04-13 06:48:15 ERROR AbstractOperator:285 - Reconciliation #5232(timer) Kafka(cdc/cdc-cluster): createOrUpdate failed
io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: PATCH at: https://172.20.0.1:443/api/v1/namespaces/cdc/persistentvolumeclaims/data-0-cdc-cluster-kafka-0. Message: PersistentVolumeClaim "data-0-cdc-cluster-kafka-0" is invalid: spec.resources.requests.storage: Forbidden: field can not be less than status.capacity. Received status: Status(apiVersion=v1, code=422, details=StatusDetails(causes=[StatusCause(field=spec.resources.requests.storage, message=Forbidden: field can not be less than status.capacity, reason=FieldValueForbidden, additionalProperties={})], group=null, kind=PersistentVolumeClaim, name=data-0-cdc-cluster-kafka-0, retryAfterSeconds=null, uid=null, additionalProperties={}), kind=Status, message=PersistentVolumeClaim "data-0-cdc-cluster-kafka-0" is invalid: spec.resources.requests.storage: Forbidden: field can not be less than status.capacity, metadata=ListMeta(_continue=null, remainingItemCount=null, resourceVersion=null, selfLink=null, additionalProperties={}), reason=Invalid, status=Failure, additionalProperties={}).
	at io.fabric8.kubernetes.client.KubernetesClientException.copyAsCause(KubernetesClientException.java:205)
	at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.waitForResult(OperationSupport.java:507)
	at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.handleResponse(OperationSupport.java:524)
	at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.handlePatch(OperationSupport.java:419)
	at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.handlePatch(OperationSupport.java:397)
	at io.fabric8.kubernetes.client.dsl.internal.BaseOperation.handlePatch(BaseOperation.java:764)
	at io.fabric8.kubernetes.client.dsl.internal.HasMetadataOperation.lambda$patch$2(HasMetadataOperation.java:231)
	at io.fabric8.kubernetes.client.dsl.internal.HasMetadataOperation.patch(HasMetadataOperation.java:236)
	at io.fabric8.kubernetes.client.dsl.internal.HasMetadataOperation.patch(HasMetadataOperation.java:261)
	at io.fabric8.kubernetes.client.dsl.internal.HasMetadataOperation.patch(HasMetadataOperation.java:44)
	at io.strimzi.operator.cluster.operator.resource.kubernetes.AbstractNamespacedResourceOperator.patchOrReplace(AbstractNamespacedResourceOperator.java:259)
	at io.strimzi.operator.cluster.operator.resource.kubernetes.AbstractNamespacedResourceOperator.internalUpdate(AbstractNamespacedResourceOperator.java:235)
	at io.strimzi.operator.cluster.operator.resource.kubernetes.PvcOperator.internalUpdate(PvcOperator.java:83)
	at io.strimzi.operator.cluster.operator.resource.kubernetes.PvcOperator.internalUpdate(PvcOperator.java:23)
	at io.strimzi.operator.cluster.operator.resource.kubernetes.AbstractNamespacedResourceOperator.lambda$reconcile$0(AbstractNamespacedResourceOperator.java:105)
	at io.vertx.core.impl.future.Composition.onSuccess(Composition.java:38)
	at io.vertx.core.impl.future.FutureBase.lambda$emitSuccess$0(FutureBase.java:60)
	at io.netty.util.concurrent.AbstractEventExecutor.runTask(AbstractEventExecutor.java:173)
	at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:166)
	at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:472)
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:569)
	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998)
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.base/java.lang.Thread.run(Thread.java:840)

based on error above, we notice that:
1. KafkaConnect(cdc/cdc-kafka-connect-cluster): Failed to reconcile --> it might be the kafka-connect are on CLBO error ?
2. Operator detected that current PVC tried to resizing from 400 into 300GB for kafka-broker
even though, we have upgraded strimzi-cluster-operator into 0.45.2, the rest of pods component still has error pod log as below:

ubuntu@da-dataops-prd-bastion:~$ kubectl get pod  -n cdc
NAME                                           READY   STATUS             RESTARTS         AGE
alertmanager-alertmanager-0                    2/2     Running            0                4h51m
cdc-cluster-cruise-control-cb86cbb77-b6m5z     0/1     CrashLoopBackOff   93 (3m2s ago)    4h51m
cdc-cluster-entity-operator-59d8bd86f6-m6c7m   1/2     CrashLoopBackOff   60 (4m24s ago)   4h51m
cdc-cluster-kafka-0                            1/1     Running            0                270d
cdc-cluster-kafka-1                            1/1     Running            0                270d
cdc-cluster-kafka-2                            1/1     Running            0                270d
cdc-cluster-kafka-exporter-8b6c7d64f-dxld4     0/1     CrashLoopBackOff   61 (47s ago)     4h51m
cdc-cluster-zookeeper-0                        1/1     Running            0                3h54m
cdc-cluster-zookeeper-1                        1/1     Running            0                3h53m
cdc-cluster-zookeeper-2                        1/1     Running            0                3h54m
cdc-kafka-connect-cluster-connect-0            0/1     CrashLoopBackOff   46 (60s ago)     3h37m
cdc-kafka-connect-cluster-connect-1            1/1     Running            0                120d
cdc-kafka-connect-cluster-connect-2            0/1     CrashLoopBackOff   49 (2m11s ago)   3h54m
grafana-59d46f59fc-sk62h                       1/1     Running            0                4h51m
prometheus-prometheus-0                        2/2     Running            0                4h51m
prometheus-prometheus-1                        2/2     Running            0                4h51m
strimzi-cluster-operator-74c4684778-9kcn7      1/1     Running            0                26h

STEP 2: Trying to ANNOTATE force-renew Cluster Operator-managed CA certificates

in current, zookeeper pod, we notice that we still got an error as below:

2026-04-09 10:14:11,699 INFO Processing ruok command from /127.0.0.1:57752 (org.apache.zookeeper.server.NettyServerCnxn) [nioEventLoopGroup-4-3]                                          
2026-04-09 10:14:12,991 ERROR Unsuccessful handshake with session 0x0 (org.apache.zookeeper.server.NettyServerCnxnFactory) [nioEventLoopGroup-7-9]                                        
2026-04-09 10:14:12,991 WARN Exception caught (org.apache.zookeeper.server.NettyServerCnxnFactory) [nioEventLoopGroup-7-9]                                                                
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed           
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:500)                                                                                              
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)                                                                                             
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)                                                                           
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)                                                                           
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)                                                                             
    at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1407)                                                                                  
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)                                                                           
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)                                                                           
    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:918)                                                                                           
    at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)                                                                                    
    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788)                                                                                                        
    at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:724)                                                                                              
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:650)                                                                                                       
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562)                                                                                                                       
    at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:994)                                                                                       
    at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)                                                                                                          
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)                                                                                              
    at java.base/java.lang.Thread.run(Thread.java:840)                                                                                                                                    
                                                                                                                                                                         
Caused by: java.security.cert.CertPathValidatorException: validity check failed                                                                                                           
    at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)                                                                
    at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:224)                                                                            
    at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:144)                                                                            
    at java.base/sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:83)                                                                       
    at java.base/java.security.cert.CertPathValidator.validate(CertPathValidator.java:309)                                                                                                
    at java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:364)                                                                                                  
    ... 37 more                                                                                                                                                                           
Caused by: java.security.cert.CertificateExpiredException: NotAfter: Wed Dec 17 23:30:03 GMT 2025                                                                                         
    at java.base/sun.security.x509.CertificateValidity.valid(CertificateValidity.java:277)                                                                                                
    at java.base/sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:621)                                                                                                      
    at java.base/sun.security.provider.certpath.BasicChecker.verifyValidity(BasicChecker.java:190)                                                                                        
    at java.base/sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:144)                                                                                                 
    at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)                                                                
    ... 42 more

seems, one of certificate strimzi was expired since Dec 17 23:30:03 GMT 2025 and not created automatically due to strimzi operator CLBO error before.
then, based on official docs (0.45.2): https://strimzi.io/docs/operators/0.45.2/deploying.html#proc-recovering-expired-ca-certs-str, we tried to renew the ca-certificate for cluster operator, by using kubectl annotate command as below:

kubectl annotate secret cdc-cluster-cluster-ca-cert -n cdc strimzi.io/force-renew="true"
kubectl annotate secret cdc-cluster-clients-ca-cert -n cdc strimzi.io/force-renew="true"

in this state, both on cdc-cluster-clients-ca-cert and cdc-cluster-cluster-ca-cert already renewed. As below:

kubectl get secret cdc-cluster-cluster-ca-cert -n cdc -o=jsonpath='{.data.ca\.crt}' | base64 -d | openssl x509 -noout -dates
notBefore=Apr 13 03:40:14 2026 GMT
notAfter=Apr 13 03:40:14 2027 GMT

kubectl get secret cdc-cluster-clients-ca-cert -n cdc -o=jsonpath='{.data.ca\.crt}' | base64 -d | openssl x509 -noout -dates
notBefore=Apr 13 03:40:14 2026 GMT
notAfter=Apr 13 03:40:14 2027 GMT

Only zookeeper pod already recreated. But the others, not created
and also, the errors for zookeeper are STILL similar as before:

...
Caused by: java.security.cert.CertificateExpiredException: NotAfter: Wed Dec 17 23:30:03 GMT 2025                                                                                         
    at java.base/sun.security.x509.CertificateValidity.valid(CertificateValidity.java:277)                                                                                                
    at java.base/sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:621)                                                                                                      
    at java.base/sun.security.provider.certpath.BasicChecker.verifyValidity(BasicChecker.java:190)                                                                                        
    at java.base/sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:144)                                                                                                 
    at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)        
...

then, we suspect to know what the exact certificate was expired. then we tried to see expired date for each secret that automatically created by strimzi-cluster-operator. and here are the OUTPUT for expired date as below:
cluster name: cdc-cluster

===
ALREADY RENEWED
===
--- cdc-cluster-cluster-ca-cert ---
$ kubectl get secret cdc-cluster-cluster-ca-cert -n cdc -o=jsonpath='{.data.ca\.crt}' | base64 -d | openssl x509 -noout -dates
notBefore=Apr 13 03:40:14 2026 GMT
notAfter=Apr 13 03:40:14 2027 GMT

--- cdc-cluster-clients-ca-cert ---
$ kubectl get secret cdc-cluster-clients-ca-cert -n cdc -o=jsonpath='{.data.ca\.crt}' | base64 -d | openssl x509 -noout -dates
notBefore=Apr 13 03:40:14 2026 GMT
notAfter=Apr 13 03:40:14 2027 GMT

--- cdc-cluster-cluster-operator-certs ---
$ kubectl get secret cdc-cluster-cluster-operator-certs -n cdc -o=jsonpath='{.data.cluster-operator\.crt}' | base64 -d | openssl x509 -noout -dates
notBefore=Apr 13 03:40:14 2026 GMT
notAfter=Apr 13 03:40:14 2027 GMT

--- zookeeper nodes 0 ---
$ kubectl get secret cdc-cluster-zookeeper-nodes -n cdc -o=jsonpath='{.data.cdc-cluster-zookeeper-0\.crt}' | base64 -d | openssl x509 -noout -dates
notBefore=Apr 13 03:40:15 2026 GMT
notAfter=Apr 13 03:40:15 2027 GMT

--- zookeeper nodes 1 ---
$ kubectl get secret cdc-cluster-zookeeper-nodes -n cdc -o=jsonpath='{.data.cdc-cluster-zookeeper-1\.crt}' | base64 -d | openssl x509 -noout -dates
notBefore=Apr 13 03:40:15 2026 GMT
notAfter=Apr 13 03:40:15 2027 GMT

--- zookeeper nodes 2 ---
$ kubectl get secret cdc-cluster-zookeeper-nodes -n cdc -o=jsonpath='{.data.cdc-cluster-zookeeper-2\.crt}' | base64 -d | openssl x509 -noout -dates
notBefore=Apr 13 03:40:15 2026 GMT
notAfter=Apr 13 03:40:15 2027 GMT

----------------------------------------
===
NOT RENEWED
===
--- cdc-cluster-kafka-0 ---
$ kubectl get secret cdc-cluster-kafka-brokers -n cdc -o=jsonpath='{.data.cdc-cluster-kafka-0\.crt}' | base64 -d | openssl x509 -noout -dates
notBefore=Dec 17 23:30:02 2024 GMT
notAfter=Dec 17 23:30:02 2025 GMT

--- cdc-cluster-kafka-1 ---
$ kubectl get secret cdc-cluster-kafka-brokers -n cdc -o=jsonpath='{.data.cdc-cluster-kafka-1\.crt}' | base64 -d | openssl x509 -noout -dates
notBefore=Dec 17 23:30:03 2024 GMT
notAfter=Dec 17 23:30:03 2025 GMT

--- cdc-cluster-kafka-2 ---
$ kubectl get secret cdc-cluster-kafka-brokers -n cdc -o=jsonpath='{.data.cdc-cluster-kafka-2\.crt}' | base64 -d | openssl x509 -noout -dates
notBefore=Dec 17 23:30:03 2024 GMT
notAfter=Dec 17 23:30:03 2025 GMT

--- cdc-cluster-entity-topic-operator-certs ---
$ kubectl get secret cdc-cluster-entity-topic-operator-certs -n cdc -o=jsonpath='{.data.entity-operator\.crt}' | base64 -d | openssl x509 -noout -dates
notBefore=Dec 17 23:30:48 2024 GMT
notAfter=Dec 17 23:30:48 2025 GMT

--- cdc-cluster-entity-user-operator-certs ---
$ kubectl get secret cdc-cluster-entity-user-operator-certs -n cdc -o=jsonpath='{.data.entity-operator\.crt}' | base64 -d | openssl x509 -noout -dates
notBefore=Dec 17 23:30:48 2024 GMT
notAfter=Dec 17 23:30:48 2025 GMT

--- cdc-cluster-cruise-control-certs --- 
$ kubectl get secret cdc-cluster-cruise-control-certs -n cdc -o=jsonpath='{.data.cruise-control\.crt}' | base64 -d | openssl x509 -noout -dates
notBefore=Dec 17 23:31:10 2024 GMT
notAfter=Dec 17 23:31:10 2025 GMT

--- cdc-cluster-kafka-exporter-certs ---
$ kubectl get secret cdc-cluster-kafka-exporter-certs -n cdc -o=jsonpath='{.data.kafka-exporter\.crt}' | base64 -d | openssl x509 -noout -dates
notBefore=Dec 17 23:31:32 2024 GMT
notAfter=Dec 17 23:31:32 2025 GMT

seems, for error from zookeeper originated from secret cdc-cluster-kafka-brokers that already expired. And we're confirmed that current kafka-broker certificate not renewed, by tried to exec through the pod. as below:
for example cdc-cluster-kafka-0.crt

[kafka@cdc-cluster-kafka-1 broker-certs]$ cd /opt/kafka/broker-certs
[kafka@cdc-cluster-kafka-1 broker-certs]$ pwd
/opt/kafka/broker-certs
[kafka@cdc-cluster-kafka-1 broker-certs]$ ls
cdc-cluster-kafka-0.crt  cdc-cluster-kafka-0.key  cdc-cluster-kafka-1.crt  cdc-cluster-kafka-1.key  cdc-cluster-kafka-2.crt  cdc-cluster-kafka-2.key
[kafka@cdc-cluster-kafka-1 broker-certs]$ openssl x509 -noout -dates -in cdc-cluster-kafka-0.crt
notBefore=Dec 17 23:30:02 2024 GMT
notAfter=Dec 17 23:30:02 2025 GMT

STEP 3: Trying to Kubectl restart for selected pod (kafka-broker)

Then we tried to kubectl restart / kill for kafka-broker-0 POD, to tried, will cdc-cluster-kafka-brokers secret be renewed into new kafka-broker pod., but we got CLBO error and cdc-cluster-kafka-broker not renewed, here is the error log for kafka-broker-0 pod as below:

 removed directory '/tmp/hsperfdata_kafka'                                                                                                                                                                                                 
 removed '/tmp/kafka/cluster.truststore.p12'                                                                                                                                                                                               
 removed directory '/tmp/kafka'                                                                                                                                                                                                            
 STRIMZI_BROKER_ID=0                                                                                                                                                                                                                       
 Preparing truststore for replication listener                                                                                                                                                                                             
 Adding /opt/kafka/cluster-ca-certs/ca.crt to truststore /tmp/kafka/cluster.truststore.p12 with alias ca                                                                                                                                   
 Certificate was added to keystore                                                                                                                                                                                                         
 Preparing truststore for replication listener is complete                                                                                                                                                                                 
 Looking for the CA matching the server certificate                                                                                                                                                                                        
 No CA matching the server certificate found. This process will exit with failure.

I tried to execute as comment mentioned on PKIX errors due to certs not renewing #6136 (comment) to delete the pod. seems the error quite similar.

and now, here are pod condition in our cluster

kubectl get pod  -n cdc
NAME                                           READY   STATUS             RESTARTS         AGE
alertmanager-alertmanager-0                    2/2     Running            0                5h33m
cdc-cluster-cruise-control-cb86cbb77-b6m5z     0/1     CrashLoopBackOff   107 (11s ago)    5h33m
cdc-cluster-entity-operator-59d8bd86f6-m6c7m   1/2     CrashLoopBackOff   69 (29s ago)     5h33m
cdc-cluster-kafka-0                            0/1     CrashLoopBackOff   36 (3m55s ago)   163m
cdc-cluster-kafka-1                            1/1     Running            0                270d
cdc-cluster-kafka-2                            1/1     Running            0                270d
cdc-cluster-kafka-exporter-8b6c7d64f-dxld4     0/1     CrashLoopBackOff   69 (2m12s ago)   5h33m
cdc-cluster-zookeeper-0                        1/1     Running            0                4h36m
cdc-cluster-zookeeper-1                        1/1     Running            0                4h35m
cdc-cluster-zookeeper-2                        1/1     Running            0                4h36m
cdc-kafka-connect-cluster-connect-0            0/1     CrashLoopBackOff   54 (63s ago)     4h20m
cdc-kafka-connect-cluster-connect-1            1/1     Running            0                120d
cdc-kafka-connect-cluster-connect-2            0/1     CrashLoopBackOff   57 (2m39s ago)   4h36m
grafana-59d46f59fc-sk62h                       1/1     Running            0                5h33m
prometheus-prometheus-0                        2/2     Running            0                5h33m
prometheus-prometheus-1                        2/2     Running            0                5h33m
strimzi-cluster-operator-74c4684778-9kcn7      1/1     Running            0                27h

Any kind of help is greatly appreciated. let me know if there are some logs missing.

Thankyou.

Steps to reproduce

install by using helm chart 0.45.0 (Error /expired certificate must be applied)
then helm upgrade into 0.45.2
helm upgrade --install --wait --debug --namespace=cdc strimzi-kafka-cluster-operator --version 0.45.2 oci://quay.io/strimzi-helm/strimzi-kafka-operator
Trying to annotate ca cert -> at this point, it should all pod strimzi kafka recreating, but in current use case, ONLY zookeeper strimzipodset recreated.

kubectl annotate secret cdc-cluster-cluster-ca-cert -n cdc strimzi.io/force-renew="true"
kubectl annotate secret cdc-cluster-clients-ca-cert -n cdc strimzi.io/force-renew="true"

trying to kill pod kafka-cluster-0, then we get CLBO error

Expected behavior

All of strimzi kafka operator component are running with renewed all certificates.

kafka (kind: Kafka)

kafka broker (strimzipodset) 3 replicas
zookeeper (strimzipodset) 3 replicas
entity Operator (deployment), including;
a) topic operator
b) user operator
cruise control (deployment)
kafka-exporter (deployment)

kafka connect (kind: kafkaconnect) (strimzipodset) 3 replicas
certificate secret renewed

cdc-cluster-kafka-brokers
cdc-cluster-entity-topic-operator-certs
cdc-cluster-entity-user-operator-certs
cdc-cluster-cruise-control-certs
cdc-cluster-kafka-exporter-certs

Strimzi version

0.45.2

Kubernetes version

Kubernetes 1.33

Installation method

Helm Chart

Infrastructure

AWS EKS 1.33

Configuration files and logs

kafka-persistent.yaml (modified)

apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  labels:
    app: strimzi
  name: cdc-cluster
  namespace: cdc
spec:
  kafka:
    version: 3.9.0
    config:
      default.replication.factor: 3
      delete.topic.enable: true
      inter.broker.protocol.version: "3.9"
      min.insync.replicas: 2
      offsets.topic.replication.factor: 3
      transaction.state.log.min.isr: 2
      transaction.state.log.replication.factor: 3
    jvmOptions:
      -Xms: 1024m
      -Xmx: 1024m
    listeners:
    - name: plain
      port: 9092
      tls: false
      type: internal
    - name: tls
      port: 9093
      tls: true
      type: internal
    metricsConfig:
      type: jmxPrometheusExporter
      valueFrom:
        configMapKeyRef:
          key: kafka-metrics-config.yaml
          name: kafka-metrics
    replicas: 3
    resources:
      limits:
        memory: 2048Mi
      requests:
        cpu: 300m
        memory: 2048Mi
    storage:
      type: jbod
      volumes:
      - deleteClaim: false
        id: 0
        size: 30Gi
        type: persistent-claim
    template:
      pod:
        affinity:
          nodeAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
              nodeSelectorTerms:
              - matchExpressions:
                - key: apptype
                  operator: In
                  values:
                  - cdc
        tolerations:
        - effect: NoSchedule
          key: nodegroup
          operator: Equal
          value: cdc

  zookeeper:
    jvmOptions:
      -Xms: 256m
      -Xmx: 256m
    metricsConfig:
      type: jmxPrometheusExporter
      valueFrom:
        configMapKeyRef:
          key: zookeeper-metrics-config.yaml
          name: kafka-metrics
    replicas: 3
    resources:
      limits:
        memory: 512Mi
    storage:
      deleteClaim: false
      size: 20Gi
      type: persistent-claim
    template:
      pod:
        affinity:
          nodeAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
              nodeSelectorTerms:
              - matchExpressions:
                - key: apptype
                  operator: In
                  values:
                  - cdc
        tolerations:
        - effect: NoSchedule
          key: nodegroup
          operator: Equal
          value: cdc

  entityOperator:
    template:
      pod:
        affinity:
          nodeAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
              nodeSelectorTerms:
              - matchExpressions:
                - key: apptype
                  operator: In
                  values:
                  - cdc
        tolerations:
        - effect: NoSchedule
          key: nodegroup
          operator: Equal
          value: cdc
    topicOperator:
      jvmOptions:
        -Xms: 256m
        -Xmx: 256m
      resources:
        limits:
          memory: 512Mi
    userOperator:
      jvmOptions:
        -Xms: 256m
        -Xmx: 256m
      resources:
        limits:
          memory: 512Mi

  cruiseControl:
    jvmOptions:
      -Xms: 512m
      -Xmx: 512m
    metricsConfig:
      type: jmxPrometheusExporter
      valueFrom:
        configMapKeyRef:
          key: metrics-config.yaml
          name: cruise-control-metrics
    resources:
      limits:
        memory: 1024Mi
    template:
      pod:
        affinity:
          nodeAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
              nodeSelectorTerms:
              - matchExpressions:
                - key: apptype
                  operator: In
                  values:
                  - cdc
        tolerations:
        - effect: NoSchedule
          key: nodegroup
          operator: Equal
          value: cdc

  kafkaExporter:
    groupRegex: .*
    resources:
      limits:
        memory: 128Mi
    template:
      pod:
        affinity:
          nodeAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
              nodeSelectorTerms:
              - matchExpressions:
                - key: apptype
                  operator: In
                  values:
                  - cdc
        tolerations:
        - effect: NoSchedule
          key: nodegroup
          operator: Equal
          value: cdc
    topicRegex: .*

kafka-connect.yaml (modified)

apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaConnect
metadata:
  annotations:
    strimzi.io/use-connector-resources: "true"
  labels:
    app: strimzi
  name: cdc-kafka-connect-cluster
  namespace: cdc
spec:
  version: 3.7.1
  replicas: 3
  bootstrapServers: cdc-cluster-kafka-bootstrap:9093
  config:
    config.providers: env
    config.providers.env.class: org.apache.kafka.common.config.provider.EnvVarConfigProvider
    config.storage.replication.factor: -1
    config.storage.topic: connect-cluster-configs
    group.id: connect-cluster
    offset.storage.replication.factor: -1
    offset.storage.topic: connect-cluster-offsets
    status.storage.replication.factor: -1
    status.storage.topic: connect-cluster-status
  image: <custom image>
  jvmOptions:
    -Xms: 2048m
    -Xmx: 2048m
    javaSystemProperties:
    - name: javax.net.ssl.trustStore
      value: /mnt/aws-truststore/rds-truststore.jks
    - name: javax.net.ssl.trustStorePassword
      value: <password>
  metricsConfig:
    type: jmxPrometheusExporter
    valueFrom:
      configMapKeyRef:
        key: metrics-config.yaml
        name: connect-metrics
  resources:
    limits:
      memory: 4096Mi
    requests:
      memory: 4096Mi
  template:
    connectContainer:
      env:
      - name: MONGODB_USER
        valueFrom:
          secretKeyRef:
            key: user
            name: mongodb-creds
      - name: MONGODB_PASSWORD
        valueFrom:
          secretKeyRef:
            key: password
            name: mongodb-creds
      volumeMounts:
      - mountPath: /mnt/aws-truststore/
        name: aws-truststore
    pod:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: apptype
                operator: In
                values:
                - cdc
      tolerations:
      - effect: NoSchedule
        key: nodegroup
        operator: Equal
        value: cdc
      volumes:
      - name: aws-truststore
        secret:
          secretName: aws-truststore
  tls:
    trustedCertificates:
    - pattern: '*.crt'
      secretName: cdc-cluster-cluster-ca-cert

Additional context

No response

scholzj · 2026-04-13T09:15:54Z

scholzj
Apr 13, 2026
Maintainer

If the operator does not work, there is nobody to renew the certificates. So you have to fix that first. Second, if the certifciates already expired, the operator won't be able to fix it on its own. You would need to help it - typically by manually deleting the ZooKeeper / Kafka Pods depending on the situation. But first, you need to get the operator into the working state. So you should focus on it. From the logs, I have no idea why it is crash looping as none of the logs you shared is really complete or explain it. So you should probably start there and provide more information, full logs, full configuration, etc.

4 replies

Ryanrek007 Apr 13, 2026
Author

Hi @scholzj
Thanks for fast response.

As i mentioned in my issue, after trying to annotate certificate ca, as below

kubectl annotate secret cdc-cluster-cluster-ca-cert -n cdc strimzi.io/force-renew="true"
kubectl annotate secret cdc-cluster-clients-ca-cert -n cdc strimzi.io/force-renew="true"

Typically, it will trigger by recreating all strimzi kafka pod components, right ? But it doesn't renew other ca certificate and then make strimzi other pods (kafka broker, cruise control, etc.) Not recreated *cmiiw

And here are some full log for strimzi-kafka-operator log (24h). As below:
full-strimzi-cluster-operator.og.log

And current strimzi-cluster-operator POD is on running state with log as attachment above.

So, Do we need to ensure there are no error in strimzi-cluster-operator log pod even though the pod is successfully on running state, then we can proceed to remediate the rest of CLBO error on other strimzi kafka pod ?

scholzj Apr 13, 2026
Maintainer

That does not help if the CAs are already expired. But in any case, as I said, if the operator is not running properly and is crash-looping, you need to fix that first.

The log you shared does not correspond to you saying that the Cluster Operator pod is crash-looping, so not sore what it really does. But the error you have there would block the certificate renewal. So you need to address it in any case. The error suggests some forbidden maniapulation with the storage configuration. So you would need to find out by looking into what your storage configuration is and what your PVs / PVCs say and you would need to somehow reconcile it manually. Probably by increasing your stroage capacity in the Kafka/KafkaNodePool CRs.

Ryanrek007 Apr 13, 2026
Author

Hi @scholzj .

Absolutely, you're right !🔥

Since strimzi-cluster-operator pod is running but somehow, there are still some error related to PVC on kafka strimzipodset, as below:

2026-04-13 06:46:15 INFO  PvcReconciler:137 - Reconciliation #5219(timer) Kafka(cdc/cdc-cluster): Resizing PVC data-0-cdc-cluster-kafka-0 from 400 to 300Gi.
2026-04-13 06:46:16 INFO  PvcReconciler:137 - Reconciliation #5219(timer) Kafka(cdc/cdc-cluster): Resizing PVC data-0-cdc-cluster-kafka-1 from 400 to 300Gi.
2026-04-13 06:46:16 INFO  PvcReconciler:137 - Reconciliation #5219(timer) Kafka(cdc/cdc-cluster): Resizing PVC data-0-cdc-cluster-kafka-2 from 400 to 300Gi.
2026-04-13 06:46:16 ERROR AbstractOperator:285 - Reconciliation #5219(timer) Kafka(cdc/cdc-cluster): createOrUpdate failed

Seems, the previous developer retrying to kubectl edit / kubectl patch on each pvc for strimzi kafka-broker, without retry to execute kubectl apply for k8s manifest for kafka-broker then it will make strimzi-cluster-operator logs error as you mentioned before.
so, we need to ENSURE there are NO ERROR log for strimzi-cluster-operator pod itself.

SOLUTION

After updating kafka.storage.volume.size on kafka-persistent.yaml from 300Gi -> 400Gi
then execute kubectl apply -f kafka-persistent.yaml
Wait until strimzi-cluster-operator executing Reconciliation for all strimzi kafka component
And Now, all of Strimzi Kafka Component pod completely recreated (running state) and the all CA certificated completely Renewed as well 😁🎉

Thanks alot for your help @scholzj ✨️

scholzj Apr 13, 2026
Maintainer

Great. Glad we managed to fix it.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Strimzi

[Bug]: CertificateExpiredException for certificate (.crt) on strimzi kafka component #12629

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment 4 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Strimzi

[Bug]: CertificateExpiredException for certificate (.crt) on strimzi kafka component #12629

Uh oh!

Uh oh!

Ryanrek007 Apr 13, 2026

Bug Description

Chronology

USING Helm chart 0.45.0 Version

STEP 1: Upgrading Helm chart 0.45.2 Version

STEP 2: Trying to ANNOTATE force-renew Cluster Operator-managed CA certificates

STEP 3: Trying to Kubectl restart for selected pod (kafka-broker)

Steps to reproduce

Expected behavior

Strimzi version

Kubernetes version

Installation method

Infrastructure

Configuration files and logs

kafka-persistent.yaml (modified)

kafka-connect.yaml (modified)

Additional context

Replies: 1 comment · 4 replies

Uh oh!

scholzj Apr 13, 2026 Maintainer

Uh oh!

Uh oh!

Ryanrek007 Apr 13, 2026 Author

Uh oh!

scholzj Apr 13, 2026 Maintainer

Uh oh!

Ryanrek007 Apr 13, 2026 Author

SOLUTION

Uh oh!

scholzj Apr 13, 2026 Maintainer

Ryanrek007
Apr 13, 2026

Replies: 1 comment 4 replies

scholzj
Apr 13, 2026
Maintainer

Ryanrek007 Apr 13, 2026
Author

scholzj Apr 13, 2026
Maintainer

Ryanrek007 Apr 13, 2026
Author

scholzj Apr 13, 2026
Maintainer