Add CA chains when missing in the broker Secrets #12403
Open
+81
−8
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Jakub Scholz <[email protected]>
scholzj
force-pushed
the
update-secrets-when-CA-chain-is-missing
branch
from
5e9efb8 to
aa36cee
Compare
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #12403 +/- ##
============================================
- Coverage 75.02% 75.00% -0.02%
- Complexity 6660 6663 +3
============================================
Files 373 373
Lines 25385 25390 +5
Branches 3411 3412 +1
============================================
- Hits 19044 19043 -1
- Misses 4954 4957 +3
- Partials 1387 1390 +3
🚀 New features to boost your workflow:
|
Member
Author
|
/gha run pipeline=upgrade,regression |
|
⏳ System test verification started: link The following 10 job(s) will be executed:
Tests will start after successful build completion. |
|
🎉 System test verification passed: link |
ppatierno
reviewed
Feb 11, 2026
cluster-operator/src/main/java/io/strimzi/operator/cluster/model/ClusterCa.java
Outdated
Show resolved
Hide resolved
| // For more details, see https://github.com/strimzi/strimzi-kafka-operator/issues/12364. | ||
| // | ||
| // After some time - after multiple Strimzi releases, once the CA chains are added in all clusters, we | ||
| // should be able to remove this logic again. |
Member
There was a problem hiding this comment.
should we have an issue open for this and referring to it in this comment? wdyt?
Member
Author
There was a problem hiding this comment.
I'm happy to open one if it is approved.
Signed-off-by: Jakub Scholz <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Type of change
Description
This PR continues on the work from #12390 and makes sure the CA chain is added during the upgrade of the operator. That makes sure that after the upgrade to Strimzi 0.51.0, the CA chain is added for existing clusters and not only for new ones.
Given the certificates are stored as byte arrays and the CA chain is at the end, the comparing is not completely straightforward. But hopefully I made it sufficiently simple and readable. After some time - once we are sure that everyone upgraded away from 0.48-0.50 - we should be able to remove this logic again.
(It also does minor refactoring of the
maybeCopyOrGenerateCertsmethod to avoid the negativeifnd make the code a bit more readable)This should (hopefully) resolve #12364
Checklist