Add possibility to configure mTLS `validityDays` and `renewalDays` for each `KafkaUser` by im-konge · Pull Request #12658 · strimzi/strimzi-kafka-operator

im-konge · 2026-04-20T12:50:21Z

Type of change

Enhancement / new feature

Description

This PR implements proposal about Configurable validityDays and renewalDays per KafkaUser. As described in the proposal, it adds validityDays and renewalDays to the KafkaUser CRD, when the type of authn is tls - which is covered by CEL validation, together with values of both fields to be higher than 0, both has to be set if one or the other is set, and that validityDays is always higher than renewalDays.

As part of this PR I'm adding ST for both new validityDays and renewalDays, but also to check the force-renew feature added in a different PR - which is useful in this case when we want to have the certificate with new validity policy immediately.

Fixes #12336

Checklist

Write tests
Make sure all tests pass
Update documentation
Try your changes from Pod inside your Kubernetes and OpenShift cluster, not just locally
Reference relevant issue(s) and close them after merging
Update CHANGELOG.md

codecov · 2026-04-20T14:39:35Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 75.16%. Comparing base (1e0bbfd) to head (d9543d8).
⚠️ Report is 12 commits behind head on main.

Additional details and impacted files

@@             Coverage Diff              @@
##               main   #12658      +/-   ##
============================================
+ Coverage     75.01%   75.16%   +0.14%     
- Complexity     6397     6459      +62     
============================================
  Files           345      346       +1     
  Lines         24155    24332     +177     
  Branches       3095     3122      +27     
============================================
+ Hits          18120    18289     +169     
- Misses         4800     4808       +8     
  Partials       1235     1235

Files with missing lines	Coverage Δ
...io/strimzi/operator/user/model/KafkaUserModel.java	`84.11% <100.00%> (+0.22%)`	⬆️

... and 18 files with indirect coverage changes

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

im-konge · 2026-04-20T14:55:52Z

/gha run pipeline=regression,upgrade

github-actions · 2026-04-20T14:57:22Z

⏳ System test verification started: link

The following 10 job(s) will be executed:

regression-brokers-and-security-amd64 (oracle-vm-8cpu-32gb-x86-64)
regression-operators-amd64 (oracle-vm-8cpu-32gb-x86-64)
regression-operands-amd64 (oracle-vm-8cpu-32gb-x86-64)
regression-brokers-and-security-arm64 (oracle-vm-8cpu-32gb-arm64)
regression-operators-arm64 (oracle-vm-8cpu-32gb-arm64)
regression-operands-arm64 (oracle-vm-8cpu-32gb-arm64)
upgrade-azp_kraft_upgrade-amd64 (oracle-vm-4cpu-16gb-x86-64)
upgrade-azp_kafka_upgrade-amd64 (oracle-vm-4cpu-16gb-x86-64)
upgrade-azp_kraft_upgrade-arm64 (oracle-vm-4cpu-16gb-arm64)
upgrade-azp_kafka_upgrade-arm64 (oracle-vm-4cpu-16gb-arm64)

Tests will start after successful build completion.

github-actions · 2026-04-20T19:22:59Z

🎉 System test verification passed: link

im-konge · 2026-04-21T13:41:29Z

/gha run pipeline=regression,upgrade

github-actions · 2026-04-21T13:42:00Z

⏳ System test verification started: link

The following 10 job(s) will be executed:

regression-brokers-and-security-amd64 (oracle-vm-8cpu-32gb-x86-64)
regression-operators-amd64 (oracle-vm-8cpu-32gb-x86-64)
regression-operands-amd64 (oracle-vm-8cpu-32gb-x86-64)
regression-brokers-and-security-arm64 (oracle-vm-8cpu-32gb-arm64)
regression-operators-arm64 (oracle-vm-8cpu-32gb-arm64)
regression-operands-arm64 (oracle-vm-8cpu-32gb-arm64)
upgrade-azp_kraft_upgrade-amd64 (oracle-vm-4cpu-16gb-x86-64)
upgrade-azp_kafka_upgrade-amd64 (oracle-vm-4cpu-16gb-x86-64)
upgrade-azp_kraft_upgrade-arm64 (oracle-vm-4cpu-16gb-arm64)
upgrade-azp_kafka_upgrade-arm64 (oracle-vm-4cpu-16gb-arm64)

Tests will start after successful build completion.

github-actions · 2026-04-21T18:05:30Z

🎉 System test verification passed: link

Signed-off-by: Lukas Kral <lukywill16@gmail.com> finish implementation Signed-off-by: Lukas Kral <lukywill16@gmail.com> fix tests Signed-off-by: Lukas Kral <lukywill16@gmail.com> add changelog Signed-off-by: Lukas Kral <lukywill16@gmail.com> same value of validityDays and renewalDays in KafkaUserModelCertificateHandlingTest Signed-off-by: Lukas Kral <lukywill16@gmail.com> crds 🤦 Signed-off-by: Lukas Kral <lukywill16@gmail.com> update API docs and add ST for this change Signed-off-by: Lukas Kral <lukywill16@gmail.com> Signed-off-by: Lukas Kral <lukywill16@gmail.com> fix spotbugs Signed-off-by: Lukas Kral <lukywill16@gmail.com> Jakub's comments Signed-off-by: Lukas Kral <lukywill16@gmail.com> use minimum instead of CEL Signed-off-by: Lukas Kral <lukywill16@gmail.com> renewalDays description Signed-off-by: Lukas Kral <lukywill16@gmail.com>

Signed-off-by: Lukas Kral <lukywill16@gmail.com>

im-konge · 2026-05-23T09:26:14Z

/gha run pipeline=regression,upgrade

github-actions · 2026-05-23T09:26:36Z

⏳ System test verification started: link

The following 10 job(s) will be executed:

regression-brokers-and-security-amd64 (cncf-ubuntu-8-32-x86)
regression-operators-amd64 (cncf-ubuntu-8-32-x86)
regression-operands-amd64 (cncf-ubuntu-8-32-x86)
regression-brokers-and-security-arm64 (cncf-ubuntu-8-32-arm)
regression-operators-arm64 (cncf-ubuntu-8-32-arm)
regression-operands-arm64 (cncf-ubuntu-8-32-arm)
upgrade-azp_kraft_upgrade-amd64 (cncf-ubuntu-4-16-x86)
upgrade-azp_kafka_upgrade-amd64 (cncf-ubuntu-4-16-x86)
upgrade-azp_kraft_upgrade-arm64 (cncf-ubuntu-4-16-arm)
upgrade-azp_kafka_upgrade-arm64 (cncf-ubuntu-4-16-arm)

Tests will start after successful build completion.

snyk-io · 2026-05-26T10:58:13Z

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

scholzj

LGTM. Thanks.

im-konge · 2026-05-26T14:57:57Z

/gha run pipeline=regression,upgrade

github-actions · 2026-05-26T14:58:31Z

⏳ System test verification started: link
Waiting for build to finish...

tinaselenge

LGTM. Thanks @im-konge

im-konge · 2026-05-26T18:10:06Z

/gha run pipeline=regression,upgrade

github-actions · 2026-05-26T18:10:31Z

⏳ System test verification started: link
Waiting for build to finish...

Signed-off-by: Lukas Kral <lukywill16@gmail.com>

im-konge · 2026-05-26T20:31:38Z

/gha run pipeline=regression,upgrade

github-actions · 2026-05-26T20:32:01Z

⏳ System test verification started: link

The following 10 job(s) will be executed:

regression-brokers-and-security-amd64 (cncf-ubuntu-8-32-x86)
regression-operators-amd64 (cncf-ubuntu-8-32-x86)
regression-operands-amd64 (cncf-ubuntu-8-32-x86)
regression-brokers-and-security-arm64 (cncf-ubuntu-8-32-arm)
regression-operators-arm64 (cncf-ubuntu-8-32-arm)
regression-operands-arm64 (cncf-ubuntu-8-32-arm)
upgrade-azp_kraft_upgrade-amd64 (cncf-ubuntu-4-16-x86)
upgrade-azp_kafka_upgrade-amd64 (cncf-ubuntu-4-16-x86)
upgrade-azp_kraft_upgrade-arm64 (cncf-ubuntu-4-16-arm)
upgrade-azp_kafka_upgrade-arm64 (cncf-ubuntu-4-16-arm)

Tests will start after successful build completion.

github-actions · 2026-05-27T00:54:27Z

🎉 System test verification passed: link

im-konge · 2026-05-27T12:59:01Z

@katheris @ppatierno do you want to review this? Or should I continue with merging?

ppatierno · 2026-05-28T06:35:54Z

@im-konge should we have some addition to the documentation about these new fields?

im-konge · 2026-05-28T06:42:17Z

@im-konge should we have some addition to the documentation about these new fields?

I'm not sure, like.. there is the API documentation and that should explain everything.

ppatierno · 2026-05-28T06:49:42Z

Quite often we have examples in the documentation for example here:

https://strimzi.io/docs/operators/latest/deploying#mtls_authentication

Maybe it would be useful to add this two fields in the example but as optional as we do for other several examples.

im-konge · 2026-05-28T08:49:20Z

Quite often we have examples in the documentation for example here:

https://strimzi.io/docs/operators/latest/deploying#mtls_authentication

Maybe it would be useful to add this two fields in the example but as optional as we do for other several examples.

Okay let me have a look. Thanks

Signed-off-by: Lukas Kral <lukywill16@gmail.com>

im-konge · 2026-05-29T13:07:27Z

@ppatierno I added few lines about it. Please have a look. Also, @PaulRMellor could you please have a look? Thanks!

ppatierno

LGTM. Thanks!

im-konge added this to the 1.1.0 milestone Apr 20, 2026

im-konge self-assigned this Apr 20, 2026

im-konge force-pushed the kafka-user-validity-and-renewal-days branch 3 times, most recently from 4b32af4 to 7d3f1cd Compare April 21, 2026 11:15

im-konge requested review from ppatierno and scholzj April 21, 2026 11:15

im-konge marked this pull request as ready for review April 21, 2026 11:15

scholzj reviewed Apr 24, 2026

View reviewed changes

im-konge force-pushed the kafka-user-validity-and-renewal-days branch 6 times, most recently from 48a5f94 to 74d9f79 Compare May 7, 2026 14:06

scholzj reviewed May 8, 2026

View reviewed changes

tinaselenge reviewed May 14, 2026

View reviewed changes

Comment thread documentation/modules/appendix_crds.adoc Outdated

Comment thread systemtest/src/test/java/io/strimzi/systemtest/operators/user/UserST.java

Comment thread user-operator/src/main/java/io/strimzi/operator/user/model/KafkaUserModel.java Outdated

im-konge force-pushed the kafka-user-validity-and-renewal-days branch from 9ca9dc1 to cbb1d22 Compare May 21, 2026 10:35

im-konge force-pushed the kafka-user-validity-and-renewal-days branch from cbb1d22 to 71620c2 Compare May 21, 2026 10:37

fix tests

663020c

Signed-off-by: Lukas Kral <lukywill16@gmail.com>

scholzj reviewed May 23, 2026

View reviewed changes

im-konge force-pushed the kafka-user-validity-and-renewal-days branch from e618e67 to 76392cd Compare May 26, 2026 11:21

scholzj approved these changes May 26, 2026

View reviewed changes

Comment thread systemtest/src/test/java/io/strimzi/systemtest/operators/user/UserST.java

im-konge mentioned this pull request May 26, 2026

Refactor Ca class to handle certificate-level validity #12765

Open

im-konge requested review from katheris and tinaselenge May 26, 2026 15:03

tinaselenge approved these changes May 26, 2026

View reviewed changes

address Jakub's comments

8275a14

Signed-off-by: Lukas Kral <lukywill16@gmail.com>

im-konge force-pushed the kafka-user-validity-and-renewal-days branch from 76392cd to 8275a14 Compare May 26, 2026 18:18

add mention about the validity/renewal in docs

d9543d8

Signed-off-by: Lukas Kral <lukywill16@gmail.com>

im-konge requested a review from PaulRMellor May 29, 2026 13:07

ppatierno approved these changes May 29, 2026

View reviewed changes

Conversation

im-konge commented Apr 20, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Type of change

Description

Checklist

Uh oh!

codecov Bot commented Apr 20, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

im-konge commented Apr 20, 2026

Uh oh!

github-actions Bot commented Apr 20, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions Bot commented Apr 20, 2026

Uh oh!

im-konge commented Apr 21, 2026

Uh oh!

github-actions Bot commented Apr 21, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions Bot commented Apr 21, 2026

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

im-konge commented May 23, 2026

Uh oh!

github-actions Bot commented May 23, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

snyk-io Bot commented May 26, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

✅ Snyk checks have passed. No issues have been found so far.

Uh oh!

scholzj left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

im-konge commented May 26, 2026

Uh oh!

github-actions Bot commented May 26, 2026

Uh oh!

tinaselenge left a comment

Choose a reason for hiding this comment

Uh oh!

im-konge commented May 26, 2026

Uh oh!

github-actions Bot commented May 26, 2026

Uh oh!

im-konge commented May 26, 2026

Uh oh!

github-actions Bot commented May 26, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions Bot commented May 27, 2026

Uh oh!

im-konge commented May 27, 2026

Uh oh!

ppatierno commented May 28, 2026

Uh oh!

im-konge commented May 28, 2026

Uh oh!

ppatierno commented May 28, 2026

im-konge commented Apr 20, 2026 •

edited

Loading

codecov Bot commented Apr 20, 2026 •

edited

Loading

github-actions Bot commented Apr 20, 2026 •

edited

Loading

github-actions Bot commented Apr 21, 2026 •

edited

Loading

github-actions Bot commented May 23, 2026 •

edited

Loading

snyk-io Bot commented May 26, 2026 •

edited

Loading

github-actions Bot commented May 26, 2026 •

edited

Loading