IBM Support

Method to determine whether cluster and client CA certificates are in sync across Zookeeper and Kafka pods

How To


Summary

This is a method to check whether cluster and client CA certificates are in sync across Zookeeper and Kafka pods.

Steps

(1) Execute the following command in the AIOps namespace:
for POD in $(oc get po -o name | grep -E 'kafka|zookeeper|entity-operator'); do echo "$POD:"; oc describe $POD | grep 'cert-generation'; echo; done

An example of the output of the command above:
 
pod/iaf-system-entity-operator-6c4f6cbc4d-2fps7:
                  strimzi.io/cluster-ca-cert-generation: 1

pod/iaf-system-kafka-0:
                  strimzi.io/clients-ca-cert-generation: 0
                  strimzi.io/cluster-ca-cert-generation: 1

pod/iaf-system-kafka-1:
                  strimzi.io/clients-ca-cert-generation: 0
                  strimzi.io/cluster-ca-cert-generation: 1

pod/iaf-system-kafka-2:
                  strimzi.io/clients-ca-cert-generation: 0
                  strimzi.io/cluster-ca-cert-generation: 1

pod/iaf-system-zookeeper-0:
                  strimzi.io/cluster-ca-cert-generation: 1

pod/iaf-system-zookeeper-1:
                  strimzi.io/cluster-ca-cert-generation: 1

pod/iaf-system-zookeeper-2:
                  strimzi.io/cluster-ca-cert-generation: 1

For the Cluster CA certificate, ensure that "cluster-ca-cert-generation" is the same across all Zookeeper and Kafka pods.
For the Client CA certificate (only Kafka pods will have it), ensure that "clients-ca-cert-generation" is the same across all Kafka pods.

(2) To crosscheck against the secrets, execute the following command:
for SECRET in $(oc get secret -l ibmevents.ibm.com/kind=Kafka -o name | grep -E 'cluster-ca-cert|clients-ca-cert'); do echo "$SECRET:"; oc describe $SECRET | grep 'cert-generation'; echo; done

An example of the output of the command above:

secret/iaf-system-clients-ca-cert:
Annotations:  strimzi.io/ca-cert-generation: 0

secret/iaf-system-cluster-ca-cert:
              strimzi.io/ca-cert-generation: 1

Crosscheck the generation value against the output of Step (1) above.
For example:

secret/iaf-system-clients-ca-cert:
Annotations:  strimzi.io/ca-cert-generation: 0

[AGAINST]

pod/iaf-system-kafka-0:
                  strimzi.io/clients-ca-cert-generation: 0

pod/iaf-system-kafka-1:
                  strimzi.io/clients-ca-cert-generation: 0

pod/iaf-system-kafka-2:
                  strimzi.io/clients-ca-cert-generation: 0

If there is any mismatch, please contact IBM Support immediately.
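
The comparison in Steps (1) and (2) can be scripted so that a lagging pod is not missed by eye. The following is an added example, not part of the original IBM document: check_ca_sync and sample_mismatch are hypothetical names, the sample input is constructed, and the script assumes the text format shown in the example outputs above.

```shell
# Added example, not IBM tooling. check_ca_sync reads the combined text output
# of Steps (1) and (2) on stdin and compares the generation values.
# Exit status: 0 = in sync, 1 = mismatch, 2 = no annotations in the input.
check_ca_sync() {
  awk '
    /^(pod|secret)\// { obj = $1; sub(/:$/, "", obj); next }
    /strimzi\.io\/.*ca-cert-generation:/ {
      gen = $NF; key = $(NF-1); seen = 1
      if (obj ~ /^secret\//) {
        # Secrets share one annotation name; the CA kind is in the secret name.
        secret[(obj ~ /clients-ca-cert$/) ? "clients" : "cluster"] = gen
        next
      }
      kind = (key ~ /clients-ca-cert-generation/) ? "clients" : "cluster"
      pods[kind, obj] = gen
      if (!(kind in first)) first[kind] = gen
    }
    END {
      if (!seen) { print "no cert-generation annotations found"; exit 2 }
      for (k in pods) {
        split(k, p, SUBSEP)
        # Reference is the secret value when present, else the first pod seen.
        ref = (p[1] in secret) ? secret[p[1]] : first[p[1]]
        if (pods[k] != ref) {
          printf "MISMATCH %s %s-ca generation %s, expected %s\n", p[2], p[1], pods[k], ref
          bad = 1
        }
      }
      exit (bad ? 1 : 0)
    }'
}

# Constructed sample input: kafka-1 lags behind on the cluster CA generation.
sample_mismatch() {
  cat <<'EOF'
pod/iaf-system-kafka-0:
                  strimzi.io/clients-ca-cert-generation: 0
                  strimzi.io/cluster-ca-cert-generation: 1
pod/iaf-system-kafka-1:
                  strimzi.io/clients-ca-cert-generation: 0
                  strimzi.io/cluster-ca-cert-generation: 0
pod/iaf-system-zookeeper-0:
                  strimzi.io/cluster-ca-cert-generation: 1
secret/iaf-system-clients-ca-cert:
Annotations:  strimzi.io/ca-cert-generation: 0
secret/iaf-system-cluster-ca-cert:
              strimzi.io/ca-cert-generation: 1
EOF
}
sample_mismatch | check_ca_sync || echo "exit status $?"
```

Against a live cluster, pipe the output of both loops from Steps (1) and (2) into check_ca_sync in place of sample_mismatch.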

 

Document Location

Worldwide


Document Information

Modified date:
16 May 2024

UID

ibm17152245