Question on Kafka SSL certificate refresh

We have a Kafka version 3 cluster using KRaft with SSL as the listener and controller. We want to do a cert rotate on this certificate without doing a Kafka restart. We have been able to update the certificate on the listener by updating the SSL listener configuration using dynamic configuration (specifically, updating this config: `listener.name.internal.ssl.truststore.location`). This forces Kafka to re-read the certificate, and when we then remove the dynamic configuration, Kafka uses the static configuration to re-read the certificate. Hence the certificate reload happens.

We have been stuck on this: how do we refresh the certificate that the broker uses to communicate with the controller listener?

So, for example, kafka-controller-01 has the certificate on its controller reloaded on port 9093 using `listener.name.controller.truststore.location`.

How does kafka-broker-01 update its certificate to communicate with kafka-controller-01? Is there no other way than a restart of Kafka? Is there no dynamic configuration or any Kafka command that I can use to force Kafka to re-read the truststore configuration? At first I thought we could update `ssl.truststore.location`, but it turns out that for dynamic configuration Kafka can only update on a per-listener basis, hence `listener.name.listenername.ssl.truststore.location`, but I don't see a config that points to the certificate that the broker uses to communicate with the controller.
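
The listener-side reload described in the post, as an added shell example that is not part of the original post: it sets the per-listener dynamic config with `kafka-configs.sh` and then deletes it so the static value applies again. The bootstrap address, broker id, store path and the `DRY_RUN` switch are assumptions, and it covers only the broker listener case, not the broker-to-controller connection asked about.

```shell
#!/usr/bin/env bash
# Added example (not from the post): toggle the per-listener dynamic config
# so the broker re-reads the store, then fall back to the static config.
# Assumed values: bootstrap address, broker id, store path, DRY_RUN switch.

KAFKA_CONFIGS="${KAFKA_CONFIGS:-kafka-configs.sh}"  # Kafka's config CLI
BOOTSTRAP="${BOOTSTRAP:-localhost:9092}"            # assumed address
DRY_RUN="${DRY_RUN:-0}"                             # 1 = print, do not run

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Usage: reload_listener_store <broker-id> <listener-name> <store-path>
reload_listener_store() {
  broker_id="$1"
  store="$3"
  # Kafka lower-cases the listener name inside listener.name.<name>.* keys.
  listener="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')"

  # Conservative argument checks so a typo never reaches the cluster.
  case "$broker_id" in ''|*[!0-9]*)
    echo "broker id must be numeric: $broker_id" >&2; return 2 ;;
  esac
  case "$listener" in ''|*[!a-z0-9_]*)
    echo "unexpected listener name: $listener" >&2; return 2 ;;
  esac
  [ -n "$store" ] || { echo "store path is required" >&2; return 2; }

  key="listener.name.${listener}.ssl.truststore.location"

  # Step 1: set the dynamic override (the post reports this triggers a re-read).
  run "$KAFKA_CONFIGS" --bootstrap-server "$BOOTSTRAP" \
    --entity-type brokers --entity-name "$broker_id" \
    --alter --add-config "${key}=${store}" || return 1

  # Step 2: delete the override so the static configuration applies again.
  run "$KAFKA_CONFIGS" --bootstrap-server "$BOOTSTRAP" \
    --entity-type brokers --entity-name "$broker_id" \
    --alter --delete-config "$key" || return 1
}
```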