- Task
- Resolution: Done
The Kafka broker supports dynamically changing both keystores and truststores. When changing a broker's end entity certificate, the broker will perform some sanity checks on the new certificate. Some of those checks prevent using the dynamic config update in a kube environment/with Strimzi. This forces us to restart brokers, which is less than ideal for all the usual reasons.
For example, in kube, DNS and IP can change dynamically, but the broker is very opinionated about the SubjectAlternativeNames in the new certificate.
It would be nice to either improve these checks, or provide a way for them to be disabled in environments like kube where they're too restrictive.