AMQ Streams / ENTMQST-4968

[KAFKA] SAN / DN change check on certificate should be opt-out


    • Task
    • Resolution: Duplicate
    • kafka-broker

      When a Kafka broker reloads a changed SSL certificate it performs some safety checks on it, for example that the Subject Alternative Names haven't changed. These checks prevent dynamically reloading certificates in Strimzi in most circumstances. Instead the operator has to restart brokers when certificates change. Restarting brokers is generally undesirable because of the impact on clients (increased latency due to leader changes), time to JIT steady state, etc.

      This issue is to evaluate which of these checks really make sense in a dynamic Kubernetes environment and propose a KIP to make the other checks optional.

      If/when that KIP is approved we can open a followup issue to opt out of these checks in Strimzi and so avoid broker rolls in some cases.

            Unassigned Unassigned
            tbentley-1 Tom Bentley