A noted pain point for Streams users on OpenShift is renewal or replacement of certificates - particularly when updating user-provided CA certificates. There are several points at which the process can go wrong, including renaming of the old certificates, encoding of secrets, updating the generation or just general SSL usage errors. Once the issues occur, we often see unhelpful error messages logged that don't give much insight into which secret or resource is misconfigured or how to recover, like pods in crash loop logging errors like "No CA found. Thus exiting."

Anything we an do to ease this process, like more helpful logging, more explicit documentation or utilities to automate certificate updates would be very helpful.