Hey All,

I am trying to implement a cron job that automatically reloads the SSL key and trust stores for both brokers and controllers that are running as separate processes in KRaft mode. For brokers, the SSL reload script works just fine, but for the controller I am seeing an issue where SSL reloading doesn't work on non-active controllers.

Here's the Kafka CLI command that I am executing:

```bash
bin/kafka-configs.sh --command-config /tmp/kafka/config/kraft/client.properties --bootstrap-controller localhost:21504 --entity-type brokers --entity-name 5 --alter --add-config listener.name.controller.ssl.truststore.location=./java/cacerts
```

And here's the error:

```bash
Reloading SSL trust store for listener 'controller'
Error while executing config command with args '--command-config /tmp/kafka/config/kraft/client.properties --bootstrap-controller localhost:21504 --entity-type brokers --entity-name 5 --alter --add-config listener.name.controller.ssl.truststore.location=/etc/pki/java/cacerts'
java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.NotControllerException: The active controller appears to be node 3.
    at java.base/java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:396)
    at java.base/java.util.concurrent.CompletableFuture.get(CompletableFuture.java:2096)
    at org.apache.kafka.common.internals.KafkaFutureImpl.get(KafkaFutureImpl.java:180)
    at kafka.admin.ConfigCommand$.alterConfig(ConfigCommand.scala:393)
    at kafka.admin.ConfigCommand$.processCommand(ConfigCommand.scala:341)
    at kafka.admin.ConfigCommand$.main(ConfigCommand.scala:97)
    at kafka.admin.ConfigCommand.main(ConfigCommand.scala)
Caused by: org.apache.kafka.common.errors.NotControllerException: The active controller appears to be node 3.
```

Any idea why only active controllers are allowed to reload SSL trust and key stores? SSL reloading is local to individual nodes, so it seems like an unnecessary restriction to prevent SSL reloading for inactive controllers, unless SSL reload on an active controller somehow propagates to other controllers? Is that what's happening here?

Please advise on how to dynamically reload SSL trust and key stores for inactive controllers, and I apologize if this is a silly question.

Thanks!

Regards,
Krishna V