Reflector does not detect changes in KafkaUser secrets after renewal

[rupasna-akamai]

Title: Reflector does not detect updates to KafkaUser secrets after renewal

Description:
When a KafkaUser secret is renewed (e.g., certificates updated), the Reflector does not detect changes in the secret’s data and fails to update the reflected secret in the target namespace automatically.

Environment:

• Kubernetes version: v1.30.2(client) / v1.31.11(server)
• Reflector version: 7.1.288
• Strimzi / Kafka version: strimzi/kafka : 0.42.0 - kafka-3.7.0

Steps to Reproduce:

1. Create a KafkaUser secret in the kafka namespace with Reflector annotations:

kind: Secret
metadata:
  name: kafka-spark
  namespace: kafka
  annotations:
    reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
    reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
    reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: main
  labels:
    app.kubernetes.io/managed-by: strimzi-user-operator
    strimzi.io/cluster: kafkacluster
type: Opaque

2. Update or renew the KafkaUser secret (e.g., certificate rotation).
3. Observe that the reflected secret in the main namespace does not update automatically.

Expected Behavior:
The reflected secret in the target namespace (main) should automatically update when the source secret changes.

Actual Behavior:
The reflected secret remains stale until the reflector pod is restarted.

Workaround:

• Delete the target secret (main/kafka-spark)
• Restart the reflector pod
• After restart, the secrets match.