Add warning about ConfigMap naming constraint for trustedClientCaCert

jlian · jlian · commit 9dde87f14068 · 2026-03-25T12:38:54.000-07:00
The broker operator uses the trustedClientCaCert ConfigMap name as a
Kubernetes volume name. Volume names must follow RFC 1123 label rules
(no dots). If the name contains dots, reconciliation fails silently
and listeners don't provision. Add an IMPORTANT callout to the X.509
authentication docs.
diff --git a/articles/iot-operations/manage-mqtt-broker/howto-configure-authentication.md b/articles/iot-operations/manage-mqtt-broker/howto-configure-authentication.md
@@ -6,7 +6,7 @@ ms.author: sethm
 ms.service: azure-iot-operations
 ms.subservice: azure-mqtt-broker
 ms.topic: how-to
-ms.date: 04/10/2025
+ms.date: 03/25/2026
 ms.custom:
   - ignite-2023
   - sfi-image-nochange
@@ -458,6 +458,9 @@ To get started with X.509 authentication, import the trusted CA certificate into
 kubectl create configmap client-ca --from-file=ca.pem -n azure-iot-operations
 ```
 
+> [!IMPORTANT]
+> The ConfigMap name is used as a Kubernetes volume name internally by the broker operator. Volume names must conform to [RFC 1123 label rules](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-label-names), which means they can only contain lowercase alphanumeric characters and hyphens. For example, `client-ca` and `my-root-ca` are valid names, but `my-root-ca.crt` is not. If the ConfigMap name contains dots or other invalid characters, the broker's reconciliation fails silently and listeners don't provision correctly.
+
 In this example, the CA certificate is imported under the key `ca.pem`. The MQTT broker trusts all CA certificates in the ConfigMap, so you can use anything for the name of the key.
 
 To check that the root CA certificate is properly imported, run `kubectl describe configmap`. The result shows the same Base64 encoding of the PEM certificate file.
