
Example 26 with Subject

use of io.fabric8.kubernetes.api.model.rbac.Subject in project strimzi-kafka-operator by strimzi.

the class SecurityST method testCustomClusterCAClientsCA.

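/**
 * Deploys a Kafka cluster with operator CA generation disabled for both the Cluster CA and the
 * Clients CA, then checks the issuer DNs of the broker, ZooKeeper and user certificates and
 * exchanges messages over the TLS listener.
 *
 * @param extensionContext JUnit extension context; its display name keys the per-test cluster,
 *                         topic and user names, and it is passed to the resource manager
 */
@ParallelNamespaceTest
void testCustomClusterCAClientsCA(ExtensionContext extensionContext) {
    final String namespaceName = StUtils.getNamespaceBasedOnRbac(namespace, extensionContext);
    final String clusterName = mapWithClusterNames.get(extensionContext.getDisplayName());
    final String topicName = mapWithTestTopics.get(extensionContext.getDisplayName());
    final String userName = mapWithTestUsers.get(extensionContext.getDisplayName());

    generateAndDeployCustomStrimziCA(namespaceName, clusterName);
    checkCustomCAsCorrectness(namespaceName, clusterName);

    LOGGER.info(" Deploy kafka with new certs/secrets.");
    // generateCertificateAuthority(false) is set on both CAs, so the cluster has to run with CA
    // material supplied from outside the operator (presumably the secrets deployed just above).
    // Only the TLS listener (9093) requires client authentication; the plain listener (9092) is
    // declared but not used by this test.
    resourceManager.createResource(extensionContext, KafkaTemplates.kafkaEphemeral(clusterName, 3, 3)
        .editSpec()
            .withNewClusterCa()
                .withGenerateCertificateAuthority(false)
            .endClusterCa()
            .withNewClientsCa()
                .withGenerateCertificateAuthority(false)
            .endClientsCa()
            .editKafka()
                .withListeners(
                    new GenericKafkaListenerBuilder()
                        .withType(KafkaListenerType.INTERNAL)
                        .withName(Constants.PLAIN_LISTENER_DEFAULT_NAME)
                        .withPort(9092)
                        .withTls(false)
                        .build(),
                    new GenericKafkaListenerBuilder()
                        .withType(KafkaListenerType.INTERNAL)
                        .withName(Constants.TLS_LISTENER_DEFAULT_NAME)
                        .withPort(9093)
                        .withTls(true)
                        .withNewKafkaListenerAuthenticationTlsAuth()
                        .endKafkaListenerAuthenticationTlsAuth()
                        .build())
            .endKafka()
        .endSpec()
        .build());

    LOGGER.info("Check Kafka(s) and Zookeeper(s) certificates.");
    // Each failure message prints the exact issuer string that was compared, instead of the
    // differently formatted getIssuerDN() value.
    X509Certificate kafkaCert = SecretUtils.getCertificateFromSecret(kubeClient(namespaceName).getSecret(namespaceName, clusterName + "-kafka-brokers"), clusterName + "-kafka-0.crt");
    final String kafkaIssuer = kafkaCert.getIssuerX500Principal().getName();
    assertThat("KafkaCert does not have expected test Issuer: " + kafkaIssuer, SystemTestCertManager.containsAllDN(kafkaIssuer, STRIMZI_TEST_CLUSTER_CA));

    X509Certificate zookeeperCert = SecretUtils.getCertificateFromSecret(kubeClient(namespaceName).getSecret(namespaceName, clusterName + "-zookeeper-nodes"), clusterName + "-zookeeper-0.crt");
    final String zookeeperIssuer = zookeeperCert.getIssuerX500Principal().getName();
    // The value under test is the certificate's issuer, so the message says Issuer (it used to say Subject).
    assertThat("ZookeeperCert does not have expected test Issuer: " + zookeeperIssuer, SystemTestCertManager.containsAllDN(zookeeperIssuer, STRIMZI_TEST_CLUSTER_CA));

    resourceManager.createResource(extensionContext, KafkaTopicTemplates.topic(clusterName, topicName).build());

    LOGGER.info("Check KafkaUser certificate.");
    KafkaUser user = KafkaUserTemplates.tlsUser(clusterName, userName).build();
    resourceManager.createResource(extensionContext, user);
    X509Certificate userCert = SecretUtils.getCertificateFromSecret(kubeClient(namespaceName).getSecret(namespaceName, userName), "user.crt");
    // The user certificate's issuer is compared with the expected Clients CA DN.
    final String userIssuer = userCert.getIssuerX500Principal().getName();
    assertThat("Generated ClientsCA does not have expected test Subject: " + userIssuer, SystemTestCertManager.containsAllDN(userIssuer, STRIMZI_TEST_CLIENTS_CA));

    LOGGER.info("Send and receive messages over TLS.");
    resourceManager.createResource(extensionContext, KafkaClientsTemplates.kafkaClients(true, clusterName + "-" + Constants.KAFKA_CLIENTS, user).build());
    final String kafkaClientsPodName = kubeClient(namespaceName).listPodsByPrefixInName(namespaceName, clusterName + "-" + Constants.KAFKA_CLIENTS).get(0).getMetadata().getName();
    InternalKafkaClient internalKafkaClient = new InternalKafkaClient.Builder()
        .withUsingPodName(kafkaClientsPodName)
        .withTopicName(topicName)
        .withNamespaceName(namespaceName)
        .withClusterName(clusterName)
        .withKafkaUsername(userName)
        .withMessageCount(MESSAGE_COUNT)
        .withListenerName(Constants.TLS_LISTENER_DEFAULT_NAME)
        .build();

    LOGGER.info("Check for certificates used within kafka pod internal clients (producer/consumer)");
    List<VolumeMount> volumeMounts = kubeClient(namespaceName).listPodsByPrefixInName(namespaceName, clusterName + "-" + Constants.KAFKA_CLIENTS).get(0).getSpec().getContainers().get(0).getVolumeMounts();
    // NOTE(review): if no mount path matches either pattern, none of the four DN assertions below
    // runs and the test still passes. Consider asserting that both mounts were actually seen.
    for (VolumeMount vm : volumeMounts) {
        if (vm.getMountPath().contains("user-secret-" + internalKafkaClient.getKafkaUsername())) {
            assertThat("UserCert Issuer DN in clients pod is incorrect!", checkMountVolumeSecret(namespaceName, kafkaClientsPodName, vm, "issuer", STRIMZI_INTERMEDIATE_CA));
            assertThat("UserCert Subject DN in clients pod is incorrect!", checkMountVolumeSecret(namespaceName, kafkaClientsPodName, vm, "subject", STRIMZI_TEST_CLIENTS_CA));
        } else if (vm.getMountPath().contains("cluster-ca-" + internalKafkaClient.getKafkaUsername())) {
            assertThat("ClusterCA Issuer DN in clients pod is incorrect!", checkMountVolumeSecret(namespaceName, kafkaClientsPodName, vm, "issuer", STRIMZI_INTERMEDIATE_CA));
            assertThat("ClusterCA Subject DN in clients pod is incorrect!", checkMountVolumeSecret(namespaceName, kafkaClientsPodName, vm, "subject", STRIMZI_TEST_CLUSTER_CA));
        }
    }

    LOGGER.info("Checking produced and consumed messages via TLS to pod:{}", kafkaClientsPodName);
    internalKafkaClient.checkProducedAndConsumedMessages(internalKafkaClient.sendMessagesTls(), internalKafkaClient.receiveMessagesTls());
}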
Also used : GenericKafkaListenerBuilder(io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListenerBuilder) GenericKafkaListenerBuilder(io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListenerBuilder) ResourceRequirementsBuilder(io.fabric8.kubernetes.api.model.ResourceRequirementsBuilder) SecretBuilder(io.fabric8.kubernetes.api.model.SecretBuilder) CertificateAuthorityBuilder(io.strimzi.api.kafka.model.CertificateAuthorityBuilder) InternalKafkaClient(io.strimzi.systemtest.kafkaclients.clients.InternalKafkaClient) VolumeMount(io.fabric8.kubernetes.api.model.VolumeMount) Matchers.containsString(org.hamcrest.Matchers.containsString) X509Certificate(java.security.cert.X509Certificate) KafkaUser(io.strimzi.api.kafka.model.KafkaUser) ParallelNamespaceTest(io.strimzi.systemtest.annotations.ParallelNamespaceTest)

Example 27 with Subject

use of io.fabric8.kubernetes.api.model.rbac.Subject in project strimzi-kafka-operator by strimzi.

the class EntityUserOperator method generateRoleBindingForRole.

/**
 * Creates the RoleBinding that binds the Entity Operator service account to the Role returned
 * by {@code getRoleName()}.
 *
 * @param namespace        namespace of the service account used as the binding subject
 * @param watchedNamespace namespace passed to {@code generateRoleBinding} (presumably where the
 *                         binding is created; confirm against that helper)
 * @return the generated RoleBinding; its owner references are emptied when the two namespaces differ
 */
public RoleBinding generateRoleBindingForRole(String namespace, String watchedNamespace) {
    // Subject: the Entity Operator's ServiceAccount, always taken from `namespace`.
    final Subject serviceAccount = new SubjectBuilder()
            .withKind("ServiceAccount")
            .withName(EntityOperator.entityOperatorServiceAccountName(cluster))
            .withNamespace(namespace)
            .build();

    // Reference to a namespaced Role (kind "Role", not "ClusterRole").
    final RoleRef role = new RoleRefBuilder()
            .withName(getRoleName())
            .withApiGroup("rbac.authorization.k8s.io")
            .withKind("Role")
            .build();

    final RoleBinding binding = generateRoleBinding(roleBindingForRoleName(cluster), watchedNamespace, role, singletonList(serviceAccount));

    final boolean sameNamespace = namespace.equals(watchedNamespace);
    if (sameNamespace) {
        return binding;
    }

    // Owner references do not work across namespaces, so a binding for a different
    // namespace is returned without any.
    binding.getMetadata().setOwnerReferences(Collections.emptyList());
    return binding;
}
Also used : RoleRef(io.fabric8.kubernetes.api.model.rbac.RoleRef) RoleBinding(io.fabric8.kubernetes.api.model.rbac.RoleBinding) SubjectBuilder(io.fabric8.kubernetes.api.model.rbac.SubjectBuilder) Subject(io.fabric8.kubernetes.api.model.rbac.Subject) RoleRefBuilder(io.fabric8.kubernetes.api.model.rbac.RoleRefBuilder)

Example 28 with Subject

use of io.fabric8.kubernetes.api.model.rbac.Subject in project strimzi by strimzi.

the class CaRenewalTest method renewalOfStatefulSetCertificatesWithCaRenewal.

/**
 * Calls {@code maybeCopyOrGenerateCerts} on a {@code MockedCa} marked as renewed and expects the
 * certificate, key, keystore and store password of all three pods to be replaced by "new-*" values.
 * The Subject used here is io.strimzi.certs.Subject (a certificate subject), not the RBAC Subject.
 *
 * @throws IOException propagated from {@code maybeCopyOrGenerateCerts}
 */
@ParallelTest
public void renewalOfStatefulSetCertificatesWithCaRenewal() throws IOException {
    MockedCa ca = new MockedCa(Reconciliation.DUMMY_RECONCILIATION, null, null, null, null, null, null, null, 2, 1, true, null);
    ca.setCertRenewed(true);

    // Placeholder payloads, Base64-encoded as Secret data requires; every pod starts with the same "old" values.
    final Base64.Encoder base64 = Base64.getEncoder();
    final String oldCert = base64.encodeToString("old-cert".getBytes());
    final String oldKey = base64.encodeToString("old-key".getBytes());
    final String oldKeyStore = base64.encodeToString("old-keystore".getBytes());
    final String oldPassword = base64.encodeToString("old-password".getBytes());

    Secret existingSecret = new SecretBuilder()
            .withNewMetadata()
                .withName("test-secret")
            .endMetadata()
            .addToData("pod0.crt", oldCert)
            .addToData("pod0.key", oldKey)
            .addToData("pod0.p12", oldKeyStore)
            .addToData("pod0.password", oldPassword)
            .addToData("pod1.crt", oldCert)
            .addToData("pod1.key", oldKey)
            .addToData("pod1.p12", oldKeyStore)
            .addToData("pod1.password", oldPassword)
            .addToData("pod2.crt", oldCert)
            .addToData("pod2.key", oldKey)
            .addToData("pod2.p12", oldKeyStore)
            .addToData("pod2.password", oldPassword)
            .build();

    final int podCount = 3;
    Function<Integer, Subject> emptySubjectFor = index -> new Subject.Builder().build();
    Function<Integer, String> podNameFor = index -> "pod" + index;
    final boolean inMaintenanceWindow = true;

    Map<String, CertAndKey> renewed = ca.maybeCopyOrGenerateCerts(Reconciliation.DUMMY_RECONCILIATION, podCount, emptySubjectFor, existingSecret, podNameFor, inMaintenanceWindow);

    // None of the "old-*" values may survive; the expected "new-*N" values presumably come from MockedCa.
    CertAndKey pod0 = renewed.get("pod0");
    assertThat(new String(pod0.cert()), is("new-cert0"));
    assertThat(new String(pod0.key()), is("new-key0"));
    assertThat(new String(pod0.keyStore()), is("new-keystore0"));
    assertThat(pod0.storePassword(), is("new-password0"));

    CertAndKey pod1 = renewed.get("pod1");
    assertThat(new String(pod1.cert()), is("new-cert1"));
    assertThat(new String(pod1.key()), is("new-key1"));
    assertThat(new String(pod1.keyStore()), is("new-keystore1"));
    assertThat(pod1.storePassword(), is("new-password1"));

    CertAndKey pod2 = renewed.get("pod2");
    assertThat(new String(pod2.cert()), is("new-cert2"));
    assertThat(new String(pod2.key()), is("new-key2"));
    assertThat(new String(pod2.keyStore()), is("new-keystore2"));
    assertThat(pod2.storePassword(), is("new-password2"));
}
Also used : X509Certificate(java.security.cert.X509Certificate) CoreMatchers.is(org.hamcrest.CoreMatchers.is) ParallelSuite(io.strimzi.test.annotations.ParallelSuite) ParallelTest(io.strimzi.test.annotations.ParallelTest) CertManager(io.strimzi.certs.CertManager) IOException(java.io.IOException) VertxExtension(io.vertx.junit5.VertxExtension) CertAndKey(io.strimzi.certs.CertAndKey) Function(java.util.function.Function) File(java.io.File) Subject(io.strimzi.certs.Subject) Reconciliation(io.strimzi.operator.common.Reconciliation) Base64(java.util.Base64) ExtendWith(org.junit.jupiter.api.extension.ExtendWith) AtomicInteger(java.util.concurrent.atomic.AtomicInteger) PasswordGenerator(io.strimzi.operator.common.PasswordGenerator) Map(java.util.Map) Secret(io.fabric8.kubernetes.api.model.Secret) SecretBuilder(io.fabric8.kubernetes.api.model.SecretBuilder) MatcherAssert.assertThat(org.hamcrest.MatcherAssert.assertThat) CertificateExpirationPolicy(io.strimzi.api.kafka.model.CertificateExpirationPolicy) Subject(io.strimzi.certs.Subject) Secret(io.fabric8.kubernetes.api.model.Secret) SecretBuilder(io.fabric8.kubernetes.api.model.SecretBuilder) AtomicInteger(java.util.concurrent.atomic.AtomicInteger) CertAndKey(io.strimzi.certs.CertAndKey) ParallelTest(io.strimzi.test.annotations.ParallelTest)

Example 29 with Subject

use of io.fabric8.kubernetes.api.model.rbac.Subject in project strimzi by strimzi.

the class CaRenewalTest method renewalOfStatefulSetCertificatesDelayedRenewalInWindow.

/**
 * Calls {@code maybeCopyOrGenerateCerts} on a {@code MockedCa} whose certificates are marked as
 * expiring, with the maintenance-window flag set, and expects the certificate, key, keystore and
 * store password of all three pods to be replaced by "new-*" values.
 * The Subject used here is io.strimzi.certs.Subject (a certificate subject), not the RBAC Subject.
 *
 * @throws IOException propagated from {@code maybeCopyOrGenerateCerts}
 */
@ParallelTest
public void renewalOfStatefulSetCertificatesDelayedRenewalInWindow() throws IOException {
    MockedCa ca = new MockedCa(Reconciliation.DUMMY_RECONCILIATION, null, null, null, null, null, null, null, 2, 1, true, null);
    ca.setCertExpiring(true);

    // Placeholder payloads, Base64-encoded as Secret data requires; every pod starts with the same "old" values.
    final Base64.Encoder base64 = Base64.getEncoder();
    final String oldCert = base64.encodeToString("old-cert".getBytes());
    final String oldKey = base64.encodeToString("old-key".getBytes());
    final String oldKeyStore = base64.encodeToString("old-keystore".getBytes());
    final String oldPassword = base64.encodeToString("old-password".getBytes());

    Secret existingSecret = new SecretBuilder()
            .withNewMetadata()
                .withName("test-secret")
            .endMetadata()
            .addToData("pod0.crt", oldCert)
            .addToData("pod0.key", oldKey)
            .addToData("pod0.p12", oldKeyStore)
            .addToData("pod0.password", oldPassword)
            .addToData("pod1.crt", oldCert)
            .addToData("pod1.key", oldKey)
            .addToData("pod1.p12", oldKeyStore)
            .addToData("pod1.password", oldPassword)
            .addToData("pod2.crt", oldCert)
            .addToData("pod2.key", oldKey)
            .addToData("pod2.p12", oldKeyStore)
            .addToData("pod2.password", oldPassword)
            .build();

    final int podCount = 3;
    Function<Integer, Subject> emptySubjectFor = index -> new Subject.Builder().build();
    Function<Integer, String> podNameFor = index -> "pod" + index;
    // The window is open, so an expiring certificate is eligible for renewal in this call.
    final boolean inMaintenanceWindow = true;

    Map<String, CertAndKey> renewed = ca.maybeCopyOrGenerateCerts(Reconciliation.DUMMY_RECONCILIATION, podCount, emptySubjectFor, existingSecret, podNameFor, inMaintenanceWindow);

    // None of the "old-*" values may survive; the expected "new-*N" values presumably come from MockedCa.
    CertAndKey pod0 = renewed.get("pod0");
    assertThat(new String(pod0.cert()), is("new-cert0"));
    assertThat(new String(pod0.key()), is("new-key0"));
    assertThat(new String(pod0.keyStore()), is("new-keystore0"));
    assertThat(pod0.storePassword(), is("new-password0"));

    CertAndKey pod1 = renewed.get("pod1");
    assertThat(new String(pod1.cert()), is("new-cert1"));
    assertThat(new String(pod1.key()), is("new-key1"));
    assertThat(new String(pod1.keyStore()), is("new-keystore1"));
    assertThat(pod1.storePassword(), is("new-password1"));

    CertAndKey pod2 = renewed.get("pod2");
    assertThat(new String(pod2.cert()), is("new-cert2"));
    assertThat(new String(pod2.key()), is("new-key2"));
    assertThat(new String(pod2.keyStore()), is("new-keystore2"));
    assertThat(pod2.storePassword(), is("new-password2"));
}
Also used : X509Certificate(java.security.cert.X509Certificate) CoreMatchers.is(org.hamcrest.CoreMatchers.is) ParallelSuite(io.strimzi.test.annotations.ParallelSuite) ParallelTest(io.strimzi.test.annotations.ParallelTest) CertManager(io.strimzi.certs.CertManager) IOException(java.io.IOException) VertxExtension(io.vertx.junit5.VertxExtension) CertAndKey(io.strimzi.certs.CertAndKey) Function(java.util.function.Function) File(java.io.File) Subject(io.strimzi.certs.Subject) Reconciliation(io.strimzi.operator.common.Reconciliation) Base64(java.util.Base64) ExtendWith(org.junit.jupiter.api.extension.ExtendWith) AtomicInteger(java.util.concurrent.atomic.AtomicInteger) PasswordGenerator(io.strimzi.operator.common.PasswordGenerator) Map(java.util.Map) Secret(io.fabric8.kubernetes.api.model.Secret) SecretBuilder(io.fabric8.kubernetes.api.model.SecretBuilder) MatcherAssert.assertThat(org.hamcrest.MatcherAssert.assertThat) CertificateExpirationPolicy(io.strimzi.api.kafka.model.CertificateExpirationPolicy) Subject(io.strimzi.certs.Subject) Secret(io.fabric8.kubernetes.api.model.Secret) SecretBuilder(io.fabric8.kubernetes.api.model.SecretBuilder) AtomicInteger(java.util.concurrent.atomic.AtomicInteger) CertAndKey(io.strimzi.certs.CertAndKey) ParallelTest(io.strimzi.test.annotations.ParallelTest)

Example 30 with Subject

use of io.fabric8.kubernetes.api.model.rbac.Subject in project strimzi by strimzi.

the class Ca method maybeCopyOrGenerateCerts.

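/**
 * Builds the per-pod certificate map for the requested number of replicas.
 * <p>
 * For the first {@code min(replicasInSecret, replicas)} pods the certificate stored in
 * {@code secret} is loaded and kept, unless its subject changed, it is expiring while the
 * maintenance window is satisfied, or the renewal type is {@code CREATE}; in those cases a new
 * certificate is generated. For pod indexes from {@code replicasInSecret} up to {@code replicas}
 * (scale-up) a new certificate is always generated. {@code replicasInSecret} is the number of
 * Secret keys containing ".crt", or 0 when there is no Secret data or {@code certRenewed()} is true.
 * <p>
 * The temporary files handed to certificate generation are deleted on every exit path,
 * including when an exception is thrown.
 *
 * @param reconciliation                     reconciliation marker used for logging and file cleanup
 * @param replicas                           number of pods that need a certificate
 * @param subjectFn                          maps a pod index to the certificate subject for that pod
 * @param secret                             existing Secret with per-pod entries; may be {@code null}
 * @param podNameFn                          maps a pod index to the pod name used as key prefix and map key
 * @param isMaintenanceTimeWindowsSatisfied  whether expiring certificates may be renewed now
 * @return map from pod name to the certificate and key to use for that pod
 * @throws IOException if a temporary file cannot be created or a called helper fails with it
 */
protected Map<String, CertAndKey> maybeCopyOrGenerateCerts(Reconciliation reconciliation, int replicas, Function<Integer, Subject> subjectFn, Secret secret, Function<Integer, String> podNameFn, boolean isMaintenanceTimeWindowsSatisfied) throws IOException {
    int replicasInSecret;
    if (secret == null || secret.getData() == null || this.certRenewed()) {
        // Nothing to reuse: every pod goes through the generation loop below.
        replicasInSecret = 0;
    } else {
        replicasInSecret = (int) secret.getData().keySet().stream().filter(k -> k.contains(".crt")).count();
    }

    // NOTE(review): judging by their names, these scratch files hold the broker private key and
    // PKCS#12 keystore. File.createTempFile leaves the file mode to the process umask, whereas
    // java.nio.file.Files.createTempFile creates owner-only files on POSIX file systems; confirm
    // and consider switching.
    File brokerCsrFile = null;
    File brokerKeyFile = null;
    File brokerCertFile = null;
    File brokerKeyStoreFile = null;
    try {
        brokerCsrFile = File.createTempFile("tls", "broker-csr");
        brokerKeyFile = File.createTempFile("tls", "broker-key");
        brokerCertFile = File.createTempFile("tls", "broker-cert");
        brokerKeyStoreFile = File.createTempFile("tls", "broker-p12");

        int replicasInNewSecret = Math.min(replicasInSecret, replicas);
        Map<String, CertAndKey> certs = new HashMap<>(replicasInNewSecret);

        // Existing pods. On scale-down only the requested number of replicas is copied.
        for (int i = 0; i < replicasInNewSecret; i++) {
            String podName = podNameFn.apply(i);
            LOGGER.debugCr(reconciliation, "Certificate for {} already exists", podName);
            Subject subject = subjectFn.apply(i);

            Map<String, String> data = secret.getData();
            String keyStore = data.get(podName + ".p12");
            String keyStorePassword = data.get(podName + ".password");

            CertAndKey certAndKey;
            if (keyStore != null && !keyStore.isEmpty() && keyStorePassword != null && !keyStorePassword.isEmpty()) {
                certAndKey = asCertAndKey(secret, podName + ".key", podName + ".crt", podName + ".p12", podName + ".password");
            } else {
                // coming from an older operator version, the secret exists but without keystore and password
                certAndKey = addKeyAndCertToKeyStore(subject.commonName(), Base64.getDecoder().decode(data.get(podName + ".key")), Base64.getDecoder().decode(data.get(podName + ".crt")));
            }

            // Collect every reason for regeneration so the debug log explains the decision.
            List<String> reasons = new ArrayList<>(2);
            if (certSubjectChanged(certAndKey, subject, podName)) {
                reasons.add("DNS names changed");
            }
            // An expiring certificate is only replaced inside the maintenance window.
            if (isExpiring(secret, podName + ".crt") && isMaintenanceTimeWindowsSatisfied) {
                reasons.add("certificate is expiring");
            }
            if (renewalType.equals(RenewalType.CREATE)) {
                reasons.add("certificate added");
            }

            if (!reasons.isEmpty()) {
                LOGGER.debugCr(reconciliation, "Certificate for pod {} need to be regenerated because: {}", podName, String.join(", ", reasons));
                CertAndKey newCertAndKey = generateSignedCert(subject, brokerCsrFile, brokerKeyFile, brokerCertFile, brokerKeyStoreFile);
                certs.put(podName, newCertAndKey);
            } else {
                certs.put(podName, certAndKey);
            }
        }

        // New pods (scale-up). On scale-down this loop does nothing.
        for (int i = replicasInSecret; i < replicas; i++) {
            String podName = podNameFn.apply(i);
            LOGGER.debugCr(reconciliation, "Certificate for pod {} to generate", podName);
            CertAndKey k = generateSignedCert(subjectFn.apply(i), brokerCsrFile, brokerKeyFile, brokerCertFile, brokerKeyStoreFile);
            certs.put(podName, k);
        }

        return certs;
    } finally {
        // Clean up on every path so a failed reconciliation does not leave scratch files behind.
        if (brokerCsrFile != null) {
            delete(reconciliation, brokerCsrFile);
        }
        if (brokerKeyFile != null) {
            delete(reconciliation, brokerKeyFile);
        }
        if (brokerCertFile != null) {
            delete(reconciliation, brokerCertFile);
        }
        if (brokerKeyStoreFile != null) {
            delete(reconciliation, brokerKeyStoreFile);
        }
    }
}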
Also used : X509Certificate(java.security.cert.X509Certificate) HOUR_OF_DAY(java.time.temporal.ChronoField.HOUR_OF_DAY) SECOND_OF_MINUTE(java.time.temporal.ChronoField.SECOND_OF_MINUTE) CertificateFactory(java.security.cert.CertificateFactory) Date(java.util.Date) Annotations(io.strimzi.operator.common.Annotations) KeyStoreException(java.security.KeyStoreException) SignStyle(java.time.format.SignStyle) ByteArrayInputStream(java.io.ByteArrayInputStream) IsoChronology(java.time.chrono.IsoChronology) Map(java.util.Map) Collection(java.util.Collection) Set(java.util.Set) Instant(java.time.Instant) Collectors(java.util.stream.Collectors) StandardCharsets(java.nio.charset.StandardCharsets) ZoneId(java.time.ZoneId) Subject(io.strimzi.certs.Subject) Base64(java.util.Base64) List(java.util.List) Certificate(java.security.cert.Certificate) NANO_OF_SECOND(java.time.temporal.ChronoField.NANO_OF_SECOND) PasswordGenerator(io.strimzi.operator.common.PasswordGenerator) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) Secret(io.fabric8.kubernetes.api.model.Secret) Optional(java.util.Optional) DateTimeFormatterBuilder(java.time.format.DateTimeFormatterBuilder) CertManager(io.strimzi.certs.CertManager) HashMap(java.util.HashMap) OwnerReference(io.fabric8.kubernetes.api.model.OwnerReference) CertAndKey(io.strimzi.certs.CertAndKey) Function(java.util.function.Function) ArrayList(java.util.ArrayList) YEAR(java.time.temporal.ChronoField.YEAR) Collections.singletonMap(java.util.Collections.singletonMap) CertificateExpirationPolicy(io.strimzi.api.kafka.model.CertificateExpirationPolicy) SecretCertProvider(io.strimzi.certs.SecretCertProvider) ReconciliationLogger(io.strimzi.operator.common.ReconciliationLogger) MONTH_OF_YEAR(java.time.temporal.ChronoField.MONTH_OF_YEAR) Collections.emptyMap(java.util.Collections.emptyMap) Iterator(java.util.Iterator) Files(java.nio.file.Files) MINUTE_OF_HOUR(java.time.temporal.ChronoField.MINUTE_OF_HOUR) IOException(java.io.IOException) 
CertificateException(java.security.cert.CertificateException) DAY_OF_MONTH(java.time.temporal.ChronoField.DAY_OF_MONTH) File(java.io.File) Reconciliation(io.strimzi.operator.common.Reconciliation) Util(io.strimzi.operator.common.Util) DateTimeFormatter(java.time.format.DateTimeFormatter) SecretBuilder(io.fabric8.kubernetes.api.model.SecretBuilder) CertAndKey(io.strimzi.certs.CertAndKey) HashMap(java.util.HashMap) ArrayList(java.util.ArrayList) File(java.io.File) Subject(io.strimzi.certs.Subject)

Aggregations

Subject (io.fabric8.kubernetes.api.model.rbac.Subject)23 RoleRef (io.fabric8.kubernetes.api.model.rbac.RoleRef)18 RoleRefBuilder (io.fabric8.kubernetes.api.model.rbac.RoleRefBuilder)18 SubjectBuilder (io.fabric8.kubernetes.api.model.rbac.SubjectBuilder)18 File (java.io.File)15 SecretBuilder (io.fabric8.kubernetes.api.model.SecretBuilder)14 Secret (io.fabric8.kubernetes.api.model.Secret)12 CertAndKey (io.strimzi.certs.CertAndKey)12 Subject (io.strimzi.certs.Subject)12 X509Certificate (java.security.cert.X509Certificate)12 Map (java.util.Map)12 IOException (java.io.IOException)11 RoleBindingBuilder (io.fabric8.kubernetes.api.model.rbac.RoleBindingBuilder)10 CertificateExpirationPolicy (io.strimzi.api.kafka.model.CertificateExpirationPolicy)10 CertManager (io.strimzi.certs.CertManager)10 PasswordGenerator (io.strimzi.operator.common.PasswordGenerator)10 Reconciliation (io.strimzi.operator.common.Reconciliation)10 Base64 (java.util.Base64)10 Function (java.util.function.Function)10 Test (org.testng.annotations.Test)8