
Example 11 with CertSecretSource

use of io.strimzi.api.kafka.model.CertSecretSource in project strimzi by strimzi.

From the class MirrorMakerIsolatedST, method testMirrorMakerTlsScramSha.

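/**
 * Test mirroring messages by Mirror Maker over tls transport using scram-sha auth.
 *
 * <p>Both the source and the target Kafka cluster expose a single TLS listener (port 9093)
 * with SCRAM-SHA-512 authentication. Mirror Maker gets one SCRAM-SHA-512 user per cluster
 * and trusts the CA certificate of the cluster it talks to. The test first checks that both
 * clusters accept TLS clients, then produces to the mirrored topic on the source cluster and
 * expects the same number of messages to be consumable from the target cluster.
 *
 * @param extensionContext JUnit extension context; its display name selects the cluster and
 *                         topic names prepared for this test
 */
@ParallelNamespaceTest
@SuppressWarnings("checkstyle:methodlength")
void testMirrorMakerTlsScramSha(ExtensionContext extensionContext) {
    final String namespaceName = StUtils.getNamespaceBasedOnRbac(INFRA_NAMESPACE, extensionContext);
    final String clusterName = mapWithClusterNames.get(extensionContext.getDisplayName());
    final String topicName = mapWithTestTopics.get(extensionContext.getDisplayName());
    final String kafkaClusterSourceName = clusterName + "-source";
    final String kafkaClusterTargetName = clusterName + "-target";
    final String kafkaUserSource = clusterName + "-my-user-source";
    final String kafkaUserTarget = clusterName + "-my-user-target";

    // Deploy source kafka with tls listener and SCRAM-SHA authentication
    resourceManager.createResource(extensionContext, KafkaTemplates.kafkaEphemeral(kafkaClusterSourceName, 1, 1)
        .editSpec()
            .editKafka()
                .withListeners(new GenericKafkaListenerBuilder()
                    .withName(Constants.TLS_LISTENER_DEFAULT_NAME)
                    .withPort(9093)
                    .withType(KafkaListenerType.INTERNAL)
                    .withTls(true)
                    .withAuth(new KafkaListenerAuthenticationScramSha512())
                    .build())
            .endKafka()
        .endSpec()
        .build());

    // Deploy target kafka with tls listener and SCRAM-SHA authentication
    resourceManager.createResource(extensionContext, KafkaTemplates.kafkaEphemeral(kafkaClusterTargetName, 1, 1)
        .editSpec()
            .editKafka()
                .withListeners(new GenericKafkaListenerBuilder()
                    .withName(Constants.TLS_LISTENER_DEFAULT_NAME)
                    .withPort(9093)
                    .withType(KafkaListenerType.INTERNAL)
                    .withTls(true)
                    .withAuth(new KafkaListenerAuthenticationScramSha512())
                    .build())
            .endKafka()
        .endSpec()
        .build());

    // Deploy the topic that Mirror Maker will mirror from source to target
    resourceManager.createResource(extensionContext, KafkaTopicTemplates.topic(kafkaClusterSourceName, topicName).build());

    // One SCRAM-SHA user per cluster; the test relies on the credentials Secret carrying the same name as the KafkaUser
    KafkaUser userSource = KafkaUserTemplates.scramShaUser(kafkaClusterSourceName, kafkaUserSource).build();
    KafkaUser userTarget = KafkaUserTemplates.scramShaUser(kafkaClusterTargetName, kafkaUserTarget).build();
    resourceManager.createResource(extensionContext, userSource);
    resourceManager.createResource(extensionContext, userTarget);

    // PasswordSecretSource for the Mirror Maker consumer: "password" is the key inside the user Secret, not a literal credential
    PasswordSecretSource passwordSecretSource = new PasswordSecretSource();
    passwordSecretSource.setSecretName(kafkaUserSource);
    passwordSecretSource.setPassword("password");

    // PasswordSecretSource for the Mirror Maker producer
    PasswordSecretSource passwordSecretTarget = new PasswordSecretSource();
    passwordSecretTarget.setSecretName(kafkaUserTarget);
    passwordSecretTarget.setPassword("password");

    // CertSecretSource for the consumer: trust the source cluster CA ("ca.crt" is the key inside the CA Secret)
    CertSecretSource certSecretSource = new CertSecretSource();
    certSecretSource.setCertificate("ca.crt");
    certSecretSource.setSecretName(KafkaResources.clusterCaCertificateSecretName(kafkaClusterSourceName));

    // CertSecretSource for the producer: trust the target cluster CA
    CertSecretSource certSecretTarget = new CertSecretSource();
    certSecretTarget.setCertificate("ca.crt");
    certSecretTarget.setSecretName(KafkaResources.clusterCaCertificateSecretName(kafkaClusterTargetName));

    // Deploy the client pod carrying the credentials of both users
    resourceManager.createResource(extensionContext, KafkaClientsTemplates.kafkaClients(namespaceName, true, clusterName + "-" + Constants.KAFKA_CLIENTS, userSource, userTarget).build());
    final String kafkaClientsPodName = PodUtils.getPodsByPrefixInNameWithDynamicWait(namespaceName, clusterName + "-" + Constants.KAFKA_CLIENTS).get(0).getMetadata().getName();

    // Extra topics used only to verify that each cluster is reachable over TLS before Mirror Maker is deployed.
    // NOTE(review): topicTestName2 is created on the source cluster but exercised against the target below;
    // presumably the target auto-creates it — confirm before relying on it.
    final String topicTestName1 = topicName + "-test-1";
    final String topicTestName2 = topicName + "-test-2";
    resourceManager.createResource(extensionContext, KafkaTopicTemplates.topic(kafkaClusterSourceName, topicTestName1).build());
    resourceManager.createResource(extensionContext, KafkaTopicTemplates.topic(kafkaClusterSourceName, topicTestName2).build());

    InternalKafkaClient internalKafkaClient = new InternalKafkaClient.Builder()
        .withUsingPodName(kafkaClientsPodName)
        .withTopicName(topicTestName1)
        .withNamespaceName(namespaceName)
        .withClusterName(kafkaClusterSourceName)
        .withKafkaUsername(userSource.getMetadata().getName())
        .withMessageCount(messagesCount)
        .withListenerName(Constants.TLS_LISTENER_DEFAULT_NAME)
        .build();

    // Check brokers availability
    internalKafkaClient.produceAndConsumesTlsMessagesUntilBothOperationsAreSuccessful();

    internalKafkaClient = internalKafkaClient.toBuilder()
        .withTopicName(topicTestName2)
        .withClusterName(kafkaClusterTargetName)
        .withKafkaUsername(userTarget.getMetadata().getName())
        .build();
    internalKafkaClient.produceAndConsumesTlsMessagesUntilBothOperationsAreSuccessful();

    // Deploy Mirror Maker with TLS and ScramSha512: consumer authenticates against source, producer against target
    resourceManager.createResource(extensionContext, KafkaMirrorMakerTemplates.kafkaMirrorMaker(clusterName, kafkaClusterSourceName, kafkaClusterTargetName, ClientUtils.generateRandomConsumerGroup(), 1, true)
        .editSpec()
            .editConsumer()
                .withNewKafkaClientAuthenticationScramSha512()
                    .withUsername(kafkaUserSource)
                    .withPasswordSecret(passwordSecretSource)
                .endKafkaClientAuthenticationScramSha512()
                .withNewTls()
                    .withTrustedCertificates(certSecretSource)
                .endTls()
            .endConsumer()
            .editProducer()
                .withNewKafkaClientAuthenticationScramSha512()
                    .withUsername(kafkaUserTarget)
                    .withPasswordSecret(passwordSecretTarget)
                .endKafkaClientAuthenticationScramSha512()
                .withNewTls()
                    .withTrustedCertificates(certSecretTarget)
                .endTls()
            .endProducer()
        .endSpec()
        .build());

    // Produce to the mirrored topic on the source cluster ...
    internalKafkaClient = internalKafkaClient.toBuilder()
        .withTopicName(topicName)
        .withClusterName(kafkaClusterSourceName)
        .withKafkaUsername(userSource.getMetadata().getName())
        .build();
    internalKafkaClient.produceAndConsumesTlsMessagesUntilBothOperationsAreSuccessful();

    // ... and expect the same number of messages to be readable from the target cluster
    InternalKafkaClient newInternalKafkaClient = internalKafkaClient.toBuilder()
        .withClusterName(kafkaClusterTargetName)
        .withKafkaUsername(userTarget.getMetadata().getName())
        .build();
    newInternalKafkaClient.consumesTlsMessagesUntilOperationIsSuccessful(internalKafkaClient.getMessageCount());
}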

Example 12 with CertSecretSource

use of io.strimzi.api.kafka.model.CertSecretSource in project strimzi by strimzi.

From the class KafkaBridgeCluster, method getEnvVars.

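/**
 * Builds the environment variables for the Kafka Bridge container.
 *
 * <p>The variables are emitted in a fixed order: metrics/GC/JVM settings, bootstrap servers,
 * the admin/consumer/producer client configurations, HTTP (including CORS), AMQP, TLS trust
 * settings, client authentication, tracing, the shared variables from
 * {@link #getRequiredEnvVars()} and finally the user-supplied template variables.
 *
 * @return Environment variables for the Kafka Bridge container
 */
@Override
protected List<EnvVar> getEnvVars() {
    List<EnvVar> varList = new ArrayList<>();
    varList.add(buildEnvVar(ENV_VAR_KAFKA_BRIDGE_METRICS_ENABLED, String.valueOf(isMetricsEnabled)));
    varList.add(buildEnvVar(ENV_VAR_STRIMZI_GC_LOG_ENABLED, String.valueOf(gcLoggingEnabled)));
    ModelUtils.javaOptions(varList, getJvmOptions(), javaSystemProperties);
    varList.add(buildEnvVar(ENV_VAR_KAFKA_BRIDGE_BOOTSTRAP_SERVERS, bootstrapServers));
    // A missing client section results in an empty configuration string rather than a missing variable
    varList.add(buildEnvVar(ENV_VAR_KAFKA_BRIDGE_ADMIN_CLIENT_CONFIG, kafkaBridgeAdminClient == null ? "" : new KafkaBridgeAdminClientConfiguration(reconciliation, kafkaBridgeAdminClient.getConfig().entrySet()).getConfiguration()));
    varList.add(buildEnvVar(ENV_VAR_KAFKA_BRIDGE_CONSUMER_CONFIG, kafkaBridgeConsumer == null ? "" : new KafkaBridgeConsumerConfiguration(reconciliation, kafkaBridgeConsumer.getConfig().entrySet()).getConfiguration()));
    varList.add(buildEnvVar(ENV_VAR_KAFKA_BRIDGE_PRODUCER_CONFIG, kafkaBridgeProducer == null ? "" : new KafkaBridgeProducerConfiguration(reconciliation, kafkaBridgeProducer.getConfig().entrySet()).getConfiguration()));
    varList.add(buildEnvVar(ENV_VAR_KAFKA_BRIDGE_ID, cluster));
    varList.add(buildEnvVar(ENV_VAR_KAFKA_BRIDGE_HTTP_ENABLED, String.valueOf(httpEnabled)));
    varList.add(buildEnvVar(ENV_VAR_KAFKA_BRIDGE_HTTP_HOST, KafkaBridgeHttpConfig.HTTP_DEFAULT_HOST));
    varList.add(buildEnvVar(ENV_VAR_KAFKA_BRIDGE_HTTP_PORT, String.valueOf(http != null ? http.getPort() : KafkaBridgeHttpConfig.HTTP_DEFAULT_PORT)));
    addCorsEnvVars(varList);
    varList.add(buildEnvVar(ENV_VAR_KAFKA_BRIDGE_AMQP_ENABLED, String.valueOf(amqpEnabled)));
    addTlsEnvVars(varList);
    AuthenticationUtils.configureClientAuthenticationEnvVars(authentication, varList, name -> ENV_VAR_PREFIX + name);
    if (tracing != null) {
        varList.add(buildEnvVar(ENV_VAR_STRIMZI_TRACING, tracing.getType()));
    }
    // Add shared environment variables used for all containers
    varList.addAll(getRequiredEnvVars());
    addContainerEnvsToExistingEnvs(varList, templateContainerEnvVars);
    return varList;
}

/**
 * Adds the CORS related environment variables.
 * CORS is switched on only when the HTTP configuration carries a CORS section; allowed
 * origins and methods are passed as comma separated lists and omitted when not configured.
 *
 * @param varList List of environment variables to append to
 */
private void addCorsEnvVars(List<EnvVar> varList) {
    if (http != null && http.getCors() != null) {
        varList.add(buildEnvVar(ENV_VAR_KAFKA_BRIDGE_CORS_ENABLED, "true"));
        if (http.getCors().getAllowedOrigins() != null) {
            varList.add(buildEnvVar(ENV_VAR_KAFKA_BRIDGE_CORS_ALLOWED_ORIGINS, String.join(",", http.getCors().getAllowedOrigins())));
        }
        if (http.getCors().getAllowedMethods() != null) {
            varList.add(buildEnvVar(ENV_VAR_KAFKA_BRIDGE_CORS_ALLOWED_METHODS, String.join(",", http.getCors().getAllowedMethods())));
        }
    } else {
        varList.add(buildEnvVar(ENV_VAR_KAFKA_BRIDGE_CORS_ENABLED, "false"));
    }
}

/**
 * Adds the TLS related environment variables when TLS is configured.
 * Trusted certificates are encoded as {@code secretName/certificateKey} entries separated by
 * {@code ;}, the same format the other Strimzi components use. When TLS is configured but no
 * trusted certificates are listed, only the TLS flag is set.
 *
 * @param varList List of environment variables to append to
 */
private void addTlsEnvVars(List<EnvVar> varList) {
    if (tls == null) {
        return;
    }
    varList.add(buildEnvVar(ENV_VAR_KAFKA_BRIDGE_TLS, "true"));
    List<CertSecretSource> trustedCertificates = tls.getTrustedCertificates();
    if (trustedCertificates != null && !trustedCertificates.isEmpty()) {
        StringBuilder sb = new StringBuilder();
        for (CertSecretSource certSecretSource : trustedCertificates) {
            // every entry contains "/", so a non-empty builder means an entry was already written
            if (sb.length() > 0) {
                sb.append(";");
            }
            sb.append(certSecretSource.getSecretName()).append("/").append(certSecretSource.getCertificate());
        }
        varList.add(buildEnvVar(ENV_VAR_KAFKA_BRIDGE_TRUSTED_CERTS, sb.toString()));
    }
}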

Example 13 with CertSecretSource

use of io.strimzi.api.kafka.model.CertSecretSource in project strimzi by strimzi.

From the class AuthenticationUtils, method configureOauthCertificateVolumeMounts.

/**
 * Generates volume mounts needed for certificates needed to connect to OAuth server.
 * This is used in both OAuth servers and clients.
 *
 * <p>Every trusted certificate gets its own mount at
 * {@code <baseVolumeMount>/<secretName>-<index>}, backed by the volume named
 * {@code <volumeNamePrefix>-<index>}. The index is the position of the certificate in
 * {@code trustedCertificates}, so the mounts line up with the volumes produced by
 * {@link #configureOauthCertificateVolumes(String, List, boolean)}.
 *
 * @param volumeNamePrefix   Prefix which was used to name the secret volumes
 * @param trustedCertificates   List of certificates which should be mounted; may be null or empty
 * @param baseVolumeMount   The Base volume into which the certificates should be mounted
 *
 * @return List of new VolumeMounts, empty when there is nothing to mount
 */
public static List<VolumeMount> configureOauthCertificateVolumeMounts(String volumeNamePrefix, List<CertSecretSource> trustedCertificates, String baseVolumeMount) {
    List<VolumeMount> mounts = new ArrayList<>();
    if (trustedCertificates == null || trustedCertificates.isEmpty()) {
        return mounts;
    }
    for (int idx = 0; idx < trustedCertificates.size(); idx++) {
        CertSecretSource cert = trustedCertificates.get(idx);
        String volumeName = String.format("%s-%d", volumeNamePrefix, idx);
        // The secret name becomes a path component; NOTE(review): it is a Kubernetes resource name,
        // so it presumably cannot contain a path separator — confirm if this is ever fed from elsewhere
        String mountPath = String.format("%s/%s-%d", baseVolumeMount, cert.getSecretName(), idx);
        mounts.add(VolumeUtils.createVolumeMount(volumeName, mountPath));
    }
    return mounts;
}

Example 14 with CertSecretSource

use of io.strimzi.api.kafka.model.CertSecretSource in project strimzi by strimzi.

From the class AuthenticationUtils, method configureOauthCertificateVolumes.

/**
 * Generates volumes needed for certificates needed to connect to OAuth server.
 * This is used in both OAuth servers and clients.
 *
 * <p>One Secret volume named {@code <volumeNamePrefix>-<index>} is created per trusted
 * certificate. Only the configured key of the Secret is projected, and always under the fixed
 * file name {@code tls.crt}, so the consumer does not need to know the original key name.
 *
 * @param volumeNamePrefix    Prefix for naming the secret volumes
 * @param trustedCertificates   List of certificates which should be mounted; may be null or empty
 * @param isOpenShift   Flag whether we are on OpenShift or not
 *
 * @return List of new Volumes, empty when there is nothing to mount
 */
public static List<Volume> configureOauthCertificateVolumes(String volumeNamePrefix, List<CertSecretSource> trustedCertificates, boolean isOpenShift) {
    List<Volume> volumes = new ArrayList<>();
    if (trustedCertificates == null || trustedCertificates.isEmpty()) {
        return volumes;
    }
    int idx = 0;
    for (CertSecretSource cert : trustedCertificates) {
        Map<String, String> items = Collections.singletonMap(cert.getCertificate(), "tls.crt");
        volumes.add(VolumeUtils.createSecretVolume(String.format("%s-%d", volumeNamePrefix, idx), cert.getSecretName(), items, isOpenShift));
        idx++;
    }
    return volumes;
}

Example 15 with CertSecretSource

use of io.strimzi.api.kafka.model.CertSecretSource in project strimzi by strimzi.

From the class KafkaMirrorMaker2Cluster, method getClusterTrustedCerts.

/**
 * Appends the trusted certificates of one MirrorMaker 2 cluster to the shared list.
 *
 * <p>A cluster with TLS and at least one trusted certificate contributes a line of the form
 * {@code alias=secretName/certificateKey;secretName/certificateKey}; lines for different clusters
 * are separated by a newline. Clusters without TLS or without trusted certificates add nothing.
 *
 * @param clustersTrustedCerts  Builder holding the lines collected so far
 * @param mirrorMaker2Cluster   Cluster specification to read the TLS configuration from
 * @param clusterAlias          Alias under which the cluster's certificates are listed
 */
private void getClusterTrustedCerts(final StringBuilder clustersTrustedCerts, KafkaMirrorMaker2ClusterSpec mirrorMaker2Cluster, String clusterAlias) {
    ClientTls clusterTls = mirrorMaker2Cluster.getTls();
    if (clusterTls == null) {
        return;
    }
    List<CertSecretSource> certs = clusterTls.getTrustedCertificates();
    if (certs == null || certs.isEmpty()) {
        return;
    }
    // Build the per-cluster entry list first; every entry contains "/", so a non-empty
    // builder means a separator is needed
    StringBuilder certList = new StringBuilder();
    for (CertSecretSource cert : certs) {
        if (certList.length() > 0) {
            certList.append(";");
        }
        certList.append(cert.getSecretName()).append("/").append(cert.getCertificate());
    }
    if (clustersTrustedCerts.length() > 0) {
        clustersTrustedCerts.append("\n");
    }
    clustersTrustedCerts.append(clusterAlias).append("=").append(certList);
}
