
Example 66 with CertSecretSourceBuilder

use of io.strimzi.api.kafka.model.CertSecretSourceBuilder in project strimzi by strimzi.

the class KafkaBridgeClusterTest method testGenerateDeploymentWithTlsAuth.

@ParallelTest
public void testGenerateDeploymentWithTlsAuth() {
    // Bridge spec with a trusted CA for the broker connection plus a client certificate/key
    // pair for mutual TLS, both referenced from Kubernetes secrets rather than inlined.
    KafkaBridge bridgeWithTlsAuth = new KafkaBridgeBuilder(this.resource)
            .editSpec()
                .editOrNewTls()
                    .addToTrustedCertificates(new CertSecretSourceBuilder()
                            .withSecretName("my-secret")
                            .withCertificate("cert.crt")
                            .build())
                .endTls()
                .withAuthentication(new KafkaClientAuthenticationTlsBuilder()
                        .withNewCertificateAndKey()
                            .withSecretName("user-secret")
                            .withCertificate("user.crt")
                            .withKey("user.key")
                        .endCertificateAndKey()
                        .build())
            .endSpec()
            .build();

    KafkaBridgeCluster cluster = KafkaBridgeCluster.fromCrd(Reconciliation.DUMMY_RECONCILIATION, bridgeWithTlsAuth, VERSIONS);
    Deployment deployment = cluster.generateDeployment(emptyMap(), true, null, null);
    var podSpec = deployment.getSpec().getTemplate().getSpec();

    // The client-credential secret is expected at volume/mount index 3; this pins the
    // ordering the model currently produces, so a new leading volume would shift it.
    assertThat(podSpec.getVolumes().get(3).getName(), is("user-secret"));

    List<Container> containers = podSpec.getContainers();
    Container bridgeContainer = containers.get(0);
    assertThat(bridgeContainer.getVolumeMounts().get(3).getMountPath(), is(KafkaBridgeCluster.TLS_CERTS_BASE_VOLUME_MOUNT + "user-secret"));

    // Env vars point the bridge at the mounted cert/key (secret-name relative paths) and switch TLS on.
    var envVars = AbstractModel.containerEnvVars(bridgeContainer);
    assertThat(envVars.get(KafkaBridgeCluster.ENV_VAR_KAFKA_BRIDGE_TLS_AUTH_CERT), is("user-secret/user.crt"));
    assertThat(envVars.get(KafkaBridgeCluster.ENV_VAR_KAFKA_BRIDGE_TLS_AUTH_KEY), is("user-secret/user.key"));
    assertThat(envVars.get(KafkaBridgeCluster.ENV_VAR_KAFKA_BRIDGE_TLS), is("true"));
}

Example 67 with CertSecretSourceBuilder

use of io.strimzi.api.kafka.model.CertSecretSourceBuilder in project strimzi by strimzi.

the class KafkaBridgeClusterTest method testGenerateDeploymentWithOAuthWithTls.

@ParallelTest
public void testGenerateDeploymentWithOAuthWithTls() {
    // Three trust anchors for the OAuth server. The first and third come from the same secret,
    // so the generated volume/mount names must be disambiguated by position, not by secret name.
    CertSecretSource firstCaCert = new CertSecretSourceBuilder()
            .withSecretName("first-certificate")
            .withCertificate("ca.crt")
            .build();
    CertSecretSource secondCaCert = new CertSecretSourceBuilder()
            .withSecretName("second-certificate")
            .withCertificate("tls.crt")
            .build();
    CertSecretSource thirdCaCert = new CertSecretSourceBuilder()
            .withSecretName("first-certificate")
            .withCertificate("ca2.crt")
            .build();

    KafkaBridge bridgeWithOAuth = new KafkaBridgeBuilder(this.resource)
            .editSpec()
                .withAuthentication(new KafkaClientAuthenticationOAuthBuilder()
                        .withClientId("my-client-id")
                        .withTokenEndpointUri("http://my-oauth-server")
                        .withNewClientSecret()
                            .withSecretName("my-secret-secret")
                            .withKey("my-secret-key")
                        .endClientSecret()
                        // Disabled hostname verification is expected to surface as an empty
                        // endpoint identification algorithm in the generated OAuth config.
                        .withDisableTlsHostnameVerification(true)
                        .withTlsTrustedCertificates(firstCaCert, secondCaCert, thirdCaCert)
                        .build())
            .endSpec()
            .build();

    KafkaBridgeCluster cluster = KafkaBridgeCluster.fromCrd(Reconciliation.DUMMY_RECONCILIATION, bridgeWithOAuth, VERSIONS);
    Deployment deployment = cluster.generateDeployment(emptyMap(), true, null, null);
    Container bridgeContainer = deployment.getSpec().getTemplate().getSpec().getContainers().get(0);

    // SASL mechanism and client-secret wiring: the secret is injected via a secretKeyRef, never as a plain value.
    assertThat(envVarOf(bridgeContainer, KafkaBridgeCluster.ENV_VAR_KAFKA_BRIDGE_SASL_MECHANISM).getValue(), is("oauth"));
    EnvVar clientSecretVar = envVarOf(bridgeContainer, KafkaBridgeCluster.ENV_VAR_KAFKA_BRIDGE_OAUTH_CLIENT_SECRET);
    assertThat(clientSecretVar.getValueFrom().getSecretKeyRef().getName(), is("my-secret-secret"));
    assertThat(clientSecretVar.getValueFrom().getSecretKeyRef().getKey(), is("my-secret-key"));

    String expectedOauthConfig = String.format("%s=\"%s\" %s=\"%s\" %s=\"%s\"",
            ClientConfig.OAUTH_CLIENT_ID, "my-client-id",
            ClientConfig.OAUTH_TOKEN_ENDPOINT_URI, "http://my-oauth-server",
            ServerConfig.OAUTH_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM, "");
    assertThat(envVarOf(bridgeContainer, KafkaBridgeCluster.ENV_VAR_KAFKA_BRIDGE_OAUTH_CONFIG).getValue().trim(), is(expectedOauthConfig));

    // Volume mounts: one per trusted certificate, suffixed with its index
    assertThat(mountPathOf(bridgeContainer, "oauth-certs-0"), is(KafkaBridgeCluster.OAUTH_TLS_CERTS_BASE_VOLUME_MOUNT + "/first-certificate-0"));
    assertThat(mountPathOf(bridgeContainer, "oauth-certs-1"), is(KafkaBridgeCluster.OAUTH_TLS_CERTS_BASE_VOLUME_MOUNT + "/second-certificate-1"));
    assertThat(mountPathOf(bridgeContainer, "oauth-certs-2"), is(KafkaBridgeCluster.OAUTH_TLS_CERTS_BASE_VOLUME_MOUNT + "/first-certificate-2"));

    // Volumes: each secret volume projects exactly its one certificate key onto the fixed file name tls.crt
    assertSingleCertItem(secretItemsOf(deployment, "oauth-certs-0"), "ca.crt");
    assertSingleCertItem(secretItemsOf(deployment, "oauth-certs-1"), "tls.crt");
    assertSingleCertItem(secretItemsOf(deployment, "oauth-certs-2"), "ca2.crt");
}

/** Returns the env var called {@code name} from {@code container}, failing the test if it is absent. */
private static EnvVar envVarOf(Container container, String name) {
    return container.getEnv().stream()
            .filter(envVar -> name.equals(envVar.getName()))
            .findFirst()
            .orElseThrow();
}

/** Returns the mount path of the volume mount called {@code volumeName}, failing the test if it is absent. */
private static String mountPathOf(Container container, String volumeName) {
    return container.getVolumeMounts().stream()
            .filter(mount -> volumeName.equals(mount.getName()))
            .findFirst()
            .orElseThrow()
            .getMountPath();
}

/** Returns the key-to-path projections of the secret volume called {@code volumeName} in the pod template. */
private static List<KeyToPath> secretItemsOf(Deployment deployment, String volumeName) {
    return deployment.getSpec().getTemplate().getSpec().getVolumes().stream()
            .filter(volume -> volumeName.equals(volume.getName()))
            .findFirst()
            .orElseThrow()
            .getSecret()
            .getItems();
}

/** Asserts that {@code items} holds exactly one projection, mapping {@code expectedKey} to the file name tls.crt. */
private static void assertSingleCertItem(List<KeyToPath> items, String expectedKey) {
    assertThat(items.size(), is(1));
    assertThat(items.get(0).getKey(), is(expectedKey));
    assertThat(items.get(0).getPath(), is("tls.crt"));
}

Example 68 with CertSecretSourceBuilder

use of io.strimzi.api.kafka.model.CertSecretSourceBuilder in project strimzi by strimzi.

the class ConnectIsolatedST method testConnectScramShaAuthWithWeirdUserName.

@Tag(NODEPORT_SUPPORTED)
@Tag(EXTERNAL_CLIENTS_USED)
@Tag(CONNECTOR_OPERATOR)
@KRaftNotSupported("UserOperator is not supported by KRaft mode and is used in this test class")
@ParallelNamespaceTest
void testConnectScramShaAuthWithWeirdUserName(ExtensionContext extensionContext) {
    final String displayName = extensionContext.getDisplayName();
    final String clusterName = mapWithClusterNames.get(displayName);
    final String topicName = mapWithTestTopics.get(displayName);
    final String namespaceName = StUtils.getNamespaceBasedOnRbac(INFRA_NAMESPACE, extensionContext);

    // A SCRAM-SHA user whose name contains a dot and exceeds 64 characters, so the
    // user/secret plumbing is exercised with a name that is awkward for Kubernetes and SASL alike.
    final String weirdUserName = "jjglmahyijoambryleyxjjglmahy.ijoambryleyxjjglmahyijoambryleyxasdsadasdasdasdasdgasgadfasdad";

    // Both listeners are TLS-encrypted and require SCRAM-SHA-512 authentication.
    var internalTlsListener = new GenericKafkaListenerBuilder()
            .withName(Constants.TLS_LISTENER_DEFAULT_NAME)
            .withPort(9093)
            .withType(KafkaListenerType.INTERNAL)
            .withTls(true)
            .withAuth(new KafkaListenerAuthenticationScramSha512())
            .build();
    var externalTlsListener = new GenericKafkaListenerBuilder()
            .withName(Constants.EXTERNAL_LISTENER_DEFAULT_NAME)
            .withPort(9094)
            .withType(KafkaListenerType.NODEPORT)
            .withTls(true)
            .withAuth(new KafkaListenerAuthenticationScramSha512())
            .build();
    var kafka = KafkaTemplates.kafkaEphemeral(clusterName, 3)
            .editSpec()
                .editKafka()
                    .withListeners(internalTlsListener, externalTlsListener)
                .endKafka()
            .endSpec()
            .build();
    resourceManager.createResource(extensionContext, kafka);
    resourceManager.createResource(extensionContext, KafkaTopicTemplates.topic(clusterName, topicName).build());
    resourceManager.createResource(extensionContext, KafkaUserTemplates.scramShaUser(clusterName, weirdUserName).build());

    // Connect only references the secret/key holding the user's password; the value itself never appears in the CR.
    var userPasswordSecret = new PasswordSecretSourceBuilder()
            .withSecretName(weirdUserName)
            .withPassword("password")
            .build();
    // Connect trusts the Kafka cluster CA for its TLS bootstrap connection.
    var clusterCaCert = new CertSecretSourceBuilder()
            .withCertificate("ca.crt")
            .withSecretName(KafkaResources.clusterCaCertificateSecretName(clusterName))
            .build();
    var connect = KafkaConnectTemplates.kafkaConnectWithFilePlugin(namespaceName, clusterName, 1)
            .editMetadata()
                .addToAnnotations(Annotations.STRIMZI_IO_USE_CONNECTOR_RESOURCES, "true")
            .endMetadata()
            .editOrNewSpec()
                .withBootstrapServers(KafkaResources.tlsBootstrapAddress(clusterName))
                .withNewKafkaClientAuthenticationScramSha512()
                    .withUsername(weirdUserName)
                    .withPasswordSecret(userPasswordSecret)
                .endKafkaClientAuthenticationScramSha512()
                .addToConfig("key.converter.schemas.enable", false)
                .addToConfig("value.converter.schemas.enable", false)
                .addToConfig("key.converter", "org.apache.kafka.connect.storage.StringConverter")
                .addToConfig("value.converter", "org.apache.kafka.connect.storage.StringConverter")
                .withNewTls()
                    .withTrustedCertificates(clusterCaCert)
                .endTls()
            .endSpec()
            .build();
    resourceManager.createResource(extensionContext, connect);

    // SASL_SSL: SCRAM credentials are only ever sent over the TLS listener.
    testConnectAuthorizationWithWeirdUserName(extensionContext, clusterName, weirdUserName, SecurityProtocol.SASL_SSL, topicName);
}

Example 69 with CertSecretSourceBuilder

use of io.strimzi.api.kafka.model.CertSecretSourceBuilder in project strimzi-kafka-operator by strimzi.

the class OauthAuthorizationIsolatedST method testSessionReAuthentication.

/**
 * Verifies that OAuth session re-authentication makes an authorization change effective for a producer
 * that is already connected, instead of only for new connections.
 * <p>
 * 1) Try to send messages to a topic starting with `x-` with the producer from Dev Team A
 * 2) Change the OAuth listener configuration -> set maxSecondsWithoutReauthentication to 30s
 * 3) Try to send messages with a delay of 1000ms (in the meantime, the permissions configuration will be changed)
 * 4) Get all configuration from Keycloak (realms, policies) and change the policy so the Dev Team A producer is no longer
 *      able to send messages to the topic starting with `x-` -> updating the policy through the Keycloak API
 * 5) Wait for the WaitException to appear -> as the producer doesn't have permission to send messages, the
 *      job will end up in an error state
 * 6) Try to send messages to the topic starting with `a-` -> we should still be able to send messages, because those
 *      permissions were not changed
 * 7) Change the permissions back and check that the messages are sent correctly
 *
 * The re-authentication can be seen in the log of the team-a-producer pod.
 */
@IsolatedTest("Modification of shared Kafka cluster")
@Order(7)
@SuppressWarnings({ "checkstyle:MethodLength" })
void testSessionReAuthentication(ExtensionContext extensionContext) {
    String topicXName = TOPIC_X + "-example-topic";
    String topicAName = TOPIC_A + "-example-topic";
    String clusterName = mapWithClusterNames.get(extensionContext.getDisplayName());
    String teamAProducerName = TEAM_A_PRODUCER_NAME + "-" + clusterName;
    String teamAConsumerName = TEAM_A_CONSUMER_NAME + "-" + clusterName;
    LOGGER.info("Verifying that team A producer is able to send messages to the {} topic -> the topic starting with 'x'", topicXName);
    // Both topics are created in the shared OAuth cluster (whose listener this test later rewrites, hence @IsolatedTest).
    resourceManager.createResource(extensionContext, KafkaTopicTemplates.topic(oauthClusterName, topicXName, clusterOperator.getDeploymentNamespace()).build());
    resourceManager.createResource(extensionContext, KafkaTopicTemplates.topic(oauthClusterName, topicAName, clusterOperator.getDeploymentNamespace()).build());
    // Team A authenticates with its own OAuth client id/secret against the Keycloak token endpoint.
    KafkaOauthClients teamAOauthClientJob = new KafkaOauthClientsBuilder().withNamespaceName(clusterOperator.getDeploymentNamespace()).withProducerName(teamAProducerName).withConsumerName(teamAConsumerName).withBootstrapAddress(KafkaResources.tlsBootstrapAddress(oauthClusterName)).withTopicName(topicXName).withMessageCount(MESSAGE_COUNT).withConsumerGroup("a-consumer_group").withClientUserName(TEAM_A_CLIENT).withOauthClientId(TEAM_A_CLIENT).withOauthClientSecret(TEAM_A_CLIENT_SECRET).withOauthTokenEndpointUri(keycloakInstance.getOauthTokenEndpointUri()).build();
    // Baseline: before any policy change, team A must be able to produce to the x- topic.
    resourceManager.createResource(extensionContext, teamAOauthClientJob.producerStrimziOauthTls(oauthClusterName));
    ClientUtils.waitForClientSuccess(teamAProducerName, clusterOperator.getDeploymentNamespace(), MESSAGE_COUNT);
    LOGGER.info("Adding the maxSecondsWithoutReauthentication to Kafka listener with OAuth authentication");
    // Replace the listeners with a single OAuth TLS listener that forces clients to re-authenticate every 30 s,
    // so that a policy change is picked up by a long-running producer. Hostname verification towards
    // Keycloak is disabled here for the test environment only.
    KafkaResource.replaceKafkaResourceInSpecificNamespace(oauthClusterName, kafka -> {
        kafka.getSpec().getKafka().setListeners(Arrays.asList(new GenericKafkaListenerBuilder().withName("tls").withPort(9093).withType(KafkaListenerType.INTERNAL).withTls(true).withNewKafkaListenerAuthenticationOAuth().withValidIssuerUri(keycloakInstance.getValidIssuerUri()).withJwksExpirySeconds(keycloakInstance.getJwksExpireSeconds()).withJwksRefreshSeconds(keycloakInstance.getJwksRefreshSeconds()).withJwksEndpointUri(keycloakInstance.getJwksEndpointUri()).withUserNameClaim(keycloakInstance.getUserNameClaim()).withTlsTrustedCertificates(new CertSecretSourceBuilder().withSecretName(KeycloakInstance.KEYCLOAK_SECRET_NAME).withCertificate(KeycloakInstance.KEYCLOAK_SECRET_CERT).build()).withDisableTlsHostnameVerification(true).withMaxSecondsWithoutReauthentication(30).endKafkaListenerAuthenticationOAuth().build()));
    }, clusterOperator.getDeploymentNamespace());
    KafkaUtils.waitForKafkaReady(clusterOperator.getDeploymentNamespace(), oauthClusterName);
    String baseUri = "https://" + keycloakInstance.getHttpsUri();
    LOGGER.info("Setting the master realm token's lifespan to 3600s");
    // Keycloak admin credentials come from the "credential-example-keycloak" secret in the operator namespace.
    // The base64 value is decoded with the platform default charset; the credentials are only handed to
    // KeycloakUtils and are never logged.
    String userName = new String(Base64.getDecoder().decode(kubeClient().getSecret(clusterOperator.getDeploymentNamespace(), "credential-example-keycloak").getData().get("ADMIN_USERNAME").getBytes()));
    String password = new String(Base64.getDecoder().decode(kubeClient().getSecret(clusterOperator.getDeploymentNamespace(), "credential-example-keycloak").getData().get("ADMIN_PASSWORD").getBytes()));
    // Admin token used for every realm operation below.
    String token = KeycloakUtils.getToken(clusterOperator.getDeploymentNamespace(), baseUri, userName, password);
    // First extend the master realm's access token lifespan (written as the string "3600") so that the
    // admin token obtained afterwards survives the whole test.
    JsonObject masterRealm = KeycloakUtils.getKeycloakRealm(clusterOperator.getDeploymentNamespace(), baseUri, token, "master");
    masterRealm.put("accessTokenLifespan", "3600");
    KeycloakUtils.putConfigurationToRealm(clusterOperator.getDeploymentNamespace(), baseUri, token, masterRealm, "master");
    // Re-issue the admin token so it carries the new lifespan.
    token = KeycloakUtils.getToken(clusterOperator.getDeploymentNamespace(), baseUri, userName, password);
    LOGGER.info("Getting the {} kafka client for obtaining the Dev A Team policy for the x topics", TEST_REALM);
    // The authorization policies live on the "kafka" client of the test realm, so its Keycloak id is needed first.
    JsonArray kafkaAuthzRealm = KeycloakUtils.getKeycloakRealmClients(clusterOperator.getDeploymentNamespace(), baseUri, token, TEST_REALM);
    // If several clients match, the last one wins. NOTE(review): if none matches, kafkaClientId stays "" and the
    // policy lookup below fails on the Keycloak side rather than with a clear assertion here.
    String kafkaClientId = "";
    for (Object client : kafkaAuthzRealm) {
        JsonObject clientObject = new JsonObject(client.toString());
        if (clientObject.getString("clientId").equals("kafka")) {
            kafkaClientId = clientObject.getString("id");
        }
    }
    JsonArray kafkaAuthzRealmPolicies = KeycloakUtils.getPoliciesFromRealmClient(clusterOperator.getDeploymentNamespace(), baseUri, token, TEST_REALM, kafkaClientId);
    // Pick the permission whose name contains the Dev Team A "write to x-*" rule; an empty JsonObject is
    // sent back if none matches (last match wins if several do).
    JsonObject devAPolicy = new JsonObject();
    for (Object resource : kafkaAuthzRealmPolicies) {
        JsonObject resourceObject = new JsonObject(resource.toString());
        if (resourceObject.getValue("name").toString().contains("Dev Team A can write to topics that start with x- on any cluster")) {
            devAPolicy = resourceObject;
        }
    }
    // Alias, not a copy: newDevAPolicy and devAPolicy are the same object.
    JsonObject newDevAPolicy = devAPolicy;
    // Narrow the permission to Describe only (Write is dropped) so producing to x-* topics must now be denied.
    // The same map instance is mutated again further down when Write is restored.
    Map<String, String> config = new HashMap<>();
    config.put("resources", "[\"Topic:x-*\"]");
    config.put("scopes", "[\"Describe\"]");
    config.put("applyPolicies", "[\"Dev Team A\"]");
    newDevAPolicy.put("config", config);
    LOGGER.info("Changing the Dev Team A policy for topics starting with x- and checking that job will not be successful");
    KeycloakUtils.updatePolicyOfRealmClient(clusterOperator.getDeploymentNamespace(), baseUri, token, newDevAPolicy, TEST_REALM, kafkaClientId);
    // The producer job is expected not to reach success within the wait period once Write is gone.
    // NOTE(review): the job created above already completed successfully earlier; whether this wait
    // can time out depends on ClientUtils.waitForClientSuccess semantics — confirm.
    assertThrows(WaitException.class, () -> ClientUtils.waitForClientSuccess(teamAProducerName, clusterOperator.getDeploymentNamespace(), MESSAGE_COUNT));
    JobUtils.deleteJobWithWait(clusterOperator.getDeploymentNamespace(), teamAProducerName);
    LOGGER.info("Sending messages to topic starting with a- -> the messages should be successfully sent");
    // Same client configuration, different topic: permissions for a-* topics were not touched, so this must succeed.
    teamAOauthClientJob = new KafkaOauthClientsBuilder(teamAOauthClientJob).withTopicName(topicAName).build();
    resourceManager.createResource(extensionContext, teamAOauthClientJob.producerStrimziOauthTls(oauthClusterName));
    ClientUtils.waitForClientSuccess(teamAProducerName, clusterOperator.getDeploymentNamespace(), MESSAGE_COUNT);
    LOGGER.info("Changing back to the original settings and checking, if the producer will be successful");
    // Restore Write on the x-* permission through the same config map and policy object as above.
    config.put("scopes", "[\"Describe\",\"Write\"]");
    newDevAPolicy.put("config", config);
    KeycloakUtils.updatePolicyOfRealmClient(clusterOperator.getDeploymentNamespace(), baseUri, token, newDevAPolicy, TEST_REALM, kafkaClientId);
    // The 1000 ms per-message delay keeps the producer running across the 30 s re-authentication window.
    teamAOauthClientJob = new KafkaOauthClientsBuilder(teamAOauthClientJob).withTopicName(topicXName).withDelayMs(1000).build();
    resourceManager.createResource(extensionContext, teamAOauthClientJob.producerStrimziOauthTls(oauthClusterName));
    ClientUtils.waitForClientSuccess(teamAProducerName, clusterOperator.getDeploymentNamespace(), MESSAGE_COUNT);
    LOGGER.info("Changing configuration of Kafka back to it's original form");
    // Put the shared cluster's original OAuth TLS listener back so later tests see the expected configuration.
    KafkaResource.replaceKafkaResourceInSpecificNamespace(oauthClusterName, kafka -> {
        kafka.getSpec().getKafka().setListeners(Arrays.asList(OauthAbstractST.BUILD_OAUTH_TLS_LISTENER.apply(keycloakInstance)));
    }, clusterOperator.getDeploymentNamespace());
    KafkaUtils.waitForKafkaReady(clusterOperator.getDeploymentNamespace(), oauthClusterName);
}

Example 70 with CertSecretSourceBuilder

use of io.strimzi.api.kafka.model.CertSecretSourceBuilder in project strimzi-kafka-operator by strimzi.

the class OauthTlsIsolatedST method testProducerConsumerBridge.

@Description("As a oauth bridge, i am able to send messages to bridge endpoint using encrypted communication")
@ParallelTest
@Tag(BRIDGE)
void testProducerConsumerBridge(ExtensionContext extensionContext) {
    final String namespace = clusterOperator.getDeploymentNamespace();
    String clusterName = mapWithClusterNames.get(extensionContext.getDisplayName());
    String topicName = mapWithTestTopics.get(extensionContext.getDisplayName());
    String producerName = OAUTH_PRODUCER_NAME + "-" + clusterName;
    String consumerName = OAUTH_CONSUMER_NAME + "-" + clusterName;

    resourceManager.createResource(extensionContext, KafkaTopicTemplates.topic(oauthClusterName, topicName, namespace).build());

    // Plain OAuth clients over TLS first: prove the topic is usable before the bridge is involved.
    KafkaOauthClients oauthExampleClients = new KafkaOauthClientsBuilder()
            .withNamespaceName(namespace)
            .withProducerName(producerName)
            .withConsumerName(consumerName)
            .withBootstrapAddress(KafkaResources.tlsBootstrapAddress(oauthClusterName))
            .withTopicName(topicName)
            .withMessageCount(MESSAGE_COUNT)
            .withOauthClientId(OAUTH_CLIENT_NAME)
            .withOauthClientSecret(OAUTH_CLIENT_SECRET)
            .withOauthTokenEndpointUri(keycloakInstance.getOauthTokenEndpointUri())
            .build();
    resourceManager.createResource(extensionContext, oauthExampleClients.producerStrimziOauthTls(oauthClusterName));
    ClientUtils.waitForClientSuccess(producerName, namespace, MESSAGE_COUNT);
    resourceManager.createResource(extensionContext, oauthExampleClients.consumerStrimziOauthTls(oauthClusterName));
    ClientUtils.waitForClientSuccess(consumerName, namespace, MESSAGE_COUNT);

    // The bridge trusts the Kafka cluster CA for its broker connection and authenticates to Kafka with
    // OAuth client credentials; the client secret is referenced from a Kubernetes secret, not inlined.
    var clusterCaCert = new CertSecretSourceBuilder()
            .withCertificate("ca.crt")
            .withSecretName(KafkaResources.clusterCaCertificateSecretName(oauthClusterName))
            .build();
    var bridge = KafkaBridgeTemplates.kafkaBridge(oauthClusterName, KafkaResources.tlsBootstrapAddress(oauthClusterName), 1)
            .editMetadata()
                .withNamespace(namespace)
            .endMetadata()
            .editSpec()
                .withNewTls()
                    .withTrustedCertificates(clusterCaCert)
                .endTls()
                .withNewKafkaClientAuthenticationOAuth()
                    .withTokenEndpointUri(keycloakInstance.getOauthTokenEndpointUri())
                    .withClientId("kafka-bridge")
                    .withNewClientSecret()
                        .withSecretName(BRIDGE_OAUTH_SECRET)
                        .withKey(OAUTH_KEY)
                    .endClientSecret()
                    // Keycloak's certificate is trusted explicitly; hostname verification towards it is
                    // switched off for the test environment only.
                    .addNewTlsTrustedCertificate()
                        .withSecretName(KeycloakInstance.KEYCLOAK_SECRET_NAME)
                        .withCertificate(KeycloakInstance.KEYCLOAK_SECRET_CERT)
                    .endTlsTrustedCertificate()
                    .withDisableTlsHostnameVerification(true)
                .endKafkaClientAuthenticationOAuth()
            .endSpec()
            .build();
    resourceManager.createResource(extensionContext, bridge);

    // Finally produce through the bridge's HTTP endpoint and wait for the job to complete.
    String bridgeProducerName = "bridge-producer-" + clusterName;
    BridgeClients kafkaBridgeClientJob = new BridgeClientsBuilder()
            .withProducerName(bridgeProducerName)
            .withBootstrapAddress(KafkaBridgeResources.serviceName(oauthClusterName))
            .withTopicName(topicName)
            .withMessageCount(10)
            .withPort(HTTP_BRIDGE_DEFAULT_PORT)
            .withDelayMs(1000)
            .withPollInterval(1000)
            .withNamespaceName(namespace)
            .build();
    resourceManager.createResource(extensionContext, kafkaBridgeClientJob.producerStrimziBridge());
    ClientUtils.waitForClientSuccess(bridgeProducerName, namespace, MESSAGE_COUNT);
}
