use of io.strimzi.api.kafka.model.CertificateAuthority in project strimzi by strimzi.
the class EntityUserOperatorTest method testFromCrdCaValidityAndRenewal.
@ParallelTest
public void testFromCrdCaValidityAndRenewal() {
EntityUserOperatorSpec entityUserOperatorSpec = new EntityUserOperatorSpecBuilder().build();
EntityOperatorSpec entityOperatorSpec = new EntityOperatorSpecBuilder().withUserOperator(entityUserOperatorSpec).build();
CertificateAuthority ca = new CertificateAuthority();
ca.setValidityDays(42);
ca.setRenewalDays(69);
Kafka customValues = new KafkaBuilder(ResourceUtils.createKafka(namespace, cluster, replicas, image, healthDelay, healthTimeout)).editSpec().withEntityOperator(entityOperatorSpec).withClientsCa(ca).endSpec().build();
EntityUserOperator entityUserOperator = EntityUserOperator.fromCrd(new Reconciliation("test", resource.getKind(), resource.getMetadata().getNamespace(), resource.getMetadata().getName()), customValues);
Kafka defaultValues = new KafkaBuilder(ResourceUtils.createKafka(namespace, cluster, replicas, image, healthDelay, healthTimeout)).editSpec().withEntityOperator(entityOperatorSpec).endSpec().build();
EntityUserOperator entityUserOperator2 = EntityUserOperator.fromCrd(new Reconciliation("test", resource.getKind(), resource.getMetadata().getNamespace(), resource.getMetadata().getName()), defaultValues);
assertThat(entityUserOperator.getClientsCaValidityDays(), is(42L));
assertThat(entityUserOperator.getClientsCaRenewalDays(), is(69L));
assertThat(entityUserOperator2.getClientsCaValidityDays(), is(Long.valueOf(CertificateAuthority.DEFAULT_CERTS_VALIDITY_DAYS)));
assertThat(entityUserOperator2.getClientsCaRenewalDays(), is(Long.valueOf(CertificateAuthority.DEFAULT_CERTS_RENEWAL_DAYS)));
}
use of io.strimzi.api.kafka.model.CertificateAuthority in project strimzi by strimzi.
the class CertificateRenewalTest method testNewKeyGeneratedWhenInRenewalPeriodAutoOutsideOfTimeWindow.
@Test
public void testNewKeyGeneratedWhenInRenewalPeriodAutoOutsideOfTimeWindow(Vertx vertx, VertxTestContext context) throws IOException, CertificateException, KeyStoreException, NoSuchAlgorithmException {
CertificateAuthority certificateAuthority = new CertificateAuthorityBuilder().withValidityDays(2).withRenewalDays(3).withGenerateCertificateAuthority(true).withCertificateExpirationPolicy(CertificateExpirationPolicy.REPLACE_KEY).build();
Kafka kafka = new KafkaBuilder().editOrNewMetadata().withName(NAME).withNamespace(NAMESPACE).endMetadata().withNewSpec().withClusterCa(certificateAuthority).withClientsCa(certificateAuthority).withMaintenanceTimeWindows("* 10-14 * * * ? *").endSpec().build();
List<Secret> clusterCaSecrets = initialClusterCaSecrets(certificateAuthority);
Secret initialClusterCaKeySecret = clusterCaSecrets.get(0);
Secret initialClusterCaCertSecret = clusterCaSecrets.get(1);
assertThat(initialClusterCaCertSecret.getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
assertThat(initialClusterCaCertSecret.getData().get(CA_CRT), is(notNullValue()));
assertThat(initialClusterCaCertSecret.getData().get(CA_STORE), is(notNullValue()));
assertThat(initialClusterCaCertSecret.getData().get(CA_STORE_PASSWORD), is(notNullValue()));
assertThat(isCertInTrustStore(CA_CRT, initialClusterCaCertSecret.getData()), is(true));
assertThat(initialClusterCaKeySecret.getData().keySet(), is(singleton(CA_KEY)));
assertThat(initialClusterCaKeySecret.getData().get(CA_KEY), is(notNullValue()));
List<Secret> clientsCaSecrets = initialClientsCaSecrets(certificateAuthority);
Secret initialClientsCaKeySecret = clientsCaSecrets.get(0);
Secret initialClientsCaCertSecret = clientsCaSecrets.get(1);
assertThat(initialClientsCaCertSecret.getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
assertThat(initialClientsCaCertSecret.getData().get(CA_CRT), is(notNullValue()));
assertThat(initialClientsCaCertSecret.getData().get(CA_STORE), is(notNullValue()));
assertThat(initialClientsCaCertSecret.getData().get(CA_STORE_PASSWORD), is(notNullValue()));
assertThat(isCertInTrustStore(CA_CRT, initialClientsCaCertSecret.getData()), is(true));
assertThat(initialClientsCaKeySecret.getData().keySet(), is(singleton(CA_KEY)));
assertThat(initialClientsCaKeySecret.getData().get(CA_KEY), is(notNullValue()));
secrets.add(initialClusterCaCertSecret);
secrets.add(initialClusterCaKeySecret);
secrets.add(initialClientsCaCertSecret);
secrets.add(initialClientsCaKeySecret);
Checkpoint async = context.checkpoint();
reconcileCa(vertx, kafka, () -> Date.from(Instant.parse("2018-11-26T09:00:00Z"))).onComplete(context.succeeding(c -> context.verify(() -> {
assertThat(c.getAllValues(), hasSize(4));
Map<String, String> clusterCaCertData = c.getAllValues().get(0).getData();
assertThat(c.getAllValues().get(0).getMetadata().getAnnotations(), hasEntry(Ca.ANNO_STRIMZI_IO_CA_CERT_GENERATION, "0"));
assertThat(clusterCaCertData, aMapWithSize(3));
X509Certificate newX509ClusterCaCertStore = getCertificateFromTrustStore(CA_CRT, clusterCaCertData);
String newClusterCaCert = clusterCaCertData.remove(CA_CRT);
String newClusterCaCertStore = clusterCaCertData.remove(CA_STORE);
String newClusterCaCertStorePassword = clusterCaCertData.remove(CA_STORE_PASSWORD);
assertThat(newClusterCaCert, is(initialClusterCaCertSecret.getData().get(CA_CRT)));
assertThat(newClusterCaCertStore, is(initialClusterCaCertSecret.getData().get(CA_STORE)));
assertThat(newClusterCaCertStorePassword, is(initialClusterCaCertSecret.getData().get(CA_STORE_PASSWORD)));
assertThat(newX509ClusterCaCertStore, is(x509Certificate(newClusterCaCert)));
assertThat(x509Certificate(newClusterCaCert).getSubjectDN().getName(), is("CN=cluster-ca, O=io.strimzi"));
Secret clusterCaKeySecret = c.getAllValues().get(1);
assertThat(clusterCaKeySecret.getMetadata().getAnnotations(), hasEntry(Ca.ANNO_STRIMZI_IO_CA_KEY_GENERATION, "0"));
Map<String, String> clusterCaKeyData = clusterCaKeySecret.getData();
assertThat(clusterCaKeyData.keySet(), is(singleton(CA_KEY)));
String newClusterCaKey = clusterCaKeyData.remove(CA_KEY);
assertThat(newClusterCaKey, is(notNullValue()));
assertThat(newClusterCaKey, is(initialClusterCaKeySecret.getData().get(CA_KEY)));
Map<String, String> clientsCaCertData = c.getAllValues().get(2).getData();
assertThat(c.getAllValues().get(2).getMetadata().getAnnotations(), hasEntry(Ca.ANNO_STRIMZI_IO_CA_CERT_GENERATION, "0"));
assertThat(clientsCaCertData, aMapWithSize(3));
X509Certificate newX509ClientsCaCertStore = getCertificateFromTrustStore(CA_CRT, clientsCaCertData);
String newClientsCaCert = clientsCaCertData.remove(CA_CRT);
String newClientsCaCertStore = clientsCaCertData.remove(CA_STORE);
String newClientsCaCertStorePassword = clientsCaCertData.remove(CA_STORE_PASSWORD);
assertThat(newClientsCaCert, is(initialClientsCaCertSecret.getData().get(CA_CRT)));
assertThat(newClientsCaCertStore, is(initialClientsCaCertSecret.getData().get(CA_STORE)));
assertThat(newClientsCaCertStorePassword, is(initialClientsCaCertSecret.getData().get(CA_STORE_PASSWORD)));
assertThat(newX509ClientsCaCertStore, is(x509Certificate(newClientsCaCert)));
assertThat(x509Certificate(newClientsCaCert).getSubjectDN().getName(), is("CN=clients-ca, O=io.strimzi"));
Secret clientsCaKeySecret = c.getAllValues().get(3);
assertThat(clientsCaKeySecret.getMetadata().getAnnotations(), hasEntry(Ca.ANNO_STRIMZI_IO_CA_KEY_GENERATION, "0"));
Map<String, String> clientsCaKeyData = clientsCaKeySecret.getData();
assertThat(clientsCaKeyData.keySet(), is(singleton(CA_KEY)));
String newClientsCaKey = clientsCaKeyData.remove(CA_KEY);
assertThat(newClientsCaKey, is(notNullValue()));
assertThat(newClientsCaKey, is(initialClientsCaKeySecret.getData().get(CA_KEY)));
async.flag();
})));
}
use of io.strimzi.api.kafka.model.CertificateAuthority in project strimzi by strimzi.
the class CertificateRenewalTest method testCustomCertsNotReconciled.
@Test
public void testCustomCertsNotReconciled(Vertx vertx, VertxTestContext context) throws IOException, CertificateException, KeyStoreException, NoSuchAlgorithmException {
CertificateAuthority certificateAuthority = new CertificateAuthorityBuilder().withValidityDays(2).withRenewalDays(3).withGenerateCertificateAuthority(false).build();
List<Secret> clusterCaSecrets = initialClusterCaSecrets(certificateAuthority);
Secret initialClusterCaKeySecret = clusterCaSecrets.get(0);
Secret initialClusterCaCertSecret = clusterCaSecrets.get(1);
assertThat(initialClusterCaCertSecret.getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
assertThat(initialClusterCaCertSecret.getData().get(CA_CRT), is(notNullValue()));
assertThat(initialClusterCaCertSecret.getData().get(CA_STORE), is(notNullValue()));
assertThat(initialClusterCaCertSecret.getData().get(CA_STORE_PASSWORD), is(notNullValue()));
assertThat(isCertInTrustStore(CA_CRT, initialClusterCaCertSecret.getData()), is(true));
assertThat(initialClusterCaKeySecret.getData().keySet(), is(singleton(CA_KEY)));
assertThat(initialClusterCaKeySecret.getData().get(CA_KEY), is(notNullValue()));
List<Secret> clientsCaSecrets = initialClientsCaSecrets(certificateAuthority);
Secret initialClientsCaKeySecret = clientsCaSecrets.get(0);
Secret initialClientsCaCertSecret = clientsCaSecrets.get(1);
assertThat(initialClientsCaCertSecret.getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
assertThat(initialClientsCaCertSecret.getData().get(CA_CRT), is(notNullValue()));
assertThat(initialClientsCaCertSecret.getData().get(CA_STORE), is(notNullValue()));
assertThat(initialClientsCaCertSecret.getData().get(CA_STORE_PASSWORD), is(notNullValue()));
assertThat(isCertInTrustStore(CA_CRT, initialClientsCaCertSecret.getData()), is(true));
assertThat(initialClientsCaKeySecret.getData().keySet(), is(singleton(CA_KEY)));
assertThat(initialClientsCaKeySecret.getData().get(CA_KEY), is(notNullValue()));
secrets.add(initialClusterCaCertSecret);
secrets.add(initialClusterCaKeySecret);
secrets.add(initialClientsCaCertSecret);
secrets.add(initialClientsCaKeySecret);
Checkpoint async = context.checkpoint();
reconcileCa(vertx, certificateAuthority, certificateAuthority).onComplete(context.succeeding(c -> context.verify(() -> {
assertThat(c.getAllValues(), hasSize(0));
async.flag();
})));
}
use of io.strimzi.api.kafka.model.CertificateAuthority in project strimzi by strimzi.
the class CertificateRenewalTest method assertNoCertsGetGeneratedOutsideRenewalPeriod.
private void assertNoCertsGetGeneratedOutsideRenewalPeriod(Vertx vertx, VertxTestContext context) throws IOException, CertificateException, KeyStoreException, NoSuchAlgorithmException {
CertificateAuthority certificateAuthority = new CertificateAuthorityBuilder().withValidityDays(100).withRenewalDays(10).withGenerateCertificateAuthority(true).build();
List<Secret> clusterCaSecrets = initialClusterCaSecrets(certificateAuthority);
Secret initialClusterCaKeySecret = clusterCaSecrets.get(0);
Secret initialClusterCaCertSecret = clusterCaSecrets.get(1);
Map<String, String> clusterCaCertData = initialClusterCaCertSecret.getData();
assertThat(clusterCaCertData.keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
assertThat(clusterCaCertData.get(CA_CRT), is(notNullValue()));
assertThat(clusterCaCertData.get(CA_STORE), is(notNullValue()));
assertThat(clusterCaCertData.get(CA_STORE_PASSWORD), is(notNullValue()));
assertThat(isCertInTrustStore(CA_CRT, initialClusterCaCertSecret.getData()), is(true));
Map<String, String> clusterCaKeyData = initialClusterCaKeySecret.getData();
assertThat(clusterCaKeyData.keySet(), is(singleton(CA_KEY)));
assertThat(clusterCaKeyData.get(CA_KEY), is(notNullValue()));
List<Secret> clientsCaSecrets = initialClientsCaSecrets(certificateAuthority);
Secret initialClientsCaKeySecret = clientsCaSecrets.get(0);
Secret initialClientsCaCertSecret = clientsCaSecrets.get(1);
Map<String, String> clientsCaCertData = initialClientsCaCertSecret.getData();
assertThat(clientsCaCertData.keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
assertThat(clientsCaCertData.get(CA_CRT), is(notNullValue()));
assertThat(clientsCaCertData.get(CA_STORE), is(notNullValue()));
assertThat(clientsCaCertData.get(CA_STORE_PASSWORD), is(notNullValue()));
assertThat(isCertInTrustStore(CA_CRT, initialClientsCaCertSecret.getData()), is(true));
Map<String, String> clientsCaKeyData = initialClientsCaKeySecret.getData();
assertThat(clientsCaKeyData.keySet(), is(singleton(CA_KEY)));
assertThat(clientsCaKeyData.get(CA_KEY), is(notNullValue()));
secrets.add(initialClusterCaCertSecret);
secrets.add(initialClusterCaKeySecret);
secrets.add(initialClientsCaCertSecret);
secrets.add(initialClientsCaKeySecret);
Checkpoint async = context.checkpoint();
reconcileCa(vertx, certificateAuthority, certificateAuthority).onComplete(context.succeeding(c -> context.verify(() -> {
assertThat(c.getAllValues().get(0).getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
assertThat(c.getAllValues().get(0).getData().get(CA_CRT), is(initialClusterCaCertSecret.getData().get(CA_CRT)));
assertThat(x509Certificate(initialClusterCaCertSecret.getData().get(CA_CRT)), is(getCertificateFromTrustStore(CA_CRT, c.getAllValues().get(0).getData())));
assertThat(c.getAllValues().get(1).getData().keySet(), is(set(CA_KEY)));
assertThat(c.getAllValues().get(1).getData().get(CA_KEY), is(initialClusterCaKeySecret.getData().get(CA_KEY)));
assertThat(c.getAllValues().get(2).getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
assertThat(c.getAllValues().get(2).getData().get(CA_CRT), is(initialClientsCaCertSecret.getData().get(CA_CRT)));
assertThat(x509Certificate(initialClientsCaCertSecret.getData().get(CA_CRT)), is(getCertificateFromTrustStore(CA_CRT, c.getAllValues().get(2).getData())));
assertThat(c.getAllValues().get(3).getData().keySet(), is(set(CA_KEY)));
assertThat(c.getAllValues().get(3).getData().get(CA_KEY), is(initialClientsCaKeySecret.getData().get(CA_KEY)));
async.flag();
})));
}
use of io.strimzi.api.kafka.model.CertificateAuthority in project strimzi by strimzi.
the class CertificateRenewalTest method testReconcileCasWhenCustomCertsAreMissingThrows.
@Test
public void testReconcileCasWhenCustomCertsAreMissingThrows(Vertx vertx, VertxTestContext context) {
CertificateAuthority certificateAuthority = new CertificateAuthorityBuilder().withValidityDays(100).withRenewalDays(10).withGenerateCertificateAuthority(false).build();
Checkpoint async = context.checkpoint();
reconcileCa(vertx, certificateAuthority, certificateAuthority).onComplete(context.failing(e -> context.verify(() -> {
assertThat(e, instanceOf(InvalidConfigurationException.class));
assertThat(e.getMessage(), is("Cluster CA should not be generated, but the secrets were not found."));
async.flag();
})));
}
Aggregations