use of io.strimzi.api.kafka.model.CertificateAuthority in project strimzi by strimzi.
the class CertificateRenewalTest method testGenerateTruststoreFromOldSecrets.
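/**
 * Reconciling CA Secrets that pre-date the PKCS12 truststore (no {@code CA_STORE} /
 * {@code CA_STORE_PASSWORD} entries) must add the truststore and its password to both
 * CA cert Secrets without re-issuing the CA certificate or touching the CA private key.
 * The generated truststore has to contain the CA certificate and the stored password must
 * be non-empty, otherwise consumers of the Secret could not open the store.
 */
@Test
public void testGenerateTruststoreFromOldSecrets(Vertx vertx, VertxTestContext context) throws IOException, CertificateException, KeyStoreException, NoSuchAlgorithmException {
    CertificateAuthority certificateAuthority = new CertificateAuthorityBuilder()
            .withValidityDays(100)
            .withRenewalDays(10)
            .withGenerateCertificateAuthority(true)
            .build();

    List<Secret> clusterCaSecrets = initialClusterCaSecrets(certificateAuthority);
    Secret initialClusterCaKeySecret = clusterCaSecrets.get(0);
    Secret initialClusterCaCertSecret = clusterCaSecrets.get(1);
    // Strip the truststore entries to simulate Secrets created by an older operator version
    initialClusterCaCertSecret.getData().remove(CA_STORE);
    initialClusterCaCertSecret.getData().remove(CA_STORE_PASSWORD);

    List<Secret> clientsCaSecrets = initialClientsCaSecrets(certificateAuthority);
    Secret initialClientsCaKeySecret = clientsCaSecrets.get(0);
    Secret initialClientsCaCertSecret = clientsCaSecrets.get(1);
    // Same simulation for the clients CA
    initialClientsCaCertSecret.getData().remove(CA_STORE);
    initialClientsCaCertSecret.getData().remove(CA_STORE_PASSWORD);

    secrets.add(initialClusterCaCertSecret);
    secrets.add(initialClusterCaKeySecret);
    secrets.add(initialClientsCaCertSecret);
    secrets.add(initialClientsCaKeySecret);

    Checkpoint async = context.checkpoint();
    reconcileCa(vertx, certificateAuthority, certificateAuthority).onComplete(context.succeeding(c -> context.verify(() -> {
        // Captured reconcile order: cluster CA cert, cluster CA key, clients CA cert, clients CA key
        assertThat(c.getAllValues(), hasSize(4));
        assertMigratedCaCertSecret(c.getAllValues().get(0), initialClusterCaCertSecret);
        assertUnchangedCaKeySecret(c.getAllValues().get(1), initialClusterCaKeySecret);
        assertMigratedCaCertSecret(c.getAllValues().get(2), initialClientsCaCertSecret);
        assertUnchangedCaKeySecret(c.getAllValues().get(3), initialClientsCaKeySecret);
        async.flag();
    })));
}

/**
 * Asserts that a reconciled CA cert Secret still carries the original {@code CA_CRT} and now
 * also holds a generated truststore plus a non-empty truststore password, and that the
 * truststore actually contains the CA certificate.
 *
 * @param reconciled the Secret handed to the (mocked) reconcile call
 * @param initial    the pre-migration Secret, used as the reference for {@code CA_CRT}
 */
private void assertMigratedCaCertSecret(Secret reconciled, Secret initial) throws IOException, CertificateException, KeyStoreException, NoSuchAlgorithmException {
    Map<String, String> data = reconciled.getData();
    assertThat(data.keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));

    String cert = data.get(CA_CRT);
    String store = data.get(CA_STORE);
    String storePassword = data.get(CA_STORE_PASSWORD);
    assertThat(cert, is(notNullValue()));
    assertThat(store, is(notNullValue()));
    assertThat(storePassword, is(notNullValue()));
    // A generated password must not be blank: the store would be unprotected and clients could not open it
    assertThat(storePassword.isEmpty(), is(false));

    // The migration wraps the existing certificate into a truststore; it must not re-issue it
    assertThat(cert, is(initial.getData().get(CA_CRT)));
    assertThat(getCertificateFromTrustStore(CA_CRT, data), is(x509Certificate(cert)));
}

/**
 * Asserts that a reconciled CA key Secret contains exactly the original {@code CA_KEY}.
 *
 * @param reconciled the Secret handed to the (mocked) reconcile call
 * @param initial    the pre-migration Secret whose private key must be preserved
 */
private void assertUnchangedCaKeySecret(Secret reconciled, Secret initial) {
    Map<String, String> data = reconciled.getData();
    assertThat(data.keySet(), is(singleton(CA_KEY)));

    String key = data.get(CA_KEY);
    assertThat(key, is(notNullValue()));
    assertThat(key, is(initial.getData().get(CA_KEY)));
}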
use of io.strimzi.api.kafka.model.CertificateAuthority in project strimzi by strimzi.
the class KafkaAssemblyOperatorNonParametrizedTest method testClientsCASecretsWithoutOwnerReference.
/**
 * With {@code generateSecretOwnerReference=false} set on the clients CA only, the clients CA
 * cert and key Secrets must be created without any owner reference (so they are not garbage
 * collected together with the Kafka resource), while the cluster CA Secrets still carry the
 * Kafka owner reference.
 */
@Test
public void testClientsCASecretsWithoutOwnerReference(VertxTestContext context) {
    CertificateAuthority clientsCaConfig = new CertificateAuthority();
    clientsCaConfig.setGenerateSecretOwnerReference(false);

    Kafka kafka = new KafkaBuilder()
            .withNewMetadata()
                .withName(NAME)
                .withNamespace(NAMESPACE)
            .endMetadata()
            .withNewSpec()
                .withNewKafka()
                    .withReplicas(3)
                    .withNewEphemeralStorage().endEphemeralStorage()
                .endKafka()
                .withClientsCa(clientsCaConfig)
                .withNewZookeeper()
                    .withReplicas(3)
                    .withNewEphemeralStorage().endEphemeralStorage()
                .endZookeeper()
            .endSpec()
            .build();

    ResourceOperatorSupplier supplier = ResourceUtils.supplierWithMocks(false);
    SecretOperator secretOps = supplier.secretOperations;

    ArgumentCaptor<Secret> clusterCaCertCaptor = ArgumentCaptor.forClass(Secret.class);
    ArgumentCaptor<Secret> clusterCaKeyCaptor = ArgumentCaptor.forClass(Secret.class);
    ArgumentCaptor<Secret> clientsCaCertCaptor = ArgumentCaptor.forClass(Secret.class);
    ArgumentCaptor<Secret> clientsCaKeyCaptor = ArgumentCaptor.forClass(Secret.class);
    // Every reconcile call reports its Secret as freshly created and captures it for inspection
    when(secretOps.reconcile(any(), eq(NAMESPACE), eq(AbstractModel.clusterCaCertSecretName(NAME)), clusterCaCertCaptor.capture()))
            .thenAnswer(i -> Future.succeededFuture(ReconcileResult.created(i.getArgument(0))));
    when(secretOps.reconcile(any(), eq(NAMESPACE), eq(AbstractModel.clusterCaKeySecretName(NAME)), clusterCaKeyCaptor.capture()))
            .thenAnswer(i -> Future.succeededFuture(ReconcileResult.created(i.getArgument(0))));
    when(secretOps.reconcile(any(), eq(NAMESPACE), eq(KafkaCluster.clientsCaCertSecretName(NAME)), clientsCaCertCaptor.capture()))
            .thenAnswer(i -> Future.succeededFuture(ReconcileResult.created(i.getArgument(0))));
    when(secretOps.reconcile(any(), eq(NAMESPACE), eq(KafkaCluster.clientsCaKeySecretName(NAME)), clientsCaKeyCaptor.capture()))
            .thenAnswer(i -> Future.succeededFuture(ReconcileResult.created(i.getArgument(0))));

    KafkaAssemblyOperator op = new KafkaAssemblyOperator(vertx, new PlatformFeaturesAvailability(false, KubernetesVersion.V1_16), certManager, passwordGenerator, supplier, ResourceUtils.dummyClusterOperatorConfig(1L));
    Reconciliation reconciliation = new Reconciliation("test-trigger", Kafka.RESOURCE_KIND, NAMESPACE, NAME);

    // The owner reference the operator is expected to attach to managed Secrets
    OwnerReference expectedOwner = new OwnerReferenceBuilder()
            .withKind("Kafka")
            .withName(NAME)
            .withBlockOwnerDeletion(false)
            .withController(false)
            .build();

    Checkpoint async = context.checkpoint();
    op.new ReconciliationState(reconciliation, kafka).reconcileCas(Date::new).onComplete(context.succeeding(c -> context.verify(() -> {
        assertThat(clusterCaCertCaptor.getAllValues(), hasSize(1));
        assertThat(clusterCaKeyCaptor.getAllValues(), hasSize(1));
        assertThat(clientsCaCertCaptor.getAllValues(), hasSize(1));
        assertThat(clientsCaKeyCaptor.getAllValues(), hasSize(1));

        // Cluster CA Secrets: owned by the Kafka resource
        assertThat(clusterCaCertCaptor.getValue().getMetadata().getOwnerReferences(), hasSize(1));
        assertThat(clusterCaKeyCaptor.getValue().getMetadata().getOwnerReferences(), hasSize(1));
        // Clients CA Secrets: no owner at all
        assertThat(clientsCaCertCaptor.getValue().getMetadata().getOwnerReferences(), hasSize(0));
        assertThat(clientsCaKeyCaptor.getValue().getMetadata().getOwnerReferences(), hasSize(0));

        assertThat(clusterCaCertCaptor.getValue().getMetadata().getOwnerReferences().get(0), is(expectedOwner));
        assertThat(clusterCaKeyCaptor.getValue().getMetadata().getOwnerReferences().get(0), is(expectedOwner));
        async.flag();
    })));
}
use of io.strimzi.api.kafka.model.CertificateAuthority in project strimzi by strimzi.
the class KafkaAssemblyOperatorNonParametrizedTest method testClusterCASecretsWithoutOwnerReference.
/**
 * Mirror of the clients CA case: with {@code generateSecretOwnerReference=false} set on the
 * cluster CA only, the cluster CA cert and key Secrets must be created without an owner
 * reference (they survive deletion of the Kafka resource), while the clients CA Secrets
 * still carry the Kafka owner reference.
 */
@Test
public void testClusterCASecretsWithoutOwnerReference(VertxTestContext context) {
    CertificateAuthority clusterCaConfig = new CertificateAuthority();
    clusterCaConfig.setGenerateSecretOwnerReference(false);

    Kafka kafka = new KafkaBuilder()
            .withNewMetadata()
                .withName(NAME)
                .withNamespace(NAMESPACE)
            .endMetadata()
            .withNewSpec()
                .withNewKafka()
                    .withReplicas(3)
                    .withNewEphemeralStorage().endEphemeralStorage()
                .endKafka()
                .withClusterCa(clusterCaConfig)
                .withNewZookeeper()
                    .withReplicas(3)
                    .withNewEphemeralStorage().endEphemeralStorage()
                .endZookeeper()
            .endSpec()
            .build();

    ResourceOperatorSupplier supplier = ResourceUtils.supplierWithMocks(false);
    SecretOperator secretOps = supplier.secretOperations;

    ArgumentCaptor<Secret> capturedClusterCaCert = ArgumentCaptor.forClass(Secret.class);
    ArgumentCaptor<Secret> capturedClusterCaKey = ArgumentCaptor.forClass(Secret.class);
    ArgumentCaptor<Secret> capturedClientsCaCert = ArgumentCaptor.forClass(Secret.class);
    ArgumentCaptor<Secret> capturedClientsCaKey = ArgumentCaptor.forClass(Secret.class);
    // Each reconcile is answered as "created" and its Secret captured
    when(secretOps.reconcile(any(), eq(NAMESPACE), eq(AbstractModel.clusterCaCertSecretName(NAME)), capturedClusterCaCert.capture()))
            .thenAnswer(i -> Future.succeededFuture(ReconcileResult.created(i.getArgument(0))));
    when(secretOps.reconcile(any(), eq(NAMESPACE), eq(AbstractModel.clusterCaKeySecretName(NAME)), capturedClusterCaKey.capture()))
            .thenAnswer(i -> Future.succeededFuture(ReconcileResult.created(i.getArgument(0))));
    when(secretOps.reconcile(any(), eq(NAMESPACE), eq(KafkaCluster.clientsCaCertSecretName(NAME)), capturedClientsCaCert.capture()))
            .thenAnswer(i -> Future.succeededFuture(ReconcileResult.created(i.getArgument(0))));
    when(secretOps.reconcile(any(), eq(NAMESPACE), eq(KafkaCluster.clientsCaKeySecretName(NAME)), capturedClientsCaKey.capture()))
            .thenAnswer(i -> Future.succeededFuture(ReconcileResult.created(i.getArgument(0))));

    KafkaAssemblyOperator op = new KafkaAssemblyOperator(vertx, new PlatformFeaturesAvailability(false, KubernetesVersion.V1_16), certManager, passwordGenerator, supplier, ResourceUtils.dummyClusterOperatorConfig(1L));
    Reconciliation reconciliation = new Reconciliation("test-trigger", Kafka.RESOURCE_KIND, NAMESPACE, NAME);

    // Owner reference the operator attaches to Secrets it still owns
    OwnerReference kafkaOwner = new OwnerReferenceBuilder()
            .withKind("Kafka")
            .withName(NAME)
            .withBlockOwnerDeletion(false)
            .withController(false)
            .build();

    Checkpoint async = context.checkpoint();
    op.new ReconciliationState(reconciliation, kafka).reconcileCas(Date::new).onComplete(context.succeeding(c -> context.verify(() -> {
        assertThat(capturedClusterCaCert.getAllValues(), hasSize(1));
        assertThat(capturedClusterCaKey.getAllValues(), hasSize(1));
        assertThat(capturedClientsCaCert.getAllValues(), hasSize(1));
        assertThat(capturedClientsCaKey.getAllValues(), hasSize(1));

        Secret clusterCaCertSecret = capturedClusterCaCert.getValue();
        Secret clusterCaKeySecret = capturedClusterCaKey.getValue();
        Secret clientsCaCertSecret = capturedClientsCaCert.getValue();
        Secret clientsCaKeySecret = capturedClientsCaKey.getValue();

        // Cluster CA Secrets: detached from the Kafka resource
        assertThat(clusterCaCertSecret.getMetadata().getOwnerReferences(), hasSize(0));
        assertThat(clusterCaKeySecret.getMetadata().getOwnerReferences(), hasSize(0));
        // Clients CA Secrets: still owned by the Kafka resource
        assertThat(clientsCaCertSecret.getMetadata().getOwnerReferences(), hasSize(1));
        assertThat(clientsCaKeySecret.getMetadata().getOwnerReferences(), hasSize(1));
        assertThat(clientsCaCertSecret.getMetadata().getOwnerReferences().get(0), is(kafkaOwner));
        assertThat(clientsCaKeySecret.getMetadata().getOwnerReferences().get(0), is(kafkaOwner));
        async.flag();
    })));
}
use of io.strimzi.api.kafka.model.CertificateAuthority in project strimzi by strimzi.
the class SecurityST method checkClientsCACertRenew.
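/**
 * Checks that changing the clients CA renewal/validity settings on the Kafka resource renews
 * the KafkaUser certificate, and that the clients CA certificate itself is re-issued only when
 * the operator manages the CA ({@code customCA == false}). After the rollover the renewed user
 * certificate must still be signed by the current clients CA, otherwise brokers would reject it.
 *
 * @param extensionContext JUnit context used to derive the namespace and cluster name
 * @param customCA         true to deploy a user-provided clients CA; the operator must then leave
 *                         the CA certificate untouched and only renew the user certificate
 */
void checkClientsCACertRenew(ExtensionContext extensionContext, boolean customCA) {
    final String namespaceName = StUtils.getNamespaceBasedOnRbac(namespace, extensionContext);
    final String clusterName = mapWithClusterNames.get(extensionContext.getDisplayName());

    if (customCA) {
        generateAndDeployCustomStrimziCA(namespaceName, clusterName);
        checkCustomCAsCorrectness(namespaceName, clusterName);
        resourceManager.createResource(extensionContext, KafkaTemplates.kafkaEphemeral(clusterName, 3)
                .editOrNewSpec()
                    .withNewClientsCa()
                        .withRenewalDays(15)
                        .withValidityDays(20)
                        .withGenerateCertificateAuthority(false)
                    .endClientsCa()
                .endSpec()
                .build());
    } else {
        resourceManager.createResource(extensionContext, KafkaTemplates.kafkaEphemeral(clusterName, 3)
                .editOrNewSpec()
                    .withNewClientsCa()
                        .withRenewalDays(15)
                        .withValidityDays(20)
                    .endClientsCa()
                .endSpec()
                .build());
    }

    // Test-only user name; no security property depends on this random suffix
    String username = "strimzi-tls-user-" + new Random().nextInt(Integer.MAX_VALUE);
    resourceManager.createResource(extensionContext, KafkaUserTemplates.tlsUser(clusterName, username).build());

    Map<String, String> entityPods = DeploymentUtils.depSnapshot(namespaceName, KafkaResources.entityOperatorDeploymentName(clusterName));

    // Snapshot of the clients CA certificate before the change
    Secret clientsCASecret = kubeClient(namespaceName).getSecret(namespaceName, KafkaResources.clientsCaCertificateSecretName(clusterName));
    X509Certificate initialCaCert = SecretUtils.getCertificateFromSecret(clientsCASecret, "ca.crt");
    Date initialCertStartTime = initialCaCert.getNotBefore();
    Date initialCertEndTime = initialCaCert.getNotAfter();

    // Snapshot of the KafkaUser certificate before the change
    X509Certificate initialUserCert = SecretUtils.getCertificateFromSecret(kubeClient(namespaceName).getSecret(namespaceName, username), "user.crt");
    Date initialKafkaUserCertStartTime = initialUserCert.getNotBefore();
    Date initialKafkaUserCertEndTime = initialUserCert.getNotAfter();

    LOGGER.info("Change of kafka validity and renewal days - reconciliation should start.");
    CertificateAuthority newClientsCA = new CertificateAuthority();
    newClientsCA.setRenewalDays(150);
    newClientsCA.setValidityDays(200);
    if (customCA) {
        // The CA must stay user-managed after the edit, otherwise the operator would take it over
        newClientsCA.setGenerateCertificateAuthority(false);
    }
    KafkaResource.replaceKafkaResourceInSpecificNamespace(clusterName, k -> k.getSpec().setClientsCa(newClientsCA), namespaceName);

    // The Entity Operator rolls once the CA change has been reconciled
    DeploymentUtils.waitTillDepHasRolled(namespaceName, KafkaResources.entityOperatorDeploymentName(clusterName), 1, entityPods);

    // Read the CA and user certificates again after the rollover
    clientsCASecret = kubeClient(namespaceName).getSecret(namespaceName, KafkaResources.clientsCaCertificateSecretName(clusterName));
    X509Certificate changedCaCert = SecretUtils.getCertificateFromSecret(clientsCASecret, "ca.crt");
    Date changedCertStartTime = changedCaCert.getNotBefore();
    Date changedCertEndTime = changedCaCert.getNotAfter();

    X509Certificate changedUserCert = SecretUtils.getCertificateFromSecret(kubeClient(namespaceName).getSecret(namespaceName, username), "user.crt");
    Date changedKafkaUserCertStartTime = changedUserCert.getNotBefore();
    Date changedKafkaUserCertEndTime = changedUserCert.getNotAfter();

    LOGGER.info("Initial ClientsCA cert dates: " + initialCertStartTime + " --> " + initialCertEndTime);
    LOGGER.info("Changed ClientsCA cert dates: " + changedCertStartTime + " --> " + changedCertEndTime);
    LOGGER.info("Initial userCert dates: " + initialKafkaUserCertStartTime + " --> " + initialKafkaUserCertEndTime);
    LOGGER.info("Changed userCert dates: " + changedKafkaUserCertStartTime + " --> " + changedKafkaUserCertEndTime);

    if (customCA) {
        // A user-provided CA is never re-issued by the operator: compare the whole certificate,
        // not only its expiry, so a silently replaced CA with the same notAfter is caught too
        assertThat("ClientsCA cert should not have changed.", initialCaCert.equals(changedCaCert));
    } else {
        // Messages describe the failure, not the expected condition
        String msg = "Error: changed (prolonged) cert end date '" + changedCertEndTime + "' is not after the original cert end date '" + initialCertEndTime + "'";
        assertThat(msg, initialCertEndTime.compareTo(changedCertEndTime) < 0);
    }
    assertThat("UserCert start date should have been renewed but is still " + changedKafkaUserCertStartTime, initialKafkaUserCertStartTime.compareTo(changedKafkaUserCertStartTime) < 0);
    assertThat("UserCert end date should have been renewed but is still " + changedKafkaUserCertEndTime, initialKafkaUserCertEndTime.compareTo(changedKafkaUserCertEndTime) < 0);

    // The renewed user certificate must chain to the clients CA currently published in the
    // Secret, otherwise brokers trusting that CA would reject the user after the rollover
    try {
        changedUserCert.verify(changedCaCert.getPublicKey());
    } catch (java.security.GeneralSecurityException e) {
        throw new AssertionError("Renewed user certificate is not signed by the current clients CA", e);
    }
}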
use of io.strimzi.api.kafka.model.CertificateAuthority in project strimzi-kafka-operator by strimzi.
the class CertificateRenewalTest method testCustomCertsNotReconciled.
/**
 * With {@code generateCertificateAuthority=false} the CA Secrets are user-provided, so the
 * operator must not write any of them back, even though the settings used here (2 days of
 * validity inside a 3 day renewal window) would trigger an immediate renewal of a managed CA.
 */
@Test
public void testCustomCertsNotReconciled(Vertx vertx, VertxTestContext context) throws IOException, CertificateException, KeyStoreException, NoSuchAlgorithmException {
    // Validity shorter than the renewal window: a managed CA would be renewed right away
    CertificateAuthority customCa = new CertificateAuthorityBuilder()
            .withValidityDays(2)
            .withRenewalDays(3)
            .withGenerateCertificateAuthority(false)
            .build();

    List<Secret> clusterCaSecrets = initialClusterCaSecrets(customCa);
    Secret clusterCaKeySecret = clusterCaSecrets.get(0);
    Secret clusterCaCertSecret = clusterCaSecrets.get(1);
    assertWellFormedCaSecretPair(clusterCaKeySecret, clusterCaCertSecret);

    List<Secret> clientsCaSecrets = initialClientsCaSecrets(customCa);
    Secret clientsCaKeySecret = clientsCaSecrets.get(0);
    Secret clientsCaCertSecret = clientsCaSecrets.get(1);
    assertWellFormedCaSecretPair(clientsCaKeySecret, clientsCaCertSecret);

    secrets.add(clusterCaCertSecret);
    secrets.add(clusterCaKeySecret);
    secrets.add(clientsCaCertSecret);
    secrets.add(clientsCaKeySecret);

    Checkpoint async = context.checkpoint();
    reconcileCa(vertx, customCa, customCa).onComplete(context.succeeding(c -> context.verify(() -> {
        // Not a single Secret may be reconciled for user-provided CAs
        assertThat(c.getAllValues(), hasSize(0));
        async.flag();
    })));
}

/**
 * Asserts the shape of a freshly generated CA Secret pair: the cert Secret holds the
 * certificate, a truststore and its password (with the certificate present in the store),
 * and the key Secret holds exactly the private key.
 *
 * @param keySecret  the CA key Secret
 * @param certSecret the CA cert Secret
 */
private void assertWellFormedCaSecretPair(Secret keySecret, Secret certSecret) throws IOException, CertificateException, KeyStoreException, NoSuchAlgorithmException {
    Map<String, String> certData = certSecret.getData();
    assertThat(certData.keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
    assertThat(certData.get(CA_CRT), is(notNullValue()));
    assertThat(certData.get(CA_STORE), is(notNullValue()));
    assertThat(certData.get(CA_STORE_PASSWORD), is(notNullValue()));
    assertThat(isCertInTrustStore(CA_CRT, certData), is(true));

    Map<String, String> keyData = keySecret.getData();
    assertThat(keyData.keySet(), is(singleton(CA_KEY)));
    assertThat(keyData.get(CA_KEY), is(notNullValue()));
}