use of io.strimzi.api.kafka.model.CertificateAuthorityBuilder in project strimzi-kafka-operator by strimzi.
the class CertificateRenewalTest method testReconcileCasWhenCustomCertsAreMissingThrows.
@Test
public void testReconcileCasWhenCustomCertsAreMissingThrows(Vertx vertx, VertxTestContext context) {
CertificateAuthority certificateAuthority = new CertificateAuthorityBuilder().withValidityDays(100).withRenewalDays(10).withGenerateCertificateAuthority(false).build();
Checkpoint async = context.checkpoint();
reconcileCa(vertx, certificateAuthority, certificateAuthority).onComplete(context.failing(e -> context.verify(() -> {
assertThat(e, instanceOf(InvalidConfigurationException.class));
assertThat(e.getMessage(), is("Cluster CA should not be generated, but the secrets were not found."));
async.flag();
})));
}
use of io.strimzi.api.kafka.model.CertificateAuthorityBuilder in project strimzi-kafka-operator by strimzi.
the class CertificateRenewalTest method testReconcileCasGeneratesCertsInitially.
@Test
public void testReconcileCasGeneratesCertsInitially(Vertx vertx, VertxTestContext context) {
CertificateAuthority certificateAuthority = new CertificateAuthorityBuilder().withValidityDays(100).withRenewalDays(10).withGenerateCertificateAuthority(true).build();
// Delete secrets to emulate secrets not pre-existing
secrets.clear();
Checkpoint async = context.checkpoint();
reconcileCa(vertx, certificateAuthority, certificateAuthority).onComplete(context.succeeding(c -> context.verify(() -> {
assertThat(c.getAllValues(), hasSize(4));
assertThat(c.getAllValues().get(0).getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
assertThat(isCertInTrustStore(CA_CRT, c.getAllValues().get(0).getData()), is(true));
assertThat(c.getAllValues().get(1).getData().keySet(), is(singleton(CA_KEY)));
assertThat(c.getAllValues().get(2).getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
assertThat(isCertInTrustStore(CA_CRT, c.getAllValues().get(2).getData()), is(true));
assertThat(c.getAllValues().get(3).getData().keySet(), is(singleton(CA_KEY)));
async.flag();
})));
}
use of io.strimzi.api.kafka.model.CertificateAuthorityBuilder in project strimzi-kafka-operator by strimzi.
the class CertificateRenewalTest method testNewCertsGetGeneratedWhenInRenewalPeriodAutoOutsideOfMaintenanceWindow.
@Test
public void testNewCertsGetGeneratedWhenInRenewalPeriodAutoOutsideOfMaintenanceWindow(Vertx vertx, VertxTestContext context) throws IOException, CertificateException, KeyStoreException, NoSuchAlgorithmException {
CertificateAuthority certificateAuthority = new CertificateAuthorityBuilder().withValidityDays(2).withRenewalDays(3).withGenerateCertificateAuthority(true).build();
Kafka kafka = new KafkaBuilder().editOrNewMetadata().withName(NAME).withNamespace(NAMESPACE).endMetadata().withNewSpec().withClusterCa(certificateAuthority).withClientsCa(certificateAuthority).withMaintenanceTimeWindows("* 10-14 * * * ? *").endSpec().build();
List<Secret> clusterCaSecrets = initialClusterCaSecrets(certificateAuthority);
Secret initialClusterCaKeySecret = clusterCaSecrets.get(0);
Secret initialClusterCaCertSecret = clusterCaSecrets.get(1);
assertThat(initialClusterCaCertSecret.getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
assertThat(initialClusterCaCertSecret.getData().get(CA_CRT), is(notNullValue()));
assertThat(initialClusterCaCertSecret.getData().get(CA_STORE), is(notNullValue()));
assertThat(initialClusterCaCertSecret.getData().get(CA_STORE_PASSWORD), is(notNullValue()));
assertThat(isCertInTrustStore(CA_CRT, initialClusterCaCertSecret.getData()), is(true));
assertThat(initialClusterCaKeySecret.getData().keySet(), is(singleton(CA_KEY)));
assertThat(initialClusterCaKeySecret.getData().get(CA_KEY), is(notNullValue()));
List<Secret> clientsCaSecrets = initialClientsCaSecrets(certificateAuthority);
Secret initialClientsCaKeySecret = clientsCaSecrets.get(0);
Secret initialClientsCaCertSecret = clientsCaSecrets.get(1);
assertThat(initialClientsCaCertSecret.getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
assertThat(initialClientsCaCertSecret.getData().get(CA_CRT), is(notNullValue()));
assertThat(initialClientsCaCertSecret.getData().get(CA_STORE), is(notNullValue()));
assertThat(initialClientsCaCertSecret.getData().get(CA_STORE_PASSWORD), is(notNullValue()));
assertThat(isCertInTrustStore(CA_CRT, initialClientsCaCertSecret.getData()), is(true));
assertThat(initialClientsCaKeySecret.getData().keySet(), is(singleton(CA_KEY)));
assertThat(initialClientsCaKeySecret.getData().get(CA_KEY), is(notNullValue()));
secrets.add(initialClusterCaCertSecret);
secrets.add(initialClusterCaKeySecret);
secrets.add(initialClientsCaCertSecret);
secrets.add(initialClientsCaKeySecret);
Checkpoint async = context.checkpoint();
reconcileCa(vertx, kafka, () -> Date.from(Instant.parse("2018-11-26T09:00:00Z"))).onComplete(context.succeeding(c -> context.verify(() -> {
assertThat(c.getAllValues(), hasSize(4));
Map<String, String> clusterCaCertData = c.getAllValues().get(0).getData();
assertThat(clusterCaCertData.keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
X509Certificate newX509ClusterCaCertStore = getCertificateFromTrustStore(CA_CRT, clusterCaCertData);
assertThat(c.getAllValues().get(0).getMetadata().getAnnotations().get(Ca.ANNO_STRIMZI_IO_CA_CERT_GENERATION), is("0"));
String newClusterCaCert = clusterCaCertData.remove(CA_CRT);
String newClusterCaCertStore = clusterCaCertData.remove(CA_STORE);
String newClusterCaCertStorePassword = clusterCaCertData.remove(CA_STORE_PASSWORD);
assertThat(newClusterCaCert, is(notNullValue()));
assertThat(newClusterCaCertStore, is(notNullValue()));
assertThat(newClusterCaCertStorePassword, is(notNullValue()));
assertThat(newClusterCaCert, is(initialClusterCaCertSecret.getData().get(CA_CRT)));
assertThat(newClusterCaCertStore, is(initialClusterCaCertSecret.getData().get(CA_STORE)));
assertThat(newClusterCaCertStorePassword, is(initialClusterCaCertSecret.getData().get(CA_STORE_PASSWORD)));
assertThat(newX509ClusterCaCertStore, is(x509Certificate(newClusterCaCert)));
Map<String, String> clusterCaKeyData = c.getAllValues().get(1).getData();
assertThat(clusterCaKeyData.keySet(), is(singleton(CA_KEY)));
assertThat(c.getAllValues().get(1).getMetadata().getAnnotations().get(Ca.ANNO_STRIMZI_IO_CA_KEY_GENERATION), is("0"));
String newClusterCaKey = clusterCaKeyData.remove(CA_KEY);
assertThat(newClusterCaKey, is(notNullValue()));
assertThat(newClusterCaKey, is(initialClusterCaKeySecret.getData().get(CA_KEY)));
Map<String, String> clientsCaCertData = c.getAllValues().get(2).getData();
assertThat(clientsCaCertData.keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
X509Certificate newX509ClientsCaCertStore = getCertificateFromTrustStore(CA_CRT, clientsCaCertData);
assertThat(c.getAllValues().get(2).getMetadata().getAnnotations().get(Ca.ANNO_STRIMZI_IO_CA_CERT_GENERATION), is("0"));
String newClientsCaCert = clientsCaCertData.remove(CA_CRT);
String newClientsCaCertStore = clientsCaCertData.remove(CA_STORE);
String newClientsCaCertStorePassword = clientsCaCertData.remove(CA_STORE_PASSWORD);
assertThat(newClientsCaCert, is(notNullValue()));
assertThat(newClientsCaCertStore, is(notNullValue()));
assertThat(newClientsCaCertStorePassword, is(notNullValue()));
assertThat(newClientsCaCert, is(initialClientsCaCertSecret.getData().get(CA_CRT)));
assertThat(newClientsCaCertStore, is(initialClientsCaCertSecret.getData().get(CA_STORE)));
assertThat(newClientsCaCertStorePassword, is(initialClientsCaCertSecret.getData().get(CA_STORE_PASSWORD)));
assertThat(newX509ClientsCaCertStore, is(x509Certificate(newClientsCaCert)));
Map<String, String> clientsCaKeyData = c.getAllValues().get(3).getData();
assertThat(clientsCaKeyData.keySet(), is(singleton(CA_KEY)));
assertThat(c.getAllValues().get(3).getMetadata().getAnnotations().get(Ca.ANNO_STRIMZI_IO_CA_KEY_GENERATION), is("0"));
String newClientsCaKey = clientsCaKeyData.remove(CA_KEY);
assertThat(newClientsCaKey, is(notNullValue()));
assertThat(newClientsCaKey, is(initialClientsCaKeySecret.getData().get(CA_KEY)));
async.flag();
})));
}
use of io.strimzi.api.kafka.model.CertificateAuthorityBuilder in project strimzi-kafka-operator by strimzi.
the class SecurityST method testCaRenewalBreakInMiddle.
@ParallelNamespaceTest
@Tag(INTERNAL_CLIENTS_USED)
void testCaRenewalBreakInMiddle(ExtensionContext extensionContext) {
final String namespaceName = StUtils.getNamespaceBasedOnRbac(namespace, extensionContext);
final String clusterName = mapWithClusterNames.get(extensionContext.getDisplayName());
String topicName = mapWithTestTopics.get(extensionContext.getDisplayName());
final String userName = mapWithTestUsers.get(extensionContext.getDisplayName());
final LabelSelector kafkaSelector = KafkaResource.getLabelSelector(clusterName, KafkaResources.kafkaStatefulSetName(clusterName));
final LabelSelector zkSelector = KafkaResource.getLabelSelector(clusterName, KafkaResources.zookeeperStatefulSetName(clusterName));
resourceManager.createResource(extensionContext, KafkaTemplates.kafkaPersistent(clusterName, 3, 3).editSpec().withNewClusterCa().withRenewalDays(1).withValidityDays(3).endClusterCa().endSpec().build());
KafkaUser user = KafkaUserTemplates.tlsUser(clusterName, userName).build();
resourceManager.createResource(extensionContext, user);
resourceManager.createResource(extensionContext, KafkaTopicTemplates.topic(clusterName, topicName).build());
resourceManager.createResource(extensionContext, KafkaClientsTemplates.kafkaClients(true, clusterName + "-" + Constants.KAFKA_CLIENTS, user).build());
String defaultKafkaClientsPodName = kubeClient(namespaceName).listPodsByPrefixInName(namespaceName, clusterName + "-" + Constants.KAFKA_CLIENTS).get(0).getMetadata().getName();
InternalKafkaClient internalKafkaClient = new InternalKafkaClient.Builder().withUsingPodName(defaultKafkaClientsPodName).withTopicName(topicName).withNamespaceName(namespaceName).withClusterName(clusterName).withKafkaUsername(userName).withMessageCount(MESSAGE_COUNT).withListenerName(Constants.TLS_LISTENER_DEFAULT_NAME).build();
internalKafkaClient = internalKafkaClient.toBuilder().withUsingPodName(defaultKafkaClientsPodName).build();
internalKafkaClient.checkProducedAndConsumedMessages(internalKafkaClient.sendMessagesTls(), internalKafkaClient.receiveMessagesTls());
Map<String, String> zkPods = PodUtils.podSnapshot(namespaceName, zkSelector);
Map<String, String> kafkaPods = PodUtils.podSnapshot(namespaceName, kafkaSelector);
Map<String, String> eoPods = DeploymentUtils.depSnapshot(namespaceName, KafkaResources.entityOperatorDeploymentName(clusterName));
InputStream secretInputStream = getClass().getClassLoader().getResourceAsStream("security-st-certs/expired-cluster-ca.crt");
String clusterCaCert = TestUtils.readResource(secretInputStream);
SecretUtils.createSecret(namespaceName, clusterCaCertificateSecretName(clusterName), "ca.crt", clusterCaCert);
KafkaResource.replaceKafkaResourceInSpecificNamespace(clusterName, k -> {
k.getSpec().getZookeeper().setResources(new ResourceRequirementsBuilder().addToRequests("cpu", new Quantity("100000m")).build());
k.getSpec().setClusterCa(new CertificateAuthorityBuilder().withRenewalDays(4).withValidityDays(7).build());
}, namespaceName);
TestUtils.waitFor("Waiting for some kafka pod to be in the pending phase because of selected high cpu resource", Constants.GLOBAL_POLL_INTERVAL, Constants.GLOBAL_TIMEOUT, () -> {
List<Pod> pendingPods = kubeClient(namespaceName).listPodsByPrefixInName(namespaceName, KafkaResources.zookeeperStatefulSetName(clusterName)).stream().filter(pod -> pod.getStatus().getPhase().equals("Pending")).collect(Collectors.toList());
if (pendingPods.isEmpty()) {
LOGGER.info("No pods of {} are in desired state", KafkaResources.zookeeperStatefulSetName(clusterName));
return false;
} else {
LOGGER.info("Pod in 'Pending' state: {}", pendingPods.get(0).getMetadata().getName());
return true;
}
});
internalKafkaClient = internalKafkaClient.toBuilder().withConsumerGroupName(ClientUtils.generateRandomConsumerGroup()).build();
int received = internalKafkaClient.receiveMessagesTls();
assertThat(received, is(MESSAGE_COUNT));
KafkaResource.replaceKafkaResourceInSpecificNamespace(clusterName, k -> {
k.getSpec().getZookeeper().setResources(new ResourceRequirementsBuilder().addToRequests("cpu", new Quantity("200m")).build());
}, namespaceName);
// Wait until the certificates have been replaced
SecretUtils.waitForCertToChange(namespaceName, clusterCaCert, KafkaResources.clusterCaCertificateSecretName(clusterName));
RollingUpdateUtils.waitTillComponentHasRolledAndPodsReady(namespaceName, zkSelector, 3, zkPods);
RollingUpdateUtils.waitTillComponentHasRolledAndPodsReady(namespaceName, kafkaSelector, 3, kafkaPods);
DeploymentUtils.waitTillDepHasRolled(namespaceName, KafkaResources.entityOperatorDeploymentName(clusterName), 1, eoPods);
internalKafkaClient = internalKafkaClient.toBuilder().withConsumerGroupName(ClientUtils.generateRandomConsumerGroup()).build();
LOGGER.info("Checking produced and consumed messages to pod:{}", internalKafkaClient.getPodName());
received = internalKafkaClient.receiveMessagesTls();
assertThat(received, is(MESSAGE_COUNT));
// Try to send and receive messages with new certificates
topicName = KafkaTopicUtils.generateRandomNameOfTopic();
resourceManager.createResource(extensionContext, KafkaTopicTemplates.topic(clusterName, topicName).build());
internalKafkaClient = internalKafkaClient.toBuilder().withConsumerGroupName(ClientUtils.generateRandomConsumerGroup()).withTopicName(topicName).build();
internalKafkaClient.checkProducedAndConsumedMessages(internalKafkaClient.sendMessagesTls(), internalKafkaClient.receiveMessagesTls());
}
use of io.strimzi.api.kafka.model.CertificateAuthorityBuilder in project strimzi by strimzi.
the class CertificateRenewalTest method testNewCertsGetGeneratedWhenInRenewalPeriodAutoWithinMaintenanceWindow.
@Test
public void testNewCertsGetGeneratedWhenInRenewalPeriodAutoWithinMaintenanceWindow(Vertx vertx, VertxTestContext context) throws IOException, CertificateException, KeyStoreException, NoSuchAlgorithmException {
CertificateAuthority certificateAuthority = new CertificateAuthorityBuilder().withValidityDays(2).withRenewalDays(3).withGenerateCertificateAuthority(true).build();
Kafka kafka = new KafkaBuilder().editOrNewMetadata().withName(NAME).withNamespace(NAMESPACE).endMetadata().withNewSpec().withClusterCa(certificateAuthority).withClientsCa(certificateAuthority).withMaintenanceTimeWindows("* 10-14 * * * ? *").endSpec().build();
List<Secret> clusterCaSecrets = initialClusterCaSecrets(certificateAuthority);
Secret initialClusterCaKeySecret = clusterCaSecrets.get(0);
Secret initialClusterCaCertSecret = clusterCaSecrets.get(1);
assertThat(initialClusterCaCertSecret.getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
assertThat(initialClusterCaCertSecret.getData().get(CA_CRT), is(notNullValue()));
assertThat(initialClusterCaCertSecret.getData().get(CA_STORE), is(notNullValue()));
assertThat(initialClusterCaCertSecret.getData().get(CA_STORE_PASSWORD), is(notNullValue()));
assertThat(isCertInTrustStore(CA_CRT, initialClusterCaCertSecret.getData()), is(true));
assertThat(initialClusterCaKeySecret.getData().keySet(), is(singleton(CA_KEY)));
assertThat(initialClusterCaKeySecret.getData().get(CA_KEY), is(notNullValue()));
List<Secret> clientsCaSecrets = initialClientsCaSecrets(certificateAuthority);
Secret initialClientsCaKeySecret = clientsCaSecrets.get(0);
Secret initialClientsCaCertSecret = clientsCaSecrets.get(1);
assertThat(initialClientsCaCertSecret.getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
assertThat(initialClientsCaCertSecret.getData().get(CA_CRT), is(notNullValue()));
assertThat(initialClientsCaCertSecret.getData().get(CA_STORE), is(notNullValue()));
assertThat(initialClientsCaCertSecret.getData().get(CA_STORE_PASSWORD), is(notNullValue()));
assertThat(isCertInTrustStore(CA_CRT, initialClientsCaCertSecret.getData()), is(true));
assertThat(initialClientsCaKeySecret.getData().keySet(), is(singleton(CA_KEY)));
assertThat(initialClientsCaKeySecret.getData().get(CA_KEY), is(notNullValue()));
secrets.add(initialClusterCaCertSecret);
secrets.add(initialClusterCaKeySecret);
secrets.add(initialClientsCaCertSecret);
secrets.add(initialClientsCaKeySecret);
Checkpoint async = context.checkpoint();
reconcileCa(vertx, kafka, () -> Date.from(Instant.parse("2018-11-26T09:12:00Z"))).onComplete(context.succeeding(c -> context.verify(() -> {
assertThat(c.getAllValues().size(), is(4));
Map<String, String> clusterCaCertData = c.getAllValues().get(0).getData();
assertThat(clusterCaCertData.keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
X509Certificate newX509ClusterCaCertStore = getCertificateFromTrustStore(CA_CRT, clusterCaCertData);
assertThat(c.getAllValues().get(0).getMetadata().getAnnotations(), hasEntry(Ca.ANNO_STRIMZI_IO_CA_CERT_GENERATION, "1"));
String newClusterCaCert = clusterCaCertData.remove(CA_CRT);
String newClusterCaCertStore = clusterCaCertData.remove(CA_STORE);
String newClusterCaCertStorePassword = clusterCaCertData.remove(CA_STORE_PASSWORD);
assertThat(newClusterCaCert, is(notNullValue()));
assertThat(newClusterCaCertStore, is(notNullValue()));
assertThat(newClusterCaCertStorePassword, is(notNullValue()));
assertThat(newClusterCaCert, is(not(initialClusterCaCertSecret.getData().get(CA_CRT))));
assertThat(newClusterCaCertStore, is(not(initialClusterCaCertSecret.getData().get(CA_STORE))));
assertThat(newClusterCaCertStorePassword, is(not(initialClusterCaCertSecret.getData().get(CA_STORE_PASSWORD))));
assertThat(newX509ClusterCaCertStore, is(x509Certificate(newClusterCaCert)));
Map<String, String> clusterCaKeyData = c.getAllValues().get(1).getData();
assertThat(clusterCaKeyData.keySet(), is(singleton(CA_KEY)));
assertThat(c.getAllValues().get(1).getMetadata().getAnnotations(), hasEntry(Ca.ANNO_STRIMZI_IO_CA_KEY_GENERATION, "0"));
String newClusterCaKey = clusterCaKeyData.remove(CA_KEY);
assertThat(newClusterCaKey, is(notNullValue()));
assertThat(newClusterCaKey, is(initialClusterCaKeySecret.getData().get(CA_KEY)));
Map<String, String> clientsCaCertData = c.getAllValues().get(2).getData();
assertThat(clientsCaCertData.keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
X509Certificate newX509ClientsCaCertStore = getCertificateFromTrustStore(CA_CRT, clientsCaCertData);
assertThat(c.getAllValues().get(2).getMetadata().getAnnotations(), hasEntry(Ca.ANNO_STRIMZI_IO_CA_CERT_GENERATION, "1"));
String newClientsCaCert = clientsCaCertData.remove(CA_CRT);
String newClientsCaCertStore = clientsCaCertData.remove(CA_STORE);
String newClientsCaCertStorePassword = clientsCaCertData.remove(CA_STORE_PASSWORD);
assertThat(newClientsCaCert, is(notNullValue()));
assertThat(newClientsCaCertStore, is(notNullValue()));
assertThat(newClientsCaCertStorePassword, is(notNullValue()));
assertThat(newClientsCaCert, is(not(initialClientsCaCertSecret.getData().get(CA_CRT))));
assertThat(newClientsCaCertStore, is(not(initialClientsCaCertSecret.getData().get(CA_STORE))));
assertThat(newClientsCaCertStorePassword, is(not(initialClientsCaCertSecret.getData().get(CA_STORE_PASSWORD))));
assertThat(newX509ClientsCaCertStore, is(x509Certificate(newClientsCaCert)));
Map<String, String> clientsCaKeyData = c.getAllValues().get(3).getData();
assertThat(clientsCaKeyData.keySet(), is(singleton(CA_KEY)));
assertThat(c.getAllValues().get(3).getMetadata().getAnnotations(), hasEntry(Ca.ANNO_STRIMZI_IO_CA_KEY_GENERATION, "0"));
String newClientsCaKey = clientsCaKeyData.remove(CA_KEY);
assertThat(newClientsCaKey, is(notNullValue()));
assertThat(newClientsCaKey, is(initialClientsCaKeySecret.getData().get(CA_KEY)));
async.flag();
})));
}
Aggregations