Search in sources :

Example 11 with CertificateAuthorityBuilder

use of io.strimzi.api.kafka.model.CertificateAuthorityBuilder in project strimzi-kafka-operator by strimzi.

the class CertificateRenewalTest method testReconcileCasWhenCustomCertsAreMissingThrows.

@Test
public void testReconcileCasWhenCustomCertsAreMissingThrows(Vertx vertx, VertxTestContext context) {
    CertificateAuthority certificateAuthority = new CertificateAuthorityBuilder().withValidityDays(100).withRenewalDays(10).withGenerateCertificateAuthority(false).build();
    Checkpoint async = context.checkpoint();
    reconcileCa(vertx, certificateAuthority, certificateAuthority).onComplete(context.failing(e -> context.verify(() -> {
        assertThat(e, instanceOf(InvalidConfigurationException.class));
        assertThat(e.getMessage(), is("Cluster CA should not be generated, but the secrets were not found."));
        async.flag();
    })));
}
Also used : X509Certificate(java.security.cert.X509Certificate) CoreMatchers.is(org.hamcrest.CoreMatchers.is) BeforeEach(org.junit.jupiter.api.BeforeEach) CertificateFactory(java.security.cert.CertificateFactory) CA_KEY(io.strimzi.operator.cluster.model.Ca.CA_KEY) Date(java.util.Date) ArgumentMatchers.eq(org.mockito.ArgumentMatchers.eq) KeyStoreException(java.security.KeyStoreException) CoreMatchers.notNullValue(org.hamcrest.CoreMatchers.notNullValue) CoreMatchers.instanceOf(org.hamcrest.CoreMatchers.instanceOf) ExtendWith(org.junit.jupiter.api.extension.ExtendWith) ByteArrayInputStream(java.io.ByteArrayInputStream) Collections.singleton(java.util.Collections.singleton) Ca(io.strimzi.operator.cluster.model.Ca) Map(java.util.Map) ResourceOperatorSupplier(io.strimzi.operator.cluster.operator.resource.ResourceOperatorSupplier) ResourceUtils(io.strimzi.operator.cluster.ResourceUtils) Path(java.nio.file.Path) AbstractModel(io.strimzi.operator.cluster.model.AbstractModel) ModelUtils(io.strimzi.operator.cluster.model.ModelUtils) SecretOperator(io.strimzi.operator.common.operator.resource.SecretOperator) KeyStore(java.security.KeyStore) VertxExtension(io.vertx.junit5.VertxExtension) Instant(java.time.Instant) Future(io.vertx.core.Future) Collectors(java.util.stream.Collectors) StandardCharsets(java.nio.charset.StandardCharsets) Subject(io.strimzi.certs.Subject) Test(org.junit.jupiter.api.Test) Objects(java.util.Objects) Base64(java.util.Base64) List(java.util.List) Labels(io.strimzi.operator.common.model.Labels) PasswordGenerator(io.strimzi.operator.common.PasswordGenerator) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) CA_STORE_PASSWORD(io.strimzi.operator.cluster.model.Ca.CA_STORE_PASSWORD) Secret(io.fabric8.kubernetes.api.model.Secret) CA_STORE(io.strimzi.operator.cluster.model.Ca.CA_STORE) Checkpoint(io.vertx.junit5.Checkpoint) ClusterCa(io.strimzi.operator.cluster.model.ClusterCa) PlatformFeaturesAvailability(io.strimzi.operator.PlatformFeaturesAvailability) Mockito.mock(org.mockito.Mockito.mock) VertxTestContext(io.vertx.junit5.VertxTestContext) ArgumentMatchers.any(org.mockito.ArgumentMatchers.any) Matchers.aMapWithSize(org.hamcrest.Matchers.aMapWithSize) CoreMatchers.not(org.hamcrest.CoreMatchers.not) OwnerReference(io.fabric8.kubernetes.api.model.OwnerReference) CertAndKey(io.strimzi.certs.CertAndKey) Supplier(java.util.function.Supplier) KafkaBuilder(io.strimzi.api.kafka.model.KafkaBuilder) ArrayList(java.util.ArrayList) ArgumentCaptor(org.mockito.ArgumentCaptor) KafkaCluster(io.strimzi.operator.cluster.model.KafkaCluster) TestUtils(io.strimzi.test.TestUtils) Matchers.hasSize(org.hamcrest.Matchers.hasSize) ReconcileResult(io.strimzi.operator.common.operator.resource.ReconcileResult) MatcherAssert.assertThat(org.hamcrest.MatcherAssert.assertThat) CertificateExpirationPolicy(io.strimzi.api.kafka.model.CertificateExpirationPolicy) Matchers.hasEntry(org.hamcrest.Matchers.hasEntry) CertificateAuthority(io.strimzi.api.kafka.model.CertificateAuthority) Files(java.nio.file.Files) Promise(io.vertx.core.Promise) KubernetesVersion(io.strimzi.operator.KubernetesVersion) Vertx(io.vertx.core.Vertx) IOException(java.io.IOException) CertificateException(java.security.cert.CertificateException) TestUtils.set(io.strimzi.test.TestUtils.set) Mockito.when(org.mockito.Mockito.when) Reconciliation(io.strimzi.operator.common.Reconciliation) InvalidConfigurationException(io.strimzi.operator.common.InvalidConfigurationException) CA_CRT(io.strimzi.operator.cluster.model.Ca.CA_CRT) SecretBuilder(io.fabric8.kubernetes.api.model.SecretBuilder) Kafka(io.strimzi.api.kafka.model.Kafka) OpenSslCertManager(io.strimzi.certs.OpenSslCertManager) CertificateAuthorityBuilder(io.strimzi.api.kafka.model.CertificateAuthorityBuilder) ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString) Checkpoint(io.vertx.junit5.Checkpoint) CertificateAuthority(io.strimzi.api.kafka.model.CertificateAuthority) CertificateAuthorityBuilder(io.strimzi.api.kafka.model.CertificateAuthorityBuilder) InvalidConfigurationException(io.strimzi.operator.common.InvalidConfigurationException) Test(org.junit.jupiter.api.Test)

Example 12 with CertificateAuthorityBuilder

use of io.strimzi.api.kafka.model.CertificateAuthorityBuilder in project strimzi-kafka-operator by strimzi.

the class CertificateRenewalTest method testReconcileCasGeneratesCertsInitially.

@Test
public void testReconcileCasGeneratesCertsInitially(Vertx vertx, VertxTestContext context) {
    CertificateAuthority certificateAuthority = new CertificateAuthorityBuilder().withValidityDays(100).withRenewalDays(10).withGenerateCertificateAuthority(true).build();
    // Delete secrets to emulate secrets not pre-existing
    secrets.clear();
    Checkpoint async = context.checkpoint();
    reconcileCa(vertx, certificateAuthority, certificateAuthority).onComplete(context.succeeding(c -> context.verify(() -> {
        assertThat(c.getAllValues(), hasSize(4));
        assertThat(c.getAllValues().get(0).getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
        assertThat(isCertInTrustStore(CA_CRT, c.getAllValues().get(0).getData()), is(true));
        assertThat(c.getAllValues().get(1).getData().keySet(), is(singleton(CA_KEY)));
        assertThat(c.getAllValues().get(2).getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
        assertThat(isCertInTrustStore(CA_CRT, c.getAllValues().get(2).getData()), is(true));
        assertThat(c.getAllValues().get(3).getData().keySet(), is(singleton(CA_KEY)));
        async.flag();
    })));
}
Also used : X509Certificate(java.security.cert.X509Certificate) CoreMatchers.is(org.hamcrest.CoreMatchers.is) BeforeEach(org.junit.jupiter.api.BeforeEach) CertificateFactory(java.security.cert.CertificateFactory) CA_KEY(io.strimzi.operator.cluster.model.Ca.CA_KEY) Date(java.util.Date) ArgumentMatchers.eq(org.mockito.ArgumentMatchers.eq) KeyStoreException(java.security.KeyStoreException) CoreMatchers.notNullValue(org.hamcrest.CoreMatchers.notNullValue) CoreMatchers.instanceOf(org.hamcrest.CoreMatchers.instanceOf) ExtendWith(org.junit.jupiter.api.extension.ExtendWith) ByteArrayInputStream(java.io.ByteArrayInputStream) Collections.singleton(java.util.Collections.singleton) Ca(io.strimzi.operator.cluster.model.Ca) Map(java.util.Map) ResourceOperatorSupplier(io.strimzi.operator.cluster.operator.resource.ResourceOperatorSupplier) ResourceUtils(io.strimzi.operator.cluster.ResourceUtils) Path(java.nio.file.Path) AbstractModel(io.strimzi.operator.cluster.model.AbstractModel) ModelUtils(io.strimzi.operator.cluster.model.ModelUtils) SecretOperator(io.strimzi.operator.common.operator.resource.SecretOperator) KeyStore(java.security.KeyStore) VertxExtension(io.vertx.junit5.VertxExtension) Instant(java.time.Instant) Future(io.vertx.core.Future) Collectors(java.util.stream.Collectors) StandardCharsets(java.nio.charset.StandardCharsets) Subject(io.strimzi.certs.Subject) Test(org.junit.jupiter.api.Test) Objects(java.util.Objects) Base64(java.util.Base64) List(java.util.List) Labels(io.strimzi.operator.common.model.Labels) PasswordGenerator(io.strimzi.operator.common.PasswordGenerator) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) CA_STORE_PASSWORD(io.strimzi.operator.cluster.model.Ca.CA_STORE_PASSWORD) Secret(io.fabric8.kubernetes.api.model.Secret) CA_STORE(io.strimzi.operator.cluster.model.Ca.CA_STORE) Checkpoint(io.vertx.junit5.Checkpoint) ClusterCa(io.strimzi.operator.cluster.model.ClusterCa) PlatformFeaturesAvailability(io.strimzi.operator.PlatformFeaturesAvailability) Mockito.mock(org.mockito.Mockito.mock) VertxTestContext(io.vertx.junit5.VertxTestContext) ArgumentMatchers.any(org.mockito.ArgumentMatchers.any) Matchers.aMapWithSize(org.hamcrest.Matchers.aMapWithSize) CoreMatchers.not(org.hamcrest.CoreMatchers.not) OwnerReference(io.fabric8.kubernetes.api.model.OwnerReference) CertAndKey(io.strimzi.certs.CertAndKey) Supplier(java.util.function.Supplier) KafkaBuilder(io.strimzi.api.kafka.model.KafkaBuilder) ArrayList(java.util.ArrayList) ArgumentCaptor(org.mockito.ArgumentCaptor) KafkaCluster(io.strimzi.operator.cluster.model.KafkaCluster) TestUtils(io.strimzi.test.TestUtils) Matchers.hasSize(org.hamcrest.Matchers.hasSize) ReconcileResult(io.strimzi.operator.common.operator.resource.ReconcileResult) MatcherAssert.assertThat(org.hamcrest.MatcherAssert.assertThat) CertificateExpirationPolicy(io.strimzi.api.kafka.model.CertificateExpirationPolicy) Matchers.hasEntry(org.hamcrest.Matchers.hasEntry) CertificateAuthority(io.strimzi.api.kafka.model.CertificateAuthority) Files(java.nio.file.Files) Promise(io.vertx.core.Promise) KubernetesVersion(io.strimzi.operator.KubernetesVersion) Vertx(io.vertx.core.Vertx) IOException(java.io.IOException) CertificateException(java.security.cert.CertificateException) TestUtils.set(io.strimzi.test.TestUtils.set) Mockito.when(org.mockito.Mockito.when) Reconciliation(io.strimzi.operator.common.Reconciliation) InvalidConfigurationException(io.strimzi.operator.common.InvalidConfigurationException) CA_CRT(io.strimzi.operator.cluster.model.Ca.CA_CRT) SecretBuilder(io.fabric8.kubernetes.api.model.SecretBuilder) Kafka(io.strimzi.api.kafka.model.Kafka) OpenSslCertManager(io.strimzi.certs.OpenSslCertManager) CertificateAuthorityBuilder(io.strimzi.api.kafka.model.CertificateAuthorityBuilder) ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString) Checkpoint(io.vertx.junit5.Checkpoint) CertificateAuthority(io.strimzi.api.kafka.model.CertificateAuthority) CertificateAuthorityBuilder(io.strimzi.api.kafka.model.CertificateAuthorityBuilder) Test(org.junit.jupiter.api.Test)

Example 13 with CertificateAuthorityBuilder

use of io.strimzi.api.kafka.model.CertificateAuthorityBuilder in project strimzi-kafka-operator by strimzi.

the class CertificateRenewalTest method testNewCertsGetGeneratedWhenInRenewalPeriodAutoOutsideOfMaintenanceWindow.

@Test
public void testNewCertsGetGeneratedWhenInRenewalPeriodAutoOutsideOfMaintenanceWindow(Vertx vertx, VertxTestContext context) throws IOException, CertificateException, KeyStoreException, NoSuchAlgorithmException {
    CertificateAuthority certificateAuthority = new CertificateAuthorityBuilder().withValidityDays(2).withRenewalDays(3).withGenerateCertificateAuthority(true).build();
    Kafka kafka = new KafkaBuilder().editOrNewMetadata().withName(NAME).withNamespace(NAMESPACE).endMetadata().withNewSpec().withClusterCa(certificateAuthority).withClientsCa(certificateAuthority).withMaintenanceTimeWindows("* 10-14 * * * ? *").endSpec().build();
    List<Secret> clusterCaSecrets = initialClusterCaSecrets(certificateAuthority);
    Secret initialClusterCaKeySecret = clusterCaSecrets.get(0);
    Secret initialClusterCaCertSecret = clusterCaSecrets.get(1);
    assertThat(initialClusterCaCertSecret.getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
    assertThat(initialClusterCaCertSecret.getData().get(CA_CRT), is(notNullValue()));
    assertThat(initialClusterCaCertSecret.getData().get(CA_STORE), is(notNullValue()));
    assertThat(initialClusterCaCertSecret.getData().get(CA_STORE_PASSWORD), is(notNullValue()));
    assertThat(isCertInTrustStore(CA_CRT, initialClusterCaCertSecret.getData()), is(true));
    assertThat(initialClusterCaKeySecret.getData().keySet(), is(singleton(CA_KEY)));
    assertThat(initialClusterCaKeySecret.getData().get(CA_KEY), is(notNullValue()));
    List<Secret> clientsCaSecrets = initialClientsCaSecrets(certificateAuthority);
    Secret initialClientsCaKeySecret = clientsCaSecrets.get(0);
    Secret initialClientsCaCertSecret = clientsCaSecrets.get(1);
    assertThat(initialClientsCaCertSecret.getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
    assertThat(initialClientsCaCertSecret.getData().get(CA_CRT), is(notNullValue()));
    assertThat(initialClientsCaCertSecret.getData().get(CA_STORE), is(notNullValue()));
    assertThat(initialClientsCaCertSecret.getData().get(CA_STORE_PASSWORD), is(notNullValue()));
    assertThat(isCertInTrustStore(CA_CRT, initialClientsCaCertSecret.getData()), is(true));
    assertThat(initialClientsCaKeySecret.getData().keySet(), is(singleton(CA_KEY)));
    assertThat(initialClientsCaKeySecret.getData().get(CA_KEY), is(notNullValue()));
    secrets.add(initialClusterCaCertSecret);
    secrets.add(initialClusterCaKeySecret);
    secrets.add(initialClientsCaCertSecret);
    secrets.add(initialClientsCaKeySecret);
    Checkpoint async = context.checkpoint();
    reconcileCa(vertx, kafka, () -> Date.from(Instant.parse("2018-11-26T09:00:00Z"))).onComplete(context.succeeding(c -> context.verify(() -> {
        assertThat(c.getAllValues(), hasSize(4));
        Map<String, String> clusterCaCertData = c.getAllValues().get(0).getData();
        assertThat(clusterCaCertData.keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
        X509Certificate newX509ClusterCaCertStore = getCertificateFromTrustStore(CA_CRT, clusterCaCertData);
        assertThat(c.getAllValues().get(0).getMetadata().getAnnotations().get(Ca.ANNO_STRIMZI_IO_CA_CERT_GENERATION), is("0"));
        String newClusterCaCert = clusterCaCertData.remove(CA_CRT);
        String newClusterCaCertStore = clusterCaCertData.remove(CA_STORE);
        String newClusterCaCertStorePassword = clusterCaCertData.remove(CA_STORE_PASSWORD);
        assertThat(newClusterCaCert, is(notNullValue()));
        assertThat(newClusterCaCertStore, is(notNullValue()));
        assertThat(newClusterCaCertStorePassword, is(notNullValue()));
        assertThat(newClusterCaCert, is(initialClusterCaCertSecret.getData().get(CA_CRT)));
        assertThat(newClusterCaCertStore, is(initialClusterCaCertSecret.getData().get(CA_STORE)));
        assertThat(newClusterCaCertStorePassword, is(initialClusterCaCertSecret.getData().get(CA_STORE_PASSWORD)));
        assertThat(newX509ClusterCaCertStore, is(x509Certificate(newClusterCaCert)));
        Map<String, String> clusterCaKeyData = c.getAllValues().get(1).getData();
        assertThat(clusterCaKeyData.keySet(), is(singleton(CA_KEY)));
        assertThat(c.getAllValues().get(1).getMetadata().getAnnotations().get(Ca.ANNO_STRIMZI_IO_CA_KEY_GENERATION), is("0"));
        String newClusterCaKey = clusterCaKeyData.remove(CA_KEY);
        assertThat(newClusterCaKey, is(notNullValue()));
        assertThat(newClusterCaKey, is(initialClusterCaKeySecret.getData().get(CA_KEY)));
        Map<String, String> clientsCaCertData = c.getAllValues().get(2).getData();
        assertThat(clientsCaCertData.keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
        X509Certificate newX509ClientsCaCertStore = getCertificateFromTrustStore(CA_CRT, clientsCaCertData);
        assertThat(c.getAllValues().get(2).getMetadata().getAnnotations().get(Ca.ANNO_STRIMZI_IO_CA_CERT_GENERATION), is("0"));
        String newClientsCaCert = clientsCaCertData.remove(CA_CRT);
        String newClientsCaCertStore = clientsCaCertData.remove(CA_STORE);
        String newClientsCaCertStorePassword = clientsCaCertData.remove(CA_STORE_PASSWORD);
        assertThat(newClientsCaCert, is(notNullValue()));
        assertThat(newClientsCaCertStore, is(notNullValue()));
        assertThat(newClientsCaCertStorePassword, is(notNullValue()));
        assertThat(newClientsCaCert, is(initialClientsCaCertSecret.getData().get(CA_CRT)));
        assertThat(newClientsCaCertStore, is(initialClientsCaCertSecret.getData().get(CA_STORE)));
        assertThat(newClientsCaCertStorePassword, is(initialClientsCaCertSecret.getData().get(CA_STORE_PASSWORD)));
        assertThat(newX509ClientsCaCertStore, is(x509Certificate(newClientsCaCert)));
        Map<String, String> clientsCaKeyData = c.getAllValues().get(3).getData();
        assertThat(clientsCaKeyData.keySet(), is(singleton(CA_KEY)));
        assertThat(c.getAllValues().get(3).getMetadata().getAnnotations().get(Ca.ANNO_STRIMZI_IO_CA_KEY_GENERATION), is("0"));
        String newClientsCaKey = clientsCaKeyData.remove(CA_KEY);
        assertThat(newClientsCaKey, is(notNullValue()));
        assertThat(newClientsCaKey, is(initialClientsCaKeySecret.getData().get(CA_KEY)));
        async.flag();
    })));
}
Also used : Secret(io.fabric8.kubernetes.api.model.Secret) X509Certificate(java.security.cert.X509Certificate) CoreMatchers.is(org.hamcrest.CoreMatchers.is) BeforeEach(org.junit.jupiter.api.BeforeEach) CertificateFactory(java.security.cert.CertificateFactory) CA_KEY(io.strimzi.operator.cluster.model.Ca.CA_KEY) Date(java.util.Date) ArgumentMatchers.eq(org.mockito.ArgumentMatchers.eq) KeyStoreException(java.security.KeyStoreException) CoreMatchers.notNullValue(org.hamcrest.CoreMatchers.notNullValue) CoreMatchers.instanceOf(org.hamcrest.CoreMatchers.instanceOf) ExtendWith(org.junit.jupiter.api.extension.ExtendWith) ByteArrayInputStream(java.io.ByteArrayInputStream) Collections.singleton(java.util.Collections.singleton) Ca(io.strimzi.operator.cluster.model.Ca) Map(java.util.Map) ResourceOperatorSupplier(io.strimzi.operator.cluster.operator.resource.ResourceOperatorSupplier) ResourceUtils(io.strimzi.operator.cluster.ResourceUtils) Path(java.nio.file.Path) AbstractModel(io.strimzi.operator.cluster.model.AbstractModel) ModelUtils(io.strimzi.operator.cluster.model.ModelUtils) SecretOperator(io.strimzi.operator.common.operator.resource.SecretOperator) KeyStore(java.security.KeyStore) VertxExtension(io.vertx.junit5.VertxExtension) Instant(java.time.Instant) Future(io.vertx.core.Future) Collectors(java.util.stream.Collectors) StandardCharsets(java.nio.charset.StandardCharsets) Subject(io.strimzi.certs.Subject) Test(org.junit.jupiter.api.Test) Objects(java.util.Objects) Base64(java.util.Base64) List(java.util.List) Labels(io.strimzi.operator.common.model.Labels) PasswordGenerator(io.strimzi.operator.common.PasswordGenerator) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) CA_STORE_PASSWORD(io.strimzi.operator.cluster.model.Ca.CA_STORE_PASSWORD) Secret(io.fabric8.kubernetes.api.model.Secret) CA_STORE(io.strimzi.operator.cluster.model.Ca.CA_STORE) Checkpoint(io.vertx.junit5.Checkpoint) ClusterCa(io.strimzi.operator.cluster.model.ClusterCa) PlatformFeaturesAvailability(io.strimzi.operator.PlatformFeaturesAvailability) Mockito.mock(org.mockito.Mockito.mock) VertxTestContext(io.vertx.junit5.VertxTestContext) ArgumentMatchers.any(org.mockito.ArgumentMatchers.any) Matchers.aMapWithSize(org.hamcrest.Matchers.aMapWithSize) CoreMatchers.not(org.hamcrest.CoreMatchers.not) OwnerReference(io.fabric8.kubernetes.api.model.OwnerReference) CertAndKey(io.strimzi.certs.CertAndKey) Supplier(java.util.function.Supplier) KafkaBuilder(io.strimzi.api.kafka.model.KafkaBuilder) ArrayList(java.util.ArrayList) ArgumentCaptor(org.mockito.ArgumentCaptor) KafkaCluster(io.strimzi.operator.cluster.model.KafkaCluster) TestUtils(io.strimzi.test.TestUtils) Matchers.hasSize(org.hamcrest.Matchers.hasSize) ReconcileResult(io.strimzi.operator.common.operator.resource.ReconcileResult) MatcherAssert.assertThat(org.hamcrest.MatcherAssert.assertThat) CertificateExpirationPolicy(io.strimzi.api.kafka.model.CertificateExpirationPolicy) Matchers.hasEntry(org.hamcrest.Matchers.hasEntry) CertificateAuthority(io.strimzi.api.kafka.model.CertificateAuthority) Files(java.nio.file.Files) Promise(io.vertx.core.Promise) KubernetesVersion(io.strimzi.operator.KubernetesVersion) Vertx(io.vertx.core.Vertx) IOException(java.io.IOException) CertificateException(java.security.cert.CertificateException) TestUtils.set(io.strimzi.test.TestUtils.set) Mockito.when(org.mockito.Mockito.when) Reconciliation(io.strimzi.operator.common.Reconciliation) InvalidConfigurationException(io.strimzi.operator.common.InvalidConfigurationException) CA_CRT(io.strimzi.operator.cluster.model.Ca.CA_CRT) SecretBuilder(io.fabric8.kubernetes.api.model.SecretBuilder) Kafka(io.strimzi.api.kafka.model.Kafka) OpenSslCertManager(io.strimzi.certs.OpenSslCertManager) CertificateAuthorityBuilder(io.strimzi.api.kafka.model.CertificateAuthorityBuilder) ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString) Checkpoint(io.vertx.junit5.Checkpoint) Kafka(io.strimzi.api.kafka.model.Kafka) CertificateAuthority(io.strimzi.api.kafka.model.CertificateAuthority) KafkaBuilder(io.strimzi.api.kafka.model.KafkaBuilder) ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString) CertificateAuthorityBuilder(io.strimzi.api.kafka.model.CertificateAuthorityBuilder) X509Certificate(java.security.cert.X509Certificate) Test(org.junit.jupiter.api.Test)

Example 14 with CertificateAuthorityBuilder

use of io.strimzi.api.kafka.model.CertificateAuthorityBuilder in project strimzi-kafka-operator by strimzi.

the class SecurityST method testCaRenewalBreakInMiddle.

@ParallelNamespaceTest
@Tag(INTERNAL_CLIENTS_USED)
void testCaRenewalBreakInMiddle(ExtensionContext extensionContext) {
    final String namespaceName = StUtils.getNamespaceBasedOnRbac(namespace, extensionContext);
    final String clusterName = mapWithClusterNames.get(extensionContext.getDisplayName());
    String topicName = mapWithTestTopics.get(extensionContext.getDisplayName());
    final String userName = mapWithTestUsers.get(extensionContext.getDisplayName());
    final LabelSelector kafkaSelector = KafkaResource.getLabelSelector(clusterName, KafkaResources.kafkaStatefulSetName(clusterName));
    final LabelSelector zkSelector = KafkaResource.getLabelSelector(clusterName, KafkaResources.zookeeperStatefulSetName(clusterName));
    resourceManager.createResource(extensionContext, KafkaTemplates.kafkaPersistent(clusterName, 3, 3).editSpec().withNewClusterCa().withRenewalDays(1).withValidityDays(3).endClusterCa().endSpec().build());
    KafkaUser user = KafkaUserTemplates.tlsUser(clusterName, userName).build();
    resourceManager.createResource(extensionContext, user);
    resourceManager.createResource(extensionContext, KafkaTopicTemplates.topic(clusterName, topicName).build());
    resourceManager.createResource(extensionContext, KafkaClientsTemplates.kafkaClients(true, clusterName + "-" + Constants.KAFKA_CLIENTS, user).build());
    String defaultKafkaClientsPodName = kubeClient(namespaceName).listPodsByPrefixInName(namespaceName, clusterName + "-" + Constants.KAFKA_CLIENTS).get(0).getMetadata().getName();
    InternalKafkaClient internalKafkaClient = new InternalKafkaClient.Builder().withUsingPodName(defaultKafkaClientsPodName).withTopicName(topicName).withNamespaceName(namespaceName).withClusterName(clusterName).withKafkaUsername(userName).withMessageCount(MESSAGE_COUNT).withListenerName(Constants.TLS_LISTENER_DEFAULT_NAME).build();
    internalKafkaClient = internalKafkaClient.toBuilder().withUsingPodName(defaultKafkaClientsPodName).build();
    internalKafkaClient.checkProducedAndConsumedMessages(internalKafkaClient.sendMessagesTls(), internalKafkaClient.receiveMessagesTls());
    Map<String, String> zkPods = PodUtils.podSnapshot(namespaceName, zkSelector);
    Map<String, String> kafkaPods = PodUtils.podSnapshot(namespaceName, kafkaSelector);
    Map<String, String> eoPods = DeploymentUtils.depSnapshot(namespaceName, KafkaResources.entityOperatorDeploymentName(clusterName));
    InputStream secretInputStream = getClass().getClassLoader().getResourceAsStream("security-st-certs/expired-cluster-ca.crt");
    String clusterCaCert = TestUtils.readResource(secretInputStream);
    SecretUtils.createSecret(namespaceName, clusterCaCertificateSecretName(clusterName), "ca.crt", clusterCaCert);
    KafkaResource.replaceKafkaResourceInSpecificNamespace(clusterName, k -> {
        k.getSpec().getZookeeper().setResources(new ResourceRequirementsBuilder().addToRequests("cpu", new Quantity("100000m")).build());
        k.getSpec().setClusterCa(new CertificateAuthorityBuilder().withRenewalDays(4).withValidityDays(7).build());
    }, namespaceName);
    TestUtils.waitFor("Waiting for some kafka pod to be in the pending phase because of selected high cpu resource", Constants.GLOBAL_POLL_INTERVAL, Constants.GLOBAL_TIMEOUT, () -> {
        List<Pod> pendingPods = kubeClient(namespaceName).listPodsByPrefixInName(namespaceName, KafkaResources.zookeeperStatefulSetName(clusterName)).stream().filter(pod -> pod.getStatus().getPhase().equals("Pending")).collect(Collectors.toList());
        if (pendingPods.isEmpty()) {
            LOGGER.info("No pods of {} are in desired state", KafkaResources.zookeeperStatefulSetName(clusterName));
            return false;
        } else {
            LOGGER.info("Pod in 'Pending' state: {}", pendingPods.get(0).getMetadata().getName());
            return true;
        }
    });
    internalKafkaClient = internalKafkaClient.toBuilder().withConsumerGroupName(ClientUtils.generateRandomConsumerGroup()).build();
    int received = internalKafkaClient.receiveMessagesTls();
    assertThat(received, is(MESSAGE_COUNT));
    KafkaResource.replaceKafkaResourceInSpecificNamespace(clusterName, k -> {
        k.getSpec().getZookeeper().setResources(new ResourceRequirementsBuilder().addToRequests("cpu", new Quantity("200m")).build());
    }, namespaceName);
    // Wait until the certificates have been replaced
    SecretUtils.waitForCertToChange(namespaceName, clusterCaCert, KafkaResources.clusterCaCertificateSecretName(clusterName));
    RollingUpdateUtils.waitTillComponentHasRolledAndPodsReady(namespaceName, zkSelector, 3, zkPods);
    RollingUpdateUtils.waitTillComponentHasRolledAndPodsReady(namespaceName, kafkaSelector, 3, kafkaPods);
    DeploymentUtils.waitTillDepHasRolled(namespaceName, KafkaResources.entityOperatorDeploymentName(clusterName), 1, eoPods);
    internalKafkaClient = internalKafkaClient.toBuilder().withConsumerGroupName(ClientUtils.generateRandomConsumerGroup()).build();
    LOGGER.info("Checking produced and consumed messages to pod:{}", internalKafkaClient.getPodName());
    received = internalKafkaClient.receiveMessagesTls();
    assertThat(received, is(MESSAGE_COUNT));
    // Try to send and receive messages with new certificates
    topicName = KafkaTopicUtils.generateRandomNameOfTopic();
    resourceManager.createResource(extensionContext, KafkaTopicTemplates.topic(clusterName, topicName).build());
    internalKafkaClient = internalKafkaClient.toBuilder().withConsumerGroupName(ClientUtils.generateRandomConsumerGroup()).withTopicName(topicName).build();
    internalKafkaClient.checkProducedAndConsumedMessages(internalKafkaClient.sendMessagesTls(), internalKafkaClient.receiveMessagesTls());
}
Also used : Quantity(io.fabric8.kubernetes.api.model.Quantity) VolumeMount(io.fabric8.kubernetes.api.model.VolumeMount) DeletionPropagation(io.fabric8.kubernetes.api.model.DeletionPropagation) Arrays(java.util.Arrays) LabelSelector(io.fabric8.kubernetes.api.model.LabelSelector) KafkaExporterResources(io.strimzi.api.kafka.model.KafkaExporterResources) KafkaTopicUtils(io.strimzi.systemtest.utils.kafkaUtils.KafkaTopicUtils) KafkaUser(io.strimzi.api.kafka.model.KafkaUser) KafkaResources.clusterCaKeySecretName(io.strimzi.api.kafka.model.KafkaResources.clusterCaKeySecretName) KafkaResources.clientsCaKeySecretName(io.strimzi.api.kafka.model.KafkaResources.clientsCaKeySecretName) KafkaResources(io.strimzi.api.kafka.model.KafkaResources) Duration(java.time.Duration) Map(java.util.Map) Tag(org.junit.jupiter.api.Tag) RollingUpdateUtils(io.strimzi.systemtest.utils.RollingUpdateUtils) ACCEPTANCE(io.strimzi.systemtest.Constants.ACCEPTANCE) GenericKafkaListenerBuilder(io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListenerBuilder) KafkaMirrorMakerUtils(io.strimzi.systemtest.utils.kafkaUtils.KafkaMirrorMakerUtils) Logger(org.apache.logging.log4j.Logger) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) Matchers.containsString(org.hamcrest.Matchers.containsString) AbstractST(io.strimzi.systemtest.AbstractST) Assertions.assertThrows(org.junit.jupiter.api.Assertions.assertThrows) Assertions.assertNotNull(org.junit.jupiter.api.Assertions.assertNotNull) KafkaClientsTemplates(io.strimzi.systemtest.templates.crd.KafkaClientsTemplates) KafkaConnectTemplates(io.strimzi.systemtest.templates.crd.KafkaConnectTemplates) InvalidKeySpecException(java.security.spec.InvalidKeySpecException) ParallelSuite(io.strimzi.systemtest.annotations.ParallelSuite) CONNECT(io.strimzi.systemtest.Constants.CONNECT) LocalDateTime(java.time.LocalDateTime) ResourceRequirementsBuilder(io.fabric8.kubernetes.api.model.ResourceRequirementsBuilder) ExternalKafkaClient(io.strimzi.systemtest.kafkaclients.externalClients.ExternalKafkaClient) ExtensionContext(org.junit.jupiter.api.extension.ExtensionContext) MIRROR_MAKER(io.strimzi.systemtest.Constants.MIRROR_MAKER) ArrayList(java.util.ArrayList) PodUtils(io.strimzi.systemtest.utils.kubeUtils.objects.PodUtils) MatcherAssert.assertThat(org.hamcrest.MatcherAssert.assertThat) SslConfigs(org.apache.kafka.common.config.SslConfigs) KafkaTemplates(io.strimzi.systemtest.templates.crd.KafkaTemplates) CertificateAuthority(io.strimzi.api.kafka.model.CertificateAuthority) Constants(io.strimzi.systemtest.Constants) Pod(io.fabric8.kubernetes.api.model.Pod) ParallelNamespaceTest(io.strimzi.systemtest.annotations.ParallelNamespaceTest) IOException(java.io.IOException) EXTERNAL_CLIENTS_USED(io.strimzi.systemtest.Constants.EXTERNAL_CLIENTS_USED) File(java.io.File) KafkaMirrorMakerResource(io.strimzi.systemtest.resources.crd.KafkaMirrorMakerResource) DeploymentUtils(io.strimzi.systemtest.utils.kubeUtils.controllers.DeploymentUtils) KafkaListenerType(io.strimzi.api.kafka.model.listener.arraylistener.KafkaListenerType) KafkaUserUtils(io.strimzi.systemtest.utils.kafkaUtils.KafkaUserUtils) CONNECT_COMPONENTS(io.strimzi.systemtest.Constants.CONNECT_COMPONENTS) SecretBuilder(io.fabric8.kubernetes.api.model.SecretBuilder) REGRESSION(io.strimzi.systemtest.Constants.REGRESSION) KafkaConnectResources(io.strimzi.api.kafka.model.KafkaConnectResources) X509Certificate(java.security.cert.X509Certificate) CoreMatchers.is(org.hamcrest.CoreMatchers.is) KafkaMirrorMakerResources(io.strimzi.api.kafka.model.KafkaMirrorMakerResources) GroupAuthorizationException(org.apache.kafka.common.errors.GroupAuthorizationException) Date(java.util.Date) KafkaResource(io.strimzi.systemtest.resources.crd.KafkaResource) KubeClusterResource.cmdKubeClient(io.strimzi.test.k8s.KubeClusterResource.cmdKubeClient) Random(java.util.Random) STRIMZI_INTERMEDIATE_CA(io.strimzi.systemtest.security.SystemTestCertManager.STRIMZI_INTERMEDIATE_CA) AclOperation(io.strimzi.api.kafka.model.AclOperation) KafkaConnectResource(io.strimzi.systemtest.resources.crd.KafkaConnectResource) SystemTestCertManager.convertPrivateKeyToPKCS8File(io.strimzi.systemtest.security.SystemTestCertManager.convertPrivateKeyToPKCS8File) SecurityProtocol(org.apache.kafka.common.security.auth.SecurityProtocol) CoreMatchers.notNullValue(org.hamcrest.CoreMatchers.notNullValue) KafkaListenerAuthenticationTls(io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationTls) Ca(io.strimzi.operator.cluster.model.Ca) KafkaConnectUtils(io.strimzi.systemtest.utils.kafkaUtils.KafkaConnectUtils) StUtils(io.strimzi.systemtest.utils.StUtils) KafkaConnect(io.strimzi.api.kafka.model.KafkaConnect) KafkaMirrorMaker(io.strimzi.api.kafka.model.KafkaMirrorMaker) INTERNAL_CLIENTS_USED(io.strimzi.systemtest.Constants.INTERNAL_CLIENTS_USED) Collectors(java.util.stream.Collectors) ClientUtils(io.strimzi.systemtest.utils.ClientUtils) CruiseControlResources(io.strimzi.api.kafka.model.CruiseControlResources) KafkaResources.clusterCaCertificateSecretName(io.strimzi.api.kafka.model.KafkaResources.clusterCaCertificateSecretName) List(java.util.List) Labels(io.strimzi.operator.common.model.Labels) KafkaTopicTemplates(io.strimzi.systemtest.templates.crd.KafkaTopicTemplates) Secret(io.fabric8.kubernetes.api.model.Secret) IntStream(java.util.stream.IntStream) KafkaMirrorMakerTemplates(io.strimzi.systemtest.templates.crd.KafkaMirrorMakerTemplates) CoreMatchers.not(org.hamcrest.CoreMatchers.not) HashMap(java.util.HashMap) SecretUtils(io.strimzi.systemtest.utils.kubeUtils.objects.SecretUtils) TestUtils(io.strimzi.test.TestUtils) Collections.singletonMap(java.util.Collections.singletonMap) NODEPORT_SUPPORTED(io.strimzi.systemtest.Constants.NODEPORT_SUPPORTED) ROLLING_UPDATE(io.strimzi.systemtest.Constants.ROLLING_UPDATE) KafkaUtils(io.strimzi.systemtest.utils.kafkaUtils.KafkaUtils) KafkaResources.clientsCaCertificateSecretName(io.strimzi.api.kafka.model.KafkaResources.clientsCaCertificateSecretName) InternalKafkaClient(io.strimzi.systemtest.kafkaclients.clients.InternalKafkaClient) Matchers(org.hamcrest.Matchers) KubeClusterResource.kubeClient(io.strimzi.test.k8s.KubeClusterResource.kubeClient) KafkaUserTemplates(io.strimzi.systemtest.templates.crd.KafkaUserTemplates) LogManager(org.apache.logging.log4j.LogManager) CertificateAuthorityBuilder(io.strimzi.api.kafka.model.CertificateAuthorityBuilder) InputStream(java.io.InputStream) Pod(io.fabric8.kubernetes.api.model.Pod) InputStream(java.io.InputStream) GenericKafkaListenerBuilder(io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListenerBuilder) ResourceRequirementsBuilder(io.fabric8.kubernetes.api.model.ResourceRequirementsBuilder) SecretBuilder(io.fabric8.kubernetes.api.model.SecretBuilder) CertificateAuthorityBuilder(io.strimzi.api.kafka.model.CertificateAuthorityBuilder) ResourceRequirementsBuilder(io.fabric8.kubernetes.api.model.ResourceRequirementsBuilder) LabelSelector(io.fabric8.kubernetes.api.model.LabelSelector) Quantity(io.fabric8.kubernetes.api.model.Quantity) Matchers.containsString(org.hamcrest.Matchers.containsString) CertificateAuthorityBuilder(io.strimzi.api.kafka.model.CertificateAuthorityBuilder) InternalKafkaClient(io.strimzi.systemtest.kafkaclients.clients.InternalKafkaClient) KafkaUser(io.strimzi.api.kafka.model.KafkaUser) ParallelNamespaceTest(io.strimzi.systemtest.annotations.ParallelNamespaceTest) Tag(org.junit.jupiter.api.Tag)

Example 15 with CertificateAuthorityBuilder

use of io.strimzi.api.kafka.model.CertificateAuthorityBuilder in project strimzi by strimzi.

the class CertificateRenewalTest method testNewCertsGetGeneratedWhenInRenewalPeriodAutoWithinMaintenanceWindow.

@Test
public void testNewCertsGetGeneratedWhenInRenewalPeriodAutoWithinMaintenanceWindow(Vertx vertx, VertxTestContext context) throws IOException, CertificateException, KeyStoreException, NoSuchAlgorithmException {
    CertificateAuthority certificateAuthority = new CertificateAuthorityBuilder().withValidityDays(2).withRenewalDays(3).withGenerateCertificateAuthority(true).build();
    Kafka kafka = new KafkaBuilder().editOrNewMetadata().withName(NAME).withNamespace(NAMESPACE).endMetadata().withNewSpec().withClusterCa(certificateAuthority).withClientsCa(certificateAuthority).withMaintenanceTimeWindows("* 10-14 * * * ? *").endSpec().build();
    List<Secret> clusterCaSecrets = initialClusterCaSecrets(certificateAuthority);
    Secret initialClusterCaKeySecret = clusterCaSecrets.get(0);
    Secret initialClusterCaCertSecret = clusterCaSecrets.get(1);
    assertThat(initialClusterCaCertSecret.getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
    assertThat(initialClusterCaCertSecret.getData().get(CA_CRT), is(notNullValue()));
    assertThat(initialClusterCaCertSecret.getData().get(CA_STORE), is(notNullValue()));
    assertThat(initialClusterCaCertSecret.getData().get(CA_STORE_PASSWORD), is(notNullValue()));
    assertThat(isCertInTrustStore(CA_CRT, initialClusterCaCertSecret.getData()), is(true));
    assertThat(initialClusterCaKeySecret.getData().keySet(), is(singleton(CA_KEY)));
    assertThat(initialClusterCaKeySecret.getData().get(CA_KEY), is(notNullValue()));
    List<Secret> clientsCaSecrets = initialClientsCaSecrets(certificateAuthority);
    Secret initialClientsCaKeySecret = clientsCaSecrets.get(0);
    Secret initialClientsCaCertSecret = clientsCaSecrets.get(1);
    assertThat(initialClientsCaCertSecret.getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
    assertThat(initialClientsCaCertSecret.getData().get(CA_CRT), is(notNullValue()));
    assertThat(initialClientsCaCertSecret.getData().get(CA_STORE), is(notNullValue()));
    assertThat(initialClientsCaCertSecret.getData().get(CA_STORE_PASSWORD), is(notNullValue()));
    assertThat(isCertInTrustStore(CA_CRT, initialClientsCaCertSecret.getData()), is(true));
    assertThat(initialClientsCaKeySecret.getData().keySet(), is(singleton(CA_KEY)));
    assertThat(initialClientsCaKeySecret.getData().get(CA_KEY), is(notNullValue()));
    secrets.add(initialClusterCaCertSecret);
    secrets.add(initialClusterCaKeySecret);
    secrets.add(initialClientsCaCertSecret);
    secrets.add(initialClientsCaKeySecret);
    Checkpoint async = context.checkpoint();
    reconcileCa(vertx, kafka, () -> Date.from(Instant.parse("2018-11-26T09:12:00Z"))).onComplete(context.succeeding(c -> context.verify(() -> {
        assertThat(c.getAllValues().size(), is(4));
        Map<String, String> clusterCaCertData = c.getAllValues().get(0).getData();
        assertThat(clusterCaCertData.keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
        X509Certificate newX509ClusterCaCertStore = getCertificateFromTrustStore(CA_CRT, clusterCaCertData);
        assertThat(c.getAllValues().get(0).getMetadata().getAnnotations(), hasEntry(Ca.ANNO_STRIMZI_IO_CA_CERT_GENERATION, "1"));
        String newClusterCaCert = clusterCaCertData.remove(CA_CRT);
        String newClusterCaCertStore = clusterCaCertData.remove(CA_STORE);
        String newClusterCaCertStorePassword = clusterCaCertData.remove(CA_STORE_PASSWORD);
        assertThat(newClusterCaCert, is(notNullValue()));
        assertThat(newClusterCaCertStore, is(notNullValue()));
        assertThat(newClusterCaCertStorePassword, is(notNullValue()));
        assertThat(newClusterCaCert, is(not(initialClusterCaCertSecret.getData().get(CA_CRT))));
        assertThat(newClusterCaCertStore, is(not(initialClusterCaCertSecret.getData().get(CA_STORE))));
        assertThat(newClusterCaCertStorePassword, is(not(initialClusterCaCertSecret.getData().get(CA_STORE_PASSWORD))));
        assertThat(newX509ClusterCaCertStore, is(x509Certificate(newClusterCaCert)));
        Map<String, String> clusterCaKeyData = c.getAllValues().get(1).getData();
        assertThat(clusterCaKeyData.keySet(), is(singleton(CA_KEY)));
        assertThat(c.getAllValues().get(1).getMetadata().getAnnotations(), hasEntry(Ca.ANNO_STRIMZI_IO_CA_KEY_GENERATION, "0"));
        String newClusterCaKey = clusterCaKeyData.remove(CA_KEY);
        assertThat(newClusterCaKey, is(notNullValue()));
        assertThat(newClusterCaKey, is(initialClusterCaKeySecret.getData().get(CA_KEY)));
        Map<String, String> clientsCaCertData = c.getAllValues().get(2).getData();
        assertThat(clientsCaCertData.keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
        X509Certificate newX509ClientsCaCertStore = getCertificateFromTrustStore(CA_CRT, clientsCaCertData);
        assertThat(c.getAllValues().get(2).getMetadata().getAnnotations(), hasEntry(Ca.ANNO_STRIMZI_IO_CA_CERT_GENERATION, "1"));
        String newClientsCaCert = clientsCaCertData.remove(CA_CRT);
        String newClientsCaCertStore = clientsCaCertData.remove(CA_STORE);
        String newClientsCaCertStorePassword = clientsCaCertData.remove(CA_STORE_PASSWORD);
        assertThat(newClientsCaCert, is(notNullValue()));
        assertThat(newClientsCaCertStore, is(notNullValue()));
        assertThat(newClientsCaCertStorePassword, is(notNullValue()));
        assertThat(newClientsCaCert, is(not(initialClientsCaCertSecret.getData().get(CA_CRT))));
        assertThat(newClientsCaCertStore, is(not(initialClientsCaCertSecret.getData().get(CA_STORE))));
        assertThat(newClientsCaCertStorePassword, is(not(initialClientsCaCertSecret.getData().get(CA_STORE_PASSWORD))));
        assertThat(newX509ClientsCaCertStore, is(x509Certificate(newClientsCaCert)));
        Map<String, String> clientsCaKeyData = c.getAllValues().get(3).getData();
        assertThat(clientsCaKeyData.keySet(), is(singleton(CA_KEY)));
        assertThat(c.getAllValues().get(3).getMetadata().getAnnotations(), hasEntry(Ca.ANNO_STRIMZI_IO_CA_KEY_GENERATION, "0"));
        String newClientsCaKey = clientsCaKeyData.remove(CA_KEY);
        assertThat(newClientsCaKey, is(notNullValue()));
        assertThat(newClientsCaKey, is(initialClientsCaKeySecret.getData().get(CA_KEY)));
        async.flag();
    })));
}
Also used : Secret(io.fabric8.kubernetes.api.model.Secret) X509Certificate(java.security.cert.X509Certificate) CoreMatchers.is(org.hamcrest.CoreMatchers.is) BeforeEach(org.junit.jupiter.api.BeforeEach) CertificateFactory(java.security.cert.CertificateFactory) CA_KEY(io.strimzi.operator.cluster.model.Ca.CA_KEY) Date(java.util.Date) ArgumentMatchers.eq(org.mockito.ArgumentMatchers.eq) KeyStoreException(java.security.KeyStoreException) CoreMatchers.notNullValue(org.hamcrest.CoreMatchers.notNullValue) CoreMatchers.instanceOf(org.hamcrest.CoreMatchers.instanceOf) ExtendWith(org.junit.jupiter.api.extension.ExtendWith) ByteArrayInputStream(java.io.ByteArrayInputStream) Collections.singleton(java.util.Collections.singleton) Ca(io.strimzi.operator.cluster.model.Ca) Map(java.util.Map) ResourceOperatorSupplier(io.strimzi.operator.cluster.operator.resource.ResourceOperatorSupplier) ResourceUtils(io.strimzi.operator.cluster.ResourceUtils) Path(java.nio.file.Path) AbstractModel(io.strimzi.operator.cluster.model.AbstractModel) ModelUtils(io.strimzi.operator.cluster.model.ModelUtils) SecretOperator(io.strimzi.operator.common.operator.resource.SecretOperator) KeyStore(java.security.KeyStore) VertxExtension(io.vertx.junit5.VertxExtension) Instant(java.time.Instant) Future(io.vertx.core.Future) Collectors(java.util.stream.Collectors) StandardCharsets(java.nio.charset.StandardCharsets) Subject(io.strimzi.certs.Subject) Test(org.junit.jupiter.api.Test) Objects(java.util.Objects) Base64(java.util.Base64) List(java.util.List) Labels(io.strimzi.operator.common.model.Labels) PasswordGenerator(io.strimzi.operator.common.PasswordGenerator) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) CA_STORE_PASSWORD(io.strimzi.operator.cluster.model.Ca.CA_STORE_PASSWORD) Secret(io.fabric8.kubernetes.api.model.Secret) CA_STORE(io.strimzi.operator.cluster.model.Ca.CA_STORE) Checkpoint(io.vertx.junit5.Checkpoint) ClusterCa(io.strimzi.operator.cluster.model.ClusterCa) PlatformFeaturesAvailability(io.strimzi.operator.PlatformFeaturesAvailability) Mockito.mock(org.mockito.Mockito.mock) VertxTestContext(io.vertx.junit5.VertxTestContext) ArgumentMatchers.any(org.mockito.ArgumentMatchers.any) Matchers.aMapWithSize(org.hamcrest.Matchers.aMapWithSize) CoreMatchers.not(org.hamcrest.CoreMatchers.not) OwnerReference(io.fabric8.kubernetes.api.model.OwnerReference) CertAndKey(io.strimzi.certs.CertAndKey) Supplier(java.util.function.Supplier) KafkaBuilder(io.strimzi.api.kafka.model.KafkaBuilder) ArrayList(java.util.ArrayList) ArgumentCaptor(org.mockito.ArgumentCaptor) KafkaCluster(io.strimzi.operator.cluster.model.KafkaCluster) TestUtils(io.strimzi.test.TestUtils) Matchers.hasSize(org.hamcrest.Matchers.hasSize) ReconcileResult(io.strimzi.operator.common.operator.resource.ReconcileResult) MatcherAssert.assertThat(org.hamcrest.MatcherAssert.assertThat) CertificateExpirationPolicy(io.strimzi.api.kafka.model.CertificateExpirationPolicy) Matchers.hasEntry(org.hamcrest.Matchers.hasEntry) CertificateAuthority(io.strimzi.api.kafka.model.CertificateAuthority) Files(java.nio.file.Files) Promise(io.vertx.core.Promise) KubernetesVersion(io.strimzi.operator.KubernetesVersion) Vertx(io.vertx.core.Vertx) IOException(java.io.IOException) CertificateException(java.security.cert.CertificateException) TestUtils.set(io.strimzi.test.TestUtils.set) Mockito.when(org.mockito.Mockito.when) Reconciliation(io.strimzi.operator.common.Reconciliation) InvalidConfigurationException(io.strimzi.operator.common.InvalidConfigurationException) CA_CRT(io.strimzi.operator.cluster.model.Ca.CA_CRT) SecretBuilder(io.fabric8.kubernetes.api.model.SecretBuilder) Kafka(io.strimzi.api.kafka.model.Kafka) OpenSslCertManager(io.strimzi.certs.OpenSslCertManager) CertificateAuthorityBuilder(io.strimzi.api.kafka.model.CertificateAuthorityBuilder) ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString) Checkpoint(io.vertx.junit5.Checkpoint) Kafka(io.strimzi.api.kafka.model.Kafka) CertificateAuthority(io.strimzi.api.kafka.model.CertificateAuthority) KafkaBuilder(io.strimzi.api.kafka.model.KafkaBuilder) ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString) CertificateAuthorityBuilder(io.strimzi.api.kafka.model.CertificateAuthorityBuilder) X509Certificate(java.security.cert.X509Certificate) Test(org.junit.jupiter.api.Test)

Aggregations

Secret (io.fabric8.kubernetes.api.model.Secret)26 SecretBuilder (io.fabric8.kubernetes.api.model.SecretBuilder)26 CertificateAuthority (io.strimzi.api.kafka.model.CertificateAuthority)26 CertificateAuthorityBuilder (io.strimzi.api.kafka.model.CertificateAuthorityBuilder)26 Ca (io.strimzi.operator.cluster.model.Ca)26 Labels (io.strimzi.operator.common.model.Labels)26 TestUtils (io.strimzi.test.TestUtils)26 IOException (java.io.IOException)26 OwnerReference (io.fabric8.kubernetes.api.model.OwnerReference)24 CertificateExpirationPolicy (io.strimzi.api.kafka.model.CertificateExpirationPolicy)24 Kafka (io.strimzi.api.kafka.model.Kafka)24 KafkaBuilder (io.strimzi.api.kafka.model.KafkaBuilder)24 CertAndKey (io.strimzi.certs.CertAndKey)24 OpenSslCertManager (io.strimzi.certs.OpenSslCertManager)24 Subject (io.strimzi.certs.Subject)24 KubernetesVersion (io.strimzi.operator.KubernetesVersion)24 PlatformFeaturesAvailability (io.strimzi.operator.PlatformFeaturesAvailability)24 ResourceUtils (io.strimzi.operator.cluster.ResourceUtils)24 AbstractModel (io.strimzi.operator.cluster.model.AbstractModel)24 CA_CRT (io.strimzi.operator.cluster.model.Ca.CA_CRT)24