Example 6 with KafkaUserScramSha512ClientAuthentication

Use of io.strimzi.api.kafka.model.KafkaUserScramSha512ClientAuthentication in the project strimzi-kafka-operator by strimzi.

From the class UserST, method testUpdateUser.

@ParallelTest
@Tag(ACCEPTANCE)
void testUpdateUser(ExtensionContext extensionContext) {
    String userName = mapWithTestUsers.get(extensionContext.getDisplayName());
    // Start with a KafkaUser that authenticates with a TLS client certificate
    resourceManager.createResource(extensionContext, KafkaUserTemplates.tlsUser(namespace, userClusterName, userName).build());
    // The User Operator materialises TLS credentials as a Secret holding the CA cert, the user cert and the user's private key
    String kafkaUserSecret = TestUtils.toJsonString(kubeClient(namespace).getSecret(userName));
    assertThat(kafkaUserSecret, hasJsonPath("$.data['ca.crt']", notNullValue()));
    assertThat(kafkaUserSecret, hasJsonPath("$.data['user.crt']", notNullValue()));
    assertThat(kafkaUserSecret, hasJsonPath("$.data['user.key']", notNullValue()));
    assertThat(kafkaUserSecret, hasJsonPath("$.metadata.name", equalTo(userName)));
    assertThat(kafkaUserSecret, hasJsonPath("$.metadata.namespace", equalTo(namespace)));
    KafkaUser kUser = KafkaUserResource.kafkaUserClient().inNamespace(namespace).withName(userName).get();
    String kafkaUserAsJson = TestUtils.toJsonString(kUser);
    assertThat(kafkaUserAsJson, hasJsonPath("$.metadata.name", equalTo(userName)));
    assertThat(kafkaUserAsJson, hasJsonPath("$.metadata.namespace", equalTo(namespace)));
    // A TLS user reports its authentication type as "tls"
    assertThat(kafkaUserAsJson, hasJsonPath("$.spec.authentication.type", equalTo(Constants.TLS_LISTENER_DEFAULT_NAME)));
    // Record observedGeneration so the test can wait until the operator has reconciled the updated spec
    long observedGeneration = KafkaUserResource.kafkaUserClient().inNamespace(namespace).withName(userName).get().getStatus().getObservedGeneration();
    // Switch the user's authentication mechanism from TLS client certificates to SCRAM-SHA-512
    KafkaUserResource.replaceUserResourceInSpecificNamespace(userName, ku -> {
        ku.getMetadata().setResourceVersion(null);
        ku.getSpec().setAuthentication(new KafkaUserScramSha512ClientAuthentication());
    }, namespace);
    KafkaUserUtils.waitForKafkaUserIncreaseObserverGeneration(namespace, observedGeneration, userName);
    KafkaUserUtils.waitForKafkaUserCreation(namespace, userName);
    // After the switch the Secret carries a generated SCRAM password instead of certificate material
    String anotherKafkaUserSecret = TestUtils.toJsonString(kubeClient(namespace).getSecret(namespace, userName));
    assertThat(anotherKafkaUserSecret, hasJsonPath("$.data.password", notNullValue()));
    kUser = Crds.kafkaUserOperation(kubeClient().getClient()).inNamespace(namespace).withName(userName).get();
    kafkaUserAsJson = TestUtils.toJsonString(kUser);
    assertThat(kafkaUserAsJson, hasJsonPath("$.metadata.name", equalTo(userName)));
    assertThat(kafkaUserAsJson, hasJsonPath("$.metadata.namespace", equalTo(namespace)));
    assertThat(kafkaUserAsJson, hasJsonPath("$.spec.authentication.type", equalTo("scram-sha-512")));
    // Clean up: delete the user and wait for the operator to remove it
    Crds.kafkaUserOperation(kubeClient().getClient()).inNamespace(namespace).delete(kUser);
    KafkaUserUtils.waitForKafkaUserDeletion(userName);
}
Also used: KafkaUserScramSha512ClientAuthentication(io.strimzi.api.kafka.model.KafkaUserScramSha512ClientAuthentication) KafkaUser(io.strimzi.api.kafka.model.KafkaUser) ParallelTest(io.strimzi.systemtest.annotations.ParallelTest) Tag(org.junit.jupiter.api.Tag)

Example 7 with KafkaUserScramSha512ClientAuthentication

Use of io.strimzi.api.kafka.model.KafkaUserScramSha512ClientAuthentication in the project strimzi-kafka-operator by strimzi.

From the class ThrottlingQuotaST, method setup.

@BeforeAll
void setup(ExtensionContext extensionContext) {
    sharedTestStorage = new TestStorage(extensionContext, namespace);
    // Deploy Kafka with two internal listeners: a plain listener on 9092 secured with SCRAM-SHA-512
    // and a TLS listener on 9093 secured with TLS client authentication
    LOGGER.info("Deploying shared Kafka across all test cases in {} namespace", sharedTestStorage.getNamespaceName());
    resourceManager.createResource(extensionContext, KafkaTemplates.kafkaEphemeral(sharedTestStorage.getClusterName(), 3).editMetadata().withNamespace(sharedTestStorage.getNamespaceName()).endMetadata().editSpec().editKafka().withListeners(
        new GenericKafkaListenerBuilder().withName(Constants.PLAIN_LISTENER_DEFAULT_NAME).withPort(9092).withType(KafkaListenerType.INTERNAL).withTls(false).withNewKafkaListenerAuthenticationScramSha512Auth().endKafkaListenerAuthenticationScramSha512Auth().build(),
        new GenericKafkaListenerBuilder().withName(Constants.TLS_LISTENER_DEFAULT_NAME).withPort(9093).withType(KafkaListenerType.INTERNAL).withTls(true).withNewKafkaListenerAuthenticationTlsAuth().endKafkaListenerAuthenticationTlsAuth().build()
    ).endKafka().endSpec().build());
    // Create a SCRAM-SHA-512 user with a controller mutation rate quota of 1.0, the throttling quota under test
    resourceManager.createResource(extensionContext, KafkaUserTemplates.defaultUser(sharedTestStorage.getNamespaceName(), sharedTestStorage.getClusterName(), sharedTestStorage.getUserName()).editOrNewSpec().withNewQuotas().withControllerMutationRate(1.0).endQuotas().withAuthentication(new KafkaUserScramSha512ClientAuthentication()).endSpec().build());
    // Admin clients connect through the plain bootstrap address and authenticate with the user's SCRAM credentials
    adminClientsBuilder = new KafkaAdminClientsBuilder().withBootstrapAddress(KafkaResources.plainBootstrapAddress(sharedTestStorage.getClusterName())).withNamespaceName(sharedTestStorage.getNamespaceName()).withAdditionalConfig(KafkaAdminClients.getAdminClientScramConfig(sharedTestStorage.getNamespaceName(), sharedTestStorage.getUserName(), 240000));
}
Also used: GenericKafkaListenerBuilder(io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListenerBuilder) KafkaAdminClientsBuilder(io.strimzi.systemtest.kafkaclients.internalClients.KafkaAdminClientsBuilder) TestStorage(io.strimzi.systemtest.storage.TestStorage) KafkaUserScramSha512ClientAuthentication(io.strimzi.api.kafka.model.KafkaUserScramSha512ClientAuthentication) BeforeAll(org.junit.jupiter.api.BeforeAll)

Example 8 with KafkaUserScramSha512ClientAuthentication

Use of io.strimzi.api.kafka.model.KafkaUserScramSha512ClientAuthentication in the project strimzi-kafka-operator by strimzi.

From the class KafkaClientsTemplates, method createClientSpec.

private static PodSpec createClientSpec(String namespaceName, boolean tlsListener, String kafkaClientsName, boolean hostnameVerification, String listenerName, String secretPrefix, KafkaUser... kafkaUsers) {
    PodSpecBuilder podSpecBuilder = new PodSpecBuilder();
    // Attach an image pull secret when the test environment requires one for the client image
    if (Environment.SYSTEM_TEST_STRIMZI_IMAGE_PULL_SECRET != null && !Environment.SYSTEM_TEST_STRIMZI_IMAGE_PULL_SECRET.isEmpty()) {
        List<LocalObjectReference> imagePullSecrets = Collections.singletonList(new LocalObjectReference(Environment.SYSTEM_TEST_STRIMZI_IMAGE_PULL_SECRET));
        podSpecBuilder.withImagePullSecrets(imagePullSecrets);
    }
    // The client container idles; tests exec producers and consumers into it later
    ContainerBuilder containerBuilder = new ContainerBuilder().withName(kafkaClientsName).withImage(Environment.TEST_CLIENT_IMAGE).withCommand("sleep").withArgs("infinity").withImagePullPolicy(Environment.COMPONENTS_IMAGE_PULL_POLICY);
    // Base client configuration shared by every user
    String producerConfiguration = ProducerConfig.ACKS_CONFIG + "=all\n";
    String consumerConfiguration = ConsumerConfig.AUTO_OFFSET_RESET_CONFIG + "=earliest\n";
    // Note: a varargs parameter that is omitted arrives as an empty array, so only an explicit null takes this branch
    if (kafkaUsers == null) {
        containerBuilder.addNewEnv().withName("PRODUCER_CONFIGURATION").withValue(producerConfiguration).endEnv();
        containerBuilder.addNewEnv().withName("CONSUMER_CONFIGURATION").withValue(consumerConfiguration).endEnv();
    } else {
        for (KafkaUser kafkaUser : kafkaUsers) {
            String kafkaUserName = secretPrefix == null ? kafkaUser.getMetadata().getName() : secretPrefix + kafkaUser.getMetadata().getName();
            // The user's authentication type decides the credential material and the security.protocol used below
            boolean tlsUser = kafkaUser.getSpec() != null && kafkaUser.getSpec().getAuthentication() instanceof KafkaUserTlsClientAuthentication;
            boolean scramShaUser = kafkaUser.getSpec() != null && kafkaUser.getSpec().getAuthentication() instanceof KafkaUserScramSha512ClientAuthentication;
            containerBuilder.addNewEnv().withName("PRODUCER_CONFIGURATION").withValue(producerConfiguration).endEnv();
            containerBuilder.addNewEnv().withName("CONSUMER_CONFIGURATION").withValue(consumerConfiguration).endEnv();
            // Per-user environment variables are suffixed with the user name (dashes replaced by underscores)
            String envVariablesSuffix = String.format("_%s", kafkaUserName.replace("-", "_"));
            containerBuilder.addNewEnv().withName("KAFKA_USER" + envVariablesSuffix).withValue(kafkaUserName).endEnv();
            // Listener TLS plus user auth type selects one of SASL_SSL, SSL, SASL_PLAINTEXT or PLAINTEXT
            if (tlsListener) {
                if (scramShaUser) {
                    producerConfiguration += "security.protocol=SASL_SSL\n";
                    producerConfiguration += saslConfigs(namespaceName, kafkaUser, secretPrefix);
                    consumerConfiguration += "security.protocol=SASL_SSL\n";
                    consumerConfiguration += saslConfigs(namespaceName, kafkaUser, secretPrefix);
                } else {
                    producerConfiguration += "security.protocol=SSL\n";
                    consumerConfiguration += "security.protocol=SSL\n";
                }
                // TLS listeners always need a truststore holding the cluster CA
                producerConfiguration += SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG + "=/tmp/" + kafkaUserName + "-truststore.p12\n" + SslConfigs.SSL_TRUSTSTORE_TYPE_CONFIG + "=pkcs12\n";
                consumerConfiguration += SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG + "=/tmp/" + kafkaUserName + "-truststore.p12\n" + SslConfigs.SSL_TRUSTSTORE_TYPE_CONFIG + "=pkcs12\n";
            } else {
                if (scramShaUser) {
                    // SCRAM credentials over a plain listener are sent without transport encryption
                    producerConfiguration += "security.protocol=SASL_PLAINTEXT\n";
                    producerConfiguration += saslConfigs(namespaceName, kafkaUser, secretPrefix);
                    consumerConfiguration += "security.protocol=SASL_PLAINTEXT\n";
                    consumerConfiguration += saslConfigs(namespaceName, kafkaUser, secretPrefix);
                } else {
                    producerConfiguration += "security.protocol=PLAINTEXT\n";
                    consumerConfiguration += "security.protocol=PLAINTEXT\n";
                }
            }
            if (tlsUser) {
                // TLS users present a client certificate from a keystore built out of the user Secret mounted below
                producerConfiguration += SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG + "=/tmp/" + kafkaUserName + "-keystore.p12\n" + SslConfigs.SSL_KEYSTORE_TYPE_CONFIG + "=pkcs12\n";
                consumerConfiguration += SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG + "=/tmp/" + kafkaUserName + "-keystore.p12\n" + SslConfigs.SSL_KEYSTORE_TYPE_CONFIG + "=pkcs12\n";
                containerBuilder.addNewEnv().withName("PRODUCER_TLS" + envVariablesSuffix).withValue("TRUE").endEnv().addNewEnv().withName("CONSUMER_TLS" + envVariablesSuffix).withValue("TRUE").endEnv();
                String userSecretVolumeName = "tls-cert-" + kafkaUserName;
                String userSecretMountPoint = "/opt/kafka/user-secret-" + kafkaUserName;
                containerBuilder.addNewVolumeMount().withName(userSecretVolumeName).withMountPath(userSecretMountPoint).endVolumeMount().addNewEnv().withName("USER_LOCATION" + envVariablesSuffix).withValue(userSecretMountPoint).endEnv();
                podSpecBuilder.addNewVolume().withName(userSecretVolumeName).withNewSecret().withSecretName(kafkaUserName).endSecret().endVolume();
            }
            if (tlsListener) {
                // Locate the Kafka cluster the user belongs to and mount the CA Secret of its TLS listener
                String clusterName = kafkaUser.getMetadata().getLabels().get(Labels.STRIMZI_CLUSTER_LABEL);
                String clusterNamespace = KafkaResource.kafkaClient().inAnyNamespace().list().getItems().stream().filter(kafka -> kafka.getMetadata().getName().equals(clusterName)).findFirst().orElseThrow().getMetadata().getNamespace();
                String clusterCaSecretName = KafkaUtils.getKafkaTlsListenerCaCertName(clusterNamespace, clusterName, listenerName);
                String clusterCaSecretVolumeName = "ca-cert-" + kafkaUserName;
                String caSecretMountPoint = "/opt/kafka/cluster-ca-" + kafkaUserName;
                containerBuilder.addNewVolumeMount().withName(clusterCaSecretVolumeName).withMountPath(caSecretMountPoint).endVolumeMount().addNewEnv().withName("PRODUCER_TLS" + envVariablesSuffix).withValue("TRUE").endEnv().addNewEnv().withName("CONSUMER_TLS" + envVariablesSuffix).withValue("TRUE").endEnv().addNewEnv().withName("CA_LOCATION" + envVariablesSuffix).withValue(caSecretMountPoint).endEnv().addNewEnv().withName("TRUSTSTORE_LOCATION" + envVariablesSuffix).withValue("/tmp/" + kafkaUserName + "-truststore.p12").endEnv();
                if (tlsUser) {
                    containerBuilder.addNewEnv().withName("KEYSTORE_LOCATION" + envVariablesSuffix).withValue("/tmp/" + kafkaUserName + "-keystore.p12").endEnv();
                }
                podSpecBuilder.addNewVolume().withName(clusterCaSecretVolumeName).withNewSecret().withSecretName(clusterCaSecretName).endSecret().endVolume();
            }
            if (!hostnameVerification) {
                // An empty ssl.endpoint.identification.algorithm disables TLS hostname verification on the client:
                // the broker certificate is still validated against the truststore, but its subject is no longer
                // checked against the host being connected to. Acceptable in this test harness, not for production clients.
                producerConfiguration += SslConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG + "=";
                consumerConfiguration += SslConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG + "=";
            }
            // Publish the assembled per-user configuration for the producer and consumer
            containerBuilder.addNewEnv().withName("PRODUCER_CONFIGURATION" + envVariablesSuffix).withValue(producerConfiguration).endEnv();
            containerBuilder.addNewEnv().withName("CONSUMER_CONFIGURATION" + envVariablesSuffix).withValue(consumerConfiguration).endEnv();
            containerBuilder.withResources(new ResourceRequirementsBuilder().addToRequests("memory", new Quantity("200M")).build());
        }
    }
    return podSpecBuilder.withContainers(containerBuilder.build()).build();
}
Also used: PodSpecBuilder(io.fabric8.kubernetes.api.model.PodSpecBuilder) KafkaUserTlsClientAuthentication(io.strimzi.api.kafka.model.KafkaUserTlsClientAuthentication) ContainerBuilder(io.fabric8.kubernetes.api.model.ContainerBuilder) LocalObjectReference(io.fabric8.kubernetes.api.model.LocalObjectReference) ResourceRequirementsBuilder(io.fabric8.kubernetes.api.model.ResourceRequirementsBuilder) Quantity(io.fabric8.kubernetes.api.model.Quantity) TestUtils.toYamlString(io.strimzi.test.TestUtils.toYamlString) KafkaUserScramSha512ClientAuthentication(io.strimzi.api.kafka.model.KafkaUserScramSha512ClientAuthentication) KafkaUser(io.strimzi.api.kafka.model.KafkaUser)

Aggregations

KafkaUserScramSha512ClientAuthentication (io.strimzi.api.kafka.model.KafkaUserScramSha512ClientAuthentication): 8
KafkaUser (io.strimzi.api.kafka.model.KafkaUser): 6
ContainerBuilder (io.fabric8.kubernetes.api.model.ContainerBuilder): 2
LocalObjectReference (io.fabric8.kubernetes.api.model.LocalObjectReference): 2
PodSpecBuilder (io.fabric8.kubernetes.api.model.PodSpecBuilder): 2
Quantity (io.fabric8.kubernetes.api.model.Quantity): 2
ResourceRequirementsBuilder (io.fabric8.kubernetes.api.model.ResourceRequirementsBuilder): 2
KafkaUserTlsClientAuthentication (io.strimzi.api.kafka.model.KafkaUserTlsClientAuthentication): 2
GenericKafkaListenerBuilder (io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListenerBuilder): 2
ParallelTest (io.strimzi.systemtest.annotations.ParallelTest): 2
KafkaAdminClientsBuilder (io.strimzi.systemtest.kafkaclients.internalClients.KafkaAdminClientsBuilder): 2
TestStorage (io.strimzi.systemtest.storage.TestStorage): 2
TestUtils.toYamlString (io.strimzi.test.TestUtils.toYamlString): 2
BeforeAll (org.junit.jupiter.api.BeforeAll): 2
Tag (org.junit.jupiter.api.Tag): 2