Use of io.strimzi.api.kafka.model.KafkaUserScramSha512ClientAuthentication in project strimzi-kafka-operator (by strimzi):
class UserST, method testUpdateUser.
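/**
 * Verifies that a KafkaUser can be switched from TLS client authentication to
 * SCRAM-SHA-512 in place, and that the User Operator rotates the user's Secret
 * accordingly: the SCRAM Secret must carry a password and must no longer
 * distribute the TLS private key that the first Secret held.
 *
 * Flow: create a TLS user, check its Secret and CR, change the authentication
 * type, wait for the operator to observe the new generation, check the new
 * Secret and CR, then delete the user.
 *
 * @param extensionContext JUnit context; its display name keys the per-test user name
 */
@ParallelTest
@Tag(ACCEPTANCE)
void testUpdateUser(ExtensionContext extensionContext) {
    String userName = mapWithTestUsers.get(extensionContext.getDisplayName());

    // Phase 1: TLS user. The Secret is expected to hold the clients CA cert plus the user's cert and key.
    resourceManager.createResource(extensionContext, KafkaUserTemplates.tlsUser(namespace, userClusterName, userName).build());

    String tlsUserSecret = TestUtils.toJsonString(kubeClient(namespace).getSecret(userName));
    assertThat(tlsUserSecret, hasJsonPath("$.data['ca.crt']", notNullValue()));
    assertThat(tlsUserSecret, hasJsonPath("$.data['user.crt']", notNullValue()));
    assertThat(tlsUserSecret, hasJsonPath("$.data['user.key']", notNullValue()));
    assertThat(tlsUserSecret, hasJsonPath("$.metadata.name", equalTo(userName)));
    assertThat(tlsUserSecret, hasJsonPath("$.metadata.namespace", equalTo(namespace)));

    KafkaUser kUser = KafkaUserResource.kafkaUserClient().inNamespace(namespace).withName(userName).get();
    String kafkaUserAsJson = TestUtils.toJsonString(kUser);
    assertThat(kafkaUserAsJson, hasJsonPath("$.metadata.name", equalTo(userName)));
    assertThat(kafkaUserAsJson, hasJsonPath("$.metadata.namespace", equalTo(namespace)));
    // Assert the authentication type by its own literal, mirroring the "scram-sha-512" check below,
    // rather than via a listener-name constant that merely happens to share the value "tls".
    assertThat(kafkaUserAsJson, hasJsonPath("$.spec.authentication.type", equalTo("tls")));

    // Re-read the status right before the update so the generation we wait on is current.
    long observedGeneration = KafkaUserResource.kafkaUserClient().inNamespace(namespace).withName(userName).get().getStatus().getObservedGeneration();

    // Phase 2: switch the same user to SCRAM-SHA-512. resourceVersion is cleared so the
    // replace is not rejected as a stale update.
    KafkaUserResource.replaceUserResourceInSpecificNamespace(userName, ku -> {
        ku.getMetadata().setResourceVersion(null);
        ku.getSpec().setAuthentication(new KafkaUserScramSha512ClientAuthentication());
    }, namespace);
    KafkaUserUtils.waitForKafkaUserIncreaseObserverGeneration(namespace, observedGeneration, userName);
    KafkaUserUtils.waitForKafkaUserCreation(namespace, userName);

    String scramUserSecret = TestUtils.toJsonString(kubeClient(namespace).getSecret(userName));
    assertThat(scramUserSecret, hasJsonPath("$.data.password", notNullValue()));
    // Credential rotation must not leave the old TLS material behind: after the switch the
    // Secret must stop distributing the user's private key and certificate.
    assertThat(kubeClient(namespace).getSecret(userName).getData().containsKey("user.key"), equalTo(false));
    assertThat(kubeClient(namespace).getSecret(userName).getData().containsKey("user.crt"), equalTo(false));

    kUser = Crds.kafkaUserOperation(kubeClient().getClient()).inNamespace(namespace).withName(userName).get();
    kafkaUserAsJson = TestUtils.toJsonString(kUser);
    assertThat(kafkaUserAsJson, hasJsonPath("$.metadata.name", equalTo(userName)));
    assertThat(kafkaUserAsJson, hasJsonPath("$.metadata.namespace", equalTo(namespace)));
    assertThat(kafkaUserAsJson, hasJsonPath("$.spec.authentication.type", equalTo("scram-sha-512")));

    // Cleanup. NOTE(review): waitForKafkaUserDeletion takes no namespace here while the other
    // waits do — confirm the overload resolves to the test namespace.
    Crds.kafkaUserOperation(kubeClient().getClient()).inNamespace(namespace).delete(kUser);
    KafkaUserUtils.waitForKafkaUserDeletion(userName);
}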
Use of io.strimzi.api.kafka.model.KafkaUserScramSha512ClientAuthentication in project strimzi-kafka-operator (by strimzi):
class ThrottlingQuotaST, method setup.
/**
 * One-time fixture for the throttling-quota tests: deploys a shared 3-broker ephemeral
 * Kafka with two internal listeners, a SCRAM-SHA-512 user carrying a controller mutation
 * rate quota of 1.0, and prepares an admin-client builder bound to that user.
 *
 * Listener layout:
 *  - plain (9092), no TLS, SCRAM-SHA-512 auth — the SCRAM exchange itself does not reveal
 *    the password, but all traffic after authentication is unencrypted; acceptable here only
 *    because the listener is INTERNAL (presumably cluster-local) and this is a quota test.
 *  - tls (9093), TLS with mutual-TLS client authentication.
 *
 * @param extensionContext JUnit context used to register the created resources
 */
@BeforeAll
void setup(ExtensionContext extensionContext) {
    sharedTestStorage = new TestStorage(extensionContext, namespace);

    String namespaceName = sharedTestStorage.getNamespaceName();
    String clusterName = sharedTestStorage.getClusterName();
    String userName = sharedTestStorage.getUserName();

    LOGGER.info("Deploying shared Kafka across all test cases in {} namespace", namespaceName);

    resourceManager.createResource(extensionContext,
        KafkaTemplates.kafkaEphemeral(clusterName, 3)
            .editMetadata()
                .withNamespace(namespaceName)
            .endMetadata()
            .editSpec()
                .editKafka()
                    .withListeners(
                        // Plaintext listener authenticated with SCRAM-SHA-512.
                        new GenericKafkaListenerBuilder()
                            .withName(Constants.PLAIN_LISTENER_DEFAULT_NAME)
                            .withPort(9092)
                            .withType(KafkaListenerType.INTERNAL)
                            .withTls(false)
                            .withNewKafkaListenerAuthenticationScramSha512Auth()
                            .endKafkaListenerAuthenticationScramSha512Auth()
                            .build(),
                        // TLS listener with client-certificate authentication.
                        new GenericKafkaListenerBuilder()
                            .withName(Constants.TLS_LISTENER_DEFAULT_NAME)
                            .withPort(9093)
                            .withType(KafkaListenerType.INTERNAL)
                            .withTls(true)
                            .withNewKafkaListenerAuthenticationTlsAuth()
                            .endKafkaListenerAuthenticationTlsAuth()
                            .build())
                .endKafka()
            .endSpec()
            .build());

    // SCRAM user limited by a controller mutation rate quota; the quota, not the auth mechanism,
    // is what the tests in this class exercise.
    resourceManager.createResource(extensionContext,
        KafkaUserTemplates.defaultUser(namespaceName, clusterName, userName)
            .editOrNewSpec()
                .withNewQuotas()
                    .withControllerMutationRate(1.0)
                .endQuotas()
                .withAuthentication(new KafkaUserScramSha512ClientAuthentication())
            .endSpec()
            .build());

    // Admin clients talk to the plain (SCRAM) bootstrap address with a 240 s timeout.
    adminClientsBuilder = new KafkaAdminClientsBuilder()
        .withBootstrapAddress(KafkaResources.plainBootstrapAddress(clusterName))
        .withNamespaceName(namespaceName)
        .withAdditionalConfig(KafkaAdminClients.getAdminClientScramConfig(namespaceName, userName, 240000));
}
Use of io.strimzi.api.kafka.model.KafkaUserScramSha512ClientAuthentication in project strimzi-kafka-operator (by strimzi):
class KafkaClientsTemplates, method createClientSpec.
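/**
 * Builds the PodSpec for a test-client Pod that idles ({@code sleep infinity}) and carries, as
 * environment variables, the Kafka client properties and credential locations for each given user.
 *
 * For every user a suffixed set of variables is exported ({@code PRODUCER_CONFIGURATION_<user>},
 * {@code CONSUMER_CONFIGURATION_<user>}, {@code KAFKA_USER_<user>}, and the TLS/keystore/truststore
 * locations where applicable). The user's Secret and, for TLS listeners, the listener's CA Secret are
 * mounted into the container. An unsuffixed {@code PRODUCER_CONFIGURATION}/{@code CONSUMER_CONFIGURATION}
 * pair holding only the base properties is always exported once.
 *
 * Each user's properties are derived from the base properties only, never from another user's, so a
 * SCRAM user listed after a TLS user does not inherit that user's keystore lines.
 *
 * @param namespaceName        namespace the client runs in; forwarded to {@code saslConfigs}
 * @param tlsListener          true when the target listener is TLS (SSL / SASL_SSL), false for
 *                             PLAINTEXT / SASL_PLAINTEXT — on a plaintext listener everything after the
 *                             SASL handshake travels unencrypted
 * @param kafkaClientsName     container name
 * @param hostnameVerification when false, {@code ssl.endpoint.identification.algorithm} is blanked so
 *                             the client validates only the broker's certificate chain, not its hostname;
 *                             a test-only relaxation that must not be copied into production clients
 * @param listenerName         listener whose CA certificate Secret is mounted (TLS listeners only)
 * @param secretPrefix         optional prefix prepended to each user's Secret name; may be null
 * @param kafkaUsers           users to provision; null or empty yields a client with only the base config
 * @return the assembled PodSpec
 */
private static PodSpec createClientSpec(String namespaceName, boolean tlsListener, String kafkaClientsName, boolean hostnameVerification, String listenerName, String secretPrefix, KafkaUser... kafkaUsers) {
    PodSpecBuilder podSpecBuilder = new PodSpecBuilder();

    String pullSecret = Environment.SYSTEM_TEST_STRIMZI_IMAGE_PULL_SECRET;
    if (pullSecret != null && !pullSecret.isEmpty()) {
        podSpecBuilder.withImagePullSecrets(Collections.singletonList(new LocalObjectReference(pullSecret)));
    }

    ContainerBuilder containerBuilder = new ContainerBuilder()
        .withName(kafkaClientsName)
        .withImage(Environment.TEST_CLIENT_IMAGE)
        .withCommand("sleep")
        .withArgs("infinity")
        .withImagePullPolicy(Environment.COMPONENTS_IMAGE_PULL_POLICY);

    // Base properties shared by every user. Kept immutable so each user starts from the same string.
    final String baseProducerConfiguration = ProducerConfig.ACKS_CONFIG + "=all\n";
    final String baseConsumerConfiguration = ConsumerConfig.AUTO_OFFSET_RESET_CONFIG + "=earliest\n";

    // Exported exactly once. This also covers an empty varargs array, which a plain null check misses.
    containerBuilder.addNewEnv().withName("PRODUCER_CONFIGURATION").withValue(baseProducerConfiguration).endEnv();
    containerBuilder.addNewEnv().withName("CONSUMER_CONFIGURATION").withValue(baseConsumerConfiguration).endEnv();

    if (kafkaUsers != null) {
        for (KafkaUser kafkaUser : kafkaUsers) {
            String kafkaUserName = secretPrefix == null
                ? kafkaUser.getMetadata().getName()
                : secretPrefix + kafkaUser.getMetadata().getName();
            boolean tlsUser = kafkaUser.getSpec() != null
                && kafkaUser.getSpec().getAuthentication() instanceof KafkaUserTlsClientAuthentication;
            boolean scramShaUser = kafkaUser.getSpec() != null
                && kafkaUser.getSpec().getAuthentication() instanceof KafkaUserScramSha512ClientAuthentication;

            // Env var names cannot contain '-', so the user name is mangled into the suffix.
            String envVariablesSuffix = String.format("_%s", kafkaUserName.replace("-", "_"));
            String truststorePath = "/tmp/" + kafkaUserName + "-truststore.p12";
            String keystorePath = "/tmp/" + kafkaUserName + "-keystore.p12";

            containerBuilder.addNewEnv().withName("KAFKA_USER" + envVariablesSuffix).withValue(kafkaUserName).endEnv();

            // security.protocol is the cross product of listener encryption and user mechanism.
            String securityProtocol = tlsListener
                ? (scramShaUser ? "SASL_SSL" : "SSL")
                : (scramShaUser ? "SASL_PLAINTEXT" : "PLAINTEXT");

            // Producer and consumer receive the same security properties, so they are built once.
            // Order matches what the test client image expects: protocol, SASL, truststore, keystore.
            String userProperties = "security.protocol=" + securityProtocol + "\n";
            if (scramShaUser) {
                // assumes saslConfigs is side-effect free, so one call serves both clients — TODO confirm
                userProperties += saslConfigs(namespaceName, kafkaUser, secretPrefix);
            }
            if (tlsListener) {
                userProperties += SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG + "=" + truststorePath + "\n"
                    + SslConfigs.SSL_TRUSTSTORE_TYPE_CONFIG + "=pkcs12\n";
            }
            if (tlsUser) {
                userProperties += SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG + "=" + keystorePath + "\n"
                    + SslConfigs.SSL_KEYSTORE_TYPE_CONFIG + "=pkcs12\n";
            }
            if (!hostnameVerification) {
                // Empty algorithm disables hostname verification in the Kafka client; the broker
                // certificate chain is still validated against the truststore. Test-only.
                userProperties += SslConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG + "=";
            }

            if (tlsUser || tlsListener) {
                // A single PRODUCER_TLS/CONSUMER_TLS pair per user; both conditions used to add them.
                containerBuilder
                    .addNewEnv().withName("PRODUCER_TLS" + envVariablesSuffix).withValue("TRUE").endEnv()
                    .addNewEnv().withName("CONSUMER_TLS" + envVariablesSuffix).withValue("TRUE").endEnv();
            }

            if (tlsUser) {
                // Mount the user's Secret (cert + key) and tell the client where to build its keystore.
                String userSecretVolumeName = "tls-cert-" + kafkaUserName;
                String userSecretMountPoint = "/opt/kafka/user-secret-" + kafkaUserName;
                containerBuilder
                    .addNewVolumeMount().withName(userSecretVolumeName).withMountPath(userSecretMountPoint).endVolumeMount()
                    .addNewEnv().withName("USER_LOCATION" + envVariablesSuffix).withValue(userSecretMountPoint).endEnv();
                podSpecBuilder.addNewVolume().withName(userSecretVolumeName).withNewSecret().withSecretName(kafkaUserName).endSecret().endVolume();
            }

            if (tlsListener) {
                // Resolve the user's cluster by label, then find the cluster's namespace. NOTE(review): the
                // lookup is by name across all namespaces and takes the first match — ambiguous if two
                // Kafka clusters share a name; confirm that cannot happen in the test environment.
                String clusterName = kafkaUser.getMetadata().getLabels().get(Labels.STRIMZI_CLUSTER_LABEL);
                String clusterNamespace = KafkaResource.kafkaClient().inAnyNamespace().list().getItems().stream()
                    .filter(kafka -> kafka.getMetadata().getName().equals(clusterName))
                    .findFirst()
                    .orElseThrow()
                    .getMetadata()
                    .getNamespace();
                String clusterCaSecretName = KafkaUtils.getKafkaTlsListenerCaCertName(clusterNamespace, clusterName, listenerName);
                String clusterCaSecretVolumeName = "ca-cert-" + kafkaUserName;
                String caSecretMountPoint = "/opt/kafka/cluster-ca-" + kafkaUserName;

                containerBuilder
                    .addNewVolumeMount().withName(clusterCaSecretVolumeName).withMountPath(caSecretMountPoint).endVolumeMount()
                    .addNewEnv().withName("CA_LOCATION" + envVariablesSuffix).withValue(caSecretMountPoint).endEnv()
                    .addNewEnv().withName("TRUSTSTORE_LOCATION" + envVariablesSuffix).withValue(truststorePath).endEnv();
                if (tlsUser) {
                    containerBuilder.addNewEnv().withName("KEYSTORE_LOCATION" + envVariablesSuffix).withValue(keystorePath).endEnv();
                }
                podSpecBuilder.addNewVolume().withName(clusterCaSecretVolumeName).withNewSecret().withSecretName(clusterCaSecretName).endSecret().endVolume();
            }

            containerBuilder.addNewEnv().withName("PRODUCER_CONFIGURATION" + envVariablesSuffix).withValue(baseProducerConfiguration + userProperties).endEnv();
            containerBuilder.addNewEnv().withName("CONSUMER_CONFIGURATION" + envVariablesSuffix).withValue(baseConsumerConfiguration + userProperties).endEnv();
        }
    }

    // Set once for the container rather than re-applied per user.
    containerBuilder.withResources(new ResourceRequirementsBuilder().addToRequests("memory", new Quantity("200M")).build());

    return podSpecBuilder.withContainers(containerBuilder.build()).build();
}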