use of io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListener in project strimzi-kafka-operator by strimzi.
the class KafkaBrokerConfigurationBuilderTest method testWithExternalRouteListenersWithSaslAuth.
@ParallelTest
public void testWithExternalRouteListenersWithSaslAuth() {
GenericKafkaListener listener = new GenericKafkaListenerBuilder().withName("external").withPort(9094).withType(KafkaListenerType.ROUTE).withTls(true).withNewKafkaListenerAuthenticationScramSha512Auth().endKafkaListenerAuthenticationScramSha512Auth().build();
String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION).withListeners("my-cluster", "my-namespace", singletonList(listener), false).build();
assertThat(configuration, isEquivalent("listener.name.controlplane-9090.ssl.client.auth=required", "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", "listener.name.controlplane-9090.ssl.keystore.password=${CERTS_STORE_PASSWORD}", "listener.name.controlplane-9090.ssl.keystore.type=PKCS12", "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", "listener.name.controlplane-9090.ssl.truststore.password=${CERTS_STORE_PASSWORD}", "listener.name.controlplane-9090.ssl.truststore.type=PKCS12", "listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", "listener.name.replication-9091.ssl.keystore.password=${CERTS_STORE_PASSWORD}", "listener.name.replication-9091.ssl.keystore.type=PKCS12", "listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", "listener.name.replication-9091.ssl.truststore.password=${CERTS_STORE_PASSWORD}", "listener.name.replication-9091.ssl.truststore.type=PKCS12", "listener.name.replication-9091.ssl.client.auth=required", "listeners=CONTROLPLANE-9090://0.0.0.0:9090,REPLICATION-9091://0.0.0.0:9091,EXTERNAL-9094://0.0.0.0:9094", "advertised.listeners=CONTROLPLANE-9090://my-cluster-kafka-${STRIMZI_BROKER_ID}.my-cluster-kafka-brokers.my-namespace.svc:9090,REPLICATION-9091://my-cluster-kafka-${STRIMZI_BROKER_ID}.my-cluster-kafka-brokers.my-namespace.svc:9091,EXTERNAL-9094://${STRIMZI_EXTERNAL_9094_ADVERTISED_HOSTNAME}:${STRIMZI_EXTERNAL_9094_ADVERTISED_PORT}", "listener.security.protocol.map=CONTROLPLANE-9090:SSL,REPLICATION-9091:SSL,EXTERNAL-9094:SASL_SSL", "inter.broker.listener.name=REPLICATION-9091", "sasl.enabled.mechanisms=", "ssl.secure.random.implementation=SHA1PRNG", "ssl.endpoint.identification.algorithm=HTTPS", "listener.name.external-9094.scram-sha-512.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required;", "listener.name.external-9094.sasl.enabled.mechanisms=SCRAM-SHA-512", "listener.name.external-9094.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", "listener.name.external-9094.ssl.keystore.password=${CERTS_STORE_PASSWORD}", "listener.name.external-9094.ssl.keystore.type=PKCS12"));
}
use of io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListener in project strimzi-kafka-operator by strimzi.
the class KafkaBrokerConfigurationBuilderTest method testCustomAuthConfigPrefixesUserProvidedConfig.
@ParallelTest
public void testCustomAuthConfigPrefixesUserProvidedConfig() {
GenericKafkaListener listener = new GenericKafkaListenerBuilder().withName("CUSTOM-LISTENER").withPort(9092).withType(KafkaListenerType.INTERNAL).withTls(true).withNewKafkaListenerAuthenticationCustomAuth().withSasl(true).withListenerConfig(Map.of("oauthbearer.sasl.client.callback.handler.class", "client.class", "oauthbearer.sasl.server.callback.handler.class", "server.class", "oauthbearer.sasl.login.callback.handler.class", "login.class", "oauthbearer.connections.max.reauth.ms", 999999999, "sasl.enabled.mechanisms", "oauthbearer", "oauthbearer.sasl.jaas.config", "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required ;")).endKafkaListenerAuthenticationCustomAuth().build();
String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION).withListeners("my-cluster", "my-namespace", singletonList(listener), false).build();
assertThat(configuration, isEquivalent("listener.name.controlplane-9090.ssl.client.auth=required", "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", "listener.name.controlplane-9090.ssl.keystore.password=${CERTS_STORE_PASSWORD}", "listener.name.controlplane-9090.ssl.keystore.type=PKCS12", "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", "listener.name.controlplane-9090.ssl.truststore.password=${CERTS_STORE_PASSWORD}", "listener.name.controlplane-9090.ssl.truststore.type=PKCS12", "listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", "listener.name.replication-9091.ssl.keystore.password=${CERTS_STORE_PASSWORD}", "listener.name.replication-9091.ssl.keystore.type=PKCS12", "listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", "listener.name.replication-9091.ssl.truststore.password=${CERTS_STORE_PASSWORD}", "listener.name.replication-9091.ssl.truststore.type=PKCS12", "listener.name.replication-9091.ssl.client.auth=required", "listener.name.custom-listener-9092.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", "listener.name.custom-listener-9092.ssl.keystore.password=${CERTS_STORE_PASSWORD}", "listener.name.custom-listener-9092.ssl.keystore.type=PKCS12", "listeners=CONTROLPLANE-9090://0.0.0.0:9090,REPLICATION-9091://0.0.0.0:9091,CUSTOM-LISTENER-9092://0.0.0.0:9092", "advertised.listeners=CONTROLPLANE-9090://my-cluster-kafka-${STRIMZI_BROKER_ID}.my-cluster" + "-kafka-brokers.my-namespace.svc:9090,REPLICATION-9091://my-cluster-kafka-${STRIMZI_BROKER_ID}.my-cluster-kafka-brokers.my-namespace.svc:9091,CUSTOM-LISTENER-9092://${STRIMZI_CUSTOM-LISTENER_9092_ADVERTISED_HOSTNAME}:${STRIMZI_CUSTOM-LISTENER_9092_ADVERTISED_PORT}", "listener.security.protocol.map=CONTROLPLANE-9090:SSL,REPLICATION-9091:SSL,CUSTOM-LISTENER-9092:SASL_SSL", "inter.broker.listener.name=REPLICATION-9091", "sasl.enabled.mechanisms=", "ssl.secure.random.implementation=SHA1PRNG", "ssl.endpoint.identification.algorithm=HTTPS", "listener.name.custom-listener-9092.sasl.enabled.mechanisms=oauthbearer", "listener.name.custom-listener-9092.oauthbearer.sasl.client.callback.handler.class=client.class", "listener.name.custom-listener-9092.oauthbearer.sasl.server.callback.handler.class=server.class", "listener.name.custom-listener-9092.oauthbearer.sasl.login.callback.handler.class=login.class", "listener.name.custom-listener-9092.oauthbearer.connections.max.reauth.ms=999999999", "listener.name.custom-listener-9092.oauthbearer.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required ;"));
}
use of io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListener in project strimzi-kafka-operator by strimzi.
the class KafkaClusterOAuthValidationTest method testOAuthAuthnAuthz.
@ParallelTest
public void testOAuthAuthnAuthz() {
List<GenericKafkaListener> listeners = asList(new GenericKafkaListenerBuilder().withName("listener1").withPort(9900).withType(KafkaListenerType.INTERNAL).withAuth(new KafkaListenerAuthenticationOAuthBuilder().withClientId("my-client-id").withValidIssuerUri("http://valid-issuer").withJwksEndpointUri("http://jwks-endpoint").withJwksRefreshSeconds(30).withJwksExpirySeconds(90).withJwksMinRefreshPauseSeconds(5).withConnectTimeoutSeconds(20).withReadTimeoutSeconds(20).withGroupsClaim("$.groups").withMaxSecondsWithoutReauthentication(1800).withNewClientSecret().withSecretName("my-secret-secret").withKey("my-secret-key").endClientSecret().build()).build());
Kafka kafkaAssembly = new KafkaBuilder().withNewMetadata().withName("my-cluster").withNamespace("my-namespace").endMetadata().withNewSpec().withNewKafka().withReplicas(3).withStorage(new EphemeralStorage()).withListeners(listeners).withAuthorization(new KafkaAuthorizationKeycloakBuilder().withTokenEndpointUri("http://token-endpoint").withClientId("my-client-id").withDelegateToKafkaAcls(true).withGrantsRefreshPeriodSeconds(60).withGrantsRefreshPoolSize(5).withSuperUsers("alice", "CN=alice").build()).endKafka().withNewZookeeper().withReplicas(3).withStorage(new EphemeralStorage()).endZookeeper().endSpec().build();
KafkaCluster.fromCrd(Reconciliation.DUMMY_RECONCILIATION, kafkaAssembly, VERSIONS);
}
use of io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListener in project strimzi-kafka-operator by strimzi.
the class KafkaBrokerConfigurationBuilderTest method testWithExternalListenersNodePortWithTls.
@ParallelTest
public void testWithExternalListenersNodePortWithTls() {
GenericKafkaListener listener = new GenericKafkaListenerBuilder().withName("external").withPort(9094).withType(KafkaListenerType.NODEPORT).withTls(true).build();
String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION).withListeners("my-cluster", "my-namespace", singletonList(listener), false).build();
assertThat(configuration, isEquivalent("listener.name.controlplane-9090.ssl.client.auth=required", "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", "listener.name.controlplane-9090.ssl.keystore.password=${CERTS_STORE_PASSWORD}", "listener.name.controlplane-9090.ssl.keystore.type=PKCS12", "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", "listener.name.controlplane-9090.ssl.truststore.password=${CERTS_STORE_PASSWORD}", "listener.name.controlplane-9090.ssl.truststore.type=PKCS12", "listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", "listener.name.replication-9091.ssl.keystore.password=${CERTS_STORE_PASSWORD}", "listener.name.replication-9091.ssl.keystore.type=PKCS12", "listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", "listener.name.replication-9091.ssl.truststore.password=${CERTS_STORE_PASSWORD}", "listener.name.replication-9091.ssl.truststore.type=PKCS12", "listener.name.replication-9091.ssl.client.auth=required", "listeners=CONTROLPLANE-9090://0.0.0.0:9090,REPLICATION-9091://0.0.0.0:9091,EXTERNAL-9094://0.0.0.0:9094", "advertised.listeners=CONTROLPLANE-9090://my-cluster-kafka-${STRIMZI_BROKER_ID}.my-cluster-kafka-brokers.my-namespace.svc:9090,REPLICATION-9091://my-cluster-kafka-${STRIMZI_BROKER_ID}.my-cluster-kafka-brokers.my-namespace.svc:9091,EXTERNAL-9094://${STRIMZI_EXTERNAL_9094_ADVERTISED_HOSTNAME}:${STRIMZI_EXTERNAL_9094_ADVERTISED_PORT}", "listener.security.protocol.map=CONTROLPLANE-9090:SSL,REPLICATION-9091:SSL,EXTERNAL-9094:SSL", "inter.broker.listener.name=REPLICATION-9091", "sasl.enabled.mechanisms=", "ssl.secure.random.implementation=SHA1PRNG", "ssl.endpoint.identification.algorithm=HTTPS", "listener.name.external-9094.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", "listener.name.external-9094.ssl.keystore.password=${CERTS_STORE_PASSWORD}", "listener.name.external-9094.ssl.keystore.type=PKCS12"));
}
use of io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListener in project strimzi-kafka-operator by strimzi.
the class KafkaBrokerConfigurationBuilderTest method testOauthConfigurationWithClientSecret.
@ParallelTest
public void testOauthConfigurationWithClientSecret() {
GenericKafkaListener listener = new GenericKafkaListenerBuilder().withName("plain").withPort(9092).withType(KafkaListenerType.INTERNAL).withTls(false).withNewKafkaListenerAuthenticationOAuth().withValidIssuerUri("https://valid-issuer").withIntrospectionEndpointUri("https://intro").withCheckAudience(true).withCustomClaimCheck("'kafka-user' in @.roles.client-roles.kafka").withClientId("my-oauth-client").withNewClientSecret().withSecretName("my-secret").withKey("client-secret").endClientSecret().endKafkaListenerAuthenticationOAuth().build();
String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION).withListeners("my-cluster", "my-namespace", singletonList(listener), false).build();
assertThat(configuration, isEquivalent("listener.name.controlplane-9090.ssl.client.auth=required", "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", "listener.name.controlplane-9090.ssl.keystore.password=${CERTS_STORE_PASSWORD}", "listener.name.controlplane-9090.ssl.keystore.type=PKCS12", "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", "listener.name.controlplane-9090.ssl.truststore.password=${CERTS_STORE_PASSWORD}", "listener.name.controlplane-9090.ssl.truststore.type=PKCS12", "listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", "listener.name.replication-9091.ssl.keystore.password=${CERTS_STORE_PASSWORD}", "listener.name.replication-9091.ssl.keystore.type=PKCS12", "listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", "listener.name.replication-9091.ssl.truststore.password=${CERTS_STORE_PASSWORD}", "listener.name.replication-9091.ssl.truststore.type=PKCS12", "listener.name.replication-9091.ssl.client.auth=required", "listeners=CONTROLPLANE-9090://0.0.0.0:9090,REPLICATION-9091://0.0.0.0:9091,PLAIN-9092://0.0.0.0:9092", "advertised.listeners=CONTROLPLANE-9090://my-cluster-kafka-${STRIMZI_BROKER_ID}.my-cluster-kafka-brokers.my-namespace.svc:9090,REPLICATION-9091://my-cluster-kafka-${STRIMZI_BROKER_ID}.my-cluster-kafka-brokers.my-namespace.svc:9091,PLAIN-9092://${STRIMZI_PLAIN_9092_ADVERTISED_HOSTNAME}:${STRIMZI_PLAIN_9092_ADVERTISED_PORT}", "listener.security.protocol.map=CONTROLPLANE-9090:SSL,REPLICATION-9091:SSL,PLAIN-9092:SASL_PLAINTEXT", "inter.broker.listener.name=REPLICATION-9091", "sasl.enabled.mechanisms=", "ssl.secure.random.implementation=SHA1PRNG", "ssl.endpoint.identification.algorithm=HTTPS", "listener.name.plain-9092.oauthbearer.sasl.server.callback.handler.class=io.strimzi.kafka.oauth.server.JaasServerOauthValidatorCallbackHandler", "listener.name.plain-9092.oauthbearer.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required unsecuredLoginStringClaim_sub=\"thePrincipalName\" oauth.client.id=\"my-oauth-client\" oauth.valid.issuer.uri=\"https://valid-issuer\" oauth.check.audience=\"true\" oauth.custom.claim.check=\"'kafka-user' in @.roles.client-roles.kafka\" oauth.introspection.endpoint.uri=\"https://intro\" oauth.client.secret=\"${STRIMZI_PLAIN_9092_OAUTH_CLIENT_SECRET}\";", "listener.name.plain-9092.sasl.enabled.mechanisms=OAUTHBEARER", "principal.builder.class=io.strimzi.kafka.oauth.server.OAuthKafkaPrincipalBuilder"));
}
Aggregations