Search in sources :

Example 46 with GenericKafkaListener

use of io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListener in project strimzi-kafka-operator by strimzi.

the class KafkaBrokerConfigurationBuilderTest method testWithExternalRouteListenersWithSaslAuth.

@ParallelTest
public void testWithExternalRouteListenersWithSaslAuth() {
    GenericKafkaListener listener = new GenericKafkaListenerBuilder().withName("external").withPort(9094).withType(KafkaListenerType.ROUTE).withTls(true).withNewKafkaListenerAuthenticationScramSha512Auth().endKafkaListenerAuthenticationScramSha512Auth().build();
    String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION).withListeners("my-cluster", "my-namespace", singletonList(listener), false).build();
    assertThat(configuration, isEquivalent("listener.name.controlplane-9090.ssl.client.auth=required", "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", "listener.name.controlplane-9090.ssl.keystore.password=${CERTS_STORE_PASSWORD}", "listener.name.controlplane-9090.ssl.keystore.type=PKCS12", "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", "listener.name.controlplane-9090.ssl.truststore.password=${CERTS_STORE_PASSWORD}", "listener.name.controlplane-9090.ssl.truststore.type=PKCS12", "listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", "listener.name.replication-9091.ssl.keystore.password=${CERTS_STORE_PASSWORD}", "listener.name.replication-9091.ssl.keystore.type=PKCS12", "listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", "listener.name.replication-9091.ssl.truststore.password=${CERTS_STORE_PASSWORD}", "listener.name.replication-9091.ssl.truststore.type=PKCS12", "listener.name.replication-9091.ssl.client.auth=required", "listeners=CONTROLPLANE-9090://0.0.0.0:9090,REPLICATION-9091://0.0.0.0:9091,EXTERNAL-9094://0.0.0.0:9094", "advertised.listeners=CONTROLPLANE-9090://my-cluster-kafka-${STRIMZI_BROKER_ID}.my-cluster-kafka-brokers.my-namespace.svc:9090,REPLICATION-9091://my-cluster-kafka-${STRIMZI_BROKER_ID}.my-cluster-kafka-brokers.my-namespace.svc:9091,EXTERNAL-9094://${STRIMZI_EXTERNAL_9094_ADVERTISED_HOSTNAME}:${STRIMZI_EXTERNAL_9094_ADVERTISED_PORT}", "listener.security.protocol.map=CONTROLPLANE-9090:SSL,REPLICATION-9091:SSL,EXTERNAL-9094:SASL_SSL", "inter.broker.listener.name=REPLICATION-9091", "sasl.enabled.mechanisms=", "ssl.secure.random.implementation=SHA1PRNG", "ssl.endpoint.identification.algorithm=HTTPS", "listener.name.external-9094.scram-sha-512.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required;", "listener.name.external-9094.sasl.enabled.mechanisms=SCRAM-SHA-512", "listener.name.external-9094.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", "listener.name.external-9094.ssl.keystore.password=${CERTS_STORE_PASSWORD}", "listener.name.external-9094.ssl.keystore.type=PKCS12"));
}
Also used : GenericKafkaListener(io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListener) GenericKafkaListenerBuilder(io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListenerBuilder) CoreMatchers.containsString(org.hamcrest.CoreMatchers.containsString) ParallelTest(io.strimzi.test.annotations.ParallelTest)

Example 47 with GenericKafkaListener

use of io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListener in project strimzi-kafka-operator by strimzi.

the class KafkaBrokerConfigurationBuilderTest method testCustomAuthConfigPrefixesUserProvidedConfig.

@ParallelTest
public void testCustomAuthConfigPrefixesUserProvidedConfig() {
    GenericKafkaListener listener = new GenericKafkaListenerBuilder().withName("CUSTOM-LISTENER").withPort(9092).withType(KafkaListenerType.INTERNAL).withTls(true).withNewKafkaListenerAuthenticationCustomAuth().withSasl(true).withListenerConfig(Map.of("oauthbearer.sasl.client.callback.handler.class", "client.class", "oauthbearer.sasl.server.callback.handler.class", "server.class", "oauthbearer.sasl.login.callback.handler.class", "login.class", "oauthbearer.connections.max.reauth.ms", 999999999, "sasl.enabled.mechanisms", "oauthbearer", "oauthbearer.sasl.jaas.config", "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required ;")).endKafkaListenerAuthenticationCustomAuth().build();
    String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION).withListeners("my-cluster", "my-namespace", singletonList(listener), false).build();
    assertThat(configuration, isEquivalent("listener.name.controlplane-9090.ssl.client.auth=required", "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", "listener.name.controlplane-9090.ssl.keystore.password=${CERTS_STORE_PASSWORD}", "listener.name.controlplane-9090.ssl.keystore.type=PKCS12", "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", "listener.name.controlplane-9090.ssl.truststore.password=${CERTS_STORE_PASSWORD}", "listener.name.controlplane-9090.ssl.truststore.type=PKCS12", "listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", "listener.name.replication-9091.ssl.keystore.password=${CERTS_STORE_PASSWORD}", "listener.name.replication-9091.ssl.keystore.type=PKCS12", "listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", "listener.name.replication-9091.ssl.truststore.password=${CERTS_STORE_PASSWORD}", "listener.name.replication-9091.ssl.truststore.type=PKCS12", "listener.name.replication-9091.ssl.client.auth=required", "listener.name.custom-listener-9092.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", "listener.name.custom-listener-9092.ssl.keystore.password=${CERTS_STORE_PASSWORD}", "listener.name.custom-listener-9092.ssl.keystore.type=PKCS12", "listeners=CONTROLPLANE-9090://0.0.0.0:9090,REPLICATION-9091://0.0.0.0:9091,CUSTOM-LISTENER-9092://0.0.0.0:9092", "advertised.listeners=CONTROLPLANE-9090://my-cluster-kafka-${STRIMZI_BROKER_ID}.my-cluster" + "-kafka-brokers.my-namespace.svc:9090,REPLICATION-9091://my-cluster-kafka-${STRIMZI_BROKER_ID}.my-cluster-kafka-brokers.my-namespace.svc:9091,CUSTOM-LISTENER-9092://${STRIMZI_CUSTOM-LISTENER_9092_ADVERTISED_HOSTNAME}:${STRIMZI_CUSTOM-LISTENER_9092_ADVERTISED_PORT}", "listener.security.protocol.map=CONTROLPLANE-9090:SSL,REPLICATION-9091:SSL,CUSTOM-LISTENER-9092:SASL_SSL", "inter.broker.listener.name=REPLICATION-9091", "sasl.enabled.mechanisms=", "ssl.secure.random.implementation=SHA1PRNG", "ssl.endpoint.identification.algorithm=HTTPS", "listener.name.custom-listener-9092.sasl.enabled.mechanisms=oauthbearer", "listener.name.custom-listener-9092.oauthbearer.sasl.client.callback.handler.class=client.class", "listener.name.custom-listener-9092.oauthbearer.sasl.server.callback.handler.class=server.class", "listener.name.custom-listener-9092.oauthbearer.sasl.login.callback.handler.class=login.class", "listener.name.custom-listener-9092.oauthbearer.connections.max.reauth.ms=999999999", "listener.name.custom-listener-9092.oauthbearer.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required ;"));
}
Also used : GenericKafkaListener(io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListener) GenericKafkaListenerBuilder(io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListenerBuilder) CoreMatchers.containsString(org.hamcrest.CoreMatchers.containsString) ParallelTest(io.strimzi.test.annotations.ParallelTest)

Example 48 with GenericKafkaListener

use of io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListener in project strimzi-kafka-operator by strimzi.

the class KafkaClusterOAuthValidationTest method testOAuthAuthnAuthz.

@ParallelTest
public void testOAuthAuthnAuthz() {
    List<GenericKafkaListener> listeners = asList(new GenericKafkaListenerBuilder().withName("listener1").withPort(9900).withType(KafkaListenerType.INTERNAL).withAuth(new KafkaListenerAuthenticationOAuthBuilder().withClientId("my-client-id").withValidIssuerUri("http://valid-issuer").withJwksEndpointUri("http://jwks-endpoint").withJwksRefreshSeconds(30).withJwksExpirySeconds(90).withJwksMinRefreshPauseSeconds(5).withConnectTimeoutSeconds(20).withReadTimeoutSeconds(20).withGroupsClaim("$.groups").withMaxSecondsWithoutReauthentication(1800).withNewClientSecret().withSecretName("my-secret-secret").withKey("my-secret-key").endClientSecret().build()).build());
    Kafka kafkaAssembly = new KafkaBuilder().withNewMetadata().withName("my-cluster").withNamespace("my-namespace").endMetadata().withNewSpec().withNewKafka().withReplicas(3).withStorage(new EphemeralStorage()).withListeners(listeners).withAuthorization(new KafkaAuthorizationKeycloakBuilder().withTokenEndpointUri("http://token-endpoint").withClientId("my-client-id").withDelegateToKafkaAcls(true).withGrantsRefreshPeriodSeconds(60).withGrantsRefreshPoolSize(5).withSuperUsers("alice", "CN=alice").build()).endKafka().withNewZookeeper().withReplicas(3).withStorage(new EphemeralStorage()).endZookeeper().endSpec().build();
    KafkaCluster.fromCrd(Reconciliation.DUMMY_RECONCILIATION, kafkaAssembly, VERSIONS);
}
Also used : GenericKafkaListener(io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListener) GenericKafkaListenerBuilder(io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListenerBuilder) Kafka(io.strimzi.api.kafka.model.Kafka) KafkaBuilder(io.strimzi.api.kafka.model.KafkaBuilder) KafkaAuthorizationKeycloakBuilder(io.strimzi.api.kafka.model.KafkaAuthorizationKeycloakBuilder) EphemeralStorage(io.strimzi.api.kafka.model.storage.EphemeralStorage) KafkaListenerAuthenticationOAuthBuilder(io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuthBuilder) ParallelTest(io.strimzi.test.annotations.ParallelTest)

Example 49 with GenericKafkaListener

use of io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListener in project strimzi-kafka-operator by strimzi.

the class KafkaBrokerConfigurationBuilderTest method testWithExternalListenersNodePortWithTls.

@ParallelTest
public void testWithExternalListenersNodePortWithTls() {
    GenericKafkaListener listener = new GenericKafkaListenerBuilder().withName("external").withPort(9094).withType(KafkaListenerType.NODEPORT).withTls(true).build();
    String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION).withListeners("my-cluster", "my-namespace", singletonList(listener), false).build();
    assertThat(configuration, isEquivalent("listener.name.controlplane-9090.ssl.client.auth=required", "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", "listener.name.controlplane-9090.ssl.keystore.password=${CERTS_STORE_PASSWORD}", "listener.name.controlplane-9090.ssl.keystore.type=PKCS12", "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", "listener.name.controlplane-9090.ssl.truststore.password=${CERTS_STORE_PASSWORD}", "listener.name.controlplane-9090.ssl.truststore.type=PKCS12", "listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", "listener.name.replication-9091.ssl.keystore.password=${CERTS_STORE_PASSWORD}", "listener.name.replication-9091.ssl.keystore.type=PKCS12", "listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", "listener.name.replication-9091.ssl.truststore.password=${CERTS_STORE_PASSWORD}", "listener.name.replication-9091.ssl.truststore.type=PKCS12", "listener.name.replication-9091.ssl.client.auth=required", "listeners=CONTROLPLANE-9090://0.0.0.0:9090,REPLICATION-9091://0.0.0.0:9091,EXTERNAL-9094://0.0.0.0:9094", "advertised.listeners=CONTROLPLANE-9090://my-cluster-kafka-${STRIMZI_BROKER_ID}.my-cluster-kafka-brokers.my-namespace.svc:9090,REPLICATION-9091://my-cluster-kafka-${STRIMZI_BROKER_ID}.my-cluster-kafka-brokers.my-namespace.svc:9091,EXTERNAL-9094://${STRIMZI_EXTERNAL_9094_ADVERTISED_HOSTNAME}:${STRIMZI_EXTERNAL_9094_ADVERTISED_PORT}", "listener.security.protocol.map=CONTROLPLANE-9090:SSL,REPLICATION-9091:SSL,EXTERNAL-9094:SSL", "inter.broker.listener.name=REPLICATION-9091", "sasl.enabled.mechanisms=", "ssl.secure.random.implementation=SHA1PRNG", "ssl.endpoint.identification.algorithm=HTTPS", "listener.name.external-9094.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", "listener.name.external-9094.ssl.keystore.password=${CERTS_STORE_PASSWORD}", "listener.name.external-9094.ssl.keystore.type=PKCS12"));
}
Also used : GenericKafkaListener(io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListener) GenericKafkaListenerBuilder(io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListenerBuilder) CoreMatchers.containsString(org.hamcrest.CoreMatchers.containsString) ParallelTest(io.strimzi.test.annotations.ParallelTest)

Example 50 with GenericKafkaListener

use of io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListener in project strimzi-kafka-operator by strimzi.

the class KafkaBrokerConfigurationBuilderTest method testOauthConfigurationWithClientSecret.

@ParallelTest
public void testOauthConfigurationWithClientSecret() {
    GenericKafkaListener listener = new GenericKafkaListenerBuilder().withName("plain").withPort(9092).withType(KafkaListenerType.INTERNAL).withTls(false).withNewKafkaListenerAuthenticationOAuth().withValidIssuerUri("https://valid-issuer").withIntrospectionEndpointUri("https://intro").withCheckAudience(true).withCustomClaimCheck("'kafka-user' in @.roles.client-roles.kafka").withClientId("my-oauth-client").withNewClientSecret().withSecretName("my-secret").withKey("client-secret").endClientSecret().endKafkaListenerAuthenticationOAuth().build();
    String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION).withListeners("my-cluster", "my-namespace", singletonList(listener), false).build();
    assertThat(configuration, isEquivalent("listener.name.controlplane-9090.ssl.client.auth=required", "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", "listener.name.controlplane-9090.ssl.keystore.password=${CERTS_STORE_PASSWORD}", "listener.name.controlplane-9090.ssl.keystore.type=PKCS12", "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", "listener.name.controlplane-9090.ssl.truststore.password=${CERTS_STORE_PASSWORD}", "listener.name.controlplane-9090.ssl.truststore.type=PKCS12", "listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", "listener.name.replication-9091.ssl.keystore.password=${CERTS_STORE_PASSWORD}", "listener.name.replication-9091.ssl.keystore.type=PKCS12", "listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", "listener.name.replication-9091.ssl.truststore.password=${CERTS_STORE_PASSWORD}", "listener.name.replication-9091.ssl.truststore.type=PKCS12", "listener.name.replication-9091.ssl.client.auth=required", "listeners=CONTROLPLANE-9090://0.0.0.0:9090,REPLICATION-9091://0.0.0.0:9091,PLAIN-9092://0.0.0.0:9092", "advertised.listeners=CONTROLPLANE-9090://my-cluster-kafka-${STRIMZI_BROKER_ID}.my-cluster-kafka-brokers.my-namespace.svc:9090,REPLICATION-9091://my-cluster-kafka-${STRIMZI_BROKER_ID}.my-cluster-kafka-brokers.my-namespace.svc:9091,PLAIN-9092://${STRIMZI_PLAIN_9092_ADVERTISED_HOSTNAME}:${STRIMZI_PLAIN_9092_ADVERTISED_PORT}", "listener.security.protocol.map=CONTROLPLANE-9090:SSL,REPLICATION-9091:SSL,PLAIN-9092:SASL_PLAINTEXT", "inter.broker.listener.name=REPLICATION-9091", "sasl.enabled.mechanisms=", "ssl.secure.random.implementation=SHA1PRNG", "ssl.endpoint.identification.algorithm=HTTPS", "listener.name.plain-9092.oauthbearer.sasl.server.callback.handler.class=io.strimzi.kafka.oauth.server.JaasServerOauthValidatorCallbackHandler", "listener.name.plain-9092.oauthbearer.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required unsecuredLoginStringClaim_sub=\"thePrincipalName\" oauth.client.id=\"my-oauth-client\" oauth.valid.issuer.uri=\"https://valid-issuer\" oauth.check.audience=\"true\" oauth.custom.claim.check=\"'kafka-user' in @.roles.client-roles.kafka\" oauth.introspection.endpoint.uri=\"https://intro\" oauth.client.secret=\"${STRIMZI_PLAIN_9092_OAUTH_CLIENT_SECRET}\";", "listener.name.plain-9092.sasl.enabled.mechanisms=OAUTHBEARER", "principal.builder.class=io.strimzi.kafka.oauth.server.OAuthKafkaPrincipalBuilder"));
}
Also used : GenericKafkaListener(io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListener) GenericKafkaListenerBuilder(io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListenerBuilder) CoreMatchers.containsString(org.hamcrest.CoreMatchers.containsString) ParallelTest(io.strimzi.test.annotations.ParallelTest)

Aggregations

GenericKafkaListener (io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListener)160 GenericKafkaListenerBuilder (io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListenerBuilder)116 ParallelTest (io.strimzi.test.annotations.ParallelTest)102 CoreMatchers.containsString (org.hamcrest.CoreMatchers.containsString)50 ArrayList (java.util.ArrayList)38 GenericKafkaListenerConfigurationBrokerBuilder (io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListenerConfigurationBrokerBuilder)18 Matchers.containsString (org.hamcrest.Matchers.containsString)16 KafkaListenerAuthenticationOAuth (io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuth)12 KafkaListenerAuthenticationOAuthBuilder (io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuthBuilder)12 Kafka (io.strimzi.api.kafka.model.Kafka)10 LabelSelector (io.fabric8.kubernetes.api.model.LabelSelector)8 HTTPIngressPathBuilder (io.fabric8.kubernetes.api.model.networking.v1.HTTPIngressPathBuilder)8 Ingress (io.fabric8.kubernetes.api.model.networking.v1.Ingress)8 IngressTLSBuilder (io.fabric8.kubernetes.api.model.networking.v1.IngressTLSBuilder)8 HashMap (java.util.HashMap)8 List (java.util.List)8 Collectors (java.util.stream.Collectors)8 NetworkPolicyIngressRule (io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyIngressRule)6 NetworkPolicyIngressRuleBuilder (io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyIngressRuleBuilder)6 KafkaResources (io.strimzi.api.kafka.model.KafkaResources)6