use of io.strimzi.certs.CertAndKey in project strimzi by strimzi.
the class CertificateRenewalTest method initialCaSecrets.
/**
 * Builds the two Secrets (CA private key; CA certificate plus trust store) that a test uses as its
 * starting state, backed by a freshly generated self-signed CA.
 *
 * @param certificateAuthority CA configuration; passed through to the CA generator, which derives the validity from it.
 * @param commonName CN of the generated self-signed CA certificate.
 * @param caKeySecretName Name of the Secret that receives the base64-encoded CA private key.
 * @param caCertSecretName Name of the Secret that receives the CA certificate, the trust store and the store password.
 * @return A two-element list: the key Secret first, the certificate Secret second.
 * @throws IOException If the CA files could not be written or read.
 * @throws CertificateException Propagated from CA generation.
 * @throws KeyStoreException Propagated from trust store creation.
 * @throws NoSuchAlgorithmException Propagated from trust store creation.
 */
private List<Secret> initialCaSecrets(CertificateAuthority certificateAuthority, String commonName, String caKeySecretName, String caCertSecretName) throws IOException, CertificateException, KeyStoreException, NoSuchAlgorithmException {
    CertAndKey ca = generateCa(certManager, certificateAuthority, commonName);
    Secret keySecret = ResourceUtils.createInitialCaKeySecret(NAMESPACE, NAME, caKeySecretName, ca.keyAsBase64String());
    Secret certSecret = ResourceUtils.createInitialCaCertSecret(NAMESPACE, NAME, caCertSecretName,
            ca.certAsBase64String(), ca.trustStoreAsBase64String(), ca.storePasswordAsBase64String());
    // Order matters to callers that index into the list: key first, then cert.
    List<Secret> initial = new ArrayList<>(2);
    initial.add(keySecret);
    initial.add(certSecret);
    return initial;
}
use of io.strimzi.certs.CertAndKey in project strimzi by strimzi.
the class CertificateRenewalTest method testRenewalOfDeploymentCertificatesDelayedRenewalOutsideOfMaintenanceWindow.
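/**
 * Verifies that an expiring deployment certificate is NOT re-issued when the renewal is delayed
 * (the trailing {@code false} passed to {@code buildSecret}, presumably the "maintenance window
 * satisfied" flag — confirm against the {@code buildSecret} signature): every entry of the existing
 * Secret must be carried over byte-for-byte even though the CA mock is ready to hand out a new
 * certificate. A regression here would silently rotate key material outside the operator's
 * maintenance window.
 */
@Test
public void testRenewalOfDeploymentCertificatesDelayedRenewalOutsideOfMaintenanceWindow() throws IOException {
    Secret initialSecret = new SecretBuilder()
            .withNewMetadata().withName("test-secret").endMetadata()
            .addToData("deployment.crt", base64Utf8("old-cert"))
            .addToData("deployment.key", base64Utf8("old-key"))
            .addToData("deployment.p12", base64Utf8("old-keystore"))
            .addToData("deployment.password", base64Utf8("old-password"))
            .build();
    // Distinct placeholder values so that any accidental rotation shows up in the assertions below.
    CertAndKey newCertAndKey = new CertAndKey("new-key".getBytes(java.nio.charset.StandardCharsets.UTF_8),
            "new-cert".getBytes(java.nio.charset.StandardCharsets.UTF_8),
            "new-truststore".getBytes(java.nio.charset.StandardCharsets.UTF_8),
            "new-keystore".getBytes(java.nio.charset.StandardCharsets.UTF_8),
            "new-password");
    // As the mock method names suggest: the CA itself was not renewed, the leaf cert is expiring,
    // and a new cert would be available if buildSecret asked for one.
    ClusterCa clusterCaMock = mock(ClusterCa.class);
    when(clusterCaMock.certRenewed()).thenReturn(false);
    when(clusterCaMock.isExpiring(any(), any())).thenReturn(true);
    when(clusterCaMock.generateSignedCert(anyString(), anyString())).thenReturn(newCertAndKey);
    String namespace = "my-namespace";
    String secretName = "my-secret";
    String commonName = "deployment";
    String keyCertName = "deployment";
    Labels labels = Labels.forStrimziCluster("my-cluster");
    OwnerReference ownerReference = new OwnerReference();
    Secret newSecret = ModelUtils.buildSecret(Reconciliation.DUMMY_RECONCILIATION, clusterCaMock, initialSecret,
            namespace, secretName, commonName, keyCertName, labels, ownerReference, false);
    // Old material must survive untouched; the data keys presumably derive from keyCertName.
    // TODO(review): additionally verifying that generateSignedCert was never invoked on the mock
    // would prove no re-issuance was even attempted.
    assertThat(newSecret.getData(), hasEntry("deployment.crt", base64Utf8("old-cert")));
    assertThat(newSecret.getData(), hasEntry("deployment.key", base64Utf8("old-key")));
    assertThat(newSecret.getData(), hasEntry("deployment.p12", base64Utf8("old-keystore")));
    assertThat(newSecret.getData(), hasEntry("deployment.password", base64Utf8("old-password")));
}

/**
 * Base64-encodes the UTF-8 bytes of {@code value}; the charset is named explicitly so the
 * fixture does not depend on the platform default encoding.
 */
private static String base64Utf8(String value) {
    return Base64.getEncoder().encodeToString(value.getBytes(java.nio.charset.StandardCharsets.UTF_8));
}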
use of io.strimzi.certs.CertAndKey in project strimzi by strimzi.
the class CertificateRenewalTest method generateCa.
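/**
 * Generates a self-signed CA (key, certificate and a trust store holding the certificate) for tests,
 * going through the OpenSSL-backed cert manager. All material is written to temp files that are
 * removed before returning; {@code Files.createTempFile} creates them owner-readable only on POSIX
 * file systems, which matters because one of them holds the CA private key.
 *
 * @param certManager Cert manager used to create the self-signed certificate and the trust store.
 * @param certificateAuthority CA configuration from which the certificate validity is derived.
 * @param commonName CN of the CA certificate; the organization is fixed to {@code io.strimzi}.
 * @return The CA key, certificate and trust store (no key store), plus the trust store password.
 * @throws IOException If a temp file could not be created, read or deleted.
 * @throws CertificateException Propagated from the cert manager.
 * @throws KeyStoreException Propagated from trust store creation.
 * @throws NoSuchAlgorithmException Propagated from trust store creation.
 */
private CertAndKey generateCa(OpenSslCertManager certManager, CertificateAuthority certificateAuthority, String commonName) throws IOException, CertificateException, KeyStoreException, NoSuchAlgorithmException {
    // Test-only fixed password; the operator itself uses a generated one.
    String clusterCaStorePassword = "123456";
    // Each temp file is owned by its own try/finally so that a failure creating a later file, or
    // deleting an earlier one, never leaves key material behind on disk.
    Path clusterCaKeyFile = Files.createTempFile("tls", "cluster-ca-key");
    try {
        Path clusterCaCertFile = Files.createTempFile("tls", "cluster-ca-cert");
        try {
            Path clusterCaStoreFile = Files.createTempFile("tls", "cluster-ca-store");
            try {
                Subject sbj = new Subject.Builder().withOrganizationName("io.strimzi").withCommonName(commonName).build();
                certManager.generateSelfSignedCert(clusterCaKeyFile.toFile(), clusterCaCertFile.toFile(), sbj, ModelUtils.getCertificateValidity(certificateAuthority));
                certManager.addCertToTrustStore(clusterCaCertFile.toFile(), CA_CRT, clusterCaStoreFile.toFile(), clusterCaStorePassword);
                return new CertAndKey(Files.readAllBytes(clusterCaKeyFile), Files.readAllBytes(clusterCaCertFile), Files.readAllBytes(clusterCaStoreFile), null, clusterCaStorePassword);
            } finally {
                Files.delete(clusterCaStoreFile);
            }
        } finally {
            Files.delete(clusterCaCertFile);
        }
    } finally {
        Files.delete(clusterCaKeyFile);
    }
}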
use of io.strimzi.certs.CertAndKey in project strimzi by strimzi.
the class Ca method generateSignedCert.
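/**
 * Generates a certificate signed by this CA.
 *
 * The CSR, private key, certificate and key store pass through temp files. They are created with
 * {@code Files.createTempFile}, which on POSIX file systems sets owner-only permissions, rather than
 * {@code File.createTempFile}, whose files are subject only to the process umask and are therefore
 * typically readable by other local users while the private key is on disk. Every temp file is
 * deleted in a {@code finally} block, so a failure during generation cannot leave key material
 * behind.
 *
 * @param commonName The CN of the certificate to be generated.
 * @param organization The O of the certificate to be generated. May be null.
 * @return The CertAndKey
 * @throws IOException If the cert could not be generated.
 */
public CertAndKey generateSignedCert(String commonName, String organization) throws IOException {
    File csrFile = Files.createTempFile("tls", "csr").toFile();
    try {
        File keyFile = Files.createTempFile("tls", "key").toFile();
        try {
            File certFile = Files.createTempFile("tls", "cert").toFile();
            try {
                File keyStoreFile = Files.createTempFile("tls", "p12").toFile();
                try {
                    Subject.Builder subject = new Subject.Builder();
                    // O is optional; only set it when the caller supplied one.
                    if (organization != null) {
                        subject.withOrganizationName(organization);
                    }
                    subject.withCommonName(commonName);
                    return generateSignedCert(subject.build(), csrFile, keyFile, certFile, keyStoreFile);
                } finally {
                    delete(reconciliation, keyStoreFile);
                }
            } finally {
                delete(reconciliation, certFile);
            }
        } finally {
            delete(reconciliation, keyFile);
        }
    } finally {
        delete(reconciliation, csrFile);
    }
}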
use of io.strimzi.certs.CertAndKey in project strimzi by strimzi.
the class Ca method generateCaKeyAndCert.
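/**
 * Generates a new self-signed CA key and certificate for {@code subject} and writes the results into
 * the supplied maps as base64 strings: the key under {@code CA_KEY} in {@code keyData}; the
 * certificate, trust store and trust store password under {@code CA_CRT}, {@code CA_STORE} and
 * {@code CA_STORE_PASSWORD} in {@code certData}.
 *
 * If {@code certData} already carries a trust store, that store and its password are reused and the
 * new CA certificate is added to it; otherwise a fresh store with a generated password is created.
 * Temp files are created with {@code Files.createTempFile} so that on POSIX file systems they are
 * owner-readable only while the private key is on disk, and each is deleted in its own
 * {@code finally}.
 *
 * @param subject Subject of the CA certificate; its CN is also used in the temp file names.
 * @param keyData Map that receives the base64 CA private key.
 * @param certData Map that receives the base64 CA certificate, trust store and store password; read for an existing store.
 * @throws RuntimeException Wrapping any I/O, certificate or key store failure.
 * @throws IllegalStateException If {@code certData} holds a trust store but no password for it.
 */
private void generateCaKeyAndCert(Subject subject, Map<String, String> keyData, Map<String, String> certData) {
    try {
        LOGGER.debugCr(reconciliation, "Generating CA with subject={}", subject);
        File keyFile = Files.createTempFile("tls", subject.commonName() + "-key").toFile();
        try {
            File certFile = Files.createTempFile("tls", subject.commonName() + "-cert").toFile();
            try {
                File trustStoreFile = Files.createTempFile("tls", subject.commonName() + "-truststore").toFile();
                String trustStorePassword;
                // if secret already contains the truststore, we have to reuse it without changing password
                if (certData.containsKey(CA_STORE)) {
                    String encodedPassword = certData.get(CA_STORE_PASSWORD);
                    if (encodedPassword == null) {
                        // A store without its password cannot be opened; fail clearly rather than with an NPE.
                        throw new IllegalStateException("CA secret contains " + CA_STORE + " but no " + CA_STORE_PASSWORD);
                    }
                    Files.write(trustStoreFile.toPath(), Base64.getDecoder().decode(certData.get(CA_STORE)));
                    trustStorePassword = new String(Base64.getDecoder().decode(encodedPassword), StandardCharsets.US_ASCII);
                } else {
                    trustStorePassword = passwordGenerator.generate();
                }
                try {
                    certManager.generateSelfSignedCert(keyFile, certFile, subject, validityDays);
                    certManager.addCertToTrustStore(certFile, CA_CRT, trustStoreFile, trustStorePassword);
                    CertAndKey ca = new CertAndKey(Files.readAllBytes(keyFile.toPath()), Files.readAllBytes(certFile.toPath()), Files.readAllBytes(trustStoreFile.toPath()), null, trustStorePassword);
                    certData.put(CA_CRT, ca.certAsBase64String());
                    keyData.put(CA_KEY, ca.keyAsBase64String());
                    certData.put(CA_STORE, ca.trustStoreAsBase64String());
                    certData.put(CA_STORE_PASSWORD, ca.storePasswordAsBase64String());
                } finally {
                    delete(reconciliation, trustStoreFile);
                }
            } finally {
                delete(reconciliation, certFile);
            }
        } finally {
            delete(reconciliation, keyFile);
        }
    } catch (IOException | CertificateException | KeyStoreException | NoSuchAlgorithmException e) {
        // Cause is preserved so the underlying OpenSSL / key store failure stays diagnosable.
        throw new RuntimeException(e);
    }
}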