
Example 6 with CertAndKey

use of io.strimzi.certs.CertAndKey in project strimzi by strimzi.

the class CertificateRenewalTest method generateCa.

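/**
 * Generates a self-signed CA (private key, certificate and a truststore holding that
 * certificate) for the tests in this class.
 * <p>
 * The key material is staged in temporary files. Every file that was created is removed
 * before this method returns, whether generation succeeded or not, so a failing step cannot
 * leave a CA private key behind in the temp directory.
 *
 * @param certManager          Certificate manager used to generate the CA and build the truststore
 * @param certificateAuthority CA configuration, passed to {@code ModelUtils.getCertificateValidity}
 * @param commonName           CN of the generated CA certificate
 * @return the generated key, certificate, truststore and truststore password
 * @throws IOException              if a temp file cannot be created, read or deleted
 * @throws CertificateException     if certificate generation fails
 * @throws KeyStoreException        if the truststore cannot be built
 * @throws NoSuchAlgorithmException if a required algorithm is unavailable
 */
private CertAndKey generateCa(OpenSslCertManager certManager, CertificateAuthority certificateAuthority, String commonName) throws IOException, CertificateException, KeyStoreException, NoSuchAlgorithmException {
    // fixed test-only password; the store exists only for the duration of a test
    String clusterCaStorePassword = "123456";
    Path clusterCaKeyFile = null;
    Path clusterCaCertFile = null;
    Path clusterCaStoreFile = null;
    try {
        // created inside the try so that a failure creating a later file still cleans up the earlier ones
        clusterCaKeyFile = Files.createTempFile("tls", "cluster-ca-key");
        clusterCaCertFile = Files.createTempFile("tls", "cluster-ca-cert");
        clusterCaStoreFile = Files.createTempFile("tls", "cluster-ca-store");
        Subject sbj = new Subject.Builder().withOrganizationName("io.strimzi").withCommonName(commonName).build();
        certManager.generateSelfSignedCert(clusterCaKeyFile.toFile(), clusterCaCertFile.toFile(), sbj, ModelUtils.getCertificateValidity(certificateAuthority));
        certManager.addCertToTrustStore(clusterCaCertFile.toFile(), CA_CRT, clusterCaStoreFile.toFile(), clusterCaStorePassword);
        return new CertAndKey(Files.readAllBytes(clusterCaKeyFile), Files.readAllBytes(clusterCaCertFile), Files.readAllBytes(clusterCaStoreFile), null, clusterCaStorePassword);
    } finally {
        // attempt every delete even if an earlier one fails; the first failure is rethrown afterwards
        IOException deleteFailure = null;
        for (Path tmp : new Path[] {clusterCaKeyFile, clusterCaCertFile, clusterCaStoreFile}) {
            if (tmp == null) {
                continue;
            }
            try {
                Files.deleteIfExists(tmp);
            } catch (IOException e) {
                if (deleteFailure == null) {
                    deleteFailure = e;
                } else {
                    deleteFailure.addSuppressed(e);
                }
            }
        }
        if (deleteFailure != null) {
            throw deleteFailure;
        }
    }
}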

Example 7 with CertAndKey

use of io.strimzi.certs.CertAndKey in project strimzi by strimzi.

the class CertificateRenewalTest method testRenewalOfDeploymentCertificatesDelayedRenewalOutsideOfMaintenanceWindow.

/**
 * Checks that when the cluster CA reports the deployment certificate as expiring but the CA
 * itself has not been renewed, and {@code buildSecret} is called with its final flag set to
 * {@code false} (presumably "inside maintenance window" given the test name — confirm against
 * ModelUtils), the existing certificate, key, keystore and password in the secret are kept as
 * they were even though the CA mock would hand out fresh material.
 */
@Test
public void testRenewalOfDeploymentCertificatesDelayedRenewalOutsideOfMaintenanceWindow() throws IOException {
    Base64.Encoder b64 = Base64.getEncoder();
    String oldCert = b64.encodeToString("old-cert".getBytes());
    String oldKey = b64.encodeToString("old-key".getBytes());
    String oldKeyStore = b64.encodeToString("old-keystore".getBytes());
    String oldPassword = b64.encodeToString("old-password".getBytes());

    Secret initialSecret = new SecretBuilder()
            .withNewMetadata()
                .withName("test-secret")
            .endMetadata()
            .addToData("deployment.crt", oldCert)
            .addToData("deployment.key", oldKey)
            .addToData("deployment.p12", oldKeyStore)
            .addToData("deployment.password", oldPassword)
            .build();

    // material the CA would return if renewal went ahead; the assertions below expect it to be unused
    CertAndKey renewed = new CertAndKey("new-key".getBytes(), "new-cert".getBytes(), "new-truststore".getBytes(), "new-keystore".getBytes(), "new-password");
    ClusterCa ca = mock(ClusterCa.class);
    when(ca.certRenewed()).thenReturn(false);
    when(ca.isExpiring(any(), any())).thenReturn(true);
    when(ca.generateSignedCert(anyString(), anyString())).thenReturn(renewed);

    String namespace = "my-namespace";
    String secretName = "my-secret";
    String commonName = "deployment";
    String keyCertName = "deployment";
    Labels labels = Labels.forStrimziCluster("my-cluster");
    OwnerReference ownerReference = new OwnerReference();

    Secret newSecret = ModelUtils.buildSecret(Reconciliation.DUMMY_RECONCILIATION, ca, initialSecret, namespace, secretName, commonName, keyCertName, labels, ownerReference, false);

    assertThat(newSecret.getData(), hasEntry("deployment.crt", oldCert));
    assertThat(newSecret.getData(), hasEntry("deployment.key", oldKey));
    assertThat(newSecret.getData(), hasEntry("deployment.p12", oldKeyStore));
    assertThat(newSecret.getData(), hasEntry("deployment.password", oldPassword));
}

Example 8 with CertAndKey

use of io.strimzi.certs.CertAndKey in project strimzi by strimzi.

the class CertificateRenewalTest method initialCaSecrets.

/**
 * Generates a fresh CA via {@code generateCa} and wraps it in the two secrets a cluster
 * starts out with: the CA key secret and the CA cert secret (certificate, truststore and
 * store password).
 *
 * @param certificateAuthority CA configuration handed to {@code generateCa}
 * @param commonName           CN of the generated CA certificate
 * @param caKeySecretName      Name of the secret holding the CA private key
 * @param caCertSecretName     Name of the secret holding the CA certificate and truststore
 * @return a mutable list containing the key secret followed by the cert secret
 * @throws IOException              if the CA could not be generated
 * @throws CertificateException     if the CA could not be generated
 * @throws KeyStoreException        if the truststore could not be built
 * @throws NoSuchAlgorithmException if a required algorithm is unavailable
 */
private List<Secret> initialCaSecrets(CertificateAuthority certificateAuthority, String commonName, String caKeySecretName, String caCertSecretName) throws IOException, CertificateException, KeyStoreException, NoSuchAlgorithmException {
    CertAndKey ca = generateCa(certManager, certificateAuthority, commonName);
    Secret keySecret = ResourceUtils.createInitialCaKeySecret(NAMESPACE, NAME, caKeySecretName, ca.keyAsBase64String());
    Secret certSecret = ResourceUtils.createInitialCaCertSecret(NAMESPACE, NAME, caCertSecretName, ca.certAsBase64String(), ca.trustStoreAsBase64String(), ca.storePasswordAsBase64String());
    List<Secret> secrets = new ArrayList<>(2);
    secrets.add(keySecret);
    secrets.add(certSecret);
    return secrets;
}

Example 9 with CertAndKey

use of io.strimzi.certs.CertAndKey in project strimzi by strimzi.

the class Ca method generateCaKeyAndCert.

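/**
 * Generates a self-signed CA key and certificate for {@code subject} and records them,
 * base64-encoded, in the given maps: the private key under {@code CA_KEY} in {@code keyData};
 * the certificate, truststore and truststore password under {@code CA_CRT}, {@code CA_STORE}
 * and {@code CA_STORE_PASSWORD} in {@code certData}.
 * <p>
 * If {@code certData} already holds a truststore, that store and its password are reused so the
 * password does not change; otherwise a fresh password is generated.
 * <p>
 * Key, certificate and truststore are staged in temporary files, each deleted in its own
 * {@code finally} block so that a failure at any step removes every file created so far.
 *
 * @param subject  Subject of the CA certificate
 * @param keyData  Map receiving the base64-encoded CA private key
 * @param certData Map receiving the base64-encoded certificate, truststore and store password;
 *                 also consulted for an existing truststore to reuse
 * @throws RuntimeException wrapping any IO, certificate, keystore or algorithm error
 */
private void generateCaKeyAndCert(Subject subject, Map<String, String> keyData, Map<String, String> certData) {
    try {
        LOGGER.debugCr(reconciliation, "Generating CA with subject={}", subject);
        // Files.createTempFile creates the file owner-only (0600) on POSIX file systems, whereas
        // File.createTempFile relies on the process umask; the CA private key is written here
        File keyFile = Files.createTempFile("tls", subject.commonName() + "-key").toFile();
        try {
            File certFile = Files.createTempFile("tls", subject.commonName() + "-cert").toFile();
            try {
                File trustStoreFile = Files.createTempFile("tls", subject.commonName() + "-truststore").toFile();
                try {
                    String trustStorePassword;
                    // if secret already contains the truststore, we have to reuse it without changing password
                    if (certData.containsKey(CA_STORE)) {
                        // done inside the try so a failed write still leads to the temp store being deleted
                        Files.write(trustStoreFile.toPath(), Base64.getDecoder().decode(certData.get(CA_STORE)));
                        trustStorePassword = new String(Base64.getDecoder().decode(certData.get(CA_STORE_PASSWORD)), StandardCharsets.US_ASCII);
                    } else {
                        trustStorePassword = passwordGenerator.generate();
                    }
                    certManager.generateSelfSignedCert(keyFile, certFile, subject, validityDays);
                    certManager.addCertToTrustStore(certFile, CA_CRT, trustStoreFile, trustStorePassword);
                    CertAndKey ca = new CertAndKey(Files.readAllBytes(keyFile.toPath()), Files.readAllBytes(certFile.toPath()), Files.readAllBytes(trustStoreFile.toPath()), null, trustStorePassword);
                    certData.put(CA_CRT, ca.certAsBase64String());
                    keyData.put(CA_KEY, ca.keyAsBase64String());
                    certData.put(CA_STORE, ca.trustStoreAsBase64String());
                    certData.put(CA_STORE_PASSWORD, ca.storePasswordAsBase64String());
                } finally {
                    delete(reconciliation, trustStoreFile);
                }
            } finally {
                delete(reconciliation, certFile);
            }
        } finally {
            delete(reconciliation, keyFile);
        }
    } catch (IOException | CertificateException | KeyStoreException | NoSuchAlgorithmException e) {
        throw new RuntimeException(e);
    }
}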

Example 10 with CertAndKey

use of io.strimzi.certs.CertAndKey in project strimzi by strimzi.

the class Ca method generateSignedCert.

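/**
 * Generates a certificate signed by this CA.
 * <p>
 * The CSR, private key, certificate and keystore are staged in temporary files. Every file
 * that was created is removed before this method returns, including when generation fails,
 * so that the new private key does not linger in the temp directory.
 *
 * @param commonName The CN of the certificate to be generated.
 * @param organization The O of the certificate to be generated. May be null.
 * @return The CertAndKey
 * @throws IOException If the cert could not be generated.
 */
public CertAndKey generateSignedCert(String commonName, String organization) throws IOException {
    File csrFile = null;
    File keyFile = null;
    File certFile = null;
    File keyStoreFile = null;
    try {
        // Files.createTempFile creates the file owner-only (0600) on POSIX file systems, whereas
        // File.createTempFile relies on the process umask; the private key is written to keyFile
        csrFile = Files.createTempFile("tls", "csr").toFile();
        keyFile = Files.createTempFile("tls", "key").toFile();
        certFile = Files.createTempFile("tls", "cert").toFile();
        keyStoreFile = Files.createTempFile("tls", "p12").toFile();
        Subject.Builder subject = new Subject.Builder();
        if (organization != null) {
            subject.withOrganizationName(organization);
        }
        subject.withCommonName(commonName);
        return generateSignedCert(subject.build(), csrFile, keyFile, certFile, keyStoreFile);
    } finally {
        // delete whichever files were actually created, even if generation threw
        for (File tmp : new File[] {csrFile, keyFile, certFile, keyStoreFile}) {
            if (tmp != null) {
                delete(reconciliation, tmp);
            }
        }
    }
}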
