use of io.strimzi.certs.CertAndKey in project strimzi by strimzi.
the class Ca method renewCaCert.
private void renewCaCert(Subject subject, Map<String, String> certData) {
try {
LOGGER.debugCr(reconciliation, "Renewing CA with subject={}, org={}", subject);
Base64.Decoder decoder = Base64.getDecoder();
byte[] bytes = decoder.decode(caKeySecret.getData().get(CA_KEY));
File keyFile = File.createTempFile("tls", subject.commonName() + "-key");
try {
Files.write(keyFile.toPath(), bytes);
File certFile = File.createTempFile("tls", subject.commonName() + "-cert");
try {
File trustStoreFile = File.createTempFile("tls", subject.commonName() + "-truststore");
try {
String trustStorePassword = passwordGenerator.generate();
certManager.renewSelfSignedCert(keyFile, certFile, subject, validityDays);
certManager.addCertToTrustStore(certFile, CA_CRT, trustStoreFile, trustStorePassword);
CertAndKey ca = new CertAndKey(bytes, Files.readAllBytes(certFile.toPath()), Files.readAllBytes(trustStoreFile.toPath()), null, trustStorePassword);
certData.put(CA_CRT, ca.certAsBase64String());
certData.put(CA_STORE, ca.trustStoreAsBase64String());
certData.put(CA_STORE_PASSWORD, ca.storePasswordAsBase64String());
} finally {
delete(reconciliation, trustStoreFile);
}
} finally {
delete(reconciliation, certFile);
}
} finally {
delete(reconciliation, keyFile);
}
} catch (IOException | CertificateException | KeyStoreException | NoSuchAlgorithmException e) {
throw new RuntimeException(e);
}
}
use of io.strimzi.certs.CertAndKey in project strimzi-kafka-operator by strimzi.
the class ModelUtils method buildSecret.
public static Secret buildSecret(Reconciliation reconciliation, ClusterCa clusterCa, Secret secret, String namespace, String secretName, String commonName, String keyCertName, Labels labels, OwnerReference ownerReference, boolean isMaintenanceTimeWindowsSatisfied) {
Map<String, String> data = new HashMap<>(4);
CertAndKey certAndKey = null;
boolean shouldBeRegenerated = false;
List<String> reasons = new ArrayList<>(2);
if (secret == null) {
reasons.add("certificate doesn't exist yet");
shouldBeRegenerated = true;
} else {
if (clusterCa.keyCreated() || clusterCa.certRenewed() || (isMaintenanceTimeWindowsSatisfied && clusterCa.isExpiring(secret, keyCertName + ".crt")) || clusterCa.hasCaCertGenerationChanged(secret)) {
reasons.add("certificate needs to be renewed");
shouldBeRegenerated = true;
}
}
if (shouldBeRegenerated) {
LOGGER.debugCr(reconciliation, "Certificate for pod {} need to be regenerated because: {}", keyCertName, String.join(", ", reasons));
try {
certAndKey = clusterCa.generateSignedCert(commonName, Ca.IO_STRIMZI);
} catch (IOException e) {
LOGGER.warnCr(reconciliation, "Error while generating certificates", e);
}
LOGGER.debugCr(reconciliation, "End generating certificates");
} else {
if (secret.getData().get(keyCertName + ".p12") != null && !secret.getData().get(keyCertName + ".p12").isEmpty() && secret.getData().get(keyCertName + ".password") != null && !secret.getData().get(keyCertName + ".password").isEmpty()) {
certAndKey = new CertAndKey(decodeFromSecret(secret, keyCertName + ".key"), decodeFromSecret(secret, keyCertName + ".crt"), null, decodeFromSecret(secret, keyCertName + ".p12"), new String(decodeFromSecret(secret, keyCertName + ".password"), StandardCharsets.US_ASCII));
} else {
try {
// coming from an older operator version, the secret exists but without keystore and password
certAndKey = clusterCa.addKeyAndCertToKeyStore(commonName, decodeFromSecret(secret, keyCertName + ".key"), decodeFromSecret(secret, keyCertName + ".crt"));
} catch (IOException e) {
LOGGER.errorCr(reconciliation, "Error generating the keystore for {}", keyCertName, e);
}
}
}
if (certAndKey != null) {
data.put(keyCertName + ".key", certAndKey.keyAsBase64String());
data.put(keyCertName + ".crt", certAndKey.certAsBase64String());
data.put(keyCertName + ".p12", certAndKey.keyStoreAsBase64String());
data.put(keyCertName + ".password", certAndKey.storePasswordAsBase64String());
}
return createSecret(secretName, namespace, labels, ownerReference, data, Collections.singletonMap(clusterCa.caCertGenerationAnnotation(), String.valueOf(clusterCa.certGeneration())), emptyMap());
}
use of io.strimzi.certs.CertAndKey in project strimzi-kafka-operator by strimzi.
the class Ca method addKeyAndCertToKeyStore.
public CertAndKey addKeyAndCertToKeyStore(String alias, byte[] key, byte[] cert) throws IOException {
File keyFile = File.createTempFile("tls", "key");
File certFile = File.createTempFile("tls", "cert");
File keyStoreFile = File.createTempFile("tls", "p12");
Files.write(keyFile.toPath(), key);
Files.write(certFile.toPath(), cert);
String keyStorePassword = passwordGenerator.generate();
certManager.addKeyAndCertToKeyStore(keyFile, certFile, alias, keyStoreFile, keyStorePassword);
CertAndKey result = new CertAndKey(Files.readAllBytes(keyFile.toPath()), Files.readAllBytes(certFile.toPath()), null, Files.readAllBytes(keyStoreFile.toPath()), keyStorePassword);
delete(reconciliation, keyFile);
delete(reconciliation, certFile);
delete(reconciliation, keyStoreFile);
return result;
}
use of io.strimzi.certs.CertAndKey in project strimzi-kafka-operator by strimzi.
the class Ca method renewCaCert.
private void renewCaCert(Subject subject, Map<String, String> certData) {
try {
LOGGER.debugCr(reconciliation, "Renewing CA with subject={}, org={}", subject);
Base64.Decoder decoder = Base64.getDecoder();
byte[] bytes = decoder.decode(caKeySecret.getData().get(CA_KEY));
File keyFile = File.createTempFile("tls", subject.commonName() + "-key");
try {
Files.write(keyFile.toPath(), bytes);
File certFile = File.createTempFile("tls", subject.commonName() + "-cert");
try {
File trustStoreFile = File.createTempFile("tls", subject.commonName() + "-truststore");
try {
String trustStorePassword = passwordGenerator.generate();
certManager.renewSelfSignedCert(keyFile, certFile, subject, validityDays);
certManager.addCertToTrustStore(certFile, CA_CRT, trustStoreFile, trustStorePassword);
CertAndKey ca = new CertAndKey(bytes, Files.readAllBytes(certFile.toPath()), Files.readAllBytes(trustStoreFile.toPath()), null, trustStorePassword);
certData.put(CA_CRT, ca.certAsBase64String());
certData.put(CA_STORE, ca.trustStoreAsBase64String());
certData.put(CA_STORE_PASSWORD, ca.storePasswordAsBase64String());
} finally {
delete(reconciliation, trustStoreFile);
}
} finally {
delete(reconciliation, certFile);
}
} finally {
delete(reconciliation, keyFile);
}
} catch (IOException | CertificateException | KeyStoreException | NoSuchAlgorithmException e) {
throw new RuntimeException(e);
}
}
use of io.strimzi.certs.CertAndKey in project strimzi-kafka-operator by strimzi.
the class CruiseControl method generateCertificatesSecret.
/**
* Generate the Secret containing the Cruise Control certificate signed by the cluster CA certificate used for TLS based
* internal communication with Kafka
* It also contains the related Cruise Control private key.
*
* @param namespace Namespace in which the Cruise Control cluster runs
* @param kafkaName Name of the Kafka cluster (it is used for the SANs in the certificate)
* @param clusterCa The cluster CA.
* @param isMaintenanceTimeWindowsSatisfied Indicates whether we are in the maintenance window or not.
* This is used for certificate renewals
*
* @return The generated Secret.
*/
public Secret generateCertificatesSecret(String namespace, String kafkaName, ClusterCa clusterCa, boolean isMaintenanceTimeWindowsSatisfied) {
Map<String, CertAndKey> ccCerts = new HashMap<>(4);
LOGGER.debugCr(reconciliation, "Generating certificates");
try {
ccCerts = clusterCa.generateCcCerts(namespace, kafkaName, isMaintenanceTimeWindowsSatisfied);
} catch (IOException e) {
LOGGER.warnCr(reconciliation, "Error while generating certificates", e);
}
LOGGER.debugCr(reconciliation, "End generating certificates");
String keyCertName = "cruise-control";
Map<String, String> data = new HashMap<>(4);
CertAndKey cert = ccCerts.get(keyCertName);
data.put(keyCertName + ".key", cert.keyAsBase64String());
data.put(keyCertName + ".crt", cert.certAsBase64String());
data.put(keyCertName + ".p12", cert.keyStoreAsBase64String());
data.put(keyCertName + ".password", cert.storePasswordAsBase64String());
return createSecret(CruiseControlResources.secretName(cluster), data, Collections.singletonMap(clusterCa.caCertGenerationAnnotation(), String.valueOf(clusterCa.certGeneration())));
}
Aggregations