@Test
public void testRenewalOfDeploymentCertificatesWithNullSecret() throws IOException {
    // Material the mocked CA hands back for whatever subject it is asked to sign.
    CertAndKey issued = new CertAndKey("new-key".getBytes(), "new-cert".getBytes(), "new-truststore".getBytes(), "new-keystore".getBytes(), "new-password");
    ClusterCa ca = mock(ClusterCa.class);
    when(ca.generateSignedCert(anyString(), anyString())).thenReturn(issued);

    // No existing Secret is supplied (null); the resulting Secret is expected to be filled
    // from the certificate the CA signs, under the key/cert name "deployment".
    Secret created = ModelUtils.buildSecret(
            Reconciliation.DUMMY_RECONCILIATION,
            ca,
            null,
            "my-namespace",
            "my-secret",
            "deployment",
            "deployment",
            Labels.forStrimziCluster("my-cluster"),
            new OwnerReference(),
            true);

    // Certificate, private key, keystore and keystore password are all stored base64-encoded.
    assertThat(created.getData(), hasEntry("deployment.crt", issued.certAsBase64String()));
    assertThat(created.getData(), hasEntry("deployment.key", issued.keyAsBase64String()));
    assertThat(created.getData(), hasEntry("deployment.p12", issued.keyStoreAsBase64String()));
    assertThat(created.getData(), hasEntry("deployment.password", issued.storePasswordAsBase64String()));
}
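/**
 * Generate the Secret containing the Zookeeper nodes certificates signed by the cluster CA certificate used for TLS
 * based internal communication with Kafka. It contains both the public and private keys.
 *
 * <p>Every node contributes four entries keyed by its pod name: {@code <pod>.key}, {@code <pod>.crt},
 * {@code <pod>.p12} and {@code <pod>.password}. The values are base64-encoded, which is an encoding and not
 * encryption: the private keys and keystore passwords are only as protected as read access to the Secret itself.
 *
 * @param clusterCa The CA for cluster certificates
 * @param isMaintenanceTimeWindowsSatisfied Indicates whether we are in the maintenance window or not.
 *
 * @return The generated Secret with the ZooKeeper node certificates
 * @throws RuntimeException if the CA fails to generate the certificates (wraps the underlying {@link IOException})
 * @throws IllegalStateException if the CA returned no certificate for one of the expected pod names
 */
public Secret generateCertificatesSecret(ClusterCa clusterCa, boolean isMaintenanceTimeWindowsSatisfied) {
    // Four entries per node, see the class Javadoc above.
    Map<String, String> secretData = new HashMap<>(replicas * 4);
    Map<String, CertAndKey> certs;
    try {
        certs = clusterCa.generateZkCerts(namespace, cluster, replicas, isMaintenanceTimeWindowsSatisfied);
    } catch (IOException e) {
        LOGGER.warnCr(reconciliation, "Error while generating certificates", e);
        throw new RuntimeException("Failed to prepare ZooKeeper certificates", e);
    }
    for (int i = 0; i < replicas; i++) {
        // The pod name is both the lookup key into the CA result and the prefix of the four Secret entries.
        String podName = KafkaResources.zookeeperPodName(cluster, i);
        CertAndKey cert = certs.get(podName);
        if (cert == null) {
            // A missing entry would otherwise surface as a bare NullPointerException from the put() calls below.
            throw new IllegalStateException("No certificate was generated for ZooKeeper pod " + podName);
        }
        secretData.put(podName + ".key", cert.keyAsBase64String());
        secretData.put(podName + ".crt", cert.certAsBase64String());
        secretData.put(podName + ".p12", cert.keyStoreAsBase64String());
        secretData.put(podName + ".password", cert.storePasswordAsBase64String());
    }
    // The CA generation annotation lets the reconciler detect Secrets issued by an older CA generation.
    return createSecret(KafkaResources.zookeeperSecretName(cluster), secretData,
            Collections.singletonMap(clusterCa.caCertGenerationAnnotation(), String.valueOf(clusterCa.certGeneration())));
}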
/**
 * Validate the CO certificate and key passed in the given Secret
 * and return the PemKeyCertOptions for using it for TLS authentication.
 *
 * <p>Only the certificate is parsed (as X.509) to detect a corrupt Secret entry; the private key bytes
 * are handed to Vert.x as they are, without being parsed here.
 *
 * @param coCertKeySecret Secret holding the Cluster Operator key, certificate, keystore and keystore password
 * @return TLS client options built from the certificate and private key in the Secret
 */
protected PemKeyCertOptions keyCertOptions(Secret coCertKeySecret) {
    final String keyEntry = "cluster-operator.key";
    final String certEntry = "cluster-operator.crt";
    final String storeEntry = "cluster-operator.p12";
    final String passwordEntry = "cluster-operator.password";

    CertAndKey operatorIdentity = Ca.asCertAndKey(coCertKeySecret, keyEntry, certEntry, storeEntry, passwordEntry);
    if (operatorIdentity == null) {
        throw Util.missingSecretException(coCertKeySecret.getMetadata().getNamespace(), coCertKeySecret.getMetadata().getName());
    }

    byte[] certBytes = operatorIdentity.cert();
    byte[] keyBytes = operatorIdentity.key();

    // Parsing the certificate is the corruption check; a failure is reported against the Secret entry it came from.
    CertificateFactory x509 = x509Factory();
    try {
        x509.generateCertificate(new ByteArrayInputStream(certBytes));
    } catch (CertificateException e) {
        throw corruptCertificate(coCertKeySecret, certEntry, e);
    }

    PemKeyCertOptions options = new PemKeyCertOptions();
    options.setCertValue(Buffer.buffer(certBytes));
    options.setKeyValue(Buffer.buffer(keyBytes));
    return options;
}
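/**
 * Generates the private keys for the Kafka brokers (if needed) and the secret with them which contains both the
 * public and private keys.
 *
 * <p>Every broker contributes four entries keyed by its pod name: {@code <pod>.key}, {@code <pod>.crt},
 * {@code <pod>.p12} and {@code <pod>.password}. The values are base64-encoded, which is an encoding and not
 * encryption: the private keys and keystore passwords are only as protected as read access to the Secret itself.
 *
 * @param clusterCa The CA for cluster certificates
 * @param clientsCa The CA for clients certificates
 * @param externalBootstrapDnsName Map with bootstrap DNS names which should be added to the certificate
 * @param externalDnsNames Map with broker DNS names which should be added to the certificate
 * @param isMaintenanceTimeWindowsSatisfied Indicates whether we are in a maintenance window or not
 *
 * @return The generated Secret with broker certificates
 * @throws RuntimeException if the CA fails to generate the certificates (wraps the underlying {@link IOException})
 * @throws IllegalStateException if the CA returned no certificate for one of the expected pod names
 */
public Secret generateCertificatesSecret(ClusterCa clusterCa, ClientsCa clientsCa, Set<String> externalBootstrapDnsName, Map<Integer, Set<String>> externalDnsNames, boolean isMaintenanceTimeWindowsSatisfied) {
    Map<String, CertAndKey> brokerCerts;
    // Four entries per broker, see the Javadoc above.
    Map<String, String> data = new HashMap<>(replicas * 4);
    try {
        brokerCerts = clusterCa.generateBrokerCerts(namespace, cluster, replicas, externalBootstrapDnsName, externalDnsNames, isMaintenanceTimeWindowsSatisfied);
    } catch (IOException e) {
        LOGGER.warnCr(reconciliation, "Error while generating certificates", e);
        throw new RuntimeException("Failed to prepare Kafka certificates", e);
    }
    for (int i = 0; i < replicas; i++) {
        // The pod name is both the lookup key into the CA result and the prefix of the four Secret entries.
        String podName = KafkaResources.kafkaPodName(cluster, i);
        CertAndKey cert = brokerCerts.get(podName);
        if (cert == null) {
            // A missing entry would otherwise surface as a bare NullPointerException from the put() calls below.
            throw new IllegalStateException("No certificate was generated for Kafka pod " + podName);
        }
        data.put(podName + ".key", cert.keyAsBase64String());
        data.put(podName + ".crt", cert.certAsBase64String());
        data.put(podName + ".p12", cert.keyStoreAsBase64String());
        data.put(podName + ".password", cert.storePasswordAsBase64String());
    }
    // Both CA generations are recorded so the reconciler can tell which CA generation issued this Secret.
    return createSecret(KafkaResources.kafkaSecretName(cluster), data,
            Map.of(clusterCa.caCertGenerationAnnotation(), String.valueOf(clusterCa.certGeneration()),
                    clientsCa.caCertGenerationAnnotation(), String.valueOf(clientsCa.certGeneration())));
}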
@ParallelTest
public void renewalOfStatefulSetCertificatesDelayedRenewalOutsideWindow() throws IOException {
    int replicas = 3;
    Function<Integer, String> podNameFn = i -> "pod" + i;
    Function<Integer, Subject> subjectFn = i -> new Subject.Builder().build();

    // A CA whose certificate is flagged as expiring, i.e. the condition under which pod certificates get renewed.
    MockedCa mockedCa = new MockedCa(Reconciliation.DUMMY_RECONCILIATION, null, null, null, null, null, null, null, 2, 1, true, null);
    mockedCa.setCertExpiring(true);

    // Existing Secret carrying the current ("old") material for every pod.
    SecretBuilder secretBuilder = new SecretBuilder().withNewMetadata().withName("test-secret").endMetadata();
    for (int i = 0; i < replicas; i++) {
        String pod = podNameFn.apply(i);
        secretBuilder
                .addToData(pod + ".crt", Base64.getEncoder().encodeToString("old-cert".getBytes()))
                .addToData(pod + ".key", Base64.getEncoder().encodeToString("old-key".getBytes()))
                .addToData(pod + ".p12", Base64.getEncoder().encodeToString("old-keystore".getBytes()))
                .addToData(pod + ".password", Base64.getEncoder().encodeToString("old-password".getBytes()));
    }
    Secret initialSecret = secretBuilder.build();

    // Outside the maintenance window (last argument false): the old material is expected to be kept unchanged.
    Map<String, CertAndKey> newCerts = mockedCa.maybeCopyOrGenerateCerts(Reconciliation.DUMMY_RECONCILIATION, replicas, subjectFn, initialSecret, podNameFn, false);

    for (int i = 0; i < replicas; i++) {
        CertAndKey kept = newCerts.get(podNameFn.apply(i));
        assertThat(new String(kept.cert()), is("old-cert"));
        assertThat(new String(kept.key()), is("old-key"));
        assertThat(new String(kept.keyStore()), is("old-keystore"));
        assertThat(kept.storePassword(), is("old-password"));
    }
}