
Example 1 with SecretCertProvider

use of io.strimzi.certs.SecretCertProvider in project strimzi-kafka-operator by strimzi.

From class Ca, method createRenewOrReplace.

/**
 * Create the CA {@code Secrets} if they don't exist, otherwise if within the renewal period then either renew the CA cert
 * or replace the CA cert and key, according to the configured policy.
 * After calling this method {@link #certRenewed()} and {@link #certsRemoved()}
 * will return whether the certificate was renewed and whether expired secrets were removed from the Secret.
 * <p>
 * Side effects on this instance: {@code renewalType}, {@code caCertsRemoved}, {@code caCertSecret} and
 * {@code caKeySecret} are all overwritten. When {@code generateCa} is false the existing secret data is passed
 * through unchanged (only the {@code CA_KEY} entry of the key secret is kept) and no expired-certificate
 * cleanup is performed.
 * @param namespace The namespace containing the cluster.
 * @param clusterName The name of the cluster.
 * @param labels The labels of the {@code Secrets} created.
 * @param additonalLabels The additional labels of the {@code Secrets} created (merged into the CA cert secret only).
 * @param additonalAnnotations The additional annotations of the {@code Secrets} created (merged into the CA cert secret only).
 * @param ownerRef The owner of the {@code Secrets} created.
 * @param maintenanceWindowSatisfied Flag indicating whether we are in the maintenance window
 */
public void createRenewOrReplace(String namespace, String clusterName, Map<String, String> labels, Map<String, String> additonalLabels, Map<String, String> additonalAnnotations, OwnerReference ownerRef, boolean maintenanceWindowSatisfied) {
    // The CA cert currently held under CA_CRT in the cert secret (presumably null when the secret or entry is absent — confirm cert()).
    X509Certificate currentCert = cert(caCertSecret, CA_CRT);
    Map<String, String> certData;
    Map<String, String> keyData;
    // Generation counters start from the values read off the existing secrets and are bumped below per renewal type.
    int caCertGeneration = certGeneration();
    int caKeyGeneration = keyGeneration();
    if (!generateCa) {
        // CA is not generated by this operator: reuse the existing cert secret data as-is.
        certData = caCertSecret != null ? caCertSecret.getData() : emptyMap();
        // Only the CA_KEY entry is carried over; any other entries of the key secret are dropped.
        // NOTE(review): throws NPE if caKeySecret.getData() is null, and stores a null value if CA_KEY is missing — confirm the secret is validated upstream.
        keyData = caKeySecret != null ? singletonMap(CA_KEY, caKeySecret.getData().get(CA_KEY)) : emptyMap();
        // A changed cert generation is the only trigger in this mode; expired-cert cleanup is skipped entirely.
        renewalType = hasCaCertGenerationChanged() ? RenewalType.REPLACE_KEY : RenewalType.NOOP;
        caCertsRemoved = false;
    } else {
        this.renewalType = shouldCreateOrRenew(currentCert, namespace, clusterName, maintenanceWindowSatisfied);
        LOGGER.debugCr(reconciliation, "{} renewalType {}", this, renewalType);
        switch(renewalType) {
            case CREATE:
                // No usable CA yet: generate a fresh key and cert into empty maps; generations keep their initial values.
                keyData = new HashMap<>(1);
                certData = new HashMap<>(3);
                generateCaKeyAndCert(nextCaSubject(caKeyGeneration), keyData, certData);
                break;
            case REPLACE_KEY:
                // New key pair and cert; the existing cert is kept in a copy of the cert secret data under a notAfter-dated name.
                keyData = new HashMap<>(1);
                certData = new HashMap<>(caCertSecret.getData());
                if (certData.containsKey(CA_CRT)) {
                    String notAfterDate = DATE_TIME_FORMATTER.format(currentCert.getNotAfter().toInstant().atZone(ZoneId.of("Z")));
                    // NOTE(review): invoked with the dated name before certData holds anything under that key — confirm addCertCaToTrustStore does not look the cert up by that name.
                    addCertCaToTrustStore("ca-" + notAfterDate + ".crt", certData);
                    certData.put("ca-" + notAfterDate + ".crt", certData.remove(CA_CRT));
                }
                // Both generations advance; the pre-increment makes the new subject carry the new key generation.
                ++caCertGeneration;
                generateCaKeyAndCert(nextCaSubject(++caKeyGeneration), keyData, certData);
                break;
            case RENEW_CERT:
                // Key is reused unchanged; only the cert is regenerated, so only the cert generation advances.
                keyData = caKeySecret.getData();
                certData = new HashMap<>(3);
                ++caCertGeneration;
                renewCaCert(nextCaSubject(caKeyGeneration), certData);
                break;
            default:
                // NOOP / POSTPONED (and any other value): reuse the existing data. certData aliases the secret's own
                // map here, so any in-place edits the helpers below make land directly in caCertSecret's data.
                keyData = caKeySecret.getData();
                certData = caCertSecret.getData();
                // coming from an older version, the secret could not have the CA truststore
                if (!certData.containsKey(CA_STORE)) {
                    addCertCaToTrustStore(CA_CRT, certData);
                }
        }
        // Runs for every renewal type, including NOOP; the result is what certsRemoved() reports.
        this.caCertsRemoved = removeExpiredCerts(certData) > 0;
    }
    SecretCertProvider secretCertProvider = new SecretCertProvider();
    if (caCertsRemoved) {
        LOGGER.infoCr(reconciliation, "{}: Expired CA certificates removed", this);
    }
    // Only the actionable types get their post description logged; NOOP and POSTPONED stay silent here.
    if (renewalType != RenewalType.NOOP && renewalType != RenewalType.POSTPONED) {
        LOGGER.debugCr(reconciliation, "{}: {}", this, renewalType.postDescription(caKeySecretName, caCertSecretName));
    }
    // cluster CA certificate annotation handling
    // The generation counter is persisted as an annotation (presumably what certGeneration() reads back on the next reconciliation — confirm).
    Map<String, String> certAnnotations = new HashMap<>(2);
    certAnnotations.put(ANNO_STRIMZI_IO_CA_CERT_GENERATION, String.valueOf(caCertGeneration));
    // When renewal was postponed, the existing force-renew annotation is copied over (defaulting to "false"),
    // presumably so the request survives until the maintenance window is reached.
    if (renewalType.equals(RenewalType.POSTPONED) && this.caCertSecret.getMetadata() != null && Annotations.hasAnnotation(caCertSecret, ANNO_STRIMZI_IO_FORCE_RENEW)) {
        certAnnotations.put(ANNO_STRIMZI_IO_FORCE_RENEW, Annotations.stringAnnotation(caCertSecret, ANNO_STRIMZI_IO_FORCE_RENEW, "false"));
    }
    // Same handling for the key secret's generation and force-replace annotation.
    Map<String, String> keyAnnotations = new HashMap<>(2);
    keyAnnotations.put(ANNO_STRIMZI_IO_CA_KEY_GENERATION, String.valueOf(caKeyGeneration));
    if (renewalType.equals(RenewalType.POSTPONED) && this.caKeySecret.getMetadata() != null && Annotations.hasAnnotation(caKeySecret, ANNO_STRIMZI_IO_FORCE_REPLACE)) {
        keyAnnotations.put(ANNO_STRIMZI_IO_FORCE_REPLACE, Annotations.stringAnnotation(caKeySecret, ANNO_STRIMZI_IO_FORCE_REPLACE, "false"));
    }
    // The cert secret gets the caller's additional labels/annotations merged in; the key secret receives only the
    // base labels and its own annotations (the additional ones are not applied to it — intent not visible here).
    // Both cached Secret fields are replaced with the newly built objects; whether createSecret also persists them is not visible here.
    caCertSecret = secretCertProvider.createSecret(namespace, caCertSecretName, certData, Util.mergeLabelsOrAnnotations(labels, additonalLabels), Util.mergeLabelsOrAnnotations(certAnnotations, additonalAnnotations), ownerRef);
    caKeySecret = secretCertProvider.createSecret(namespace, caKeySecretName, keyData, labels, keyAnnotations, ownerRef);
}

Example 2 with SecretCertProvider

use of io.strimzi.certs.SecretCertProvider in project strimzi by strimzi.

From class Ca, method createRenewOrReplace.

/**
 * Create the CA {@code Secrets} if they don't exist, otherwise if within the renewal period then either renew the CA cert
 * or replace the CA cert and key, according to the configured policy.
 * After calling this method {@link #certRenewed()} and {@link #certsRemoved()}
 * will return whether the certificate was renewed and whether expired secrets were removed from the Secret.
 * <p>
 * Side effects on this instance: {@code renewalType}, {@code caCertsRemoved}, {@code caCertSecret} and
 * {@code caKeySecret} are all overwritten. When {@code generateCa} is false the existing secret data is passed
 * through unchanged (only the {@code CA_KEY} entry of the key secret is kept) and no expired-certificate
 * cleanup is performed.
 * @param namespace The namespace containing the cluster.
 * @param clusterName The name of the cluster.
 * @param labels The labels of the {@code Secrets} created.
 * @param additonalLabels The additional labels of the {@code Secrets} created (merged into the CA cert secret only).
 * @param additonalAnnotations The additional annotations of the {@code Secrets} created (merged into the CA cert secret only).
 * @param ownerRef The owner of the {@code Secrets} created.
 * @param maintenanceWindowSatisfied Flag indicating whether we are in the maintenance window
 */
public void createRenewOrReplace(String namespace, String clusterName, Map<String, String> labels, Map<String, String> additonalLabels, Map<String, String> additonalAnnotations, OwnerReference ownerRef, boolean maintenanceWindowSatisfied) {
    // The CA cert currently held under CA_CRT in the cert secret (presumably null when the secret or entry is absent — confirm cert()).
    X509Certificate currentCert = cert(caCertSecret, CA_CRT);
    Map<String, String> certData;
    Map<String, String> keyData;
    // Generation counters start from the values read off the existing secrets and are bumped below per renewal type.
    int caCertGeneration = certGeneration();
    int caKeyGeneration = keyGeneration();
    if (!generateCa) {
        // CA is not generated by this operator: reuse the existing cert secret data as-is.
        certData = caCertSecret != null ? caCertSecret.getData() : emptyMap();
        // Only the CA_KEY entry is carried over; any other entries of the key secret are dropped.
        // NOTE(review): throws NPE if caKeySecret.getData() is null, and stores a null value if CA_KEY is missing — confirm the secret is validated upstream.
        keyData = caKeySecret != null ? singletonMap(CA_KEY, caKeySecret.getData().get(CA_KEY)) : emptyMap();
        // A changed cert generation is the only trigger in this mode; expired-cert cleanup is skipped entirely.
        renewalType = hasCaCertGenerationChanged() ? RenewalType.REPLACE_KEY : RenewalType.NOOP;
        caCertsRemoved = false;
    } else {
        this.renewalType = shouldCreateOrRenew(currentCert, namespace, clusterName, maintenanceWindowSatisfied);
        LOGGER.debugCr(reconciliation, "{} renewalType {}", this, renewalType);
        switch(renewalType) {
            case CREATE:
                // No usable CA yet: generate a fresh key and cert into empty maps; generations keep their initial values.
                keyData = new HashMap<>(1);
                certData = new HashMap<>(3);
                generateCaKeyAndCert(nextCaSubject(caKeyGeneration), keyData, certData);
                break;
            case REPLACE_KEY:
                // New key pair and cert; the existing cert is kept in a copy of the cert secret data under a notAfter-dated name.
                keyData = new HashMap<>(1);
                certData = new HashMap<>(caCertSecret.getData());
                if (certData.containsKey(CA_CRT)) {
                    String notAfterDate = DATE_TIME_FORMATTER.format(currentCert.getNotAfter().toInstant().atZone(ZoneId.of("Z")));
                    // NOTE(review): invoked with the dated name before certData holds anything under that key — confirm addCertCaToTrustStore does not look the cert up by that name.
                    addCertCaToTrustStore("ca-" + notAfterDate + ".crt", certData);
                    certData.put("ca-" + notAfterDate + ".crt", certData.remove(CA_CRT));
                }
                // Both generations advance; the pre-increment makes the new subject carry the new key generation.
                ++caCertGeneration;
                generateCaKeyAndCert(nextCaSubject(++caKeyGeneration), keyData, certData);
                break;
            case RENEW_CERT:
                // Key is reused unchanged; only the cert is regenerated, so only the cert generation advances.
                keyData = caKeySecret.getData();
                certData = new HashMap<>(3);
                ++caCertGeneration;
                renewCaCert(nextCaSubject(caKeyGeneration), certData);
                break;
            default:
                // NOOP / POSTPONED (and any other value): reuse the existing data. certData aliases the secret's own
                // map here, so any in-place edits the helpers below make land directly in caCertSecret's data.
                keyData = caKeySecret.getData();
                certData = caCertSecret.getData();
                // coming from an older version, the secret could not have the CA truststore
                if (!certData.containsKey(CA_STORE)) {
                    addCertCaToTrustStore(CA_CRT, certData);
                }
        }
        // Runs for every renewal type, including NOOP; the result is what certsRemoved() reports.
        this.caCertsRemoved = removeExpiredCerts(certData) > 0;
    }
    SecretCertProvider secretCertProvider = new SecretCertProvider();
    if (caCertsRemoved) {
        LOGGER.infoCr(reconciliation, "{}: Expired CA certificates removed", this);
    }
    // Only the actionable types get their post description logged; NOOP and POSTPONED stay silent here.
    if (renewalType != RenewalType.NOOP && renewalType != RenewalType.POSTPONED) {
        LOGGER.debugCr(reconciliation, "{}: {}", this, renewalType.postDescription(caKeySecretName, caCertSecretName));
    }
    // cluster CA certificate annotation handling
    // The generation counter is persisted as an annotation (presumably what certGeneration() reads back on the next reconciliation — confirm).
    Map<String, String> certAnnotations = new HashMap<>(2);
    certAnnotations.put(ANNO_STRIMZI_IO_CA_CERT_GENERATION, String.valueOf(caCertGeneration));
    // When renewal was postponed, the existing force-renew annotation is copied over (defaulting to "false"),
    // presumably so the request survives until the maintenance window is reached.
    if (renewalType.equals(RenewalType.POSTPONED) && this.caCertSecret.getMetadata() != null && Annotations.hasAnnotation(caCertSecret, ANNO_STRIMZI_IO_FORCE_RENEW)) {
        certAnnotations.put(ANNO_STRIMZI_IO_FORCE_RENEW, Annotations.stringAnnotation(caCertSecret, ANNO_STRIMZI_IO_FORCE_RENEW, "false"));
    }
    // Same handling for the key secret's generation and force-replace annotation.
    Map<String, String> keyAnnotations = new HashMap<>(2);
    keyAnnotations.put(ANNO_STRIMZI_IO_CA_KEY_GENERATION, String.valueOf(caKeyGeneration));
    if (renewalType.equals(RenewalType.POSTPONED) && this.caKeySecret.getMetadata() != null && Annotations.hasAnnotation(caKeySecret, ANNO_STRIMZI_IO_FORCE_REPLACE)) {
        keyAnnotations.put(ANNO_STRIMZI_IO_FORCE_REPLACE, Annotations.stringAnnotation(caKeySecret, ANNO_STRIMZI_IO_FORCE_REPLACE, "false"));
    }
    // The cert secret gets the caller's additional labels/annotations merged in; the key secret receives only the
    // base labels and its own annotations (the additional ones are not applied to it — intent not visible here).
    // Both cached Secret fields are replaced with the newly built objects; whether createSecret also persists them is not visible here.
    caCertSecret = secretCertProvider.createSecret(namespace, caCertSecretName, certData, Util.mergeLabelsOrAnnotations(labels, additonalLabels), Util.mergeLabelsOrAnnotations(certAnnotations, additonalAnnotations), ownerRef);
    caKeySecret = secretCertProvider.createSecret(namespace, caKeySecretName, keyData, labels, keyAnnotations, ownerRef);
}
