Example 11 with Subject
use of io.strimzi.certs.Subject in project strimzi-kafka-operator by strimzi.
the class CertificateRenewalTest method generateCa.
private CertAndKey generateCa(OpenSslCertManager certManager, CertificateAuthority certificateAuthority, String commonName) throws IOException, CertificateException, KeyStoreException, NoSuchAlgorithmException {
String clusterCaStorePassword = "123456";
Path clusterCaKeyFile = Files.createTempFile("tls", "cluster-ca-key");
Path clusterCaCertFile = Files.createTempFile("tls", "cluster-ca-cert");
Path clusterCaStoreFile = Files.createTempFile("tls", "cluster-ca-store");
try {
Subject sbj = new Subject.Builder().withOrganizationName("io.strimzi").withCommonName(commonName).build();
certManager.generateSelfSignedCert(clusterCaKeyFile.toFile(), clusterCaCertFile.toFile(), sbj, ModelUtils.getCertificateValidity(certificateAuthority));
certManager.addCertToTrustStore(clusterCaCertFile.toFile(), CA_CRT, clusterCaStoreFile.toFile(), clusterCaStorePassword);
return new CertAndKey(Files.readAllBytes(clusterCaKeyFile), Files.readAllBytes(clusterCaCertFile), Files.readAllBytes(clusterCaStoreFile), null, clusterCaStorePassword);
} finally {
Files.delete(clusterCaKeyFile);
Files.delete(clusterCaCertFile);
Files.delete(clusterCaStoreFile);
}
}
Also used :
Path(java.nio.file.Path)
CertAndKey(io.strimzi.certs.CertAndKey)
ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString)
Subject(io.strimzi.certs.Subject)
Example 12 with Subject
use of io.strimzi.certs.Subject in project strimzi-kafka-operator by strimzi.
the class Ca method generateSignedCert.
/**
* Generates a certificate signed by this CA
*
* @param commonName The CN of the certificate to be generated.
* @param organization The O of the certificate to be generated. May be null.
* @return The CertAndKey
* @throws IOException If the cert could not be generated.
*/
public CertAndKey generateSignedCert(String commonName, String organization) throws IOException {
File csrFile = File.createTempFile("tls", "csr");
File keyFile = File.createTempFile("tls", "key");
File certFile = File.createTempFile("tls", "cert");
File keyStoreFile = File.createTempFile("tls", "p12");
Subject.Builder subject = new Subject.Builder();
if (organization != null) {
subject.withOrganizationName(organization);
}
subject.withCommonName(commonName);
CertAndKey result = generateSignedCert(subject.build(), csrFile, keyFile, certFile, keyStoreFile);
delete(reconciliation, csrFile);
delete(reconciliation, keyFile);
delete(reconciliation, certFile);
delete(reconciliation, keyStoreFile);
return result;
}
Also used :
CertAndKey(io.strimzi.certs.CertAndKey)
DateTimeFormatterBuilder(java.time.format.DateTimeFormatterBuilder)
SecretBuilder(io.fabric8.kubernetes.api.model.SecretBuilder)
File(java.io.File)
Subject(io.strimzi.certs.Subject)
Example 13 with Subject
use of io.strimzi.certs.Subject in project strimzi-kafka-operator by strimzi.
the class Ca method maybeCopyOrGenerateCerts.
/**
* Copy already existing certificates from provided Secret based on number of effective replicas
* and maybe generate new ones for new replicas (i.e. scale-up).
*/
protected Map<String, CertAndKey> maybeCopyOrGenerateCerts(Reconciliation reconciliation, int replicas, Function<Integer, Subject> subjectFn, Secret secret, Function<Integer, String> podNameFn, boolean isMaintenanceTimeWindowsSatisfied) throws IOException {
int replicasInSecret;
if (secret == null || secret.getData() == null || this.certRenewed()) {
replicasInSecret = 0;
} else {
replicasInSecret = (int) secret.getData().keySet().stream().filter(k -> k.contains(".crt")).count();
}
File brokerCsrFile = File.createTempFile("tls", "broker-csr");
File brokerKeyFile = File.createTempFile("tls", "broker-key");
File brokerCertFile = File.createTempFile("tls", "broker-cert");
File brokerKeyStoreFile = File.createTempFile("tls", "broker-p12");
int replicasInNewSecret = Math.min(replicasInSecret, replicas);
Map<String, CertAndKey> certs = new HashMap<>(replicasInNewSecret);
// scale down -> it will copy just the requested number of replicas
for (int i = 0; i < replicasInNewSecret; i++) {
String podName = podNameFn.apply(i);
LOGGER.debugCr(reconciliation, "Certificate for {} already exists", podName);
Subject subject = subjectFn.apply(i);
CertAndKey certAndKey;
if (secret.getData().get(podName + ".p12") != null && !secret.getData().get(podName + ".p12").isEmpty() && secret.getData().get(podName + ".password") != null && !secret.getData().get(podName + ".password").isEmpty()) {
certAndKey = asCertAndKey(secret, podName + ".key", podName + ".crt", podName + ".p12", podName + ".password");
} else {
// coming from an older operator version, the secret exists but without keystore and password
certAndKey = addKeyAndCertToKeyStore(subject.commonName(), Base64.getDecoder().decode(secret.getData().get(podName + ".key")), Base64.getDecoder().decode(secret.getData().get(podName + ".crt")));
}
List<String> reasons = new ArrayList<>(2);
if (certSubjectChanged(certAndKey, subject, podName)) {
reasons.add("DNS names changed");
}
if (isExpiring(secret, podName + ".crt") && isMaintenanceTimeWindowsSatisfied) {
reasons.add("certificate is expiring");
}
if (renewalType.equals(RenewalType.CREATE)) {
reasons.add("certificate added");
}
if (!reasons.isEmpty()) {
LOGGER.debugCr(reconciliation, "Certificate for pod {} need to be regenerated because: {}", podName, String.join(", ", reasons));
CertAndKey newCertAndKey = generateSignedCert(subject, brokerCsrFile, brokerKeyFile, brokerCertFile, brokerKeyStoreFile);
certs.put(podName, newCertAndKey);
} else {
certs.put(podName, certAndKey);
}
}
// scale down -> does nothing
for (int i = replicasInSecret; i < replicas; i++) {
String podName = podNameFn.apply(i);
LOGGER.debugCr(reconciliation, "Certificate for pod {} to generate", podName);
CertAndKey k = generateSignedCert(subjectFn.apply(i), brokerCsrFile, brokerKeyFile, brokerCertFile, brokerKeyStoreFile);
certs.put(podName, k);
}
delete(reconciliation, brokerCsrFile);
delete(reconciliation, brokerKeyFile);
delete(reconciliation, brokerCertFile);
delete(reconciliation, brokerKeyStoreFile);
return certs;
}
Also used :
X509Certificate(java.security.cert.X509Certificate)
HOUR_OF_DAY(java.time.temporal.ChronoField.HOUR_OF_DAY)
SECOND_OF_MINUTE(java.time.temporal.ChronoField.SECOND_OF_MINUTE)
CertificateFactory(java.security.cert.CertificateFactory)
Annotations(io.strimzi.operator.common.Annotations)
KeyStoreException(java.security.KeyStoreException)
SignStyle(java.time.format.SignStyle)
ByteArrayInputStream(java.io.ByteArrayInputStream)
IsoChronology(java.time.chrono.IsoChronology)
Map(java.util.Map)
Predicate(java.util.function.Predicate)
Collection(java.util.Collection)
Set(java.util.Set)
Instant(java.time.Instant)
Collectors(java.util.stream.Collectors)
StandardCharsets(java.nio.charset.StandardCharsets)
ZoneId(java.time.ZoneId)
Subject(io.strimzi.certs.Subject)
Base64(java.util.Base64)
List(java.util.List)
Certificate(java.security.cert.Certificate)
NANO_OF_SECOND(java.time.temporal.ChronoField.NANO_OF_SECOND)
PasswordGenerator(io.strimzi.operator.common.PasswordGenerator)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
Secret(io.fabric8.kubernetes.api.model.Secret)
Optional(java.util.Optional)
Pattern(java.util.regex.Pattern)
DateTimeFormatterBuilder(java.time.format.DateTimeFormatterBuilder)
CertManager(io.strimzi.certs.CertManager)
HashMap(java.util.HashMap)
OwnerReference(io.fabric8.kubernetes.api.model.OwnerReference)
CertAndKey(io.strimzi.certs.CertAndKey)
Function(java.util.function.Function)
ArrayList(java.util.ArrayList)
YEAR(java.time.temporal.ChronoField.YEAR)
Collections.singletonMap(java.util.Collections.singletonMap)
CertificateExpirationPolicy(io.strimzi.api.kafka.model.CertificateExpirationPolicy)
SecretCertProvider(io.strimzi.certs.SecretCertProvider)
ReconciliationLogger(io.strimzi.operator.common.ReconciliationLogger)
MONTH_OF_YEAR(java.time.temporal.ChronoField.MONTH_OF_YEAR)
Collections.emptyMap(java.util.Collections.emptyMap)
Iterator(java.util.Iterator)
Files(java.nio.file.Files)
MINUTE_OF_HOUR(java.time.temporal.ChronoField.MINUTE_OF_HOUR)
IOException(java.io.IOException)
CertificateException(java.security.cert.CertificateException)
DAY_OF_MONTH(java.time.temporal.ChronoField.DAY_OF_MONTH)
File(java.io.File)
Reconciliation(io.strimzi.operator.common.Reconciliation)
Util(io.strimzi.operator.common.Util)
ChronoUnit(java.time.temporal.ChronoUnit)
DateTimeFormatter(java.time.format.DateTimeFormatter)
Clock(java.time.Clock)
SecretBuilder(io.fabric8.kubernetes.api.model.SecretBuilder)
CertAndKey(io.strimzi.certs.CertAndKey)
HashMap(java.util.HashMap)
ArrayList(java.util.ArrayList)
File(java.io.File)
Subject(io.strimzi.certs.Subject)
Example 14 with Subject
use of io.strimzi.certs.Subject in project strimzi-kafka-operator by strimzi.
the class Ca method getSubjectAltNames.
/**
* Extracts the alternate subject names out of existing certificate
*
* @param certificate Existing X509 certificate as a byte array
* @return
*/
protected List<String> getSubjectAltNames(byte[] certificate) {
List<String> subjectAltNames = null;
try {
X509Certificate cert = x509Certificate(certificate);
Collection<List<?>> altNames = cert.getSubjectAlternativeNames();
subjectAltNames = altNames.stream().filter(name -> name.get(1) instanceof String).map(item -> (String) item.get(1)).collect(Collectors.toList());
} catch (CertificateException | RuntimeException e) {
// TODO: We should mock the certificates properly so that this doesn't fail in tests (not now => long term :-o)
LOGGER.debugCr(reconciliation, "Failed to parse existing certificate", e);
}
return subjectAltNames;
}
Also used :
X509Certificate(java.security.cert.X509Certificate)
HOUR_OF_DAY(java.time.temporal.ChronoField.HOUR_OF_DAY)
SECOND_OF_MINUTE(java.time.temporal.ChronoField.SECOND_OF_MINUTE)
CertificateFactory(java.security.cert.CertificateFactory)
Annotations(io.strimzi.operator.common.Annotations)
KeyStoreException(java.security.KeyStoreException)
SignStyle(java.time.format.SignStyle)
ByteArrayInputStream(java.io.ByteArrayInputStream)
IsoChronology(java.time.chrono.IsoChronology)
Map(java.util.Map)
Predicate(java.util.function.Predicate)
Collection(java.util.Collection)
Set(java.util.Set)
Instant(java.time.Instant)
Collectors(java.util.stream.Collectors)
StandardCharsets(java.nio.charset.StandardCharsets)
ZoneId(java.time.ZoneId)
Subject(io.strimzi.certs.Subject)
Base64(java.util.Base64)
List(java.util.List)
Certificate(java.security.cert.Certificate)
NANO_OF_SECOND(java.time.temporal.ChronoField.NANO_OF_SECOND)
PasswordGenerator(io.strimzi.operator.common.PasswordGenerator)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
Secret(io.fabric8.kubernetes.api.model.Secret)
Optional(java.util.Optional)
Pattern(java.util.regex.Pattern)
DateTimeFormatterBuilder(java.time.format.DateTimeFormatterBuilder)
CertManager(io.strimzi.certs.CertManager)
HashMap(java.util.HashMap)
OwnerReference(io.fabric8.kubernetes.api.model.OwnerReference)
CertAndKey(io.strimzi.certs.CertAndKey)
Function(java.util.function.Function)
ArrayList(java.util.ArrayList)
YEAR(java.time.temporal.ChronoField.YEAR)
Collections.singletonMap(java.util.Collections.singletonMap)
CertificateExpirationPolicy(io.strimzi.api.kafka.model.CertificateExpirationPolicy)
SecretCertProvider(io.strimzi.certs.SecretCertProvider)
ReconciliationLogger(io.strimzi.operator.common.ReconciliationLogger)
MONTH_OF_YEAR(java.time.temporal.ChronoField.MONTH_OF_YEAR)
Collections.emptyMap(java.util.Collections.emptyMap)
Iterator(java.util.Iterator)
Files(java.nio.file.Files)
MINUTE_OF_HOUR(java.time.temporal.ChronoField.MINUTE_OF_HOUR)
IOException(java.io.IOException)
CertificateException(java.security.cert.CertificateException)
DAY_OF_MONTH(java.time.temporal.ChronoField.DAY_OF_MONTH)
File(java.io.File)
Reconciliation(io.strimzi.operator.common.Reconciliation)
Util(io.strimzi.operator.common.Util)
ChronoUnit(java.time.temporal.ChronoUnit)
DateTimeFormatter(java.time.format.DateTimeFormatter)
Clock(java.time.Clock)
SecretBuilder(io.fabric8.kubernetes.api.model.SecretBuilder)
List(java.util.List)
ArrayList(java.util.ArrayList)
CertificateException(java.security.cert.CertificateException)
X509Certificate(java.security.cert.X509Certificate)
Aggregations
CertAndKey (io.strimzi.certs.CertAndKey)14
Subject (io.strimzi.certs.Subject)14
SecretBuilder (io.fabric8.kubernetes.api.model.SecretBuilder)12
File (java.io.File)12
Secret (io.fabric8.kubernetes.api.model.Secret)10
CertificateExpirationPolicy (io.strimzi.api.kafka.model.CertificateExpirationPolicy)10
CertManager (io.strimzi.certs.CertManager)10
PasswordGenerator (io.strimzi.operator.common.PasswordGenerator)10
Reconciliation (io.strimzi.operator.common.Reconciliation)10
IOException (java.io.IOException)10
X509Certificate (java.security.cert.X509Certificate)10
Base64 (java.util.Base64)10
Map (java.util.Map)10
Function (java.util.function.Function)10
ParallelSuite (io.strimzi.test.annotations.ParallelSuite)6
ParallelTest (io.strimzi.test.annotations.ParallelTest)6
VertxExtension (io.vertx.junit5.VertxExtension)6
DateTimeFormatterBuilder (java.time.format.DateTimeFormatterBuilder)6
AtomicInteger (java.util.concurrent.atomic.AtomicInteger)6
CoreMatchers.is (org.hamcrest.CoreMatchers.is)6
