Search in sources :

Example 11 with CA_KEY

use of io.strimzi.operator.cluster.model.Ca.CA_KEY in project strimzi by strimzi.

the class CertificateRenewalTest method testNewKeyGeneratedWhenInRenewalPeriodAutoWithinTimeWindow.

@Test
public void testNewKeyGeneratedWhenInRenewalPeriodAutoWithinTimeWindow(Vertx vertx, VertxTestContext context) throws IOException, CertificateException, KeyStoreException, NoSuchAlgorithmException {
    CertificateAuthority certificateAuthority = new CertificateAuthorityBuilder().withValidityDays(2).withRenewalDays(3).withGenerateCertificateAuthority(true).withCertificateExpirationPolicy(CertificateExpirationPolicy.REPLACE_KEY).build();
    Kafka kafka = new KafkaBuilder().editOrNewMetadata().withName(NAME).withNamespace(NAMESPACE).endMetadata().withNewSpec().withClusterCa(certificateAuthority).withClientsCa(certificateAuthority).withMaintenanceTimeWindows("* 10-14 * * * ? *").endSpec().build();
    List<Secret> clusterCaSecrets = initialClusterCaSecrets(certificateAuthority);
    Secret initialClusterCaKeySecret = clusterCaSecrets.get(0);
    Secret initialClusterCaCertSecret = clusterCaSecrets.get(1);
    assertThat(initialClusterCaCertSecret.getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
    assertThat(initialClusterCaCertSecret.getData().get(CA_CRT), is(notNullValue()));
    assertThat(initialClusterCaCertSecret.getData().get(CA_STORE), is(notNullValue()));
    assertThat(initialClusterCaCertSecret.getData().get(CA_STORE_PASSWORD), is(notNullValue()));
    assertThat(isCertInTrustStore(CA_CRT, initialClusterCaCertSecret.getData()), is(true));
    assertThat(initialClusterCaKeySecret.getData().keySet(), is(singleton(CA_KEY)));
    assertThat(initialClusterCaKeySecret.getData().get(CA_KEY), is(notNullValue()));
    List<Secret> clientsCaSecrets = initialClientsCaSecrets(certificateAuthority);
    Secret initialClientsCaKeySecret = clientsCaSecrets.get(0);
    Secret initialClientsCaCertSecret = clientsCaSecrets.get(1);
    assertThat(initialClientsCaCertSecret.getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
    assertThat(initialClientsCaCertSecret.getData().get(CA_CRT), is(notNullValue()));
    assertThat(initialClientsCaCertSecret.getData().get(CA_STORE), is(notNullValue()));
    assertThat(initialClientsCaCertSecret.getData().get(CA_STORE_PASSWORD), is(notNullValue()));
    assertThat(isCertInTrustStore(CA_CRT, initialClientsCaCertSecret.getData()), is(true));
    assertThat(initialClientsCaKeySecret.getData().keySet(), is(singleton(CA_KEY)));
    assertThat(initialClientsCaKeySecret.getData().get(CA_KEY), is(notNullValue()));
    secrets.add(initialClusterCaCertSecret);
    secrets.add(initialClusterCaKeySecret);
    secrets.add(initialClientsCaCertSecret);
    secrets.add(initialClientsCaKeySecret);
    Checkpoint async = context.checkpoint();
    reconcileCa(vertx, kafka, () -> Date.from(Instant.parse("2018-11-26T09:12:00Z"))).onComplete(context.succeeding(c -> context.verify(() -> {
        assertThat(c.getAllValues(), hasSize(4));
        Map<String, String> clusterCaCertData = c.getAllValues().get(0).getData();
        assertThat(c.getAllValues().get(0).getMetadata().getAnnotations(), hasEntry(Ca.ANNO_STRIMZI_IO_CA_CERT_GENERATION, "1"));
        assertThat(clusterCaCertData, aMapWithSize(4));
        X509Certificate newX509ClusterCaCertStore = getCertificateFromTrustStore(CA_CRT, clusterCaCertData);
        String oldClusterCaCertKey = clusterCaCertData.keySet().stream().filter(alias -> alias.startsWith("ca-")).findAny().orElseThrow();
        X509Certificate oldX509ClusterCaCertStore = getCertificateFromTrustStore(oldClusterCaCertKey, clusterCaCertData);
        String newClusterCaCert = clusterCaCertData.remove(CA_CRT);
        String newClusterCaCertStore = clusterCaCertData.remove(CA_STORE);
        String newClusterCaCertStorePassword = clusterCaCertData.remove(CA_STORE_PASSWORD);
        assertThat(newClusterCaCert, is(not(initialClusterCaCertSecret.getData().get(CA_CRT))));
        assertThat(newClusterCaCertStore, is(not(initialClusterCaCertSecret.getData().get(CA_STORE))));
        assertThat(newClusterCaCertStorePassword, is(initialClusterCaCertSecret.getData().get(CA_STORE_PASSWORD)));
        assertThat(newX509ClusterCaCertStore, is(x509Certificate(newClusterCaCert)));
        Map.Entry<String, String> oldClusterCaCert = clusterCaCertData.entrySet().iterator().next();
        assertThat(oldClusterCaCert.getValue(), is(initialClusterCaCertSecret.getData().get(CA_CRT)));
        assertThat(oldX509ClusterCaCertStore, is(x509Certificate(String.valueOf(oldClusterCaCert.getValue()))));
        assertThat(x509Certificate(newClusterCaCert).getSubjectDN().getName(), is("CN=cluster-ca v1, O=io.strimzi"));
        Secret clusterCaKeySecret = c.getAllValues().get(1);
        assertThat(clusterCaKeySecret.getMetadata().getAnnotations(), hasEntry(Ca.ANNO_STRIMZI_IO_CA_KEY_GENERATION, "1"));
        Map<String, String> clusterCaKeyData = clusterCaKeySecret.getData();
        assertThat(clusterCaKeyData.keySet(), is(singleton(CA_KEY)));
        String newClusterCaKey = clusterCaKeyData.remove(CA_KEY);
        assertThat(newClusterCaKey, is(notNullValue()));
        assertThat(newClusterCaKey, is(not(initialClusterCaKeySecret.getData().get(CA_KEY))));
        Map<String, String> clientsCaCertData = c.getAllValues().get(2).getData();
        assertThat(c.getAllValues().get(2).getMetadata().getAnnotations(), hasEntry(Ca.ANNO_STRIMZI_IO_CA_CERT_GENERATION, "1"));
        assertThat(clientsCaCertData, aMapWithSize(4));
        X509Certificate newX509ClientsCaCertStore = getCertificateFromTrustStore(CA_CRT, clientsCaCertData);
        String oldClientsCaCertKey = clientsCaCertData.keySet().stream().filter(alias -> alias.startsWith("ca-")).findAny().orElseThrow();
        X509Certificate oldX509ClientsCaCertStore = getCertificateFromTrustStore(oldClientsCaCertKey, clientsCaCertData);
        String newClientsCaCert = clientsCaCertData.remove(CA_CRT);
        String newClientsCaCertStore = clientsCaCertData.remove(CA_STORE);
        String newClientsCaCertStorePassword = clientsCaCertData.remove(CA_STORE_PASSWORD);
        assertThat(newClientsCaCert, is(not(initialClientsCaCertSecret.getData().get(CA_CRT))));
        assertThat(newClientsCaCertStore, is(not(initialClientsCaCertSecret.getData().get(CA_STORE))));
        assertThat(newClientsCaCertStorePassword, is(initialClientsCaCertSecret.getData().get(CA_STORE_PASSWORD)));
        assertThat(newX509ClientsCaCertStore, is(x509Certificate(newClientsCaCert)));
        Map.Entry<String, String> oldClientsCaCert = clientsCaCertData.entrySet().iterator().next();
        assertThat(oldClientsCaCert.getValue(), is(initialClientsCaCertSecret.getData().get(CA_CRT)));
        assertThat(oldX509ClientsCaCertStore, is(x509Certificate(String.valueOf(oldClientsCaCert.getValue()))));
        assertThat(x509Certificate(newClientsCaCert).getSubjectDN().getName(), is("CN=clients-ca v1, O=io.strimzi"));
        Secret clientsCaKeySecret = c.getAllValues().get(3);
        assertThat(clientsCaKeySecret.getMetadata().getAnnotations(), hasEntry(Ca.ANNO_STRIMZI_IO_CA_KEY_GENERATION, "1"));
        Map<String, String> clientsCaKeyData = clientsCaKeySecret.getData();
        assertThat(clientsCaKeyData.keySet(), is(singleton(CA_KEY)));
        String newClientsCaKey = clientsCaKeyData.remove(CA_KEY);
        assertThat(newClientsCaKey, is(notNullValue()));
        assertThat(newClientsCaKey, is(not(initialClientsCaKeySecret.getData().get(CA_KEY))));
        async.flag();
    })));
}
Also used : X509Certificate(java.security.cert.X509Certificate) CoreMatchers.is(org.hamcrest.CoreMatchers.is) BeforeEach(org.junit.jupiter.api.BeforeEach) CertificateFactory(java.security.cert.CertificateFactory) CA_KEY(io.strimzi.operator.cluster.model.Ca.CA_KEY) Date(java.util.Date) ArgumentMatchers.eq(org.mockito.ArgumentMatchers.eq) KeyStoreException(java.security.KeyStoreException) CoreMatchers.notNullValue(org.hamcrest.CoreMatchers.notNullValue) CoreMatchers.instanceOf(org.hamcrest.CoreMatchers.instanceOf) ExtendWith(org.junit.jupiter.api.extension.ExtendWith) ByteArrayInputStream(java.io.ByteArrayInputStream) Collections.singleton(java.util.Collections.singleton) KafkaResources(io.strimzi.api.kafka.model.KafkaResources) Ca(io.strimzi.operator.cluster.model.Ca) Map(java.util.Map) PodOperator(io.strimzi.operator.common.operator.resource.PodOperator) ResourceOperatorSupplier(io.strimzi.operator.cluster.operator.resource.ResourceOperatorSupplier) ResourceUtils(io.strimzi.operator.cluster.ResourceUtils) Path(java.nio.file.Path) AbstractModel(io.strimzi.operator.cluster.model.AbstractModel) StatefulSetOperator(io.strimzi.operator.cluster.operator.resource.StatefulSetOperator) ModelUtils(io.strimzi.operator.cluster.model.ModelUtils) DeploymentOperator(io.strimzi.operator.common.operator.resource.DeploymentOperator) SecretOperator(io.strimzi.operator.common.operator.resource.SecretOperator) KeyStore(java.security.KeyStore) VertxExtension(io.vertx.junit5.VertxExtension) Instant(java.time.Instant) Future(io.vertx.core.Future) Collectors(java.util.stream.Collectors) StandardCharsets(java.nio.charset.StandardCharsets) Subject(io.strimzi.certs.Subject) Test(org.junit.jupiter.api.Test) Objects(java.util.Objects) Base64(java.util.Base64) List(java.util.List) Labels(io.strimzi.operator.common.model.Labels) PasswordGenerator(io.strimzi.operator.common.PasswordGenerator) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) CA_STORE_PASSWORD(io.strimzi.operator.cluster.model.Ca.CA_STORE_PASSWORD) Secret(io.fabric8.kubernetes.api.model.Secret) CA_STORE(io.strimzi.operator.cluster.model.Ca.CA_STORE) Checkpoint(io.vertx.junit5.Checkpoint) ClusterCa(io.strimzi.operator.cluster.model.ClusterCa) PlatformFeaturesAvailability(io.strimzi.operator.PlatformFeaturesAvailability) Mockito.mock(org.mockito.Mockito.mock) VertxTestContext(io.vertx.junit5.VertxTestContext) ArgumentMatchers.any(org.mockito.ArgumentMatchers.any) Matchers.aMapWithSize(org.hamcrest.Matchers.aMapWithSize) CoreMatchers.not(org.hamcrest.CoreMatchers.not) OwnerReference(io.fabric8.kubernetes.api.model.OwnerReference) CertAndKey(io.strimzi.certs.CertAndKey) Supplier(java.util.function.Supplier) KafkaBuilder(io.strimzi.api.kafka.model.KafkaBuilder) ArrayList(java.util.ArrayList) ArgumentCaptor(org.mockito.ArgumentCaptor) ClusterOperator(io.strimzi.operator.cluster.ClusterOperator) TestUtils(io.strimzi.test.TestUtils) Matchers.hasSize(org.hamcrest.Matchers.hasSize) ReconcileResult(io.strimzi.operator.common.operator.resource.ReconcileResult) MatcherAssert.assertThat(org.hamcrest.MatcherAssert.assertThat) CertificateExpirationPolicy(io.strimzi.api.kafka.model.CertificateExpirationPolicy) Matchers.hasEntry(org.hamcrest.Matchers.hasEntry) CertificateAuthority(io.strimzi.api.kafka.model.CertificateAuthority) Files(java.nio.file.Files) InvalidResourceException(io.strimzi.operator.cluster.model.InvalidResourceException) Promise(io.vertx.core.Promise) KubernetesVersion(io.strimzi.operator.KubernetesVersion) Vertx(io.vertx.core.Vertx) IOException(java.io.IOException) CertificateException(java.security.cert.CertificateException) TestUtils.set(io.strimzi.test.TestUtils.set) Mockito.when(org.mockito.Mockito.when) Reconciliation(io.strimzi.operator.common.Reconciliation) CA_CRT(io.strimzi.operator.cluster.model.Ca.CA_CRT) SecretBuilder(io.fabric8.kubernetes.api.model.SecretBuilder) Kafka(io.strimzi.api.kafka.model.Kafka) OpenSslCertManager(io.strimzi.certs.OpenSslCertManager) CertificateAuthorityBuilder(io.strimzi.api.kafka.model.CertificateAuthorityBuilder) ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString) Kafka(io.strimzi.api.kafka.model.Kafka) KafkaBuilder(io.strimzi.api.kafka.model.KafkaBuilder) ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString) CertificateAuthorityBuilder(io.strimzi.api.kafka.model.CertificateAuthorityBuilder) X509Certificate(java.security.cert.X509Certificate) Secret(io.fabric8.kubernetes.api.model.Secret) Checkpoint(io.vertx.junit5.Checkpoint) CertificateAuthority(io.strimzi.api.kafka.model.CertificateAuthority) Map(java.util.Map) Test(org.junit.jupiter.api.Test)

Example 12 with CA_KEY

use of io.strimzi.operator.cluster.model.Ca.CA_KEY in project strimzi by strimzi.

the class CertificateRenewalTest method testNewCertsGetGeneratedWhenInRenewalPeriodAuto.

@Test
public void testNewCertsGetGeneratedWhenInRenewalPeriodAuto(Vertx vertx, VertxTestContext context) throws IOException, CertificateException, KeyStoreException, NoSuchAlgorithmException {
    CertificateAuthority certificateAuthority = new CertificateAuthorityBuilder().withValidityDays(2).withRenewalDays(3).withGenerateCertificateAuthority(true).build();
    List<Secret> clusterCaSecrets = initialClusterCaSecrets(certificateAuthority);
    Secret initialClusterCaKeySecret = clusterCaSecrets.get(0);
    Secret initialClusterCaCertSecret = clusterCaSecrets.get(1);
    assertThat(initialClusterCaCertSecret.getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
    assertThat(initialClusterCaCertSecret.getData().get(CA_CRT), is(notNullValue()));
    assertThat(initialClusterCaCertSecret.getData().get(CA_STORE), is(notNullValue()));
    assertThat(initialClusterCaCertSecret.getData().get(CA_STORE_PASSWORD), is(notNullValue()));
    assertThat(isCertInTrustStore(CA_CRT, initialClusterCaCertSecret.getData()), is(true));
    assertThat(initialClusterCaKeySecret.getData().keySet(), is(singleton(CA_KEY)));
    assertThat(initialClusterCaKeySecret.getData().get(CA_KEY), is(notNullValue()));
    List<Secret> clientsCaSecrets = initialClientsCaSecrets(certificateAuthority);
    Secret initialClientsCaKeySecret = clientsCaSecrets.get(0);
    Secret initialClientsCaCertSecret = clientsCaSecrets.get(1);
    assertThat(initialClientsCaCertSecret.getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
    assertThat(initialClientsCaCertSecret.getData().get(CA_CRT), is(notNullValue()));
    assertThat(initialClientsCaCertSecret.getData().get(CA_STORE), is(notNullValue()));
    assertThat(initialClientsCaCertSecret.getData().get(CA_STORE_PASSWORD), is(notNullValue()));
    assertThat(isCertInTrustStore(CA_CRT, initialClientsCaCertSecret.getData()), is(true));
    assertThat(initialClientsCaKeySecret.getData().keySet(), is(singleton(CA_KEY)));
    assertThat(initialClientsCaKeySecret.getData().get(CA_KEY), is(notNullValue()));
    secrets.add(initialClusterCaCertSecret);
    secrets.add(initialClusterCaKeySecret);
    secrets.add(initialClientsCaCertSecret);
    secrets.add(initialClientsCaKeySecret);
    Checkpoint async = context.checkpoint();
    reconcileCa(vertx, certificateAuthority, certificateAuthority).onComplete(context.succeeding(c -> context.verify(() -> {
        assertThat(c.getAllValues(), hasSize(4));
        Map<String, String> clusterCaCertData = c.getAllValues().get(0).getData();
        assertThat(clusterCaCertData.keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
        X509Certificate newX509ClusterCaCertStore = getCertificateFromTrustStore(CA_CRT, clusterCaCertData);
        String newClusterCaCert = clusterCaCertData.remove(CA_CRT);
        String newClusterCaCertStore = clusterCaCertData.remove(CA_STORE);
        String newClusterCaCertStorePassword = clusterCaCertData.remove(CA_STORE_PASSWORD);
        assertThat(newClusterCaCert, is(notNullValue()));
        assertThat(newClusterCaCertStore, is(notNullValue()));
        assertThat(newClusterCaCertStorePassword, is(notNullValue()));
        assertThat(newClusterCaCert, is(not(initialClusterCaCertSecret.getData().get(CA_CRT))));
        assertThat(newClusterCaCertStore, is(not(initialClusterCaCertSecret.getData().get(CA_STORE))));
        assertThat(newClusterCaCertStorePassword, is(not(initialClusterCaCertSecret.getData().get(CA_STORE_PASSWORD))));
        assertThat(newX509ClusterCaCertStore, is(x509Certificate(newClusterCaCert)));
        Map<String, String> clusterCaKeyData = c.getAllValues().get(1).getData();
        assertThat(clusterCaKeyData.keySet(), is(singleton(CA_KEY)));
        String newClusterCaKey = clusterCaKeyData.remove(CA_KEY);
        assertThat(newClusterCaKey, is(notNullValue()));
        assertThat(newClusterCaKey, is(initialClusterCaKeySecret.getData().get(CA_KEY)));
        Map<String, String> clientsCaCertData = c.getAllValues().get(2).getData();
        assertThat(clientsCaCertData.keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
        X509Certificate newX509ClientsCaCertStore = getCertificateFromTrustStore(CA_CRT, clientsCaCertData);
        String newClientsCaCert = clientsCaCertData.remove(CA_CRT);
        String newClientsCaCertStore = clientsCaCertData.remove(CA_STORE);
        String newClientsCaCertStorePassword = clientsCaCertData.remove(CA_STORE_PASSWORD);
        assertThat(newClientsCaCert, is(notNullValue()));
        assertThat(newClientsCaCertStore, is(notNullValue()));
        assertThat(newClientsCaCertStorePassword, is(notNullValue()));
        assertThat(newClientsCaCert, is(not(initialClientsCaCertSecret.getData().get(CA_CRT))));
        assertThat(newClientsCaCertStore, is(not(initialClientsCaCertSecret.getData().get(CA_STORE))));
        assertThat(newClientsCaCertStorePassword, is(not(initialClientsCaCertSecret.getData().get(CA_STORE_PASSWORD))));
        assertThat(newX509ClientsCaCertStore, is(x509Certificate(newClientsCaCert)));
        Map<String, String> clientsCaKeyData = c.getAllValues().get(3).getData();
        assertThat(clientsCaKeyData.keySet(), is(singleton(CA_KEY)));
        String newClientsCaKey = clientsCaKeyData.remove(CA_KEY);
        assertThat(newClientsCaKey, is(notNullValue()));
        assertThat(newClientsCaKey, is(initialClientsCaKeySecret.getData().get(CA_KEY)));
        async.flag();
    })));
}
Also used : Secret(io.fabric8.kubernetes.api.model.Secret) X509Certificate(java.security.cert.X509Certificate) CoreMatchers.is(org.hamcrest.CoreMatchers.is) BeforeEach(org.junit.jupiter.api.BeforeEach) CertificateFactory(java.security.cert.CertificateFactory) CA_KEY(io.strimzi.operator.cluster.model.Ca.CA_KEY) Date(java.util.Date) ArgumentMatchers.eq(org.mockito.ArgumentMatchers.eq) KeyStoreException(java.security.KeyStoreException) CoreMatchers.notNullValue(org.hamcrest.CoreMatchers.notNullValue) CoreMatchers.instanceOf(org.hamcrest.CoreMatchers.instanceOf) ExtendWith(org.junit.jupiter.api.extension.ExtendWith) ByteArrayInputStream(java.io.ByteArrayInputStream) Collections.singleton(java.util.Collections.singleton) KafkaResources(io.strimzi.api.kafka.model.KafkaResources) Ca(io.strimzi.operator.cluster.model.Ca) Map(java.util.Map) PodOperator(io.strimzi.operator.common.operator.resource.PodOperator) ResourceOperatorSupplier(io.strimzi.operator.cluster.operator.resource.ResourceOperatorSupplier) ResourceUtils(io.strimzi.operator.cluster.ResourceUtils) Path(java.nio.file.Path) AbstractModel(io.strimzi.operator.cluster.model.AbstractModel) StatefulSetOperator(io.strimzi.operator.cluster.operator.resource.StatefulSetOperator) ModelUtils(io.strimzi.operator.cluster.model.ModelUtils) DeploymentOperator(io.strimzi.operator.common.operator.resource.DeploymentOperator) SecretOperator(io.strimzi.operator.common.operator.resource.SecretOperator) KeyStore(java.security.KeyStore) VertxExtension(io.vertx.junit5.VertxExtension) Instant(java.time.Instant) Future(io.vertx.core.Future) Collectors(java.util.stream.Collectors) StandardCharsets(java.nio.charset.StandardCharsets) Subject(io.strimzi.certs.Subject) Test(org.junit.jupiter.api.Test) Objects(java.util.Objects) Base64(java.util.Base64) List(java.util.List) Labels(io.strimzi.operator.common.model.Labels) PasswordGenerator(io.strimzi.operator.common.PasswordGenerator) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) CA_STORE_PASSWORD(io.strimzi.operator.cluster.model.Ca.CA_STORE_PASSWORD) Secret(io.fabric8.kubernetes.api.model.Secret) CA_STORE(io.strimzi.operator.cluster.model.Ca.CA_STORE) Checkpoint(io.vertx.junit5.Checkpoint) ClusterCa(io.strimzi.operator.cluster.model.ClusterCa) PlatformFeaturesAvailability(io.strimzi.operator.PlatformFeaturesAvailability) Mockito.mock(org.mockito.Mockito.mock) VertxTestContext(io.vertx.junit5.VertxTestContext) ArgumentMatchers.any(org.mockito.ArgumentMatchers.any) Matchers.aMapWithSize(org.hamcrest.Matchers.aMapWithSize) CoreMatchers.not(org.hamcrest.CoreMatchers.not) OwnerReference(io.fabric8.kubernetes.api.model.OwnerReference) CertAndKey(io.strimzi.certs.CertAndKey) Supplier(java.util.function.Supplier) KafkaBuilder(io.strimzi.api.kafka.model.KafkaBuilder) ArrayList(java.util.ArrayList) ArgumentCaptor(org.mockito.ArgumentCaptor) ClusterOperator(io.strimzi.operator.cluster.ClusterOperator) TestUtils(io.strimzi.test.TestUtils) Matchers.hasSize(org.hamcrest.Matchers.hasSize) ReconcileResult(io.strimzi.operator.common.operator.resource.ReconcileResult) MatcherAssert.assertThat(org.hamcrest.MatcherAssert.assertThat) CertificateExpirationPolicy(io.strimzi.api.kafka.model.CertificateExpirationPolicy) Matchers.hasEntry(org.hamcrest.Matchers.hasEntry) CertificateAuthority(io.strimzi.api.kafka.model.CertificateAuthority) Files(java.nio.file.Files) InvalidResourceException(io.strimzi.operator.cluster.model.InvalidResourceException) Promise(io.vertx.core.Promise) KubernetesVersion(io.strimzi.operator.KubernetesVersion) Vertx(io.vertx.core.Vertx) IOException(java.io.IOException) CertificateException(java.security.cert.CertificateException) TestUtils.set(io.strimzi.test.TestUtils.set) Mockito.when(org.mockito.Mockito.when) Reconciliation(io.strimzi.operator.common.Reconciliation) CA_CRT(io.strimzi.operator.cluster.model.Ca.CA_CRT) SecretBuilder(io.fabric8.kubernetes.api.model.SecretBuilder) Kafka(io.strimzi.api.kafka.model.Kafka) OpenSslCertManager(io.strimzi.certs.OpenSslCertManager) CertificateAuthorityBuilder(io.strimzi.api.kafka.model.CertificateAuthorityBuilder) ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString) Checkpoint(io.vertx.junit5.Checkpoint) CertificateAuthority(io.strimzi.api.kafka.model.CertificateAuthority) ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString) CertificateAuthorityBuilder(io.strimzi.api.kafka.model.CertificateAuthorityBuilder) X509Certificate(java.security.cert.X509Certificate) Test(org.junit.jupiter.api.Test)

Example 13 with CA_KEY

use of io.strimzi.operator.cluster.model.Ca.CA_KEY in project strimzi by strimzi.

the class CertificateRenewalTest method testExpiredCertsGetRemovedAuto.

@Test
public void testExpiredCertsGetRemovedAuto(Vertx vertx, VertxTestContext context) throws IOException, CertificateException, KeyStoreException, NoSuchAlgorithmException {
    CertificateAuthority certificateAuthority = new CertificateAuthorityBuilder().withValidityDays(100).withRenewalDays(10).withGenerateCertificateAuthority(true).build();
    List<Secret> clusterCaSecrets = initialClusterCaSecrets(certificateAuthority);
    Secret initialClusterCaKeySecret = clusterCaSecrets.get(0);
    Secret initialClusterCaCertSecret = clusterCaSecrets.get(1);
    assertThat(initialClusterCaCertSecret.getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
    assertThat(initialClusterCaCertSecret.getData().get(CA_CRT), is(notNullValue()));
    assertThat(initialClusterCaCertSecret.getData().get(CA_STORE), is(notNullValue()));
    assertThat(initialClusterCaCertSecret.getData().get(CA_STORE_PASSWORD), is(notNullValue()));
    assertThat(isCertInTrustStore(CA_CRT, initialClusterCaCertSecret.getData()), is(true));
    // add an expired certificate to the secret ...
    String clusterCert = Objects.requireNonNull(TestUtils.readResource(getClass(), "cluster-ca.crt"));
    String encodedClusterCert = Base64.getEncoder().encodeToString(clusterCert.getBytes(StandardCharsets.UTF_8));
    initialClusterCaCertSecret.getData().put("ca-2018-07-01T09-00-00.crt", encodedClusterCert);
    assertThat(initialClusterCaKeySecret.getData().keySet(), is(singleton(CA_KEY)));
    assertThat(initialClusterCaKeySecret.getData().get(CA_KEY), is(notNullValue()));
    // ... and to the related truststore
    Path certFile = Files.createTempFile("tls", "-cert");
    Path trustStoreFile = Files.createTempFile("tls", "-truststore");
    Files.write(certFile, Base64.getDecoder().decode(initialClusterCaCertSecret.getData().get("ca-2018-07-01T09-00-00.crt")));
    Files.write(trustStoreFile, Base64.getDecoder().decode(initialClusterCaCertSecret.getData().get(CA_STORE)));
    String trustStorePassword = new String(Base64.getDecoder().decode(initialClusterCaCertSecret.getData().get(CA_STORE_PASSWORD)), StandardCharsets.US_ASCII);
    certManager.addCertToTrustStore(certFile.toFile(), "ca-2018-07-01T09-00-00.crt", trustStoreFile.toFile(), trustStorePassword);
    initialClusterCaCertSecret.getData().put(CA_STORE, Base64.getEncoder().encodeToString(Files.readAllBytes(trustStoreFile)));
    assertThat(isCertInTrustStore("ca-2018-07-01T09-00-00.crt", initialClusterCaCertSecret.getData()), is(true));
    List<Secret> clientsCaSecrets = initialClientsCaSecrets(certificateAuthority);
    Secret initialClientsCaKeySecret = clientsCaSecrets.get(0);
    Secret initialClientsCaCertSecret = clientsCaSecrets.get(1);
    assertThat(initialClientsCaCertSecret.getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
    assertThat(initialClientsCaCertSecret.getData().get(CA_CRT), is(notNullValue()));
    assertThat(initialClientsCaCertSecret.getData().get(CA_STORE), is(notNullValue()));
    assertThat(initialClientsCaCertSecret.getData().get(CA_STORE_PASSWORD), is(notNullValue()));
    assertThat(isCertInTrustStore(CA_CRT, initialClientsCaCertSecret.getData()), is(true));
    // add an expired certificate to the secret ...
    String clientCert = Objects.requireNonNull(TestUtils.readResource(getClass(), "clients-ca.crt"));
    String encodedClientCert = Base64.getEncoder().encodeToString(clientCert.getBytes(StandardCharsets.UTF_8));
    initialClientsCaCertSecret.getData().put("ca-2018-07-01T09-00-00.crt", encodedClientCert);
    assertThat(initialClientsCaKeySecret.getData().keySet(), is(singleton(CA_KEY)));
    assertThat(initialClientsCaKeySecret.getData().get(CA_KEY), is(notNullValue()));
    // ... and to the related truststore
    certFile = Files.createTempFile("tls", "-cert");
    Files.write(certFile, Base64.getDecoder().decode(initialClientsCaCertSecret.getData().get("ca-2018-07-01T09-00-00.crt")));
    trustStoreFile = Files.createTempFile("tls", "-truststore");
    Files.write(trustStoreFile, Base64.getDecoder().decode(initialClientsCaCertSecret.getData().get(CA_STORE)));
    trustStorePassword = new String(Base64.getDecoder().decode(initialClientsCaCertSecret.getData().get(CA_STORE_PASSWORD)), StandardCharsets.US_ASCII);
    certManager.addCertToTrustStore(certFile.toFile(), "ca-2018-07-01T09-00-00.crt", trustStoreFile.toFile(), trustStorePassword);
    initialClientsCaCertSecret.getData().put(CA_STORE, Base64.getEncoder().encodeToString(Files.readAllBytes(trustStoreFile)));
    assertThat(isCertInTrustStore("ca-2018-07-01T09-00-00.crt", initialClientsCaCertSecret.getData()), is(true));
    secrets.add(initialClusterCaCertSecret);
    secrets.add(initialClusterCaKeySecret);
    secrets.add(initialClientsCaCertSecret);
    secrets.add(initialClientsCaKeySecret);
    Checkpoint async = context.checkpoint();
    reconcileCa(vertx, certificateAuthority, certificateAuthority).onComplete(context.succeeding(c -> context.verify(() -> {
        assertThat(c.getAllValues(), hasSize(4));
        Map<String, String> clusterCaCertData = c.getAllValues().get(0).getData();
        assertThat(clusterCaCertData, aMapWithSize(3));
        assertThat(clusterCaCertData.get(CA_CRT), is(initialClusterCaCertSecret.getData().get(CA_CRT)));
        assertThat(clusterCaCertData.get(CA_STORE), is(initialClusterCaCertSecret.getData().get(CA_STORE)));
        assertThat(clusterCaCertData.get(CA_STORE_PASSWORD), is(initialClusterCaCertSecret.getData().get(CA_STORE_PASSWORD)));
        assertThat(getCertificateFromTrustStore(CA_CRT, clusterCaCertData), is(x509Certificate(clusterCaCertData.get(CA_CRT))));
        Map<String, String> clusterCaKeyData = c.getAllValues().get(1).getData();
        assertThat(clusterCaKeyData.get(CA_KEY), is(initialClusterCaKeySecret.getData().get(CA_KEY)));
        assertThat(isCertInTrustStore("ca-2018-07-01T09-00-00.crt", clusterCaCertData), is(false));
        Map<String, String> clientsCaCertData = c.getAllValues().get(2).getData();
        assertThat(clientsCaCertData, aMapWithSize(3));
        assertThat(clientsCaCertData.get(CA_CRT), is(initialClientsCaCertSecret.getData().get(CA_CRT)));
        assertThat(clientsCaCertData.get(CA_STORE), is(initialClientsCaCertSecret.getData().get(CA_STORE)));
        assertThat(clientsCaCertData.get(CA_STORE_PASSWORD), is(initialClientsCaCertSecret.getData().get(CA_STORE_PASSWORD)));
        assertThat(getCertificateFromTrustStore(CA_CRT, clientsCaCertData), is(x509Certificate(clientsCaCertData.get(CA_CRT))));
        Map<String, String> clientsCaKeyData = c.getAllValues().get(3).getData();
        assertThat(clientsCaKeyData.get(CA_KEY), is(initialClientsCaKeySecret.getData().get(CA_KEY)));
        assertThat(isCertInTrustStore("ca-2018-07-01T09-00-00.crt", clientsCaCertData), is(false));
        async.flag();
    })));
}
Also used : Secret(io.fabric8.kubernetes.api.model.Secret) Path(java.nio.file.Path) X509Certificate(java.security.cert.X509Certificate) CoreMatchers.is(org.hamcrest.CoreMatchers.is) BeforeEach(org.junit.jupiter.api.BeforeEach) CertificateFactory(java.security.cert.CertificateFactory) CA_KEY(io.strimzi.operator.cluster.model.Ca.CA_KEY) Date(java.util.Date) ArgumentMatchers.eq(org.mockito.ArgumentMatchers.eq) KeyStoreException(java.security.KeyStoreException) CoreMatchers.notNullValue(org.hamcrest.CoreMatchers.notNullValue) CoreMatchers.instanceOf(org.hamcrest.CoreMatchers.instanceOf) ExtendWith(org.junit.jupiter.api.extension.ExtendWith) ByteArrayInputStream(java.io.ByteArrayInputStream) Collections.singleton(java.util.Collections.singleton) KafkaResources(io.strimzi.api.kafka.model.KafkaResources) Ca(io.strimzi.operator.cluster.model.Ca) Map(java.util.Map) PodOperator(io.strimzi.operator.common.operator.resource.PodOperator) ResourceOperatorSupplier(io.strimzi.operator.cluster.operator.resource.ResourceOperatorSupplier) ResourceUtils(io.strimzi.operator.cluster.ResourceUtils) Path(java.nio.file.Path) AbstractModel(io.strimzi.operator.cluster.model.AbstractModel) StatefulSetOperator(io.strimzi.operator.cluster.operator.resource.StatefulSetOperator) ModelUtils(io.strimzi.operator.cluster.model.ModelUtils) DeploymentOperator(io.strimzi.operator.common.operator.resource.DeploymentOperator) SecretOperator(io.strimzi.operator.common.operator.resource.SecretOperator) KeyStore(java.security.KeyStore) VertxExtension(io.vertx.junit5.VertxExtension) Instant(java.time.Instant) Future(io.vertx.core.Future) Collectors(java.util.stream.Collectors) StandardCharsets(java.nio.charset.StandardCharsets) Subject(io.strimzi.certs.Subject) Test(org.junit.jupiter.api.Test) Objects(java.util.Objects) Base64(java.util.Base64) List(java.util.List) Labels(io.strimzi.operator.common.model.Labels) PasswordGenerator(io.strimzi.operator.common.PasswordGenerator) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) CA_STORE_PASSWORD(io.strimzi.operator.cluster.model.Ca.CA_STORE_PASSWORD) Secret(io.fabric8.kubernetes.api.model.Secret) CA_STORE(io.strimzi.operator.cluster.model.Ca.CA_STORE) Checkpoint(io.vertx.junit5.Checkpoint) ClusterCa(io.strimzi.operator.cluster.model.ClusterCa) PlatformFeaturesAvailability(io.strimzi.operator.PlatformFeaturesAvailability) Mockito.mock(org.mockito.Mockito.mock) VertxTestContext(io.vertx.junit5.VertxTestContext) ArgumentMatchers.any(org.mockito.ArgumentMatchers.any) Matchers.aMapWithSize(org.hamcrest.Matchers.aMapWithSize) CoreMatchers.not(org.hamcrest.CoreMatchers.not) OwnerReference(io.fabric8.kubernetes.api.model.OwnerReference) CertAndKey(io.strimzi.certs.CertAndKey) Supplier(java.util.function.Supplier) KafkaBuilder(io.strimzi.api.kafka.model.KafkaBuilder) ArrayList(java.util.ArrayList) ArgumentCaptor(org.mockito.ArgumentCaptor) ClusterOperator(io.strimzi.operator.cluster.ClusterOperator) TestUtils(io.strimzi.test.TestUtils) Matchers.hasSize(org.hamcrest.Matchers.hasSize) ReconcileResult(io.strimzi.operator.common.operator.resource.ReconcileResult) MatcherAssert.assertThat(org.hamcrest.MatcherAssert.assertThat) CertificateExpirationPolicy(io.strimzi.api.kafka.model.CertificateExpirationPolicy) Matchers.hasEntry(org.hamcrest.Matchers.hasEntry) CertificateAuthority(io.strimzi.api.kafka.model.CertificateAuthority) Files(java.nio.file.Files) InvalidResourceException(io.strimzi.operator.cluster.model.InvalidResourceException) Promise(io.vertx.core.Promise) KubernetesVersion(io.strimzi.operator.KubernetesVersion) Vertx(io.vertx.core.Vertx) IOException(java.io.IOException) CertificateException(java.security.cert.CertificateException) TestUtils.set(io.strimzi.test.TestUtils.set) Mockito.when(org.mockito.Mockito.when) Reconciliation(io.strimzi.operator.common.Reconciliation) CA_CRT(io.strimzi.operator.cluster.model.Ca.CA_CRT) SecretBuilder(io.fabric8.kubernetes.api.model.SecretBuilder) Kafka(io.strimzi.api.kafka.model.Kafka) OpenSslCertManager(io.strimzi.certs.OpenSslCertManager) CertificateAuthorityBuilder(io.strimzi.api.kafka.model.CertificateAuthorityBuilder) ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString) Checkpoint(io.vertx.junit5.Checkpoint) CertificateAuthority(io.strimzi.api.kafka.model.CertificateAuthority) ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString) CertificateAuthorityBuilder(io.strimzi.api.kafka.model.CertificateAuthorityBuilder) Test(org.junit.jupiter.api.Test)

Example 14 with CA_KEY

use of io.strimzi.operator.cluster.model.Ca.CA_KEY in project strimzi by strimzi.

the class CertificateRenewalTest method testNewKeyGetGeneratedWhenInRenewalPeriodAuto.

@Test
public void testNewKeyGetGeneratedWhenInRenewalPeriodAuto(Vertx vertx, VertxTestContext context) throws IOException, CertificateException, KeyStoreException, NoSuchAlgorithmException {
    CertificateAuthority certificateAuthority = new CertificateAuthorityBuilder().withValidityDays(2).withRenewalDays(3).withGenerateCertificateAuthority(true).withCertificateExpirationPolicy(CertificateExpirationPolicy.REPLACE_KEY).build();
    List<Secret> clusterCaSecrets = initialClusterCaSecrets(certificateAuthority);
    Secret initialClusterCaKeySecret = clusterCaSecrets.get(0);
    Secret initialClusterCaCertSecret = clusterCaSecrets.get(1);
    assertThat(initialClusterCaCertSecret.getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
    assertThat(initialClusterCaCertSecret.getData().get(CA_CRT), is(notNullValue()));
    assertThat(initialClusterCaCertSecret.getData().get(CA_STORE), is(notNullValue()));
    assertThat(initialClusterCaCertSecret.getData().get(CA_STORE_PASSWORD), is(notNullValue()));
    assertThat(isCertInTrustStore(CA_CRT, initialClusterCaCertSecret.getData()), is(true));
    assertThat(initialClusterCaKeySecret.getData().keySet(), is(singleton(CA_KEY)));
    assertThat(initialClusterCaKeySecret.getData().get(CA_KEY), is(notNullValue()));
    List<Secret> clientsCaSecrets = initialClientsCaSecrets(certificateAuthority);
    Secret initialClientsCaKeySecret = clientsCaSecrets.get(0);
    Secret initialClientsCaCertSecret = clientsCaSecrets.get(1);
    assertThat(initialClientsCaCertSecret.getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
    assertThat(initialClientsCaCertSecret.getData().get(CA_CRT), is(notNullValue()));
    assertThat(initialClientsCaCertSecret.getData().get(CA_STORE), is(notNullValue()));
    assertThat(initialClientsCaCertSecret.getData().get(CA_STORE_PASSWORD), is(notNullValue()));
    assertThat(isCertInTrustStore(CA_CRT, initialClientsCaCertSecret.getData()), is(true));
    assertThat(initialClientsCaKeySecret.getData().keySet(), is(singleton(CA_KEY)));
    assertThat(initialClientsCaKeySecret.getData().get(CA_KEY), is(notNullValue()));
    secrets.add(initialClusterCaCertSecret);
    secrets.add(initialClusterCaKeySecret);
    secrets.add(initialClientsCaCertSecret);
    secrets.add(initialClientsCaKeySecret);
    Checkpoint async = context.checkpoint();
    reconcileCa(vertx, certificateAuthority, certificateAuthority).onComplete(context.succeeding(c -> context.verify(() -> {
        assertThat(c.getAllValues(), hasSize(4));
        Map<String, String> clusterCaCertData = c.getAllValues().get(0).getData();
        assertThat(clusterCaCertData, aMapWithSize(4));
        X509Certificate newX509ClusterCaCertStore = getCertificateFromTrustStore(CA_CRT, clusterCaCertData);
        String oldClusterCaCertKey = clusterCaCertData.keySet().stream().filter(alias -> alias.startsWith("ca-")).findAny().orElseThrow();
        X509Certificate oldX509ClusterCaCertStore = getCertificateFromTrustStore(oldClusterCaCertKey, clusterCaCertData);
        String newClusterCaCert = clusterCaCertData.remove(CA_CRT);
        String newClusterCaCertStore = clusterCaCertData.remove(CA_STORE);
        String newClusterCaCertStorePassword = clusterCaCertData.remove(CA_STORE_PASSWORD);
        assertThat(newClusterCaCert, is(not(initialClusterCaCertSecret.getData().get(CA_CRT))));
        assertThat(newClusterCaCertStore, is(not(initialClusterCaCertSecret.getData().get(CA_STORE))));
        assertThat(newClusterCaCertStorePassword, is(initialClusterCaCertSecret.getData().get(CA_STORE_PASSWORD)));
        assertThat(newX509ClusterCaCertStore, is(x509Certificate(newClusterCaCert)));
        Map.Entry<String, String> oldClusterCaCert = clusterCaCertData.entrySet().iterator().next();
        assertThat(oldClusterCaCert.getValue(), is(initialClusterCaCertSecret.getData().get(CA_CRT)));
        assertThat(oldX509ClusterCaCertStore, is(x509Certificate(String.valueOf(oldClusterCaCert.getValue()))));
        assertThat(x509Certificate(newClusterCaCert).getSubjectDN().getName(), is("CN=cluster-ca v1, O=io.strimzi"));
        Secret clusterCaKeySecret = c.getAllValues().get(1);
        assertThat(clusterCaKeySecret.getMetadata().getAnnotations(), hasEntry(Ca.ANNO_STRIMZI_IO_CA_KEY_GENERATION, "1"));
        Map<String, String> clusterCaKeyData = clusterCaKeySecret.getData();
        assertThat(clusterCaKeyData.keySet(), is(singleton(CA_KEY)));
        String newClusterCaKey = clusterCaKeyData.remove(CA_KEY);
        assertThat(newClusterCaKey, is(notNullValue()));
        assertThat(newClusterCaKey, is(not(initialClusterCaKeySecret.getData().get(CA_KEY))));
        Map<String, String> clientsCaCertData = c.getAllValues().get(2).getData();
        assertThat(clientsCaCertData, aMapWithSize(4));
        X509Certificate newX509ClientsCaCertStore = getCertificateFromTrustStore(CA_CRT, clientsCaCertData);
        String oldClientsCaCertKey = clientsCaCertData.keySet().stream().filter(alias -> alias.startsWith("ca-")).findAny().orElseThrow();
        X509Certificate oldX509ClientsCaCertStore = getCertificateFromTrustStore(oldClientsCaCertKey, clientsCaCertData);
        String newClientsCaCert = clientsCaCertData.remove(CA_CRT);
        String newClientsCaCertStore = clientsCaCertData.remove(CA_STORE);
        String newClientsCaCertStorePassword = clientsCaCertData.remove(CA_STORE_PASSWORD);
        assertThat(newClientsCaCert, is(not(initialClientsCaCertSecret.getData().get(CA_CRT))));
        assertThat(newClientsCaCertStore, is(not(initialClientsCaCertSecret.getData().get(CA_STORE))));
        assertThat(newClientsCaCertStorePassword, is(initialClientsCaCertSecret.getData().get(CA_STORE_PASSWORD)));
        assertThat(newX509ClientsCaCertStore, is(x509Certificate(newClientsCaCert)));
        Map.Entry<String, String> oldClientsCaCert = clientsCaCertData.entrySet().iterator().next();
        assertThat(oldClientsCaCert.getValue(), is(initialClientsCaCertSecret.getData().get(CA_CRT)));
        assertThat(oldX509ClientsCaCertStore, is(x509Certificate(String.valueOf(oldClientsCaCert.getValue()))));
        assertThat(x509Certificate(newClientsCaCert).getSubjectDN().getName(), is("CN=clients-ca v1, O=io.strimzi"));
        Secret clientsCaKeySecret = c.getAllValues().get(3);
        assertThat(clientsCaKeySecret.getMetadata().getAnnotations(), hasEntry(Ca.ANNO_STRIMZI_IO_CA_KEY_GENERATION, "1"));
        Map<String, String> clientsCaKeyData = clientsCaKeySecret.getData();
        assertThat(clientsCaKeyData.keySet(), is(singleton(CA_KEY)));
        String newClientsCaKey = clientsCaKeyData.remove(CA_KEY);
        assertThat(newClientsCaKey, is(notNullValue()));
        assertThat(newClientsCaKey, is(not(initialClientsCaKeySecret.getData().get(CA_KEY))));
        async.flag();
    })));
}
Also used : Secret(io.fabric8.kubernetes.api.model.Secret) X509Certificate(java.security.cert.X509Certificate) CoreMatchers.is(org.hamcrest.CoreMatchers.is) BeforeEach(org.junit.jupiter.api.BeforeEach) CertificateFactory(java.security.cert.CertificateFactory) CA_KEY(io.strimzi.operator.cluster.model.Ca.CA_KEY) Date(java.util.Date) ArgumentMatchers.eq(org.mockito.ArgumentMatchers.eq) KeyStoreException(java.security.KeyStoreException) CoreMatchers.notNullValue(org.hamcrest.CoreMatchers.notNullValue) CoreMatchers.instanceOf(org.hamcrest.CoreMatchers.instanceOf) ExtendWith(org.junit.jupiter.api.extension.ExtendWith) ByteArrayInputStream(java.io.ByteArrayInputStream) Collections.singleton(java.util.Collections.singleton) KafkaResources(io.strimzi.api.kafka.model.KafkaResources) Ca(io.strimzi.operator.cluster.model.Ca) Map(java.util.Map) PodOperator(io.strimzi.operator.common.operator.resource.PodOperator) ResourceOperatorSupplier(io.strimzi.operator.cluster.operator.resource.ResourceOperatorSupplier) ResourceUtils(io.strimzi.operator.cluster.ResourceUtils) Path(java.nio.file.Path) AbstractModel(io.strimzi.operator.cluster.model.AbstractModel) StatefulSetOperator(io.strimzi.operator.cluster.operator.resource.StatefulSetOperator) ModelUtils(io.strimzi.operator.cluster.model.ModelUtils) DeploymentOperator(io.strimzi.operator.common.operator.resource.DeploymentOperator) SecretOperator(io.strimzi.operator.common.operator.resource.SecretOperator) KeyStore(java.security.KeyStore) VertxExtension(io.vertx.junit5.VertxExtension) Instant(java.time.Instant) Future(io.vertx.core.Future) Collectors(java.util.stream.Collectors) StandardCharsets(java.nio.charset.StandardCharsets) Subject(io.strimzi.certs.Subject) Test(org.junit.jupiter.api.Test) Objects(java.util.Objects) Base64(java.util.Base64) List(java.util.List) Labels(io.strimzi.operator.common.model.Labels) PasswordGenerator(io.strimzi.operator.common.PasswordGenerator) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) CA_STORE_PASSWORD(io.strimzi.operator.cluster.model.Ca.CA_STORE_PASSWORD) Secret(io.fabric8.kubernetes.api.model.Secret) CA_STORE(io.strimzi.operator.cluster.model.Ca.CA_STORE) Checkpoint(io.vertx.junit5.Checkpoint) ClusterCa(io.strimzi.operator.cluster.model.ClusterCa) PlatformFeaturesAvailability(io.strimzi.operator.PlatformFeaturesAvailability) Mockito.mock(org.mockito.Mockito.mock) VertxTestContext(io.vertx.junit5.VertxTestContext) ArgumentMatchers.any(org.mockito.ArgumentMatchers.any) Matchers.aMapWithSize(org.hamcrest.Matchers.aMapWithSize) CoreMatchers.not(org.hamcrest.CoreMatchers.not) OwnerReference(io.fabric8.kubernetes.api.model.OwnerReference) CertAndKey(io.strimzi.certs.CertAndKey) Supplier(java.util.function.Supplier) KafkaBuilder(io.strimzi.api.kafka.model.KafkaBuilder) ArrayList(java.util.ArrayList) ArgumentCaptor(org.mockito.ArgumentCaptor) ClusterOperator(io.strimzi.operator.cluster.ClusterOperator) TestUtils(io.strimzi.test.TestUtils) Matchers.hasSize(org.hamcrest.Matchers.hasSize) ReconcileResult(io.strimzi.operator.common.operator.resource.ReconcileResult) MatcherAssert.assertThat(org.hamcrest.MatcherAssert.assertThat) CertificateExpirationPolicy(io.strimzi.api.kafka.model.CertificateExpirationPolicy) Matchers.hasEntry(org.hamcrest.Matchers.hasEntry) CertificateAuthority(io.strimzi.api.kafka.model.CertificateAuthority) Files(java.nio.file.Files) InvalidResourceException(io.strimzi.operator.cluster.model.InvalidResourceException) Promise(io.vertx.core.Promise) KubernetesVersion(io.strimzi.operator.KubernetesVersion) Vertx(io.vertx.core.Vertx) IOException(java.io.IOException) CertificateException(java.security.cert.CertificateException) TestUtils.set(io.strimzi.test.TestUtils.set) Mockito.when(org.mockito.Mockito.when) Reconciliation(io.strimzi.operator.common.Reconciliation) CA_CRT(io.strimzi.operator.cluster.model.Ca.CA_CRT) SecretBuilder(io.fabric8.kubernetes.api.model.SecretBuilder) Kafka(io.strimzi.api.kafka.model.Kafka) OpenSslCertManager(io.strimzi.certs.OpenSslCertManager) CertificateAuthorityBuilder(io.strimzi.api.kafka.model.CertificateAuthorityBuilder) ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString) Checkpoint(io.vertx.junit5.Checkpoint) CertificateAuthority(io.strimzi.api.kafka.model.CertificateAuthority) ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString) CertificateAuthorityBuilder(io.strimzi.api.kafka.model.CertificateAuthorityBuilder) Map(java.util.Map) X509Certificate(java.security.cert.X509Certificate) Test(org.junit.jupiter.api.Test)

Example 15 with CA_KEY

use of io.strimzi.operator.cluster.model.Ca.CA_KEY in project strimzi by strimzi.

the class CertificateRenewalTest method testNewCertsGetGeneratedWhenInRenewalPeriodAutoWithinMaintenanceWindow.

@Test
public void testNewCertsGetGeneratedWhenInRenewalPeriodAutoWithinMaintenanceWindow(Vertx vertx, VertxTestContext context) throws IOException, CertificateException, KeyStoreException, NoSuchAlgorithmException {
    CertificateAuthority certificateAuthority = new CertificateAuthorityBuilder().withValidityDays(2).withRenewalDays(3).withGenerateCertificateAuthority(true).build();
    Kafka kafka = new KafkaBuilder().editOrNewMetadata().withName(NAME).withNamespace(NAMESPACE).endMetadata().withNewSpec().withClusterCa(certificateAuthority).withClientsCa(certificateAuthority).withMaintenanceTimeWindows("* 10-14 * * * ? *").endSpec().build();
    List<Secret> clusterCaSecrets = initialClusterCaSecrets(certificateAuthority);
    Secret initialClusterCaKeySecret = clusterCaSecrets.get(0);
    Secret initialClusterCaCertSecret = clusterCaSecrets.get(1);
    assertThat(initialClusterCaCertSecret.getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
    assertThat(initialClusterCaCertSecret.getData().get(CA_CRT), is(notNullValue()));
    assertThat(initialClusterCaCertSecret.getData().get(CA_STORE), is(notNullValue()));
    assertThat(initialClusterCaCertSecret.getData().get(CA_STORE_PASSWORD), is(notNullValue()));
    assertThat(isCertInTrustStore(CA_CRT, initialClusterCaCertSecret.getData()), is(true));
    assertThat(initialClusterCaKeySecret.getData().keySet(), is(singleton(CA_KEY)));
    assertThat(initialClusterCaKeySecret.getData().get(CA_KEY), is(notNullValue()));
    List<Secret> clientsCaSecrets = initialClientsCaSecrets(certificateAuthority);
    Secret initialClientsCaKeySecret = clientsCaSecrets.get(0);
    Secret initialClientsCaCertSecret = clientsCaSecrets.get(1);
    assertThat(initialClientsCaCertSecret.getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
    assertThat(initialClientsCaCertSecret.getData().get(CA_CRT), is(notNullValue()));
    assertThat(initialClientsCaCertSecret.getData().get(CA_STORE), is(notNullValue()));
    assertThat(initialClientsCaCertSecret.getData().get(CA_STORE_PASSWORD), is(notNullValue()));
    assertThat(isCertInTrustStore(CA_CRT, initialClientsCaCertSecret.getData()), is(true));
    assertThat(initialClientsCaKeySecret.getData().keySet(), is(singleton(CA_KEY)));
    assertThat(initialClientsCaKeySecret.getData().get(CA_KEY), is(notNullValue()));
    secrets.add(initialClusterCaCertSecret);
    secrets.add(initialClusterCaKeySecret);
    secrets.add(initialClientsCaCertSecret);
    secrets.add(initialClientsCaKeySecret);
    Checkpoint async = context.checkpoint();
    reconcileCa(vertx, kafka, () -> Date.from(Instant.parse("2018-11-26T09:12:00Z"))).onComplete(context.succeeding(c -> context.verify(() -> {
        assertThat(c.getAllValues().size(), is(4));
        Map<String, String> clusterCaCertData = c.getAllValues().get(0).getData();
        assertThat(clusterCaCertData.keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
        X509Certificate newX509ClusterCaCertStore = getCertificateFromTrustStore(CA_CRT, clusterCaCertData);
        assertThat(c.getAllValues().get(0).getMetadata().getAnnotations(), hasEntry(Ca.ANNO_STRIMZI_IO_CA_CERT_GENERATION, "1"));
        String newClusterCaCert = clusterCaCertData.remove(CA_CRT);
        String newClusterCaCertStore = clusterCaCertData.remove(CA_STORE);
        String newClusterCaCertStorePassword = clusterCaCertData.remove(CA_STORE_PASSWORD);
        assertThat(newClusterCaCert, is(notNullValue()));
        assertThat(newClusterCaCertStore, is(notNullValue()));
        assertThat(newClusterCaCertStorePassword, is(notNullValue()));
        assertThat(newClusterCaCert, is(not(initialClusterCaCertSecret.getData().get(CA_CRT))));
        assertThat(newClusterCaCertStore, is(not(initialClusterCaCertSecret.getData().get(CA_STORE))));
        assertThat(newClusterCaCertStorePassword, is(not(initialClusterCaCertSecret.getData().get(CA_STORE_PASSWORD))));
        assertThat(newX509ClusterCaCertStore, is(x509Certificate(newClusterCaCert)));
        Map<String, String> clusterCaKeyData = c.getAllValues().get(1).getData();
        assertThat(clusterCaKeyData.keySet(), is(singleton(CA_KEY)));
        assertThat(c.getAllValues().get(1).getMetadata().getAnnotations(), hasEntry(Ca.ANNO_STRIMZI_IO_CA_KEY_GENERATION, "0"));
        String newClusterCaKey = clusterCaKeyData.remove(CA_KEY);
        assertThat(newClusterCaKey, is(notNullValue()));
        assertThat(newClusterCaKey, is(initialClusterCaKeySecret.getData().get(CA_KEY)));
        Map<String, String> clientsCaCertData = c.getAllValues().get(2).getData();
        assertThat(clientsCaCertData.keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
        X509Certificate newX509ClientsCaCertStore = getCertificateFromTrustStore(CA_CRT, clientsCaCertData);
        assertThat(c.getAllValues().get(2).getMetadata().getAnnotations(), hasEntry(Ca.ANNO_STRIMZI_IO_CA_CERT_GENERATION, "1"));
        String newClientsCaCert = clientsCaCertData.remove(CA_CRT);
        String newClientsCaCertStore = clientsCaCertData.remove(CA_STORE);
        String newClientsCaCertStorePassword = clientsCaCertData.remove(CA_STORE_PASSWORD);
        assertThat(newClientsCaCert, is(notNullValue()));
        assertThat(newClientsCaCertStore, is(notNullValue()));
        assertThat(newClientsCaCertStorePassword, is(notNullValue()));
        assertThat(newClientsCaCert, is(not(initialClientsCaCertSecret.getData().get(CA_CRT))));
        assertThat(newClientsCaCertStore, is(not(initialClientsCaCertSecret.getData().get(CA_STORE))));
        assertThat(newClientsCaCertStorePassword, is(not(initialClientsCaCertSecret.getData().get(CA_STORE_PASSWORD))));
        assertThat(newX509ClientsCaCertStore, is(x509Certificate(newClientsCaCert)));
        Map<String, String> clientsCaKeyData = c.getAllValues().get(3).getData();
        assertThat(clientsCaKeyData.keySet(), is(singleton(CA_KEY)));
        assertThat(c.getAllValues().get(3).getMetadata().getAnnotations(), hasEntry(Ca.ANNO_STRIMZI_IO_CA_KEY_GENERATION, "0"));
        String newClientsCaKey = clientsCaKeyData.remove(CA_KEY);
        assertThat(newClientsCaKey, is(notNullValue()));
        assertThat(newClientsCaKey, is(initialClientsCaKeySecret.getData().get(CA_KEY)));
        async.flag();
    })));
}
Also used : Secret(io.fabric8.kubernetes.api.model.Secret) X509Certificate(java.security.cert.X509Certificate) CoreMatchers.is(org.hamcrest.CoreMatchers.is) BeforeEach(org.junit.jupiter.api.BeforeEach) CertificateFactory(java.security.cert.CertificateFactory) CA_KEY(io.strimzi.operator.cluster.model.Ca.CA_KEY) Date(java.util.Date) ArgumentMatchers.eq(org.mockito.ArgumentMatchers.eq) KeyStoreException(java.security.KeyStoreException) CoreMatchers.notNullValue(org.hamcrest.CoreMatchers.notNullValue) CoreMatchers.instanceOf(org.hamcrest.CoreMatchers.instanceOf) ExtendWith(org.junit.jupiter.api.extension.ExtendWith) ByteArrayInputStream(java.io.ByteArrayInputStream) Collections.singleton(java.util.Collections.singleton) KafkaResources(io.strimzi.api.kafka.model.KafkaResources) Ca(io.strimzi.operator.cluster.model.Ca) Map(java.util.Map) PodOperator(io.strimzi.operator.common.operator.resource.PodOperator) ResourceOperatorSupplier(io.strimzi.operator.cluster.operator.resource.ResourceOperatorSupplier) ResourceUtils(io.strimzi.operator.cluster.ResourceUtils) Path(java.nio.file.Path) AbstractModel(io.strimzi.operator.cluster.model.AbstractModel) StatefulSetOperator(io.strimzi.operator.cluster.operator.resource.StatefulSetOperator) ModelUtils(io.strimzi.operator.cluster.model.ModelUtils) DeploymentOperator(io.strimzi.operator.common.operator.resource.DeploymentOperator) SecretOperator(io.strimzi.operator.common.operator.resource.SecretOperator) KeyStore(java.security.KeyStore) VertxExtension(io.vertx.junit5.VertxExtension) Instant(java.time.Instant) Future(io.vertx.core.Future) Collectors(java.util.stream.Collectors) StandardCharsets(java.nio.charset.StandardCharsets) Subject(io.strimzi.certs.Subject) Test(org.junit.jupiter.api.Test) Objects(java.util.Objects) Base64(java.util.Base64) List(java.util.List) Labels(io.strimzi.operator.common.model.Labels) PasswordGenerator(io.strimzi.operator.common.PasswordGenerator) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) CA_STORE_PASSWORD(io.strimzi.operator.cluster.model.Ca.CA_STORE_PASSWORD) Secret(io.fabric8.kubernetes.api.model.Secret) CA_STORE(io.strimzi.operator.cluster.model.Ca.CA_STORE) Checkpoint(io.vertx.junit5.Checkpoint) ClusterCa(io.strimzi.operator.cluster.model.ClusterCa) PlatformFeaturesAvailability(io.strimzi.operator.PlatformFeaturesAvailability) Mockito.mock(org.mockito.Mockito.mock) VertxTestContext(io.vertx.junit5.VertxTestContext) ArgumentMatchers.any(org.mockito.ArgumentMatchers.any) Matchers.aMapWithSize(org.hamcrest.Matchers.aMapWithSize) CoreMatchers.not(org.hamcrest.CoreMatchers.not) OwnerReference(io.fabric8.kubernetes.api.model.OwnerReference) CertAndKey(io.strimzi.certs.CertAndKey) Supplier(java.util.function.Supplier) KafkaBuilder(io.strimzi.api.kafka.model.KafkaBuilder) ArrayList(java.util.ArrayList) ArgumentCaptor(org.mockito.ArgumentCaptor) ClusterOperator(io.strimzi.operator.cluster.ClusterOperator) TestUtils(io.strimzi.test.TestUtils) Matchers.hasSize(org.hamcrest.Matchers.hasSize) ReconcileResult(io.strimzi.operator.common.operator.resource.ReconcileResult) MatcherAssert.assertThat(org.hamcrest.MatcherAssert.assertThat) CertificateExpirationPolicy(io.strimzi.api.kafka.model.CertificateExpirationPolicy) Matchers.hasEntry(org.hamcrest.Matchers.hasEntry) CertificateAuthority(io.strimzi.api.kafka.model.CertificateAuthority) Files(java.nio.file.Files) InvalidResourceException(io.strimzi.operator.cluster.model.InvalidResourceException) Promise(io.vertx.core.Promise) KubernetesVersion(io.strimzi.operator.KubernetesVersion) Vertx(io.vertx.core.Vertx) IOException(java.io.IOException) CertificateException(java.security.cert.CertificateException) TestUtils.set(io.strimzi.test.TestUtils.set) Mockito.when(org.mockito.Mockito.when) Reconciliation(io.strimzi.operator.common.Reconciliation) CA_CRT(io.strimzi.operator.cluster.model.Ca.CA_CRT) SecretBuilder(io.fabric8.kubernetes.api.model.SecretBuilder) Kafka(io.strimzi.api.kafka.model.Kafka) OpenSslCertManager(io.strimzi.certs.OpenSslCertManager) CertificateAuthorityBuilder(io.strimzi.api.kafka.model.CertificateAuthorityBuilder) ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString) Checkpoint(io.vertx.junit5.Checkpoint) Kafka(io.strimzi.api.kafka.model.Kafka) CertificateAuthority(io.strimzi.api.kafka.model.CertificateAuthority) KafkaBuilder(io.strimzi.api.kafka.model.KafkaBuilder) ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString) CertificateAuthorityBuilder(io.strimzi.api.kafka.model.CertificateAuthorityBuilder) X509Certificate(java.security.cert.X509Certificate) Test(org.junit.jupiter.api.Test)

Aggregations

OwnerReference (io.fabric8.kubernetes.api.model.OwnerReference)22 Secret (io.fabric8.kubernetes.api.model.Secret)22 SecretBuilder (io.fabric8.kubernetes.api.model.SecretBuilder)22 CertificateAuthority (io.strimzi.api.kafka.model.CertificateAuthority)22 CertificateAuthorityBuilder (io.strimzi.api.kafka.model.CertificateAuthorityBuilder)22 CertificateExpirationPolicy (io.strimzi.api.kafka.model.CertificateExpirationPolicy)22 Kafka (io.strimzi.api.kafka.model.Kafka)22 KafkaBuilder (io.strimzi.api.kafka.model.KafkaBuilder)22 KafkaResources (io.strimzi.api.kafka.model.KafkaResources)22 CertAndKey (io.strimzi.certs.CertAndKey)22 OpenSslCertManager (io.strimzi.certs.OpenSslCertManager)22 Subject (io.strimzi.certs.Subject)22 KubernetesVersion (io.strimzi.operator.KubernetesVersion)22 PlatformFeaturesAvailability (io.strimzi.operator.PlatformFeaturesAvailability)22 ClusterOperator (io.strimzi.operator.cluster.ClusterOperator)22 ResourceUtils (io.strimzi.operator.cluster.ResourceUtils)22 AbstractModel (io.strimzi.operator.cluster.model.AbstractModel)22 Ca (io.strimzi.operator.cluster.model.Ca)22 CA_CRT (io.strimzi.operator.cluster.model.Ca.CA_CRT)22 CA_KEY (io.strimzi.operator.cluster.model.Ca.CA_KEY)22