Example 11 with CA_KEY
use of io.strimzi.operator.cluster.model.Ca.CA_KEY in project strimzi by strimzi.
the class CertificateRenewalTest method testNewKeyGeneratedWhenInRenewalPeriodAutoWithinTimeWindow.
@Test
public void testNewKeyGeneratedWhenInRenewalPeriodAutoWithinTimeWindow(Vertx vertx, VertxTestContext context) throws IOException, CertificateException, KeyStoreException, NoSuchAlgorithmException {
CertificateAuthority certificateAuthority = new CertificateAuthorityBuilder().withValidityDays(2).withRenewalDays(3).withGenerateCertificateAuthority(true).withCertificateExpirationPolicy(CertificateExpirationPolicy.REPLACE_KEY).build();
Kafka kafka = new KafkaBuilder().editOrNewMetadata().withName(NAME).withNamespace(NAMESPACE).endMetadata().withNewSpec().withClusterCa(certificateAuthority).withClientsCa(certificateAuthority).withMaintenanceTimeWindows("* 10-14 * * * ? *").endSpec().build();
List<Secret> clusterCaSecrets = initialClusterCaSecrets(certificateAuthority);
Secret initialClusterCaKeySecret = clusterCaSecrets.get(0);
Secret initialClusterCaCertSecret = clusterCaSecrets.get(1);
assertThat(initialClusterCaCertSecret.getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
assertThat(initialClusterCaCertSecret.getData().get(CA_CRT), is(notNullValue()));
assertThat(initialClusterCaCertSecret.getData().get(CA_STORE), is(notNullValue()));
assertThat(initialClusterCaCertSecret.getData().get(CA_STORE_PASSWORD), is(notNullValue()));
assertThat(isCertInTrustStore(CA_CRT, initialClusterCaCertSecret.getData()), is(true));
assertThat(initialClusterCaKeySecret.getData().keySet(), is(singleton(CA_KEY)));
assertThat(initialClusterCaKeySecret.getData().get(CA_KEY), is(notNullValue()));
List<Secret> clientsCaSecrets = initialClientsCaSecrets(certificateAuthority);
Secret initialClientsCaKeySecret = clientsCaSecrets.get(0);
Secret initialClientsCaCertSecret = clientsCaSecrets.get(1);
assertThat(initialClientsCaCertSecret.getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
assertThat(initialClientsCaCertSecret.getData().get(CA_CRT), is(notNullValue()));
assertThat(initialClientsCaCertSecret.getData().get(CA_STORE), is(notNullValue()));
assertThat(initialClientsCaCertSecret.getData().get(CA_STORE_PASSWORD), is(notNullValue()));
assertThat(isCertInTrustStore(CA_CRT, initialClientsCaCertSecret.getData()), is(true));
assertThat(initialClientsCaKeySecret.getData().keySet(), is(singleton(CA_KEY)));
assertThat(initialClientsCaKeySecret.getData().get(CA_KEY), is(notNullValue()));
secrets.add(initialClusterCaCertSecret);
secrets.add(initialClusterCaKeySecret);
secrets.add(initialClientsCaCertSecret);
secrets.add(initialClientsCaKeySecret);
Checkpoint async = context.checkpoint();
reconcileCa(vertx, kafka, () -> Date.from(Instant.parse("2018-11-26T09:12:00Z"))).onComplete(context.succeeding(c -> context.verify(() -> {
assertThat(c.getAllValues(), hasSize(4));
Map<String, String> clusterCaCertData = c.getAllValues().get(0).getData();
assertThat(c.getAllValues().get(0).getMetadata().getAnnotations(), hasEntry(Ca.ANNO_STRIMZI_IO_CA_CERT_GENERATION, "1"));
assertThat(clusterCaCertData, aMapWithSize(4));
X509Certificate newX509ClusterCaCertStore = getCertificateFromTrustStore(CA_CRT, clusterCaCertData);
String oldClusterCaCertKey = clusterCaCertData.keySet().stream().filter(alias -> alias.startsWith("ca-")).findAny().orElseThrow();
X509Certificate oldX509ClusterCaCertStore = getCertificateFromTrustStore(oldClusterCaCertKey, clusterCaCertData);
String newClusterCaCert = clusterCaCertData.remove(CA_CRT);
String newClusterCaCertStore = clusterCaCertData.remove(CA_STORE);
String newClusterCaCertStorePassword = clusterCaCertData.remove(CA_STORE_PASSWORD);
assertThat(newClusterCaCert, is(not(initialClusterCaCertSecret.getData().get(CA_CRT))));
assertThat(newClusterCaCertStore, is(not(initialClusterCaCertSecret.getData().get(CA_STORE))));
assertThat(newClusterCaCertStorePassword, is(initialClusterCaCertSecret.getData().get(CA_STORE_PASSWORD)));
assertThat(newX509ClusterCaCertStore, is(x509Certificate(newClusterCaCert)));
Map.Entry<String, String> oldClusterCaCert = clusterCaCertData.entrySet().iterator().next();
assertThat(oldClusterCaCert.getValue(), is(initialClusterCaCertSecret.getData().get(CA_CRT)));
assertThat(oldX509ClusterCaCertStore, is(x509Certificate(String.valueOf(oldClusterCaCert.getValue()))));
assertThat(x509Certificate(newClusterCaCert).getSubjectDN().getName(), is("CN=cluster-ca v1, O=io.strimzi"));
Secret clusterCaKeySecret = c.getAllValues().get(1);
assertThat(clusterCaKeySecret.getMetadata().getAnnotations(), hasEntry(Ca.ANNO_STRIMZI_IO_CA_KEY_GENERATION, "1"));
Map<String, String> clusterCaKeyData = clusterCaKeySecret.getData();
assertThat(clusterCaKeyData.keySet(), is(singleton(CA_KEY)));
String newClusterCaKey = clusterCaKeyData.remove(CA_KEY);
assertThat(newClusterCaKey, is(notNullValue()));
assertThat(newClusterCaKey, is(not(initialClusterCaKeySecret.getData().get(CA_KEY))));
Map<String, String> clientsCaCertData = c.getAllValues().get(2).getData();
assertThat(c.getAllValues().get(2).getMetadata().getAnnotations(), hasEntry(Ca.ANNO_STRIMZI_IO_CA_CERT_GENERATION, "1"));
assertThat(clientsCaCertData, aMapWithSize(4));
X509Certificate newX509ClientsCaCertStore = getCertificateFromTrustStore(CA_CRT, clientsCaCertData);
String oldClientsCaCertKey = clientsCaCertData.keySet().stream().filter(alias -> alias.startsWith("ca-")).findAny().orElseThrow();
X509Certificate oldX509ClientsCaCertStore = getCertificateFromTrustStore(oldClientsCaCertKey, clientsCaCertData);
String newClientsCaCert = clientsCaCertData.remove(CA_CRT);
String newClientsCaCertStore = clientsCaCertData.remove(CA_STORE);
String newClientsCaCertStorePassword = clientsCaCertData.remove(CA_STORE_PASSWORD);
assertThat(newClientsCaCert, is(not(initialClientsCaCertSecret.getData().get(CA_CRT))));
assertThat(newClientsCaCertStore, is(not(initialClientsCaCertSecret.getData().get(CA_STORE))));
assertThat(newClientsCaCertStorePassword, is(initialClientsCaCertSecret.getData().get(CA_STORE_PASSWORD)));
assertThat(newX509ClientsCaCertStore, is(x509Certificate(newClientsCaCert)));
Map.Entry<String, String> oldClientsCaCert = clientsCaCertData.entrySet().iterator().next();
assertThat(oldClientsCaCert.getValue(), is(initialClientsCaCertSecret.getData().get(CA_CRT)));
assertThat(oldX509ClientsCaCertStore, is(x509Certificate(String.valueOf(oldClientsCaCert.getValue()))));
assertThat(x509Certificate(newClientsCaCert).getSubjectDN().getName(), is("CN=clients-ca v1, O=io.strimzi"));
Secret clientsCaKeySecret = c.getAllValues().get(3);
assertThat(clientsCaKeySecret.getMetadata().getAnnotations(), hasEntry(Ca.ANNO_STRIMZI_IO_CA_KEY_GENERATION, "1"));
Map<String, String> clientsCaKeyData = clientsCaKeySecret.getData();
assertThat(clientsCaKeyData.keySet(), is(singleton(CA_KEY)));
String newClientsCaKey = clientsCaKeyData.remove(CA_KEY);
assertThat(newClientsCaKey, is(notNullValue()));
assertThat(newClientsCaKey, is(not(initialClientsCaKeySecret.getData().get(CA_KEY))));
async.flag();
})));
}
Also used :
X509Certificate(java.security.cert.X509Certificate)
CoreMatchers.is(org.hamcrest.CoreMatchers.is)
BeforeEach(org.junit.jupiter.api.BeforeEach)
CertificateFactory(java.security.cert.CertificateFactory)
CA_KEY(io.strimzi.operator.cluster.model.Ca.CA_KEY)
Date(java.util.Date)
ArgumentMatchers.eq(org.mockito.ArgumentMatchers.eq)
KeyStoreException(java.security.KeyStoreException)
CoreMatchers.notNullValue(org.hamcrest.CoreMatchers.notNullValue)
CoreMatchers.instanceOf(org.hamcrest.CoreMatchers.instanceOf)
ExtendWith(org.junit.jupiter.api.extension.ExtendWith)
ByteArrayInputStream(java.io.ByteArrayInputStream)
Collections.singleton(java.util.Collections.singleton)
KafkaResources(io.strimzi.api.kafka.model.KafkaResources)
Ca(io.strimzi.operator.cluster.model.Ca)
Map(java.util.Map)
PodOperator(io.strimzi.operator.common.operator.resource.PodOperator)
ResourceOperatorSupplier(io.strimzi.operator.cluster.operator.resource.ResourceOperatorSupplier)
ResourceUtils(io.strimzi.operator.cluster.ResourceUtils)
Path(java.nio.file.Path)
AbstractModel(io.strimzi.operator.cluster.model.AbstractModel)
StatefulSetOperator(io.strimzi.operator.cluster.operator.resource.StatefulSetOperator)
ModelUtils(io.strimzi.operator.cluster.model.ModelUtils)
DeploymentOperator(io.strimzi.operator.common.operator.resource.DeploymentOperator)
SecretOperator(io.strimzi.operator.common.operator.resource.SecretOperator)
KeyStore(java.security.KeyStore)
VertxExtension(io.vertx.junit5.VertxExtension)
Instant(java.time.Instant)
Future(io.vertx.core.Future)
Collectors(java.util.stream.Collectors)
StandardCharsets(java.nio.charset.StandardCharsets)
Subject(io.strimzi.certs.Subject)
Test(org.junit.jupiter.api.Test)
Objects(java.util.Objects)
Base64(java.util.Base64)
List(java.util.List)
Labels(io.strimzi.operator.common.model.Labels)
PasswordGenerator(io.strimzi.operator.common.PasswordGenerator)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
CA_STORE_PASSWORD(io.strimzi.operator.cluster.model.Ca.CA_STORE_PASSWORD)
Secret(io.fabric8.kubernetes.api.model.Secret)
CA_STORE(io.strimzi.operator.cluster.model.Ca.CA_STORE)
Checkpoint(io.vertx.junit5.Checkpoint)
ClusterCa(io.strimzi.operator.cluster.model.ClusterCa)
PlatformFeaturesAvailability(io.strimzi.operator.PlatformFeaturesAvailability)
Mockito.mock(org.mockito.Mockito.mock)
VertxTestContext(io.vertx.junit5.VertxTestContext)
ArgumentMatchers.any(org.mockito.ArgumentMatchers.any)
Matchers.aMapWithSize(org.hamcrest.Matchers.aMapWithSize)
CoreMatchers.not(org.hamcrest.CoreMatchers.not)
OwnerReference(io.fabric8.kubernetes.api.model.OwnerReference)
CertAndKey(io.strimzi.certs.CertAndKey)
Supplier(java.util.function.Supplier)
KafkaBuilder(io.strimzi.api.kafka.model.KafkaBuilder)
ArrayList(java.util.ArrayList)
ArgumentCaptor(org.mockito.ArgumentCaptor)
ClusterOperator(io.strimzi.operator.cluster.ClusterOperator)
TestUtils(io.strimzi.test.TestUtils)
Matchers.hasSize(org.hamcrest.Matchers.hasSize)
ReconcileResult(io.strimzi.operator.common.operator.resource.ReconcileResult)
MatcherAssert.assertThat(org.hamcrest.MatcherAssert.assertThat)
CertificateExpirationPolicy(io.strimzi.api.kafka.model.CertificateExpirationPolicy)
Matchers.hasEntry(org.hamcrest.Matchers.hasEntry)
CertificateAuthority(io.strimzi.api.kafka.model.CertificateAuthority)
Files(java.nio.file.Files)
InvalidResourceException(io.strimzi.operator.cluster.model.InvalidResourceException)
Promise(io.vertx.core.Promise)
KubernetesVersion(io.strimzi.operator.KubernetesVersion)
Vertx(io.vertx.core.Vertx)
IOException(java.io.IOException)
CertificateException(java.security.cert.CertificateException)
TestUtils.set(io.strimzi.test.TestUtils.set)
Mockito.when(org.mockito.Mockito.when)
Reconciliation(io.strimzi.operator.common.Reconciliation)
CA_CRT(io.strimzi.operator.cluster.model.Ca.CA_CRT)
SecretBuilder(io.fabric8.kubernetes.api.model.SecretBuilder)
Kafka(io.strimzi.api.kafka.model.Kafka)
OpenSslCertManager(io.strimzi.certs.OpenSslCertManager)
CertificateAuthorityBuilder(io.strimzi.api.kafka.model.CertificateAuthorityBuilder)
ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString)
Kafka(io.strimzi.api.kafka.model.Kafka)
KafkaBuilder(io.strimzi.api.kafka.model.KafkaBuilder)
ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString)
CertificateAuthorityBuilder(io.strimzi.api.kafka.model.CertificateAuthorityBuilder)
X509Certificate(java.security.cert.X509Certificate)
Secret(io.fabric8.kubernetes.api.model.Secret)
Checkpoint(io.vertx.junit5.Checkpoint)
CertificateAuthority(io.strimzi.api.kafka.model.CertificateAuthority)
Map(java.util.Map)
Test(org.junit.jupiter.api.Test)
Example 12 with CA_KEY
use of io.strimzi.operator.cluster.model.Ca.CA_KEY in project strimzi by strimzi.
the class CertificateRenewalTest method testNewCertsGetGeneratedWhenInRenewalPeriodAuto.
@Test
public void testNewCertsGetGeneratedWhenInRenewalPeriodAuto(Vertx vertx, VertxTestContext context) throws IOException, CertificateException, KeyStoreException, NoSuchAlgorithmException {
CertificateAuthority certificateAuthority = new CertificateAuthorityBuilder().withValidityDays(2).withRenewalDays(3).withGenerateCertificateAuthority(true).build();
List<Secret> clusterCaSecrets = initialClusterCaSecrets(certificateAuthority);
Secret initialClusterCaKeySecret = clusterCaSecrets.get(0);
Secret initialClusterCaCertSecret = clusterCaSecrets.get(1);
assertThat(initialClusterCaCertSecret.getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
assertThat(initialClusterCaCertSecret.getData().get(CA_CRT), is(notNullValue()));
assertThat(initialClusterCaCertSecret.getData().get(CA_STORE), is(notNullValue()));
assertThat(initialClusterCaCertSecret.getData().get(CA_STORE_PASSWORD), is(notNullValue()));
assertThat(isCertInTrustStore(CA_CRT, initialClusterCaCertSecret.getData()), is(true));
assertThat(initialClusterCaKeySecret.getData().keySet(), is(singleton(CA_KEY)));
assertThat(initialClusterCaKeySecret.getData().get(CA_KEY), is(notNullValue()));
List<Secret> clientsCaSecrets = initialClientsCaSecrets(certificateAuthority);
Secret initialClientsCaKeySecret = clientsCaSecrets.get(0);
Secret initialClientsCaCertSecret = clientsCaSecrets.get(1);
assertThat(initialClientsCaCertSecret.getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
assertThat(initialClientsCaCertSecret.getData().get(CA_CRT), is(notNullValue()));
assertThat(initialClientsCaCertSecret.getData().get(CA_STORE), is(notNullValue()));
assertThat(initialClientsCaCertSecret.getData().get(CA_STORE_PASSWORD), is(notNullValue()));
assertThat(isCertInTrustStore(CA_CRT, initialClientsCaCertSecret.getData()), is(true));
assertThat(initialClientsCaKeySecret.getData().keySet(), is(singleton(CA_KEY)));
assertThat(initialClientsCaKeySecret.getData().get(CA_KEY), is(notNullValue()));
secrets.add(initialClusterCaCertSecret);
secrets.add(initialClusterCaKeySecret);
secrets.add(initialClientsCaCertSecret);
secrets.add(initialClientsCaKeySecret);
Checkpoint async = context.checkpoint();
reconcileCa(vertx, certificateAuthority, certificateAuthority).onComplete(context.succeeding(c -> context.verify(() -> {
assertThat(c.getAllValues(), hasSize(4));
Map<String, String> clusterCaCertData = c.getAllValues().get(0).getData();
assertThat(clusterCaCertData.keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
X509Certificate newX509ClusterCaCertStore = getCertificateFromTrustStore(CA_CRT, clusterCaCertData);
String newClusterCaCert = clusterCaCertData.remove(CA_CRT);
String newClusterCaCertStore = clusterCaCertData.remove(CA_STORE);
String newClusterCaCertStorePassword = clusterCaCertData.remove(CA_STORE_PASSWORD);
assertThat(newClusterCaCert, is(notNullValue()));
assertThat(newClusterCaCertStore, is(notNullValue()));
assertThat(newClusterCaCertStorePassword, is(notNullValue()));
assertThat(newClusterCaCert, is(not(initialClusterCaCertSecret.getData().get(CA_CRT))));
assertThat(newClusterCaCertStore, is(not(initialClusterCaCertSecret.getData().get(CA_STORE))));
assertThat(newClusterCaCertStorePassword, is(not(initialClusterCaCertSecret.getData().get(CA_STORE_PASSWORD))));
assertThat(newX509ClusterCaCertStore, is(x509Certificate(newClusterCaCert)));
Map<String, String> clusterCaKeyData = c.getAllValues().get(1).getData();
assertThat(clusterCaKeyData.keySet(), is(singleton(CA_KEY)));
String newClusterCaKey = clusterCaKeyData.remove(CA_KEY);
assertThat(newClusterCaKey, is(notNullValue()));
assertThat(newClusterCaKey, is(initialClusterCaKeySecret.getData().get(CA_KEY)));
Map<String, String> clientsCaCertData = c.getAllValues().get(2).getData();
assertThat(clientsCaCertData.keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
X509Certificate newX509ClientsCaCertStore = getCertificateFromTrustStore(CA_CRT, clientsCaCertData);
String newClientsCaCert = clientsCaCertData.remove(CA_CRT);
String newClientsCaCertStore = clientsCaCertData.remove(CA_STORE);
String newClientsCaCertStorePassword = clientsCaCertData.remove(CA_STORE_PASSWORD);
assertThat(newClientsCaCert, is(notNullValue()));
assertThat(newClientsCaCertStore, is(notNullValue()));
assertThat(newClientsCaCertStorePassword, is(notNullValue()));
assertThat(newClientsCaCert, is(not(initialClientsCaCertSecret.getData().get(CA_CRT))));
assertThat(newClientsCaCertStore, is(not(initialClientsCaCertSecret.getData().get(CA_STORE))));
assertThat(newClientsCaCertStorePassword, is(not(initialClientsCaCertSecret.getData().get(CA_STORE_PASSWORD))));
assertThat(newX509ClientsCaCertStore, is(x509Certificate(newClientsCaCert)));
Map<String, String> clientsCaKeyData = c.getAllValues().get(3).getData();
assertThat(clientsCaKeyData.keySet(), is(singleton(CA_KEY)));
String newClientsCaKey = clientsCaKeyData.remove(CA_KEY);
assertThat(newClientsCaKey, is(notNullValue()));
assertThat(newClientsCaKey, is(initialClientsCaKeySecret.getData().get(CA_KEY)));
async.flag();
})));
}
Also used :
Secret(io.fabric8.kubernetes.api.model.Secret)
X509Certificate(java.security.cert.X509Certificate)
CoreMatchers.is(org.hamcrest.CoreMatchers.is)
BeforeEach(org.junit.jupiter.api.BeforeEach)
CertificateFactory(java.security.cert.CertificateFactory)
CA_KEY(io.strimzi.operator.cluster.model.Ca.CA_KEY)
Date(java.util.Date)
ArgumentMatchers.eq(org.mockito.ArgumentMatchers.eq)
KeyStoreException(java.security.KeyStoreException)
CoreMatchers.notNullValue(org.hamcrest.CoreMatchers.notNullValue)
CoreMatchers.instanceOf(org.hamcrest.CoreMatchers.instanceOf)
ExtendWith(org.junit.jupiter.api.extension.ExtendWith)
ByteArrayInputStream(java.io.ByteArrayInputStream)
Collections.singleton(java.util.Collections.singleton)
KafkaResources(io.strimzi.api.kafka.model.KafkaResources)
Ca(io.strimzi.operator.cluster.model.Ca)
Map(java.util.Map)
PodOperator(io.strimzi.operator.common.operator.resource.PodOperator)
ResourceOperatorSupplier(io.strimzi.operator.cluster.operator.resource.ResourceOperatorSupplier)
ResourceUtils(io.strimzi.operator.cluster.ResourceUtils)
Path(java.nio.file.Path)
AbstractModel(io.strimzi.operator.cluster.model.AbstractModel)
StatefulSetOperator(io.strimzi.operator.cluster.operator.resource.StatefulSetOperator)
ModelUtils(io.strimzi.operator.cluster.model.ModelUtils)
DeploymentOperator(io.strimzi.operator.common.operator.resource.DeploymentOperator)
SecretOperator(io.strimzi.operator.common.operator.resource.SecretOperator)
KeyStore(java.security.KeyStore)
VertxExtension(io.vertx.junit5.VertxExtension)
Instant(java.time.Instant)
Future(io.vertx.core.Future)
Collectors(java.util.stream.Collectors)
StandardCharsets(java.nio.charset.StandardCharsets)
Subject(io.strimzi.certs.Subject)
Test(org.junit.jupiter.api.Test)
Objects(java.util.Objects)
Base64(java.util.Base64)
List(java.util.List)
Labels(io.strimzi.operator.common.model.Labels)
PasswordGenerator(io.strimzi.operator.common.PasswordGenerator)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
CA_STORE_PASSWORD(io.strimzi.operator.cluster.model.Ca.CA_STORE_PASSWORD)
Secret(io.fabric8.kubernetes.api.model.Secret)
CA_STORE(io.strimzi.operator.cluster.model.Ca.CA_STORE)
Checkpoint(io.vertx.junit5.Checkpoint)
ClusterCa(io.strimzi.operator.cluster.model.ClusterCa)
PlatformFeaturesAvailability(io.strimzi.operator.PlatformFeaturesAvailability)
Mockito.mock(org.mockito.Mockito.mock)
VertxTestContext(io.vertx.junit5.VertxTestContext)
ArgumentMatchers.any(org.mockito.ArgumentMatchers.any)
Matchers.aMapWithSize(org.hamcrest.Matchers.aMapWithSize)
CoreMatchers.not(org.hamcrest.CoreMatchers.not)
OwnerReference(io.fabric8.kubernetes.api.model.OwnerReference)
CertAndKey(io.strimzi.certs.CertAndKey)
Supplier(java.util.function.Supplier)
KafkaBuilder(io.strimzi.api.kafka.model.KafkaBuilder)
ArrayList(java.util.ArrayList)
ArgumentCaptor(org.mockito.ArgumentCaptor)
ClusterOperator(io.strimzi.operator.cluster.ClusterOperator)
TestUtils(io.strimzi.test.TestUtils)
Matchers.hasSize(org.hamcrest.Matchers.hasSize)
ReconcileResult(io.strimzi.operator.common.operator.resource.ReconcileResult)
MatcherAssert.assertThat(org.hamcrest.MatcherAssert.assertThat)
CertificateExpirationPolicy(io.strimzi.api.kafka.model.CertificateExpirationPolicy)
Matchers.hasEntry(org.hamcrest.Matchers.hasEntry)
CertificateAuthority(io.strimzi.api.kafka.model.CertificateAuthority)
Files(java.nio.file.Files)
InvalidResourceException(io.strimzi.operator.cluster.model.InvalidResourceException)
Promise(io.vertx.core.Promise)
KubernetesVersion(io.strimzi.operator.KubernetesVersion)
Vertx(io.vertx.core.Vertx)
IOException(java.io.IOException)
CertificateException(java.security.cert.CertificateException)
TestUtils.set(io.strimzi.test.TestUtils.set)
Mockito.when(org.mockito.Mockito.when)
Reconciliation(io.strimzi.operator.common.Reconciliation)
CA_CRT(io.strimzi.operator.cluster.model.Ca.CA_CRT)
SecretBuilder(io.fabric8.kubernetes.api.model.SecretBuilder)
Kafka(io.strimzi.api.kafka.model.Kafka)
OpenSslCertManager(io.strimzi.certs.OpenSslCertManager)
CertificateAuthorityBuilder(io.strimzi.api.kafka.model.CertificateAuthorityBuilder)
ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString)
Checkpoint(io.vertx.junit5.Checkpoint)
CertificateAuthority(io.strimzi.api.kafka.model.CertificateAuthority)
ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString)
CertificateAuthorityBuilder(io.strimzi.api.kafka.model.CertificateAuthorityBuilder)
X509Certificate(java.security.cert.X509Certificate)
Test(org.junit.jupiter.api.Test)
Example 13 with CA_KEY
use of io.strimzi.operator.cluster.model.Ca.CA_KEY in project strimzi by strimzi.
the class CertificateRenewalTest method testExpiredCertsGetRemovedAuto.
@Test
public void testExpiredCertsGetRemovedAuto(Vertx vertx, VertxTestContext context) throws IOException, CertificateException, KeyStoreException, NoSuchAlgorithmException {
CertificateAuthority certificateAuthority = new CertificateAuthorityBuilder().withValidityDays(100).withRenewalDays(10).withGenerateCertificateAuthority(true).build();
List<Secret> clusterCaSecrets = initialClusterCaSecrets(certificateAuthority);
Secret initialClusterCaKeySecret = clusterCaSecrets.get(0);
Secret initialClusterCaCertSecret = clusterCaSecrets.get(1);
assertThat(initialClusterCaCertSecret.getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
assertThat(initialClusterCaCertSecret.getData().get(CA_CRT), is(notNullValue()));
assertThat(initialClusterCaCertSecret.getData().get(CA_STORE), is(notNullValue()));
assertThat(initialClusterCaCertSecret.getData().get(CA_STORE_PASSWORD), is(notNullValue()));
assertThat(isCertInTrustStore(CA_CRT, initialClusterCaCertSecret.getData()), is(true));
// add an expired certificate to the secret ...
String clusterCert = Objects.requireNonNull(TestUtils.readResource(getClass(), "cluster-ca.crt"));
String encodedClusterCert = Base64.getEncoder().encodeToString(clusterCert.getBytes(StandardCharsets.UTF_8));
initialClusterCaCertSecret.getData().put("ca-2018-07-01T09-00-00.crt", encodedClusterCert);
assertThat(initialClusterCaKeySecret.getData().keySet(), is(singleton(CA_KEY)));
assertThat(initialClusterCaKeySecret.getData().get(CA_KEY), is(notNullValue()));
// ... and to the related truststore
Path certFile = Files.createTempFile("tls", "-cert");
Path trustStoreFile = Files.createTempFile("tls", "-truststore");
Files.write(certFile, Base64.getDecoder().decode(initialClusterCaCertSecret.getData().get("ca-2018-07-01T09-00-00.crt")));
Files.write(trustStoreFile, Base64.getDecoder().decode(initialClusterCaCertSecret.getData().get(CA_STORE)));
String trustStorePassword = new String(Base64.getDecoder().decode(initialClusterCaCertSecret.getData().get(CA_STORE_PASSWORD)), StandardCharsets.US_ASCII);
certManager.addCertToTrustStore(certFile.toFile(), "ca-2018-07-01T09-00-00.crt", trustStoreFile.toFile(), trustStorePassword);
initialClusterCaCertSecret.getData().put(CA_STORE, Base64.getEncoder().encodeToString(Files.readAllBytes(trustStoreFile)));
assertThat(isCertInTrustStore("ca-2018-07-01T09-00-00.crt", initialClusterCaCertSecret.getData()), is(true));
List<Secret> clientsCaSecrets = initialClientsCaSecrets(certificateAuthority);
Secret initialClientsCaKeySecret = clientsCaSecrets.get(0);
Secret initialClientsCaCertSecret = clientsCaSecrets.get(1);
assertThat(initialClientsCaCertSecret.getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
assertThat(initialClientsCaCertSecret.getData().get(CA_CRT), is(notNullValue()));
assertThat(initialClientsCaCertSecret.getData().get(CA_STORE), is(notNullValue()));
assertThat(initialClientsCaCertSecret.getData().get(CA_STORE_PASSWORD), is(notNullValue()));
assertThat(isCertInTrustStore(CA_CRT, initialClientsCaCertSecret.getData()), is(true));
// add an expired certificate to the secret ...
String clientCert = Objects.requireNonNull(TestUtils.readResource(getClass(), "clients-ca.crt"));
String encodedClientCert = Base64.getEncoder().encodeToString(clientCert.getBytes(StandardCharsets.UTF_8));
initialClientsCaCertSecret.getData().put("ca-2018-07-01T09-00-00.crt", encodedClientCert);
assertThat(initialClientsCaKeySecret.getData().keySet(), is(singleton(CA_KEY)));
assertThat(initialClientsCaKeySecret.getData().get(CA_KEY), is(notNullValue()));
// ... and to the related truststore
certFile = Files.createTempFile("tls", "-cert");
Files.write(certFile, Base64.getDecoder().decode(initialClientsCaCertSecret.getData().get("ca-2018-07-01T09-00-00.crt")));
trustStoreFile = Files.createTempFile("tls", "-truststore");
Files.write(trustStoreFile, Base64.getDecoder().decode(initialClientsCaCertSecret.getData().get(CA_STORE)));
trustStorePassword = new String(Base64.getDecoder().decode(initialClientsCaCertSecret.getData().get(CA_STORE_PASSWORD)), StandardCharsets.US_ASCII);
certManager.addCertToTrustStore(certFile.toFile(), "ca-2018-07-01T09-00-00.crt", trustStoreFile.toFile(), trustStorePassword);
initialClientsCaCertSecret.getData().put(CA_STORE, Base64.getEncoder().encodeToString(Files.readAllBytes(trustStoreFile)));
assertThat(isCertInTrustStore("ca-2018-07-01T09-00-00.crt", initialClientsCaCertSecret.getData()), is(true));
secrets.add(initialClusterCaCertSecret);
secrets.add(initialClusterCaKeySecret);
secrets.add(initialClientsCaCertSecret);
secrets.add(initialClientsCaKeySecret);
Checkpoint async = context.checkpoint();
reconcileCa(vertx, certificateAuthority, certificateAuthority).onComplete(context.succeeding(c -> context.verify(() -> {
assertThat(c.getAllValues(), hasSize(4));
Map<String, String> clusterCaCertData = c.getAllValues().get(0).getData();
assertThat(clusterCaCertData, aMapWithSize(3));
assertThat(clusterCaCertData.get(CA_CRT), is(initialClusterCaCertSecret.getData().get(CA_CRT)));
assertThat(clusterCaCertData.get(CA_STORE), is(initialClusterCaCertSecret.getData().get(CA_STORE)));
assertThat(clusterCaCertData.get(CA_STORE_PASSWORD), is(initialClusterCaCertSecret.getData().get(CA_STORE_PASSWORD)));
assertThat(getCertificateFromTrustStore(CA_CRT, clusterCaCertData), is(x509Certificate(clusterCaCertData.get(CA_CRT))));
Map<String, String> clusterCaKeyData = c.getAllValues().get(1).getData();
assertThat(clusterCaKeyData.get(CA_KEY), is(initialClusterCaKeySecret.getData().get(CA_KEY)));
assertThat(isCertInTrustStore("ca-2018-07-01T09-00-00.crt", clusterCaCertData), is(false));
Map<String, String> clientsCaCertData = c.getAllValues().get(2).getData();
assertThat(clientsCaCertData, aMapWithSize(3));
assertThat(clientsCaCertData.get(CA_CRT), is(initialClientsCaCertSecret.getData().get(CA_CRT)));
assertThat(clientsCaCertData.get(CA_STORE), is(initialClientsCaCertSecret.getData().get(CA_STORE)));
assertThat(clientsCaCertData.get(CA_STORE_PASSWORD), is(initialClientsCaCertSecret.getData().get(CA_STORE_PASSWORD)));
assertThat(getCertificateFromTrustStore(CA_CRT, clientsCaCertData), is(x509Certificate(clientsCaCertData.get(CA_CRT))));
Map<String, String> clientsCaKeyData = c.getAllValues().get(3).getData();
assertThat(clientsCaKeyData.get(CA_KEY), is(initialClientsCaKeySecret.getData().get(CA_KEY)));
assertThat(isCertInTrustStore("ca-2018-07-01T09-00-00.crt", clientsCaCertData), is(false));
async.flag();
})));
}
Also used :
Secret(io.fabric8.kubernetes.api.model.Secret)
Path(java.nio.file.Path)
X509Certificate(java.security.cert.X509Certificate)
CoreMatchers.is(org.hamcrest.CoreMatchers.is)
BeforeEach(org.junit.jupiter.api.BeforeEach)
CertificateFactory(java.security.cert.CertificateFactory)
CA_KEY(io.strimzi.operator.cluster.model.Ca.CA_KEY)
Date(java.util.Date)
ArgumentMatchers.eq(org.mockito.ArgumentMatchers.eq)
KeyStoreException(java.security.KeyStoreException)
CoreMatchers.notNullValue(org.hamcrest.CoreMatchers.notNullValue)
CoreMatchers.instanceOf(org.hamcrest.CoreMatchers.instanceOf)
ExtendWith(org.junit.jupiter.api.extension.ExtendWith)
ByteArrayInputStream(java.io.ByteArrayInputStream)
Collections.singleton(java.util.Collections.singleton)
KafkaResources(io.strimzi.api.kafka.model.KafkaResources)
Ca(io.strimzi.operator.cluster.model.Ca)
Map(java.util.Map)
PodOperator(io.strimzi.operator.common.operator.resource.PodOperator)
ResourceOperatorSupplier(io.strimzi.operator.cluster.operator.resource.ResourceOperatorSupplier)
ResourceUtils(io.strimzi.operator.cluster.ResourceUtils)
Path(java.nio.file.Path)
AbstractModel(io.strimzi.operator.cluster.model.AbstractModel)
StatefulSetOperator(io.strimzi.operator.cluster.operator.resource.StatefulSetOperator)
ModelUtils(io.strimzi.operator.cluster.model.ModelUtils)
DeploymentOperator(io.strimzi.operator.common.operator.resource.DeploymentOperator)
SecretOperator(io.strimzi.operator.common.operator.resource.SecretOperator)
KeyStore(java.security.KeyStore)
VertxExtension(io.vertx.junit5.VertxExtension)
Instant(java.time.Instant)
Future(io.vertx.core.Future)
Collectors(java.util.stream.Collectors)
StandardCharsets(java.nio.charset.StandardCharsets)
Subject(io.strimzi.certs.Subject)
Test(org.junit.jupiter.api.Test)
Objects(java.util.Objects)
Base64(java.util.Base64)
List(java.util.List)
Labels(io.strimzi.operator.common.model.Labels)
PasswordGenerator(io.strimzi.operator.common.PasswordGenerator)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
CA_STORE_PASSWORD(io.strimzi.operator.cluster.model.Ca.CA_STORE_PASSWORD)
Secret(io.fabric8.kubernetes.api.model.Secret)
CA_STORE(io.strimzi.operator.cluster.model.Ca.CA_STORE)
Checkpoint(io.vertx.junit5.Checkpoint)
ClusterCa(io.strimzi.operator.cluster.model.ClusterCa)
PlatformFeaturesAvailability(io.strimzi.operator.PlatformFeaturesAvailability)
Mockito.mock(org.mockito.Mockito.mock)
VertxTestContext(io.vertx.junit5.VertxTestContext)
ArgumentMatchers.any(org.mockito.ArgumentMatchers.any)
Matchers.aMapWithSize(org.hamcrest.Matchers.aMapWithSize)
CoreMatchers.not(org.hamcrest.CoreMatchers.not)
OwnerReference(io.fabric8.kubernetes.api.model.OwnerReference)
CertAndKey(io.strimzi.certs.CertAndKey)
Supplier(java.util.function.Supplier)
KafkaBuilder(io.strimzi.api.kafka.model.KafkaBuilder)
ArrayList(java.util.ArrayList)
ArgumentCaptor(org.mockito.ArgumentCaptor)
ClusterOperator(io.strimzi.operator.cluster.ClusterOperator)
TestUtils(io.strimzi.test.TestUtils)
Matchers.hasSize(org.hamcrest.Matchers.hasSize)
ReconcileResult(io.strimzi.operator.common.operator.resource.ReconcileResult)
MatcherAssert.assertThat(org.hamcrest.MatcherAssert.assertThat)
CertificateExpirationPolicy(io.strimzi.api.kafka.model.CertificateExpirationPolicy)
Matchers.hasEntry(org.hamcrest.Matchers.hasEntry)
CertificateAuthority(io.strimzi.api.kafka.model.CertificateAuthority)
Files(java.nio.file.Files)
InvalidResourceException(io.strimzi.operator.cluster.model.InvalidResourceException)
Promise(io.vertx.core.Promise)
KubernetesVersion(io.strimzi.operator.KubernetesVersion)
Vertx(io.vertx.core.Vertx)
IOException(java.io.IOException)
CertificateException(java.security.cert.CertificateException)
TestUtils.set(io.strimzi.test.TestUtils.set)
Mockito.when(org.mockito.Mockito.when)
Reconciliation(io.strimzi.operator.common.Reconciliation)
CA_CRT(io.strimzi.operator.cluster.model.Ca.CA_CRT)
SecretBuilder(io.fabric8.kubernetes.api.model.SecretBuilder)
Kafka(io.strimzi.api.kafka.model.Kafka)
OpenSslCertManager(io.strimzi.certs.OpenSslCertManager)
CertificateAuthorityBuilder(io.strimzi.api.kafka.model.CertificateAuthorityBuilder)
ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString)
Checkpoint(io.vertx.junit5.Checkpoint)
CertificateAuthority(io.strimzi.api.kafka.model.CertificateAuthority)
ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString)
CertificateAuthorityBuilder(io.strimzi.api.kafka.model.CertificateAuthorityBuilder)
Test(org.junit.jupiter.api.Test)
Example 14 with CA_KEY
use of io.strimzi.operator.cluster.model.Ca.CA_KEY in project strimzi by strimzi.
the class CertificateRenewalTest method testNewKeyGetGeneratedWhenInRenewalPeriodAuto.
@Test
public void testNewKeyGetGeneratedWhenInRenewalPeriodAuto(Vertx vertx, VertxTestContext context) throws IOException, CertificateException, KeyStoreException, NoSuchAlgorithmException {
CertificateAuthority certificateAuthority = new CertificateAuthorityBuilder().withValidityDays(2).withRenewalDays(3).withGenerateCertificateAuthority(true).withCertificateExpirationPolicy(CertificateExpirationPolicy.REPLACE_KEY).build();
List<Secret> clusterCaSecrets = initialClusterCaSecrets(certificateAuthority);
Secret initialClusterCaKeySecret = clusterCaSecrets.get(0);
Secret initialClusterCaCertSecret = clusterCaSecrets.get(1);
assertThat(initialClusterCaCertSecret.getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
assertThat(initialClusterCaCertSecret.getData().get(CA_CRT), is(notNullValue()));
assertThat(initialClusterCaCertSecret.getData().get(CA_STORE), is(notNullValue()));
assertThat(initialClusterCaCertSecret.getData().get(CA_STORE_PASSWORD), is(notNullValue()));
assertThat(isCertInTrustStore(CA_CRT, initialClusterCaCertSecret.getData()), is(true));
assertThat(initialClusterCaKeySecret.getData().keySet(), is(singleton(CA_KEY)));
assertThat(initialClusterCaKeySecret.getData().get(CA_KEY), is(notNullValue()));
List<Secret> clientsCaSecrets = initialClientsCaSecrets(certificateAuthority);
Secret initialClientsCaKeySecret = clientsCaSecrets.get(0);
Secret initialClientsCaCertSecret = clientsCaSecrets.get(1);
assertThat(initialClientsCaCertSecret.getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
assertThat(initialClientsCaCertSecret.getData().get(CA_CRT), is(notNullValue()));
assertThat(initialClientsCaCertSecret.getData().get(CA_STORE), is(notNullValue()));
assertThat(initialClientsCaCertSecret.getData().get(CA_STORE_PASSWORD), is(notNullValue()));
assertThat(isCertInTrustStore(CA_CRT, initialClientsCaCertSecret.getData()), is(true));
assertThat(initialClientsCaKeySecret.getData().keySet(), is(singleton(CA_KEY)));
assertThat(initialClientsCaKeySecret.getData().get(CA_KEY), is(notNullValue()));
secrets.add(initialClusterCaCertSecret);
secrets.add(initialClusterCaKeySecret);
secrets.add(initialClientsCaCertSecret);
secrets.add(initialClientsCaKeySecret);
Checkpoint async = context.checkpoint();
reconcileCa(vertx, certificateAuthority, certificateAuthority).onComplete(context.succeeding(c -> context.verify(() -> {
assertThat(c.getAllValues(), hasSize(4));
Map<String, String> clusterCaCertData = c.getAllValues().get(0).getData();
assertThat(clusterCaCertData, aMapWithSize(4));
X509Certificate newX509ClusterCaCertStore = getCertificateFromTrustStore(CA_CRT, clusterCaCertData);
String oldClusterCaCertKey = clusterCaCertData.keySet().stream().filter(alias -> alias.startsWith("ca-")).findAny().orElseThrow();
X509Certificate oldX509ClusterCaCertStore = getCertificateFromTrustStore(oldClusterCaCertKey, clusterCaCertData);
String newClusterCaCert = clusterCaCertData.remove(CA_CRT);
String newClusterCaCertStore = clusterCaCertData.remove(CA_STORE);
String newClusterCaCertStorePassword = clusterCaCertData.remove(CA_STORE_PASSWORD);
assertThat(newClusterCaCert, is(not(initialClusterCaCertSecret.getData().get(CA_CRT))));
assertThat(newClusterCaCertStore, is(not(initialClusterCaCertSecret.getData().get(CA_STORE))));
assertThat(newClusterCaCertStorePassword, is(initialClusterCaCertSecret.getData().get(CA_STORE_PASSWORD)));
assertThat(newX509ClusterCaCertStore, is(x509Certificate(newClusterCaCert)));
Map.Entry<String, String> oldClusterCaCert = clusterCaCertData.entrySet().iterator().next();
assertThat(oldClusterCaCert.getValue(), is(initialClusterCaCertSecret.getData().get(CA_CRT)));
assertThat(oldX509ClusterCaCertStore, is(x509Certificate(String.valueOf(oldClusterCaCert.getValue()))));
assertThat(x509Certificate(newClusterCaCert).getSubjectDN().getName(), is("CN=cluster-ca v1, O=io.strimzi"));
Secret clusterCaKeySecret = c.getAllValues().get(1);
assertThat(clusterCaKeySecret.getMetadata().getAnnotations(), hasEntry(Ca.ANNO_STRIMZI_IO_CA_KEY_GENERATION, "1"));
Map<String, String> clusterCaKeyData = clusterCaKeySecret.getData();
assertThat(clusterCaKeyData.keySet(), is(singleton(CA_KEY)));
String newClusterCaKey = clusterCaKeyData.remove(CA_KEY);
assertThat(newClusterCaKey, is(notNullValue()));
assertThat(newClusterCaKey, is(not(initialClusterCaKeySecret.getData().get(CA_KEY))));
Map<String, String> clientsCaCertData = c.getAllValues().get(2).getData();
assertThat(clientsCaCertData, aMapWithSize(4));
X509Certificate newX509ClientsCaCertStore = getCertificateFromTrustStore(CA_CRT, clientsCaCertData);
String oldClientsCaCertKey = clientsCaCertData.keySet().stream().filter(alias -> alias.startsWith("ca-")).findAny().orElseThrow();
X509Certificate oldX509ClientsCaCertStore = getCertificateFromTrustStore(oldClientsCaCertKey, clientsCaCertData);
String newClientsCaCert = clientsCaCertData.remove(CA_CRT);
String newClientsCaCertStore = clientsCaCertData.remove(CA_STORE);
String newClientsCaCertStorePassword = clientsCaCertData.remove(CA_STORE_PASSWORD);
assertThat(newClientsCaCert, is(not(initialClientsCaCertSecret.getData().get(CA_CRT))));
assertThat(newClientsCaCertStore, is(not(initialClientsCaCertSecret.getData().get(CA_STORE))));
assertThat(newClientsCaCertStorePassword, is(initialClientsCaCertSecret.getData().get(CA_STORE_PASSWORD)));
assertThat(newX509ClientsCaCertStore, is(x509Certificate(newClientsCaCert)));
Map.Entry<String, String> oldClientsCaCert = clientsCaCertData.entrySet().iterator().next();
assertThat(oldClientsCaCert.getValue(), is(initialClientsCaCertSecret.getData().get(CA_CRT)));
assertThat(oldX509ClientsCaCertStore, is(x509Certificate(String.valueOf(oldClientsCaCert.getValue()))));
assertThat(x509Certificate(newClientsCaCert).getSubjectDN().getName(), is("CN=clients-ca v1, O=io.strimzi"));
Secret clientsCaKeySecret = c.getAllValues().get(3);
assertThat(clientsCaKeySecret.getMetadata().getAnnotations(), hasEntry(Ca.ANNO_STRIMZI_IO_CA_KEY_GENERATION, "1"));
Map<String, String> clientsCaKeyData = clientsCaKeySecret.getData();
assertThat(clientsCaKeyData.keySet(), is(singleton(CA_KEY)));
String newClientsCaKey = clientsCaKeyData.remove(CA_KEY);
assertThat(newClientsCaKey, is(notNullValue()));
assertThat(newClientsCaKey, is(not(initialClientsCaKeySecret.getData().get(CA_KEY))));
async.flag();
})));
}
Also used :
Secret(io.fabric8.kubernetes.api.model.Secret)
X509Certificate(java.security.cert.X509Certificate)
CoreMatchers.is(org.hamcrest.CoreMatchers.is)
BeforeEach(org.junit.jupiter.api.BeforeEach)
CertificateFactory(java.security.cert.CertificateFactory)
CA_KEY(io.strimzi.operator.cluster.model.Ca.CA_KEY)
Date(java.util.Date)
ArgumentMatchers.eq(org.mockito.ArgumentMatchers.eq)
KeyStoreException(java.security.KeyStoreException)
CoreMatchers.notNullValue(org.hamcrest.CoreMatchers.notNullValue)
CoreMatchers.instanceOf(org.hamcrest.CoreMatchers.instanceOf)
ExtendWith(org.junit.jupiter.api.extension.ExtendWith)
ByteArrayInputStream(java.io.ByteArrayInputStream)
Collections.singleton(java.util.Collections.singleton)
KafkaResources(io.strimzi.api.kafka.model.KafkaResources)
Ca(io.strimzi.operator.cluster.model.Ca)
Map(java.util.Map)
PodOperator(io.strimzi.operator.common.operator.resource.PodOperator)
ResourceOperatorSupplier(io.strimzi.operator.cluster.operator.resource.ResourceOperatorSupplier)
ResourceUtils(io.strimzi.operator.cluster.ResourceUtils)
Path(java.nio.file.Path)
AbstractModel(io.strimzi.operator.cluster.model.AbstractModel)
StatefulSetOperator(io.strimzi.operator.cluster.operator.resource.StatefulSetOperator)
ModelUtils(io.strimzi.operator.cluster.model.ModelUtils)
DeploymentOperator(io.strimzi.operator.common.operator.resource.DeploymentOperator)
SecretOperator(io.strimzi.operator.common.operator.resource.SecretOperator)
KeyStore(java.security.KeyStore)
VertxExtension(io.vertx.junit5.VertxExtension)
Instant(java.time.Instant)
Future(io.vertx.core.Future)
Collectors(java.util.stream.Collectors)
StandardCharsets(java.nio.charset.StandardCharsets)
Subject(io.strimzi.certs.Subject)
Test(org.junit.jupiter.api.Test)
Objects(java.util.Objects)
Base64(java.util.Base64)
List(java.util.List)
Labels(io.strimzi.operator.common.model.Labels)
PasswordGenerator(io.strimzi.operator.common.PasswordGenerator)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
CA_STORE_PASSWORD(io.strimzi.operator.cluster.model.Ca.CA_STORE_PASSWORD)
Secret(io.fabric8.kubernetes.api.model.Secret)
CA_STORE(io.strimzi.operator.cluster.model.Ca.CA_STORE)
Checkpoint(io.vertx.junit5.Checkpoint)
ClusterCa(io.strimzi.operator.cluster.model.ClusterCa)
PlatformFeaturesAvailability(io.strimzi.operator.PlatformFeaturesAvailability)
Mockito.mock(org.mockito.Mockito.mock)
VertxTestContext(io.vertx.junit5.VertxTestContext)
ArgumentMatchers.any(org.mockito.ArgumentMatchers.any)
Matchers.aMapWithSize(org.hamcrest.Matchers.aMapWithSize)
CoreMatchers.not(org.hamcrest.CoreMatchers.not)
OwnerReference(io.fabric8.kubernetes.api.model.OwnerReference)
CertAndKey(io.strimzi.certs.CertAndKey)
Supplier(java.util.function.Supplier)
KafkaBuilder(io.strimzi.api.kafka.model.KafkaBuilder)
ArrayList(java.util.ArrayList)
ArgumentCaptor(org.mockito.ArgumentCaptor)
ClusterOperator(io.strimzi.operator.cluster.ClusterOperator)
TestUtils(io.strimzi.test.TestUtils)
Matchers.hasSize(org.hamcrest.Matchers.hasSize)
ReconcileResult(io.strimzi.operator.common.operator.resource.ReconcileResult)
MatcherAssert.assertThat(org.hamcrest.MatcherAssert.assertThat)
CertificateExpirationPolicy(io.strimzi.api.kafka.model.CertificateExpirationPolicy)
Matchers.hasEntry(org.hamcrest.Matchers.hasEntry)
CertificateAuthority(io.strimzi.api.kafka.model.CertificateAuthority)
Files(java.nio.file.Files)
InvalidResourceException(io.strimzi.operator.cluster.model.InvalidResourceException)
Promise(io.vertx.core.Promise)
KubernetesVersion(io.strimzi.operator.KubernetesVersion)
Vertx(io.vertx.core.Vertx)
IOException(java.io.IOException)
CertificateException(java.security.cert.CertificateException)
TestUtils.set(io.strimzi.test.TestUtils.set)
Mockito.when(org.mockito.Mockito.when)
Reconciliation(io.strimzi.operator.common.Reconciliation)
CA_CRT(io.strimzi.operator.cluster.model.Ca.CA_CRT)
SecretBuilder(io.fabric8.kubernetes.api.model.SecretBuilder)
Kafka(io.strimzi.api.kafka.model.Kafka)
OpenSslCertManager(io.strimzi.certs.OpenSslCertManager)
CertificateAuthorityBuilder(io.strimzi.api.kafka.model.CertificateAuthorityBuilder)
ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString)
Checkpoint(io.vertx.junit5.Checkpoint)
CertificateAuthority(io.strimzi.api.kafka.model.CertificateAuthority)
ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString)
CertificateAuthorityBuilder(io.strimzi.api.kafka.model.CertificateAuthorityBuilder)
Map(java.util.Map)
X509Certificate(java.security.cert.X509Certificate)
Test(org.junit.jupiter.api.Test)
Example 15 with CA_KEY
use of io.strimzi.operator.cluster.model.Ca.CA_KEY in project strimzi by strimzi.
the class CertificateRenewalTest method testNewCertsGetGeneratedWhenInRenewalPeriodAutoWithinMaintenanceWindow.
@Test
public void testNewCertsGetGeneratedWhenInRenewalPeriodAutoWithinMaintenanceWindow(Vertx vertx, VertxTestContext context) throws IOException, CertificateException, KeyStoreException, NoSuchAlgorithmException {
CertificateAuthority certificateAuthority = new CertificateAuthorityBuilder().withValidityDays(2).withRenewalDays(3).withGenerateCertificateAuthority(true).build();
Kafka kafka = new KafkaBuilder().editOrNewMetadata().withName(NAME).withNamespace(NAMESPACE).endMetadata().withNewSpec().withClusterCa(certificateAuthority).withClientsCa(certificateAuthority).withMaintenanceTimeWindows("* 10-14 * * * ? *").endSpec().build();
List<Secret> clusterCaSecrets = initialClusterCaSecrets(certificateAuthority);
Secret initialClusterCaKeySecret = clusterCaSecrets.get(0);
Secret initialClusterCaCertSecret = clusterCaSecrets.get(1);
assertThat(initialClusterCaCertSecret.getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
assertThat(initialClusterCaCertSecret.getData().get(CA_CRT), is(notNullValue()));
assertThat(initialClusterCaCertSecret.getData().get(CA_STORE), is(notNullValue()));
assertThat(initialClusterCaCertSecret.getData().get(CA_STORE_PASSWORD), is(notNullValue()));
assertThat(isCertInTrustStore(CA_CRT, initialClusterCaCertSecret.getData()), is(true));
assertThat(initialClusterCaKeySecret.getData().keySet(), is(singleton(CA_KEY)));
assertThat(initialClusterCaKeySecret.getData().get(CA_KEY), is(notNullValue()));
List<Secret> clientsCaSecrets = initialClientsCaSecrets(certificateAuthority);
Secret initialClientsCaKeySecret = clientsCaSecrets.get(0);
Secret initialClientsCaCertSecret = clientsCaSecrets.get(1);
assertThat(initialClientsCaCertSecret.getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
assertThat(initialClientsCaCertSecret.getData().get(CA_CRT), is(notNullValue()));
assertThat(initialClientsCaCertSecret.getData().get(CA_STORE), is(notNullValue()));
assertThat(initialClientsCaCertSecret.getData().get(CA_STORE_PASSWORD), is(notNullValue()));
assertThat(isCertInTrustStore(CA_CRT, initialClientsCaCertSecret.getData()), is(true));
assertThat(initialClientsCaKeySecret.getData().keySet(), is(singleton(CA_KEY)));
assertThat(initialClientsCaKeySecret.getData().get(CA_KEY), is(notNullValue()));
secrets.add(initialClusterCaCertSecret);
secrets.add(initialClusterCaKeySecret);
secrets.add(initialClientsCaCertSecret);
secrets.add(initialClientsCaKeySecret);
Checkpoint async = context.checkpoint();
reconcileCa(vertx, kafka, () -> Date.from(Instant.parse("2018-11-26T09:12:00Z"))).onComplete(context.succeeding(c -> context.verify(() -> {
assertThat(c.getAllValues().size(), is(4));
Map<String, String> clusterCaCertData = c.getAllValues().get(0).getData();
assertThat(clusterCaCertData.keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
X509Certificate newX509ClusterCaCertStore = getCertificateFromTrustStore(CA_CRT, clusterCaCertData);
assertThat(c.getAllValues().get(0).getMetadata().getAnnotations(), hasEntry(Ca.ANNO_STRIMZI_IO_CA_CERT_GENERATION, "1"));
String newClusterCaCert = clusterCaCertData.remove(CA_CRT);
String newClusterCaCertStore = clusterCaCertData.remove(CA_STORE);
String newClusterCaCertStorePassword = clusterCaCertData.remove(CA_STORE_PASSWORD);
assertThat(newClusterCaCert, is(notNullValue()));
assertThat(newClusterCaCertStore, is(notNullValue()));
assertThat(newClusterCaCertStorePassword, is(notNullValue()));
assertThat(newClusterCaCert, is(not(initialClusterCaCertSecret.getData().get(CA_CRT))));
assertThat(newClusterCaCertStore, is(not(initialClusterCaCertSecret.getData().get(CA_STORE))));
assertThat(newClusterCaCertStorePassword, is(not(initialClusterCaCertSecret.getData().get(CA_STORE_PASSWORD))));
assertThat(newX509ClusterCaCertStore, is(x509Certificate(newClusterCaCert)));
Map<String, String> clusterCaKeyData = c.getAllValues().get(1).getData();
assertThat(clusterCaKeyData.keySet(), is(singleton(CA_KEY)));
assertThat(c.getAllValues().get(1).getMetadata().getAnnotations(), hasEntry(Ca.ANNO_STRIMZI_IO_CA_KEY_GENERATION, "0"));
String newClusterCaKey = clusterCaKeyData.remove(CA_KEY);
assertThat(newClusterCaKey, is(notNullValue()));
assertThat(newClusterCaKey, is(initialClusterCaKeySecret.getData().get(CA_KEY)));
Map<String, String> clientsCaCertData = c.getAllValues().get(2).getData();
assertThat(clientsCaCertData.keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
X509Certificate newX509ClientsCaCertStore = getCertificateFromTrustStore(CA_CRT, clientsCaCertData);
assertThat(c.getAllValues().get(2).getMetadata().getAnnotations(), hasEntry(Ca.ANNO_STRIMZI_IO_CA_CERT_GENERATION, "1"));
String newClientsCaCert = clientsCaCertData.remove(CA_CRT);
String newClientsCaCertStore = clientsCaCertData.remove(CA_STORE);
String newClientsCaCertStorePassword = clientsCaCertData.remove(CA_STORE_PASSWORD);
assertThat(newClientsCaCert, is(notNullValue()));
assertThat(newClientsCaCertStore, is(notNullValue()));
assertThat(newClientsCaCertStorePassword, is(notNullValue()));
assertThat(newClientsCaCert, is(not(initialClientsCaCertSecret.getData().get(CA_CRT))));
assertThat(newClientsCaCertStore, is(not(initialClientsCaCertSecret.getData().get(CA_STORE))));
assertThat(newClientsCaCertStorePassword, is(not(initialClientsCaCertSecret.getData().get(CA_STORE_PASSWORD))));
assertThat(newX509ClientsCaCertStore, is(x509Certificate(newClientsCaCert)));
Map<String, String> clientsCaKeyData = c.getAllValues().get(3).getData();
assertThat(clientsCaKeyData.keySet(), is(singleton(CA_KEY)));
assertThat(c.getAllValues().get(3).getMetadata().getAnnotations(), hasEntry(Ca.ANNO_STRIMZI_IO_CA_KEY_GENERATION, "0"));
String newClientsCaKey = clientsCaKeyData.remove(CA_KEY);
assertThat(newClientsCaKey, is(notNullValue()));
assertThat(newClientsCaKey, is(initialClientsCaKeySecret.getData().get(CA_KEY)));
async.flag();
})));
}
Also used :
Secret(io.fabric8.kubernetes.api.model.Secret)
X509Certificate(java.security.cert.X509Certificate)
CoreMatchers.is(org.hamcrest.CoreMatchers.is)
BeforeEach(org.junit.jupiter.api.BeforeEach)
CertificateFactory(java.security.cert.CertificateFactory)
CA_KEY(io.strimzi.operator.cluster.model.Ca.CA_KEY)
Date(java.util.Date)
ArgumentMatchers.eq(org.mockito.ArgumentMatchers.eq)
KeyStoreException(java.security.KeyStoreException)
CoreMatchers.notNullValue(org.hamcrest.CoreMatchers.notNullValue)
CoreMatchers.instanceOf(org.hamcrest.CoreMatchers.instanceOf)
ExtendWith(org.junit.jupiter.api.extension.ExtendWith)
ByteArrayInputStream(java.io.ByteArrayInputStream)
Collections.singleton(java.util.Collections.singleton)
KafkaResources(io.strimzi.api.kafka.model.KafkaResources)
Ca(io.strimzi.operator.cluster.model.Ca)
Map(java.util.Map)
PodOperator(io.strimzi.operator.common.operator.resource.PodOperator)
ResourceOperatorSupplier(io.strimzi.operator.cluster.operator.resource.ResourceOperatorSupplier)
ResourceUtils(io.strimzi.operator.cluster.ResourceUtils)
Path(java.nio.file.Path)
AbstractModel(io.strimzi.operator.cluster.model.AbstractModel)
StatefulSetOperator(io.strimzi.operator.cluster.operator.resource.StatefulSetOperator)
ModelUtils(io.strimzi.operator.cluster.model.ModelUtils)
DeploymentOperator(io.strimzi.operator.common.operator.resource.DeploymentOperator)
SecretOperator(io.strimzi.operator.common.operator.resource.SecretOperator)
KeyStore(java.security.KeyStore)
VertxExtension(io.vertx.junit5.VertxExtension)
Instant(java.time.Instant)
Future(io.vertx.core.Future)
Collectors(java.util.stream.Collectors)
StandardCharsets(java.nio.charset.StandardCharsets)
Subject(io.strimzi.certs.Subject)
Test(org.junit.jupiter.api.Test)
Objects(java.util.Objects)
Base64(java.util.Base64)
List(java.util.List)
Labels(io.strimzi.operator.common.model.Labels)
PasswordGenerator(io.strimzi.operator.common.PasswordGenerator)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
CA_STORE_PASSWORD(io.strimzi.operator.cluster.model.Ca.CA_STORE_PASSWORD)
Secret(io.fabric8.kubernetes.api.model.Secret)
CA_STORE(io.strimzi.operator.cluster.model.Ca.CA_STORE)
Checkpoint(io.vertx.junit5.Checkpoint)
ClusterCa(io.strimzi.operator.cluster.model.ClusterCa)
PlatformFeaturesAvailability(io.strimzi.operator.PlatformFeaturesAvailability)
Mockito.mock(org.mockito.Mockito.mock)
VertxTestContext(io.vertx.junit5.VertxTestContext)
ArgumentMatchers.any(org.mockito.ArgumentMatchers.any)
Matchers.aMapWithSize(org.hamcrest.Matchers.aMapWithSize)
CoreMatchers.not(org.hamcrest.CoreMatchers.not)
OwnerReference(io.fabric8.kubernetes.api.model.OwnerReference)
CertAndKey(io.strimzi.certs.CertAndKey)
Supplier(java.util.function.Supplier)
KafkaBuilder(io.strimzi.api.kafka.model.KafkaBuilder)
ArrayList(java.util.ArrayList)
ArgumentCaptor(org.mockito.ArgumentCaptor)
ClusterOperator(io.strimzi.operator.cluster.ClusterOperator)
TestUtils(io.strimzi.test.TestUtils)
Matchers.hasSize(org.hamcrest.Matchers.hasSize)
ReconcileResult(io.strimzi.operator.common.operator.resource.ReconcileResult)
MatcherAssert.assertThat(org.hamcrest.MatcherAssert.assertThat)
CertificateExpirationPolicy(io.strimzi.api.kafka.model.CertificateExpirationPolicy)
Matchers.hasEntry(org.hamcrest.Matchers.hasEntry)
CertificateAuthority(io.strimzi.api.kafka.model.CertificateAuthority)
Files(java.nio.file.Files)
InvalidResourceException(io.strimzi.operator.cluster.model.InvalidResourceException)
Promise(io.vertx.core.Promise)
KubernetesVersion(io.strimzi.operator.KubernetesVersion)
Vertx(io.vertx.core.Vertx)
IOException(java.io.IOException)
CertificateException(java.security.cert.CertificateException)
TestUtils.set(io.strimzi.test.TestUtils.set)
Mockito.when(org.mockito.Mockito.when)
Reconciliation(io.strimzi.operator.common.Reconciliation)
CA_CRT(io.strimzi.operator.cluster.model.Ca.CA_CRT)
SecretBuilder(io.fabric8.kubernetes.api.model.SecretBuilder)
Kafka(io.strimzi.api.kafka.model.Kafka)
OpenSslCertManager(io.strimzi.certs.OpenSslCertManager)
CertificateAuthorityBuilder(io.strimzi.api.kafka.model.CertificateAuthorityBuilder)
ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString)
Checkpoint(io.vertx.junit5.Checkpoint)
Kafka(io.strimzi.api.kafka.model.Kafka)
CertificateAuthority(io.strimzi.api.kafka.model.CertificateAuthority)
KafkaBuilder(io.strimzi.api.kafka.model.KafkaBuilder)
ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString)
CertificateAuthorityBuilder(io.strimzi.api.kafka.model.CertificateAuthorityBuilder)
X509Certificate(java.security.cert.X509Certificate)
Test(org.junit.jupiter.api.Test)
Aggregations
OwnerReference (io.fabric8.kubernetes.api.model.OwnerReference)22
Secret (io.fabric8.kubernetes.api.model.Secret)22
SecretBuilder (io.fabric8.kubernetes.api.model.SecretBuilder)22
CertificateAuthority (io.strimzi.api.kafka.model.CertificateAuthority)22
CertificateAuthorityBuilder (io.strimzi.api.kafka.model.CertificateAuthorityBuilder)22
CertificateExpirationPolicy (io.strimzi.api.kafka.model.CertificateExpirationPolicy)22
Kafka (io.strimzi.api.kafka.model.Kafka)22
KafkaBuilder (io.strimzi.api.kafka.model.KafkaBuilder)22
KafkaResources (io.strimzi.api.kafka.model.KafkaResources)22
CertAndKey (io.strimzi.certs.CertAndKey)22
OpenSslCertManager (io.strimzi.certs.OpenSslCertManager)22
Subject (io.strimzi.certs.Subject)22
KubernetesVersion (io.strimzi.operator.KubernetesVersion)22
PlatformFeaturesAvailability (io.strimzi.operator.PlatformFeaturesAvailability)22
ClusterOperator (io.strimzi.operator.cluster.ClusterOperator)22
ResourceUtils (io.strimzi.operator.cluster.ResourceUtils)22
AbstractModel (io.strimzi.operator.cluster.model.AbstractModel)22
Ca (io.strimzi.operator.cluster.model.Ca)22
CA_CRT (io.strimzi.operator.cluster.model.Ca.CA_CRT)22
CA_KEY (io.strimzi.operator.cluster.model.Ca.CA_KEY)22
