Examples with ClientsCa io.strimzi.operator.cluster.model.ClientsCa used on opensource projects

Example 1 with ClientsCa

use of io.strimzi.operator.cluster.model.ClientsCa in project strimzi by strimzi.

the class KafkaUserModel method maybeGenerateCertificates.

/**
 * Manage certificates generation based on those already present in the Secrets
 *
 * @param reconciliation The reconciliation
 * @param certManager CertManager instance for handling certificates creation
 * @param passwordGenerator PasswordGenerator instance for generating passwords
 * @param clientsCaCertSecret The clients CA certificate Secret.
 * @param clientsCaKeySecret The clients CA key Secret.
 * @param userSecret Secret with the user certificate
 * @param validityDays The number of days the certificate should be valid for.
 * @param renewalDays The renewal days.
 */
@SuppressWarnings("checkstyle:BooleanExpressionComplexity")
public void maybeGenerateCertificates(Reconciliation reconciliation, CertManager certManager, PasswordGenerator passwordGenerator, Secret clientsCaCertSecret, Secret clientsCaKeySecret, Secret userSecret, int validityDays, int renewalDays) {
    validateCACertificates(clientsCaCertSecret, clientsCaKeySecret);
    ClientsCa clientsCa = new ClientsCa(reconciliation, certManager, passwordGenerator, clientsCaCertSecret.getMetadata().getName(), clientsCaCertSecret, clientsCaCertSecret.getMetadata().getName(), clientsCaKeySecret, validityDays, renewalDays, false, null);
    this.caCert = clientsCa.currentCaCertBase64();
    if (userSecret != null) {
        // Secret already exists -> lets verify if it has keys from the same CA
        String originalCaCrt = clientsCaCertSecret.getData().get("ca.crt");
        String caCrt = userSecret.getData().get("ca.crt");
        String userCrt = userSecret.getData().get("user.crt");
        String userKey = userSecret.getData().get("user.key");
        String userKeyStore = userSecret.getData().get("user.p12");
        String userKeyStorePassword = userSecret.getData().get("user.password");
        if (originalCaCrt != null && originalCaCrt.equals(caCrt) && userCrt != null && !userCrt.isEmpty() && userKey != null && !userKey.isEmpty() && !clientsCa.isExpiring(userSecret, "user.crt")) {
            if (userKeyStore != null && !userKeyStore.isEmpty() && userKeyStorePassword != null && !userKeyStorePassword.isEmpty()) {
                this.userCertAndKey = new CertAndKey(decodeFromSecret(userSecret, "user.key"), decodeFromSecret(userSecret, "user.crt"), null, decodeFromSecret(userSecret, "user.p12"), new String(decodeFromSecret(userSecret, "user.password"), StandardCharsets.US_ASCII));
            } else {
                // coming from an older operator version, the user secret exists but without keystore and password
                try {
                    this.userCertAndKey = clientsCa.addKeyAndCertToKeyStore(name, decodeFromSecret(userSecret, "user.key"), decodeFromSecret(userSecret, "user.crt"));
                } catch (IOException e) {
                    LOGGER.errorCr(reconciliation, "Error generating the keystore for user {}", name, e);
                }
            }
            return;
        }
    }
    try {
        this.userCertAndKey = clientsCa.generateSignedCert(name);
    } catch (IOException e) {
        LOGGER.errorCr(reconciliation, "Error generating signed certificate for user {}", name, e);
    }
}

Example 2 with ClientsCa

use of io.strimzi.operator.cluster.model.ClientsCa in project strimzi-kafka-operator by strimzi.

the class KafkaAssemblyOperatorTest method testReconcile.

@SuppressWarnings("unchecked")
@ParameterizedTest
@MethodSource("data")
@Timeout(value = 2, timeUnit = TimeUnit.MINUTES)
public void testReconcile(Params params, VertxTestContext context) {
    // Must create all checkpoints before flagging any, as not doing so can lead to premature test success
    Checkpoint fooAsync = context.checkpoint();
    Checkpoint barAsync = context.checkpoint();
    Checkpoint completeTest = context.checkpoint();
    setFields(params);
    // create CM, Service, headless service, statefulset
    ResourceOperatorSupplier supplier = ResourceUtils.supplierWithMocks(openShift);
    ClusterOperatorConfig config = ResourceUtils.dummyClusterOperatorConfig(VERSIONS);
    var mockKafkaOps = supplier.kafkaOperator;
    StatefulSetOperator mockStsOps = supplier.stsOperations;
    SecretOperator mockSecretOps = supplier.secretOperations;
    String kafkaNamespace = "test";
    Kafka foo = getKafkaAssembly("foo");
    Kafka bar = getKafkaAssembly("bar");
    when(mockKafkaOps.listAsync(eq(kafkaNamespace), any(Optional.class))).thenReturn(Future.succeededFuture(asList(foo, bar)));
    // when requested Custom Resource for a specific Kafka cluster
    when(mockKafkaOps.get(eq(kafkaNamespace), eq("foo"))).thenReturn(foo);
    when(mockKafkaOps.get(eq(kafkaNamespace), eq("bar"))).thenReturn(bar);
    when(mockKafkaOps.getAsync(eq(kafkaNamespace), eq("foo"))).thenReturn(Future.succeededFuture(foo));
    when(mockKafkaOps.getAsync(eq(kafkaNamespace), eq("bar"))).thenReturn(Future.succeededFuture(bar));
    when(mockKafkaOps.updateStatusAsync(any(), any(Kafka.class))).thenReturn(Future.succeededFuture());
    // providing certificates Secrets for existing clusters
    List<Secret> fooSecrets = ResourceUtils.createKafkaInitialSecrets(kafkaNamespace, "foo");
    // ClusterCa fooCerts = ResourceUtils.createInitialClusterCa("foo", ModelUtils.findSecretWithName(fooSecrets, AbstractModel.clusterCaCertSecretName("foo")));
    List<Secret> barSecrets = ResourceUtils.createKafkaSecretsWithReplicas(kafkaNamespace, "bar", bar.getSpec().getKafka().getReplicas(), bar.getSpec().getZookeeper().getReplicas());
    ClusterCa barClusterCa = ResourceUtils.createInitialClusterCa(Reconciliation.DUMMY_RECONCILIATION, "bar", findSecretWithName(barSecrets, AbstractModel.clusterCaCertSecretName("bar")), findSecretWithName(barSecrets, AbstractModel.clusterCaKeySecretName("bar")));
    ClientsCa barClientsCa = ResourceUtils.createInitialClientsCa(Reconciliation.DUMMY_RECONCILIATION, "bar", findSecretWithName(barSecrets, KafkaCluster.clientsCaCertSecretName("bar")), findSecretWithName(barSecrets, KafkaCluster.clientsCaKeySecretName("bar")));
    // providing the list of ALL StatefulSets for all the Kafka clusters
    Labels newLabels = Labels.forStrimziKind(Kafka.RESOURCE_KIND);
    when(mockStsOps.list(eq(kafkaNamespace), eq(newLabels))).thenReturn(List.of(KafkaCluster.fromCrd(Reconciliation.DUMMY_RECONCILIATION, bar, VERSIONS).generateStatefulSet(openShift, null, null, null)));
    when(mockSecretOps.get(eq(kafkaNamespace), eq(AbstractModel.clusterCaCertSecretName(foo.getMetadata().getName())))).thenReturn(fooSecrets.get(0));
    when(mockSecretOps.reconcile(any(), eq(kafkaNamespace), eq(AbstractModel.clusterCaCertSecretName(foo.getMetadata().getName())), any(Secret.class))).thenReturn(Future.succeededFuture());
    // providing the list StatefulSets for already "existing" Kafka clusters
    Labels barLabels = Labels.forStrimziCluster("bar");
    KafkaCluster barCluster = KafkaCluster.fromCrd(Reconciliation.DUMMY_RECONCILIATION, bar, VERSIONS);
    when(mockStsOps.list(eq(kafkaNamespace), eq(barLabels))).thenReturn(List.of(barCluster.generateStatefulSet(openShift, null, null, null)));
    when(mockSecretOps.list(eq(kafkaNamespace), eq(barLabels))).thenAnswer(invocation -> new ArrayList<>(asList(barClientsCa.caKeySecret(), barClientsCa.caCertSecret(), barCluster.generateBrokersSecret(barClusterCa, barClientsCa), barClusterCa.caCertSecret())));
    when(mockSecretOps.get(eq(kafkaNamespace), eq(AbstractModel.clusterCaCertSecretName(bar.getMetadata().getName())))).thenReturn(barSecrets.get(0));
    when(mockSecretOps.reconcile(any(), eq(kafkaNamespace), eq(AbstractModel.clusterCaCertSecretName(bar.getMetadata().getName())), any(Secret.class))).thenReturn(Future.succeededFuture());
    KafkaAssemblyOperator ops = new KafkaAssemblyOperator(vertx, new PlatformFeaturesAvailability(openShift, kubernetesVersion), certManager, passwordGenerator, supplier, config) {

        @Override
        public Future<KafkaStatus> createOrUpdate(Reconciliation reconciliation, Kafka kafkaAssembly) {
            String name = kafkaAssembly.getMetadata().getName();
            if ("foo".equals(name)) {
                fooAsync.flag();
            } else if ("bar".equals(name)) {
                barAsync.flag();
            } else {
                context.failNow(new AssertionError("Unexpected name " + name));
            }
            return Future.succeededFuture();
        }
    };
    // Now try to reconcile all the Kafka clusters
    ops.reconcileAll("test", kafkaNamespace, context.succeeding(v -> completeTest.flag()));
}

Example 3 with ClientsCa

use of io.strimzi.operator.cluster.model.ClientsCa in project strimzi-kafka-operator by strimzi.

the class KafkaUserModel method maybeGenerateCertificates.

/**
 * Manage certificates generation based on those already present in the Secrets
 *
 * @param reconciliation The reconciliation
 * @param certManager CertManager instance for handling certificates creation
 * @param passwordGenerator PasswordGenerator instance for generating passwords
 * @param clientsCaCertSecret The clients CA certificate Secret.
 * @param clientsCaKeySecret The clients CA key Secret.
 * @param userSecret Secret with the user certificate
 * @param validityDays The number of days the certificate should be valid for.
 * @param renewalDays The renewal days.
 */
@SuppressWarnings("checkstyle:BooleanExpressionComplexity")
public void maybeGenerateCertificates(Reconciliation reconciliation, CertManager certManager, PasswordGenerator passwordGenerator, Secret clientsCaCertSecret, Secret clientsCaKeySecret, Secret userSecret, int validityDays, int renewalDays) {
    validateCACertificates(clientsCaCertSecret, clientsCaKeySecret);
    ClientsCa clientsCa = new ClientsCa(reconciliation, certManager, passwordGenerator, clientsCaCertSecret.getMetadata().getName(), clientsCaCertSecret, clientsCaCertSecret.getMetadata().getName(), clientsCaKeySecret, validityDays, renewalDays, false, null);
    this.caCert = clientsCa.currentCaCertBase64();
    if (userSecret != null) {
        // Secret already exists -> lets verify if it has keys from the same CA
        String originalCaCrt = clientsCaCertSecret.getData().get("ca.crt");
        String caCrt = userSecret.getData().get("ca.crt");
        String userCrt = userSecret.getData().get("user.crt");
        String userKey = userSecret.getData().get("user.key");
        String userKeyStore = userSecret.getData().get("user.p12");
        String userKeyStorePassword = userSecret.getData().get("user.password");
        if (originalCaCrt != null && originalCaCrt.equals(caCrt) && userCrt != null && !userCrt.isEmpty() && userKey != null && !userKey.isEmpty() && !clientsCa.isExpiring(userSecret, "user.crt")) {
            if (userKeyStore != null && !userKeyStore.isEmpty() && userKeyStorePassword != null && !userKeyStorePassword.isEmpty()) {
                this.userCertAndKey = new CertAndKey(decodeFromSecret(userSecret, "user.key"), decodeFromSecret(userSecret, "user.crt"), null, decodeFromSecret(userSecret, "user.p12"), new String(decodeFromSecret(userSecret, "user.password"), StandardCharsets.US_ASCII));
            } else {
                // coming from an older operator version, the user secret exists but without keystore and password
                try {
                    this.userCertAndKey = clientsCa.addKeyAndCertToKeyStore(name, decodeFromSecret(userSecret, "user.key"), decodeFromSecret(userSecret, "user.crt"));
                } catch (IOException e) {
                    LOGGER.errorCr(reconciliation, "Error generating the keystore for user {}", name, e);
                }
            }
            return;
        }
    }
    try {
        this.userCertAndKey = clientsCa.generateSignedCert(name);
    } catch (IOException e) {
        LOGGER.errorCr(reconciliation, "Error generating signed certificate for user {}", name, e);
    }
}

Example 4 with ClientsCa

use of io.strimzi.operator.cluster.model.ClientsCa in project strimzi by strimzi.

the class KafkaAssemblyOperatorTest method testReconcileAllNamespaces.

@SuppressWarnings("unchecked")
@ParameterizedTest
@MethodSource("data")
@Timeout(value = 2, timeUnit = TimeUnit.MINUTES)
public void testReconcileAllNamespaces(Params params, VertxTestContext context) {
    setFields(params);
    // create CM, Service, headless service, statefulset
    ResourceOperatorSupplier supplier = ResourceUtils.supplierWithMocks(openShift);
    ClusterOperatorConfig config = ResourceUtils.dummyClusterOperatorConfig(VERSIONS);
    var mockKafkaOps = supplier.kafkaOperator;
    StatefulSetOperator mockStsOps = supplier.stsOperations;
    SecretOperator mockSecretOps = supplier.secretOperations;
    Kafka foo = getKafkaAssembly("foo");
    foo.getMetadata().setNamespace("namespace1");
    Kafka bar = getKafkaAssembly("bar");
    bar.getMetadata().setNamespace("namespace2");
    when(mockKafkaOps.listAsync(eq("*"), any(Optional.class))).thenReturn(Future.succeededFuture(asList(foo, bar)));
    // when requested Custom Resource for a specific Kafka cluster
    when(mockKafkaOps.get(eq("namespace1"), eq("foo"))).thenReturn(foo);
    when(mockKafkaOps.get(eq("namespace2"), eq("bar"))).thenReturn(bar);
    when(mockKafkaOps.getAsync(eq("namespace1"), eq("foo"))).thenReturn(Future.succeededFuture(foo));
    when(mockKafkaOps.getAsync(eq("namespace2"), eq("bar"))).thenReturn(Future.succeededFuture(bar));
    when(mockKafkaOps.updateStatusAsync(any(), any(Kafka.class))).thenReturn(Future.succeededFuture());
    // providing certificates Secrets for existing clusters
    List<Secret> barSecrets = ResourceUtils.createKafkaSecretsWithReplicas("namespace2", "bar", bar.getSpec().getKafka().getReplicas(), bar.getSpec().getZookeeper().getReplicas());
    ClusterCa barClusterCa = ResourceUtils.createInitialClusterCa(Reconciliation.DUMMY_RECONCILIATION, "bar", findSecretWithName(barSecrets, AbstractModel.clusterCaCertSecretName("bar")), findSecretWithName(barSecrets, AbstractModel.clusterCaKeySecretName("bar")));
    ClientsCa barClientsCa = ResourceUtils.createInitialClientsCa(Reconciliation.DUMMY_RECONCILIATION, "bar", findSecretWithName(barSecrets, KafkaCluster.clientsCaCertSecretName("bar")), findSecretWithName(barSecrets, KafkaCluster.clientsCaKeySecretName("bar")));
    // providing the list of ALL StatefulSets for all the Kafka clusters
    Labels newLabels = Labels.forStrimziKind(Kafka.RESOURCE_KIND);
    when(mockStsOps.list(eq("*"), eq(newLabels))).thenReturn(List.of(KafkaCluster.fromCrd(Reconciliation.DUMMY_RECONCILIATION, bar, VERSIONS).generateStatefulSet(openShift, null, null, null)));
    // providing the list StatefulSets for already "existing" Kafka clusters
    Labels barLabels = Labels.forStrimziCluster("bar");
    KafkaCluster barCluster = KafkaCluster.fromCrd(Reconciliation.DUMMY_RECONCILIATION, bar, VERSIONS);
    when(mockStsOps.list(eq("*"), eq(barLabels))).thenReturn(List.of(barCluster.generateStatefulSet(openShift, null, null, null)));
    when(mockSecretOps.list(eq("*"), eq(barLabels))).thenAnswer(invocation -> new ArrayList<>(asList(barClientsCa.caKeySecret(), barClientsCa.caCertSecret(), barCluster.generateBrokersSecret(barClusterCa, barClientsCa), barClusterCa.caCertSecret())));
    Checkpoint fooAsync = context.checkpoint();
    Checkpoint barAsync = context.checkpoint();
    KafkaAssemblyOperator ops = new KafkaAssemblyOperator(vertx, new PlatformFeaturesAvailability(openShift, kubernetesVersion), certManager, passwordGenerator, supplier, config) {

        @Override
        public Future<KafkaStatus> createOrUpdate(Reconciliation reconciliation, Kafka kafkaAssembly) {
            String name = kafkaAssembly.getMetadata().getName();
            if ("foo".equals(name)) {
                fooAsync.flag();
            } else if ("bar".equals(name)) {
                barAsync.flag();
            } else {
                context.failNow(new AssertionError("Unexpected name " + name));
            }
            return Future.succeededFuture();
        }
    };
    Checkpoint async = context.checkpoint();
    // Now try to reconcile all the Kafka clusters
    ops.reconcileAll("test", "*", context.succeeding(v -> async.flag()));
}

Example 5 with ClientsCa

use of io.strimzi.operator.cluster.model.ClientsCa in project strimzi by strimzi.

the class KafkaAssemblyOperatorTest method testReconcile.

@SuppressWarnings("unchecked")
@ParameterizedTest
@MethodSource("data")
@Timeout(value = 2, timeUnit = TimeUnit.MINUTES)
public void testReconcile(Params params, VertxTestContext context) {
    // Must create all checkpoints before flagging any, as not doing so can lead to premature test success
    Checkpoint fooAsync = context.checkpoint();
    Checkpoint barAsync = context.checkpoint();
    Checkpoint completeTest = context.checkpoint();
    setFields(params);
    // create CM, Service, headless service, statefulset
    ResourceOperatorSupplier supplier = ResourceUtils.supplierWithMocks(openShift);
    ClusterOperatorConfig config = ResourceUtils.dummyClusterOperatorConfig(VERSIONS);
    var mockKafkaOps = supplier.kafkaOperator;
    StatefulSetOperator mockStsOps = supplier.stsOperations;
    SecretOperator mockSecretOps = supplier.secretOperations;
    String kafkaNamespace = "test";
    Kafka foo = getKafkaAssembly("foo");
    Kafka bar = getKafkaAssembly("bar");
    when(mockKafkaOps.listAsync(eq(kafkaNamespace), any(Optional.class))).thenReturn(Future.succeededFuture(asList(foo, bar)));
    // when requested Custom Resource for a specific Kafka cluster
    when(mockKafkaOps.get(eq(kafkaNamespace), eq("foo"))).thenReturn(foo);
    when(mockKafkaOps.get(eq(kafkaNamespace), eq("bar"))).thenReturn(bar);
    when(mockKafkaOps.getAsync(eq(kafkaNamespace), eq("foo"))).thenReturn(Future.succeededFuture(foo));
    when(mockKafkaOps.getAsync(eq(kafkaNamespace), eq("bar"))).thenReturn(Future.succeededFuture(bar));
    when(mockKafkaOps.updateStatusAsync(any(), any(Kafka.class))).thenReturn(Future.succeededFuture());
    // providing certificates Secrets for existing clusters
    List<Secret> fooSecrets = ResourceUtils.createKafkaInitialSecrets(kafkaNamespace, "foo");
    // ClusterCa fooCerts = ResourceUtils.createInitialClusterCa("foo", ModelUtils.findSecretWithName(fooSecrets, AbstractModel.clusterCaCertSecretName("foo")));
    List<Secret> barSecrets = ResourceUtils.createKafkaSecretsWithReplicas(kafkaNamespace, "bar", bar.getSpec().getKafka().getReplicas(), bar.getSpec().getZookeeper().getReplicas());
    ClusterCa barClusterCa = ResourceUtils.createInitialClusterCa(Reconciliation.DUMMY_RECONCILIATION, "bar", findSecretWithName(barSecrets, AbstractModel.clusterCaCertSecretName("bar")), findSecretWithName(barSecrets, AbstractModel.clusterCaKeySecretName("bar")));
    ClientsCa barClientsCa = ResourceUtils.createInitialClientsCa(Reconciliation.DUMMY_RECONCILIATION, "bar", findSecretWithName(barSecrets, KafkaCluster.clientsCaCertSecretName("bar")), findSecretWithName(barSecrets, KafkaCluster.clientsCaKeySecretName("bar")));
    // providing the list of ALL StatefulSets for all the Kafka clusters
    Labels newLabels = Labels.forStrimziKind(Kafka.RESOURCE_KIND);
    when(mockStsOps.list(eq(kafkaNamespace), eq(newLabels))).thenReturn(List.of(KafkaCluster.fromCrd(Reconciliation.DUMMY_RECONCILIATION, bar, VERSIONS).generateStatefulSet(openShift, null, null, null)));
    when(mockSecretOps.get(eq(kafkaNamespace), eq(AbstractModel.clusterCaCertSecretName(foo.getMetadata().getName())))).thenReturn(fooSecrets.get(0));
    when(mockSecretOps.reconcile(any(), eq(kafkaNamespace), eq(AbstractModel.clusterCaCertSecretName(foo.getMetadata().getName())), any(Secret.class))).thenReturn(Future.succeededFuture());
    // providing the list StatefulSets for already "existing" Kafka clusters
    Labels barLabels = Labels.forStrimziCluster("bar");
    KafkaCluster barCluster = KafkaCluster.fromCrd(Reconciliation.DUMMY_RECONCILIATION, bar, VERSIONS);
    when(mockStsOps.list(eq(kafkaNamespace), eq(barLabels))).thenReturn(List.of(barCluster.generateStatefulSet(openShift, null, null, null)));
    when(mockSecretOps.list(eq(kafkaNamespace), eq(barLabels))).thenAnswer(invocation -> new ArrayList<>(asList(barClientsCa.caKeySecret(), barClientsCa.caCertSecret(), barCluster.generateBrokersSecret(barClusterCa, barClientsCa), barClusterCa.caCertSecret())));
    when(mockSecretOps.get(eq(kafkaNamespace), eq(AbstractModel.clusterCaCertSecretName(bar.getMetadata().getName())))).thenReturn(barSecrets.get(0));
    when(mockSecretOps.reconcile(any(), eq(kafkaNamespace), eq(AbstractModel.clusterCaCertSecretName(bar.getMetadata().getName())), any(Secret.class))).thenReturn(Future.succeededFuture());
    KafkaAssemblyOperator ops = new KafkaAssemblyOperator(vertx, new PlatformFeaturesAvailability(openShift, kubernetesVersion), certManager, passwordGenerator, supplier, config) {

        @Override
        public Future<KafkaStatus> createOrUpdate(Reconciliation reconciliation, Kafka kafkaAssembly) {
            String name = kafkaAssembly.getMetadata().getName();
            if ("foo".equals(name)) {
                fooAsync.flag();
            } else if ("bar".equals(name)) {
                barAsync.flag();
            } else {
                context.failNow(new AssertionError("Unexpected name " + name));
            }
            return Future.succeededFuture();
        }
    };
    // Now try to reconcile all the Kafka clusters
    ops.reconcileAll("test", kafkaNamespace, context.succeeding(v -> completeTest.flag()));
}