use of io.strimzi.operator.cluster.model.ClientsCa in project strimzi by strimzi.
the class KafkaUserModel method maybeGenerateCertificates.
/**
* Manage certificates generation based on those already present in the Secrets
*
* @param reconciliation The reconciliation
* @param certManager CertManager instance for handling certificates creation
* @param passwordGenerator PasswordGenerator instance for generating passwords
* @param clientsCaCertSecret The clients CA certificate Secret.
* @param clientsCaKeySecret The clients CA key Secret.
* @param userSecret Secret with the user certificate
* @param validityDays The number of days the certificate should be valid for.
* @param renewalDays The renewal days.
*/
@SuppressWarnings("checkstyle:BooleanExpressionComplexity")
public void maybeGenerateCertificates(Reconciliation reconciliation, CertManager certManager, PasswordGenerator passwordGenerator, Secret clientsCaCertSecret, Secret clientsCaKeySecret, Secret userSecret, int validityDays, int renewalDays) {
validateCACertificates(clientsCaCertSecret, clientsCaKeySecret);
ClientsCa clientsCa = new ClientsCa(reconciliation, certManager, passwordGenerator, clientsCaCertSecret.getMetadata().getName(), clientsCaCertSecret, clientsCaCertSecret.getMetadata().getName(), clientsCaKeySecret, validityDays, renewalDays, false, null);
this.caCert = clientsCa.currentCaCertBase64();
if (userSecret != null) {
// Secret already exists -> lets verify if it has keys from the same CA
String originalCaCrt = clientsCaCertSecret.getData().get("ca.crt");
String caCrt = userSecret.getData().get("ca.crt");
String userCrt = userSecret.getData().get("user.crt");
String userKey = userSecret.getData().get("user.key");
String userKeyStore = userSecret.getData().get("user.p12");
String userKeyStorePassword = userSecret.getData().get("user.password");
if (originalCaCrt != null && originalCaCrt.equals(caCrt) && userCrt != null && !userCrt.isEmpty() && userKey != null && !userKey.isEmpty() && !clientsCa.isExpiring(userSecret, "user.crt")) {
if (userKeyStore != null && !userKeyStore.isEmpty() && userKeyStorePassword != null && !userKeyStorePassword.isEmpty()) {
this.userCertAndKey = new CertAndKey(decodeFromSecret(userSecret, "user.key"), decodeFromSecret(userSecret, "user.crt"), null, decodeFromSecret(userSecret, "user.p12"), new String(decodeFromSecret(userSecret, "user.password"), StandardCharsets.US_ASCII));
} else {
// coming from an older operator version, the user secret exists but without keystore and password
try {
this.userCertAndKey = clientsCa.addKeyAndCertToKeyStore(name, decodeFromSecret(userSecret, "user.key"), decodeFromSecret(userSecret, "user.crt"));
} catch (IOException e) {
LOGGER.errorCr(reconciliation, "Error generating the keystore for user {}", name, e);
}
}
return;
}
}
try {
this.userCertAndKey = clientsCa.generateSignedCert(name);
} catch (IOException e) {
LOGGER.errorCr(reconciliation, "Error generating signed certificate for user {}", name, e);
}
}
use of io.strimzi.operator.cluster.model.ClientsCa in project strimzi-kafka-operator by strimzi.
the class KafkaAssemblyOperatorTest method testReconcile.
@SuppressWarnings("unchecked")
@ParameterizedTest
@MethodSource("data")
@Timeout(value = 2, timeUnit = TimeUnit.MINUTES)
public void testReconcile(Params params, VertxTestContext context) {
// Must create all checkpoints before flagging any, as not doing so can lead to premature test success
Checkpoint fooAsync = context.checkpoint();
Checkpoint barAsync = context.checkpoint();
Checkpoint completeTest = context.checkpoint();
setFields(params);
// create CM, Service, headless service, statefulset
ResourceOperatorSupplier supplier = ResourceUtils.supplierWithMocks(openShift);
ClusterOperatorConfig config = ResourceUtils.dummyClusterOperatorConfig(VERSIONS);
var mockKafkaOps = supplier.kafkaOperator;
StatefulSetOperator mockStsOps = supplier.stsOperations;
SecretOperator mockSecretOps = supplier.secretOperations;
String kafkaNamespace = "test";
Kafka foo = getKafkaAssembly("foo");
Kafka bar = getKafkaAssembly("bar");
when(mockKafkaOps.listAsync(eq(kafkaNamespace), any(Optional.class))).thenReturn(Future.succeededFuture(asList(foo, bar)));
// when requested Custom Resource for a specific Kafka cluster
when(mockKafkaOps.get(eq(kafkaNamespace), eq("foo"))).thenReturn(foo);
when(mockKafkaOps.get(eq(kafkaNamespace), eq("bar"))).thenReturn(bar);
when(mockKafkaOps.getAsync(eq(kafkaNamespace), eq("foo"))).thenReturn(Future.succeededFuture(foo));
when(mockKafkaOps.getAsync(eq(kafkaNamespace), eq("bar"))).thenReturn(Future.succeededFuture(bar));
when(mockKafkaOps.updateStatusAsync(any(), any(Kafka.class))).thenReturn(Future.succeededFuture());
// providing certificates Secrets for existing clusters
List<Secret> fooSecrets = ResourceUtils.createKafkaInitialSecrets(kafkaNamespace, "foo");
// ClusterCa fooCerts = ResourceUtils.createInitialClusterCa("foo", ModelUtils.findSecretWithName(fooSecrets, AbstractModel.clusterCaCertSecretName("foo")));
List<Secret> barSecrets = ResourceUtils.createKafkaSecretsWithReplicas(kafkaNamespace, "bar", bar.getSpec().getKafka().getReplicas(), bar.getSpec().getZookeeper().getReplicas());
ClusterCa barClusterCa = ResourceUtils.createInitialClusterCa(Reconciliation.DUMMY_RECONCILIATION, "bar", findSecretWithName(barSecrets, AbstractModel.clusterCaCertSecretName("bar")), findSecretWithName(barSecrets, AbstractModel.clusterCaKeySecretName("bar")));
ClientsCa barClientsCa = ResourceUtils.createInitialClientsCa(Reconciliation.DUMMY_RECONCILIATION, "bar", findSecretWithName(barSecrets, KafkaCluster.clientsCaCertSecretName("bar")), findSecretWithName(barSecrets, KafkaCluster.clientsCaKeySecretName("bar")));
// providing the list of ALL StatefulSets for all the Kafka clusters
Labels newLabels = Labels.forStrimziKind(Kafka.RESOURCE_KIND);
when(mockStsOps.list(eq(kafkaNamespace), eq(newLabels))).thenReturn(List.of(KafkaCluster.fromCrd(Reconciliation.DUMMY_RECONCILIATION, bar, VERSIONS).generateStatefulSet(openShift, null, null, null)));
when(mockSecretOps.get(eq(kafkaNamespace), eq(AbstractModel.clusterCaCertSecretName(foo.getMetadata().getName())))).thenReturn(fooSecrets.get(0));
when(mockSecretOps.reconcile(any(), eq(kafkaNamespace), eq(AbstractModel.clusterCaCertSecretName(foo.getMetadata().getName())), any(Secret.class))).thenReturn(Future.succeededFuture());
// providing the list StatefulSets for already "existing" Kafka clusters
Labels barLabels = Labels.forStrimziCluster("bar");
KafkaCluster barCluster = KafkaCluster.fromCrd(Reconciliation.DUMMY_RECONCILIATION, bar, VERSIONS);
when(mockStsOps.list(eq(kafkaNamespace), eq(barLabels))).thenReturn(List.of(barCluster.generateStatefulSet(openShift, null, null, null)));
when(mockSecretOps.list(eq(kafkaNamespace), eq(barLabels))).thenAnswer(invocation -> new ArrayList<>(asList(barClientsCa.caKeySecret(), barClientsCa.caCertSecret(), barCluster.generateBrokersSecret(barClusterCa, barClientsCa), barClusterCa.caCertSecret())));
when(mockSecretOps.get(eq(kafkaNamespace), eq(AbstractModel.clusterCaCertSecretName(bar.getMetadata().getName())))).thenReturn(barSecrets.get(0));
when(mockSecretOps.reconcile(any(), eq(kafkaNamespace), eq(AbstractModel.clusterCaCertSecretName(bar.getMetadata().getName())), any(Secret.class))).thenReturn(Future.succeededFuture());
KafkaAssemblyOperator ops = new KafkaAssemblyOperator(vertx, new PlatformFeaturesAvailability(openShift, kubernetesVersion), certManager, passwordGenerator, supplier, config) {
@Override
public Future<KafkaStatus> createOrUpdate(Reconciliation reconciliation, Kafka kafkaAssembly) {
String name = kafkaAssembly.getMetadata().getName();
if ("foo".equals(name)) {
fooAsync.flag();
} else if ("bar".equals(name)) {
barAsync.flag();
} else {
context.failNow(new AssertionError("Unexpected name " + name));
}
return Future.succeededFuture();
}
};
// Now try to reconcile all the Kafka clusters
ops.reconcileAll("test", kafkaNamespace, context.succeeding(v -> completeTest.flag()));
}
use of io.strimzi.operator.cluster.model.ClientsCa in project strimzi-kafka-operator by strimzi.
the class KafkaUserModel method maybeGenerateCertificates.
/**
* Manage certificates generation based on those already present in the Secrets
*
* @param reconciliation The reconciliation
* @param certManager CertManager instance for handling certificates creation
* @param passwordGenerator PasswordGenerator instance for generating passwords
* @param clientsCaCertSecret The clients CA certificate Secret.
* @param clientsCaKeySecret The clients CA key Secret.
* @param userSecret Secret with the user certificate
* @param validityDays The number of days the certificate should be valid for.
* @param renewalDays The renewal days.
*/
@SuppressWarnings("checkstyle:BooleanExpressionComplexity")
public void maybeGenerateCertificates(Reconciliation reconciliation, CertManager certManager, PasswordGenerator passwordGenerator, Secret clientsCaCertSecret, Secret clientsCaKeySecret, Secret userSecret, int validityDays, int renewalDays) {
validateCACertificates(clientsCaCertSecret, clientsCaKeySecret);
ClientsCa clientsCa = new ClientsCa(reconciliation, certManager, passwordGenerator, clientsCaCertSecret.getMetadata().getName(), clientsCaCertSecret, clientsCaCertSecret.getMetadata().getName(), clientsCaKeySecret, validityDays, renewalDays, false, null);
this.caCert = clientsCa.currentCaCertBase64();
if (userSecret != null) {
// Secret already exists -> lets verify if it has keys from the same CA
String originalCaCrt = clientsCaCertSecret.getData().get("ca.crt");
String caCrt = userSecret.getData().get("ca.crt");
String userCrt = userSecret.getData().get("user.crt");
String userKey = userSecret.getData().get("user.key");
String userKeyStore = userSecret.getData().get("user.p12");
String userKeyStorePassword = userSecret.getData().get("user.password");
if (originalCaCrt != null && originalCaCrt.equals(caCrt) && userCrt != null && !userCrt.isEmpty() && userKey != null && !userKey.isEmpty() && !clientsCa.isExpiring(userSecret, "user.crt")) {
if (userKeyStore != null && !userKeyStore.isEmpty() && userKeyStorePassword != null && !userKeyStorePassword.isEmpty()) {
this.userCertAndKey = new CertAndKey(decodeFromSecret(userSecret, "user.key"), decodeFromSecret(userSecret, "user.crt"), null, decodeFromSecret(userSecret, "user.p12"), new String(decodeFromSecret(userSecret, "user.password"), StandardCharsets.US_ASCII));
} else {
// coming from an older operator version, the user secret exists but without keystore and password
try {
this.userCertAndKey = clientsCa.addKeyAndCertToKeyStore(name, decodeFromSecret(userSecret, "user.key"), decodeFromSecret(userSecret, "user.crt"));
} catch (IOException e) {
LOGGER.errorCr(reconciliation, "Error generating the keystore for user {}", name, e);
}
}
return;
}
}
try {
this.userCertAndKey = clientsCa.generateSignedCert(name);
} catch (IOException e) {
LOGGER.errorCr(reconciliation, "Error generating signed certificate for user {}", name, e);
}
}
use of io.strimzi.operator.cluster.model.ClientsCa in project strimzi by strimzi.
the class KafkaAssemblyOperatorTest method testReconcileAllNamespaces.
@SuppressWarnings("unchecked")
@ParameterizedTest
@MethodSource("data")
@Timeout(value = 2, timeUnit = TimeUnit.MINUTES)
public void testReconcileAllNamespaces(Params params, VertxTestContext context) {
setFields(params);
// create CM, Service, headless service, statefulset
ResourceOperatorSupplier supplier = ResourceUtils.supplierWithMocks(openShift);
ClusterOperatorConfig config = ResourceUtils.dummyClusterOperatorConfig(VERSIONS);
var mockKafkaOps = supplier.kafkaOperator;
StatefulSetOperator mockStsOps = supplier.stsOperations;
SecretOperator mockSecretOps = supplier.secretOperations;
Kafka foo = getKafkaAssembly("foo");
foo.getMetadata().setNamespace("namespace1");
Kafka bar = getKafkaAssembly("bar");
bar.getMetadata().setNamespace("namespace2");
when(mockKafkaOps.listAsync(eq("*"), any(Optional.class))).thenReturn(Future.succeededFuture(asList(foo, bar)));
// when requested Custom Resource for a specific Kafka cluster
when(mockKafkaOps.get(eq("namespace1"), eq("foo"))).thenReturn(foo);
when(mockKafkaOps.get(eq("namespace2"), eq("bar"))).thenReturn(bar);
when(mockKafkaOps.getAsync(eq("namespace1"), eq("foo"))).thenReturn(Future.succeededFuture(foo));
when(mockKafkaOps.getAsync(eq("namespace2"), eq("bar"))).thenReturn(Future.succeededFuture(bar));
when(mockKafkaOps.updateStatusAsync(any(), any(Kafka.class))).thenReturn(Future.succeededFuture());
// providing certificates Secrets for existing clusters
List<Secret> barSecrets = ResourceUtils.createKafkaSecretsWithReplicas("namespace2", "bar", bar.getSpec().getKafka().getReplicas(), bar.getSpec().getZookeeper().getReplicas());
ClusterCa barClusterCa = ResourceUtils.createInitialClusterCa(Reconciliation.DUMMY_RECONCILIATION, "bar", findSecretWithName(barSecrets, AbstractModel.clusterCaCertSecretName("bar")), findSecretWithName(barSecrets, AbstractModel.clusterCaKeySecretName("bar")));
ClientsCa barClientsCa = ResourceUtils.createInitialClientsCa(Reconciliation.DUMMY_RECONCILIATION, "bar", findSecretWithName(barSecrets, KafkaCluster.clientsCaCertSecretName("bar")), findSecretWithName(barSecrets, KafkaCluster.clientsCaKeySecretName("bar")));
// providing the list of ALL StatefulSets for all the Kafka clusters
Labels newLabels = Labels.forStrimziKind(Kafka.RESOURCE_KIND);
when(mockStsOps.list(eq("*"), eq(newLabels))).thenReturn(List.of(KafkaCluster.fromCrd(Reconciliation.DUMMY_RECONCILIATION, bar, VERSIONS).generateStatefulSet(openShift, null, null, null)));
// providing the list StatefulSets for already "existing" Kafka clusters
Labels barLabels = Labels.forStrimziCluster("bar");
KafkaCluster barCluster = KafkaCluster.fromCrd(Reconciliation.DUMMY_RECONCILIATION, bar, VERSIONS);
when(mockStsOps.list(eq("*"), eq(barLabels))).thenReturn(List.of(barCluster.generateStatefulSet(openShift, null, null, null)));
when(mockSecretOps.list(eq("*"), eq(barLabels))).thenAnswer(invocation -> new ArrayList<>(asList(barClientsCa.caKeySecret(), barClientsCa.caCertSecret(), barCluster.generateBrokersSecret(barClusterCa, barClientsCa), barClusterCa.caCertSecret())));
Checkpoint fooAsync = context.checkpoint();
Checkpoint barAsync = context.checkpoint();
KafkaAssemblyOperator ops = new KafkaAssemblyOperator(vertx, new PlatformFeaturesAvailability(openShift, kubernetesVersion), certManager, passwordGenerator, supplier, config) {
@Override
public Future<KafkaStatus> createOrUpdate(Reconciliation reconciliation, Kafka kafkaAssembly) {
String name = kafkaAssembly.getMetadata().getName();
if ("foo".equals(name)) {
fooAsync.flag();
} else if ("bar".equals(name)) {
barAsync.flag();
} else {
context.failNow(new AssertionError("Unexpected name " + name));
}
return Future.succeededFuture();
}
};
Checkpoint async = context.checkpoint();
// Now try to reconcile all the Kafka clusters
ops.reconcileAll("test", "*", context.succeeding(v -> async.flag()));
}
use of io.strimzi.operator.cluster.model.ClientsCa in project strimzi by strimzi.
the class KafkaAssemblyOperatorTest method testReconcile.
@SuppressWarnings("unchecked")
@ParameterizedTest
@MethodSource("data")
@Timeout(value = 2, timeUnit = TimeUnit.MINUTES)
public void testReconcile(Params params, VertxTestContext context) {
// Must create all checkpoints before flagging any, as not doing so can lead to premature test success
Checkpoint fooAsync = context.checkpoint();
Checkpoint barAsync = context.checkpoint();
Checkpoint completeTest = context.checkpoint();
setFields(params);
// create CM, Service, headless service, statefulset
ResourceOperatorSupplier supplier = ResourceUtils.supplierWithMocks(openShift);
ClusterOperatorConfig config = ResourceUtils.dummyClusterOperatorConfig(VERSIONS);
var mockKafkaOps = supplier.kafkaOperator;
StatefulSetOperator mockStsOps = supplier.stsOperations;
SecretOperator mockSecretOps = supplier.secretOperations;
String kafkaNamespace = "test";
Kafka foo = getKafkaAssembly("foo");
Kafka bar = getKafkaAssembly("bar");
when(mockKafkaOps.listAsync(eq(kafkaNamespace), any(Optional.class))).thenReturn(Future.succeededFuture(asList(foo, bar)));
// when requested Custom Resource for a specific Kafka cluster
when(mockKafkaOps.get(eq(kafkaNamespace), eq("foo"))).thenReturn(foo);
when(mockKafkaOps.get(eq(kafkaNamespace), eq("bar"))).thenReturn(bar);
when(mockKafkaOps.getAsync(eq(kafkaNamespace), eq("foo"))).thenReturn(Future.succeededFuture(foo));
when(mockKafkaOps.getAsync(eq(kafkaNamespace), eq("bar"))).thenReturn(Future.succeededFuture(bar));
when(mockKafkaOps.updateStatusAsync(any(), any(Kafka.class))).thenReturn(Future.succeededFuture());
// providing certificates Secrets for existing clusters
List<Secret> fooSecrets = ResourceUtils.createKafkaInitialSecrets(kafkaNamespace, "foo");
// ClusterCa fooCerts = ResourceUtils.createInitialClusterCa("foo", ModelUtils.findSecretWithName(fooSecrets, AbstractModel.clusterCaCertSecretName("foo")));
List<Secret> barSecrets = ResourceUtils.createKafkaSecretsWithReplicas(kafkaNamespace, "bar", bar.getSpec().getKafka().getReplicas(), bar.getSpec().getZookeeper().getReplicas());
ClusterCa barClusterCa = ResourceUtils.createInitialClusterCa(Reconciliation.DUMMY_RECONCILIATION, "bar", findSecretWithName(barSecrets, AbstractModel.clusterCaCertSecretName("bar")), findSecretWithName(barSecrets, AbstractModel.clusterCaKeySecretName("bar")));
ClientsCa barClientsCa = ResourceUtils.createInitialClientsCa(Reconciliation.DUMMY_RECONCILIATION, "bar", findSecretWithName(barSecrets, KafkaCluster.clientsCaCertSecretName("bar")), findSecretWithName(barSecrets, KafkaCluster.clientsCaKeySecretName("bar")));
// providing the list of ALL StatefulSets for all the Kafka clusters
Labels newLabels = Labels.forStrimziKind(Kafka.RESOURCE_KIND);
when(mockStsOps.list(eq(kafkaNamespace), eq(newLabels))).thenReturn(List.of(KafkaCluster.fromCrd(Reconciliation.DUMMY_RECONCILIATION, bar, VERSIONS).generateStatefulSet(openShift, null, null, null)));
when(mockSecretOps.get(eq(kafkaNamespace), eq(AbstractModel.clusterCaCertSecretName(foo.getMetadata().getName())))).thenReturn(fooSecrets.get(0));
when(mockSecretOps.reconcile(any(), eq(kafkaNamespace), eq(AbstractModel.clusterCaCertSecretName(foo.getMetadata().getName())), any(Secret.class))).thenReturn(Future.succeededFuture());
// providing the list StatefulSets for already "existing" Kafka clusters
Labels barLabels = Labels.forStrimziCluster("bar");
KafkaCluster barCluster = KafkaCluster.fromCrd(Reconciliation.DUMMY_RECONCILIATION, bar, VERSIONS);
when(mockStsOps.list(eq(kafkaNamespace), eq(barLabels))).thenReturn(List.of(barCluster.generateStatefulSet(openShift, null, null, null)));
when(mockSecretOps.list(eq(kafkaNamespace), eq(barLabels))).thenAnswer(invocation -> new ArrayList<>(asList(barClientsCa.caKeySecret(), barClientsCa.caCertSecret(), barCluster.generateBrokersSecret(barClusterCa, barClientsCa), barClusterCa.caCertSecret())));
when(mockSecretOps.get(eq(kafkaNamespace), eq(AbstractModel.clusterCaCertSecretName(bar.getMetadata().getName())))).thenReturn(barSecrets.get(0));
when(mockSecretOps.reconcile(any(), eq(kafkaNamespace), eq(AbstractModel.clusterCaCertSecretName(bar.getMetadata().getName())), any(Secret.class))).thenReturn(Future.succeededFuture());
KafkaAssemblyOperator ops = new KafkaAssemblyOperator(vertx, new PlatformFeaturesAvailability(openShift, kubernetesVersion), certManager, passwordGenerator, supplier, config) {
@Override
public Future<KafkaStatus> createOrUpdate(Reconciliation reconciliation, Kafka kafkaAssembly) {
String name = kafkaAssembly.getMetadata().getName();
if ("foo".equals(name)) {
fooAsync.flag();
} else if ("bar".equals(name)) {
barAsync.flag();
} else {
context.failNow(new AssertionError("Unexpected name " + name));
}
return Future.succeededFuture();
}
};
// Now try to reconcile all the Kafka clusters
ops.reconcileAll("test", kafkaNamespace, context.succeeding(v -> completeTest.flag()));
}
Aggregations