use of io.strimzi.systemtest.security.SystemTestCertHolder in project strimzi by strimzi.
the class CustomCaST method testCustomClusterCaAndClientsCaCertificates.
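/**
 * Verifies that a Kafka cluster deployed with {@code generateCertificateAuthority=false} for both CAs really uses
 * the custom Cluster CA and Clients CA that were copied into the CA Secrets beforehand: broker and ZooKeeper node
 * certificates must be issued by the custom Cluster CA, a TLS KafkaUser certificate by the custom Clients CA, and
 * TLS clients must be able to exchange messages with those certificates.
 *
 * @param extensionContext context for test case
 */
@ParallelNamespaceTest
void testCustomClusterCaAndClientsCaCertificates(ExtensionContext extensionContext) {
    final TestStorage ts = new TestStorage(extensionContext);
    final String namespace = ts.getNamespaceName();
    final String clusterName = ts.getClusterName();
    final String testSuite = extensionContext.getRequiredTestClass().getSimpleName();

    final SystemTestCertHolder clientsCa = new SystemTestCertHolder("CN=" + testSuite + "ClientsCA",
        KafkaResources.clientsCaCertificateSecretName(clusterName),
        KafkaResources.clientsCaKeySecretName(clusterName));
    final SystemTestCertHolder clusterCa = new SystemTestCertHolder("CN=" + testSuite + "ClusterCA",
        KafkaResources.clusterCaCertificateSecretName(clusterName),
        KafkaResources.clusterCaKeySecretName(clusterName));

    // prepare the custom CAs and copy them to the related Secrets before the Kafka CR exists, so the
    // Cluster Operator has nothing to generate on its own
    clientsCa.prepareCustomSecretsFromBundles(namespace, clusterName);
    clusterCa.prepareCustomSecretsFromBundles(namespace, clusterName);

    final X509Certificate clientsCert = SecretUtils.getCertificateFromSecret(
        kubeClient(namespace).getSecret(namespace, KafkaResources.clientsCaCertificateSecretName(clusterName)), "ca.crt");
    final X509Certificate clusterCert = SecretUtils.getCertificateFromSecret(
        kubeClient(namespace).getSecret(namespace, KafkaResources.clusterCaCertificateSecretName(clusterName)), "ca.crt");

    checkCustomCaCorrectness(clientsCa, clientsCert);
    checkCustomCaCorrectness(clusterCa, clusterCert);

    LOGGER.info("Deploy kafka with new certs/secrets.");
    resourceManager.createResource(extensionContext, KafkaTemplates.kafkaEphemeral(clusterName, 3, 3)
        .editSpec()
            .withNewClusterCa()
                .withGenerateCertificateAuthority(false)
            .endClusterCa()
            .withNewClientsCa()
                .withGenerateCertificateAuthority(false)
            .endClientsCa()
        .endSpec()
        .build());

    LOGGER.info("Check Kafka(s) and Zookeeper(s) certificates.");
    // Only the issuer DN is compared against the custom CA subject DN; getIssuerX500Principal() replaces the
    // deprecated getIssuerDN() in the failure messages as well, so both sides of the message use the same form.
    final X509Certificate kafkaCert = SecretUtils.getCertificateFromSecret(
        kubeClient(namespace).getSecret(namespace, clusterName + "-kafka-brokers"), clusterName + "-kafka-0.crt");
    assertThat("KafkaCert does not have expected test Issuer: " + kafkaCert.getIssuerX500Principal(),
        SystemTestCertManager.containsAllDN(kafkaCert.getIssuerX500Principal().getName(), clusterCa.getSubjectDn()));

    final X509Certificate zookeeperCert = SecretUtils.getCertificateFromSecret(
        kubeClient(namespace).getSecret(namespace, clusterName + "-zookeeper-nodes"), clusterName + "-zookeeper-0.crt");
    // the message used to say "Subject" although the issuer is what is checked here
    assertThat("ZookeeperCert does not have expected test Issuer: " + zookeeperCert.getIssuerX500Principal(),
        SystemTestCertManager.containsAllDN(zookeeperCert.getIssuerX500Principal().getName(), clusterCa.getSubjectDn()));

    resourceManager.createResource(extensionContext, KafkaTopicTemplates.topic(clusterName, ts.getTopicName()).build());

    LOGGER.info("Check KafkaUser certificate.");
    final KafkaUser user = KafkaUserTemplates.tlsUser(clusterName, ts.getUserName()).build();
    resourceManager.createResource(extensionContext, user);

    final X509Certificate userCert = SecretUtils.getCertificateFromSecret(
        kubeClient(namespace).getSecret(namespace, ts.getUserName()), "user.crt");
    // the user certificate has to be issued by the custom Clients CA, not by the Cluster CA
    assertThat("UserCert does not have expected test Issuer (custom ClientsCA subject): " + userCert.getIssuerX500Principal(),
        SystemTestCertManager.containsAllDN(userCert.getIssuerX500Principal().getName(), clientsCa.getSubjectDn()));

    LOGGER.info("Send and receive messages over TLS.");
    final KafkaClients kafkaClients = new KafkaClientsBuilder()
        .withProducerName(ts.getProducerName())
        .withConsumerName(ts.getConsumerName())
        .withNamespaceName(namespace)
        .withMessageCount(MESSAGE_COUNT)
        .withBootstrapAddress(KafkaResources.tlsBootstrapAddress(clusterName))
        .withTopicName(ts.getTopicName())
        .withUserName(ts.getUserName())
        .build();

    LOGGER.info("Checking produced and consumed messages via TLS");
    resourceManager.createResource(extensionContext,
        kafkaClients.producerTlsStrimzi(clusterName),
        kafkaClients.consumerTlsStrimzi(clusterName));
    ClientUtils.waitForClientsSuccess(ts.getProducerName(), ts.getConsumerName(), namespace, MESSAGE_COUNT, false);
}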
use of io.strimzi.systemtest.security.SystemTestCertHolder in project strimzi-kafka-operator by strimzi.
the class CustomCaST method prepareTestCaWithBundleAndKafkaCluster.
/**
 * Provides preparation for {@link #testReplacingCustomClientsKeyPairToInvokeRenewalProcess(ExtensionContext)} and
 * {@link #testReplacingCustomClusterKeyPairToInvokeRenewalProcess(ExtensionContext)} test cases. It creates the
 * custom CA Secrets (for the CA under test and for the other CA, because the Kafka CR declares both as not
 * generated by the operator), deploys a Kafka cluster that uses them, and finally pauses reconciliation of that
 * Kafka custom resource so the caller can swap the public or private key before the operator reacts.
 *
 * @param extensionContext context for test case
 * @param certificateAuthority certificate authority of Clients or Cluster
 * @param ts auxiliary resources for test case
 */
private void prepareTestCaWithBundleAndKafkaCluster(final ExtensionContext extensionContext, final SystemTestCertHolder certificateAuthority, final TestStorage ts) {
    final String namespace = ts.getNamespaceName();
    final String clusterName = ts.getClusterName();
    final String testSuite = extensionContext.getRequiredTestClass().getSimpleName();
    final String clusterCaCertSecretName = KafkaResources.clusterCaCertificateSecretName(clusterName);
    final String clusterCaKeySecretName = KafkaResources.clusterCaKeySecretName(clusterName);

    // 1. Prepare correspondent Secrets from generated custom CA certificates
    // a) the CA under test (Cluster or Clients CA)
    certificateAuthority.prepareCustomSecretsFromBundles(namespace, clusterName);

    // b) the other CA: both CAs are declared as not generated in the Kafka CR below, so both pairs of Secrets
    //    must exist up front; otherwise the operator reports e.g. "Clients CA should not be generated, but the
    //    secrets were not found."
    final boolean underTestIsClusterCa = certificateAuthority.getCaCertSecretName().equals(clusterCaCertSecretName)
        && certificateAuthority.getCaKeySecretName().equals(clusterCaKeySecretName);
    final SystemTestCertHolder otherCa = underTestIsClusterCa
        ? new SystemTestCertHolder("CN=" + testSuite + "ClientsCA",
            KafkaResources.clientsCaCertificateSecretName(clusterName),
            KafkaResources.clientsCaKeySecretName(clusterName))
        : new SystemTestCertHolder("CN=" + testSuite + "ClusterCA",
            clusterCaCertSecretName,
            clusterCaKeySecretName);
    otherCa.prepareCustomSecretsFromBundles(namespace, clusterName);

    // 2. Create a Kafka cluster without implicit generation of CA (short validity/renewal window for both CAs)
    resourceManager.createResource(extensionContext, KafkaTemplates.kafkaPersistent(clusterName, 3)
        .editOrNewSpec()
            .withNewClientsCa()
                .withRenewalDays(5)
                .withValidityDays(20)
                .withGenerateCertificateAuthority(false)
            .endClientsCa()
            .withNewClusterCa()
                .withRenewalDays(5)
                .withValidityDays(20)
                .withGenerateCertificateAuthority(false)
            .endClusterCa()
        .endSpec()
        .build());

    // 3. Pause the reconciliation of the Kafka custom resource
    LOGGER.info("Pause the reconciliation of the Kafka custom resource ({}).", KafkaResources.kafkaStatefulSetName(clusterName));
    KafkaResource.replaceKafkaResourceInSpecificNamespace(clusterName, kafka -> {
        final Map<String, String> existing = kafka.getMetadata().getAnnotations();
        // metadata may carry no annotations at all yet
        final Map<String, String> annotations = existing != null ? existing : new HashMap<>();
        annotations.put(Annotations.ANNO_STRIMZI_IO_PAUSE_RECONCILIATION, "true");
        kafka.getMetadata().setAnnotations(annotations);
    }, namespace);
}
use of io.strimzi.systemtest.security.SystemTestCertHolder in project strimzi-kafka-operator by strimzi.
the class CustomCaST method testReplacingCustomClusterKeyPairToInvokeRenewalProcess.
/**
 * Replaces the custom Cluster CA key pair (certificate and private key) while reconciliation is paused and
 * verifies that, once resumed, the Cluster Operator rolls ZooKeeper, Kafka and the Entity Operator twice:
 * first so that every component trusts the new CA certificate, then to issue server certificates signed by the
 * new CA key. The previous CA certificate is retained in the Secret under a renamed key so components keep
 * trusting it during the roll. Producing messages afterwards confirms TLS still works.
 *
 * @param extensionContext context for test case
 * @throws IOException if the new CA certificate or the PKCS#8 key file cannot be read
 * @throws NoSuchAlgorithmException if converting the private key to PKCS#8 fails
 * @throws InvalidKeySpecException if converting the private key to PKCS#8 fails
 */
@ParallelNamespaceTest
void testReplacingCustomClusterKeyPairToInvokeRenewalProcess(ExtensionContext extensionContext) throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
    final TestStorage ts = new TestStorage(extensionContext);
    final String namespace = ts.getNamespaceName();
    final String clusterName = ts.getClusterName();
    final String testSuite = extensionContext.getRequiredTestClass().getSimpleName();
    final String caCertSecretName = KafkaResources.clusterCaCertificateSecretName(clusterName);
    final String caKeySecretName = KafkaResources.clusterCaKeySecretName(clusterName);
    final Base64.Encoder encoder = Base64.getEncoder();

    // 0. Generate root and intermediate certificate authority with cluster CA, deploy Kafka, pause reconciliation
    final SystemTestCertHolder initialClusterCa = new SystemTestCertHolder("CN=" + testSuite + "ClusterCA", caCertSecretName, caKeySecretName);
    prepareTestCaWithBundleAndKafkaCluster(extensionContext, initialClusterCa, ts);

    // ------- public key part
    // 4. Update the Secret for the CA certificate.
    //    a) + b) keep the current CA certificate in the Secret under a renamed key so it is retained
    final Secret caCertSecret = kubeClient(namespace).getSecret(namespace, caCertSecretName);
    final String retainedCertName = initialClusterCa.retrieveOldCertificateName(caCertSecret, "ca.crt");
    caCertSecret.getData().put(retainedCertName, caCertSecret.getData().get("ca.crt"));

    //    c) generate the replacement CA and encode its certificate into base64
    LOGGER.info("Generating a new custom 'Cluster certificate authority' with `Root` and `Intermediate` for Strimzi and PEM bundles.");
    final SystemTestCertHolder renewedClusterCa = new SystemTestCertHolder("CN=" + testSuite + "ClusterCAv2", caCertSecretName, caKeySecretName);

    //    d) replace ca.crt with the new certificate
    final byte[] renewedCaCertPem = Files.readAllBytes(Paths.get(renewedClusterCa.getBundle().getCertPath()));
    caCertSecret.getData().put("ca.crt", encoder.encodeToString(renewedCaCertPem));

    //    e) + f) bump the CA certificate generation annotation and save the Secret
    SystemTestCertHolder.increaseCertGenerationCounterInSecret(caCertSecret, ts, Ca.ANNO_STRIMZI_IO_CA_CERT_GENERATION);

    // ------- private key part
    // 5. Update the Secret for the CA key used to sign the new CA certificate.
    //    a) edit the existing Secret; b) + c) encode the new key (PKCS#8, base64) and replace ca.key
    final Secret caKeySecret = kubeClient(namespace).getSecret(namespace, caKeySecretName);
    final File pkcs8KeyFile = SystemTestCertManager.convertPrivateKeyToPKCS8File(renewedClusterCa.getSystemTestCa().getPrivateKey());
    // NOTE(review): this file holds the new CA private key on the test host and is not removed here;
    // confirm the helper cleans it up, or delete it once it has been read.
    final byte[] renewedCaKeyPkcs8 = Files.readAllBytes(pkcs8KeyFile.toPath());
    caKeySecret.getData().put("ca.key", encoder.encodeToString(renewedCaKeyPkcs8));

    //    d) bump the CA key generation annotation; 6. save the Secret
    SystemTestCertHolder.increaseCertGenerationCounterInSecret(caKeySecret, ts, Ca.ANNO_STRIMZI_IO_CA_KEY_GENERATION);

    // --- verification phase (Rolling Update of components)
    // 7. save the current state of the Kafka, ZooKeeper and EntityOperator pods
    final String eoDeploymentName = KafkaResources.entityOperatorDeploymentName(clusterName);
    Map<String, String> kafkaSnapshot = PodUtils.podSnapshot(namespace, ts.getKafkaSelector());
    Map<String, String> zkSnapshot = PodUtils.podSnapshot(namespace, ts.getZookeeperSelector());
    Map<String, String> eoSnapshot = DeploymentUtils.depSnapshot(namespace, eoDeploymentName);

    // 8. Resume reconciliation from the pause.
    LOGGER.info("Resume the reconciliation of the Kafka custom resource ({}).", KafkaResources.kafkaStatefulSetName(clusterName));
    KafkaResource.replaceKafkaResourceInSpecificNamespace(clusterName,
        kafka -> kafka.getMetadata().getAnnotations().remove(Annotations.ANNO_STRIMZI_IO_PAUSE_RECONCILIATION),
        namespace);

    // 9. On the next reconciliation, the Cluster Operator performs a `rolling update` of ZooKeeper, Kafka and the
    //    other components (i.e., EntityOperator) so they trust the new CA certificate ...
    zkSnapshot = RollingUpdateUtils.waitTillComponentHasRolledAndPodsReady(namespace, ts.getZookeeperSelector(), 3, zkSnapshot);
    kafkaSnapshot = RollingUpdateUtils.waitTillComponentHasRolledAndPodsReady(namespace, ts.getKafkaSelector(), 3, kafkaSnapshot);
    eoSnapshot = DeploymentUtils.waitTillDepHasRolled(namespace, eoDeploymentName, 1, eoSnapshot);

    //    ... and then a second rolling update to generate new server certificates signed by the new CA key.
    RollingUpdateUtils.waitTillComponentHasRolledAndPodsReady(namespace, ts.getZookeeperSelector(), 3, zkSnapshot);
    RollingUpdateUtils.waitTillComponentHasRolledAndPodsReady(namespace, ts.getKafkaSelector(), 3, kafkaSnapshot);
    DeploymentUtils.waitTillDepHasRolled(namespace, eoDeploymentName, 1, eoSnapshot);

    // 10. Try to produce messages
    producerMessages(extensionContext, ts);
}
use of io.strimzi.systemtest.security.SystemTestCertHolder in project strimzi by strimzi.
the class CustomCaST method testCustomClusterCACertificateRenew.
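/**
 * Verifies the renewal behaviour with a custom Cluster CA: after the Kafka CR's {@code clusterCa} renewal and
 * validity days are changed, the Cluster Operator rolls ZooKeeper, Kafka and the Entity Operator and re-issues
 * the broker and ZooKeeper server certificates (new notBefore/notAfter), while the custom CA certificate itself
 * must stay untouched because {@code generateCertificateAuthority} is {@code false}.
 *
 * @param extensionContext context for test case
 */
@ParallelNamespaceTest
void testCustomClusterCACertificateRenew(ExtensionContext extensionContext) {
    final TestStorage ts = new TestStorage(extensionContext);
    final String namespace = ts.getNamespaceName();
    final String clusterName = ts.getClusterName();
    final String testSuite = extensionContext.getRequiredTestClass().getSimpleName();
    final String clusterCaCertSecretName = KafkaResources.clusterCaCertificateSecretName(clusterName);
    final String brokersSecretName = clusterName + "-kafka-brokers";
    final String brokerCertKey = clusterName + "-kafka-0.crt";
    final String zkNodesSecretName = clusterName + "-zookeeper-nodes";
    final String zkCertKey = clusterName + "-zookeeper-0.crt";
    final String eoDeploymentName = KafkaResources.entityOperatorDeploymentName(clusterName);

    final SystemTestCertHolder clusterCa = new SystemTestCertHolder("CN=" + testSuite + "ClusterCA",
        clusterCaCertSecretName,
        KafkaResources.clusterCaKeySecretName(clusterName));

    // prepare custom CA and copy that to the related Secrets
    clusterCa.prepareCustomSecretsFromBundles(namespace, clusterName);

    final X509Certificate clusterCert = SecretUtils.getCertificateFromSecret(
        kubeClient(namespace).getSecret(namespace, clusterCaCertSecretName), "ca.crt");
    checkCustomCaCorrectness(clusterCa, clusterCert);

    resourceManager.createResource(extensionContext, KafkaTemplates.kafkaEphemeral(clusterName, 3)
        .editOrNewSpec()
            .withNewClusterCa()
                .withRenewalDays(15)
                .withValidityDays(20)
                .withGenerateCertificateAuthority(false)
            .endClusterCa()
        .endSpec()
        .build());

    final Map<String, String> zkPods = PodUtils.podSnapshot(namespace, ts.getZookeeperSelector());
    final Map<String, String> kafkaPods = PodUtils.podSnapshot(namespace, ts.getKafkaSelector());
    final Map<String, String> eoPod = DeploymentUtils.depSnapshot(namespace, eoDeploymentName);

    // Record the CA, broker and ZooKeeper certificate validity periods before the change
    X509Certificate cacert = SecretUtils.getCertificateFromSecret(
        kubeClient(namespace).getSecret(namespace, clusterCaCertSecretName), "ca.crt");
    final Date initialCertStartTime = cacert.getNotBefore();
    final Date initialCertEndTime = cacert.getNotAfter();

    X509Certificate kafkaBrokerCert = SecretUtils.getCertificateFromSecret(
        kubeClient(namespace).getSecret(namespace, brokersSecretName), brokerCertKey);
    final Date initialKafkaBrokerCertStartTime = kafkaBrokerCert.getNotBefore();
    final Date initialKafkaBrokerCertEndTime = kafkaBrokerCert.getNotAfter();

    X509Certificate zkBrokerCert = SecretUtils.getCertificateFromSecret(
        kubeClient(namespace).getSecret(namespace, zkNodesSecretName), zkCertKey);
    final Date initialZkCertStartTime = zkBrokerCert.getNotBefore();
    final Date initialZkCertEndTime = zkBrokerCert.getNotAfter();

    LOGGER.info("Change of kafka validity and renewal days - reconciliation should start.");
    final CertificateAuthority newClusterCA = new CertificateAuthority();
    newClusterCA.setRenewalDays(150);
    newClusterCA.setValidityDays(200);
    // still a custom CA: the operator must not replace the CA certificate, only re-issue the server certs
    newClusterCA.setGenerateCertificateAuthority(false);
    KafkaResource.replaceKafkaResourceInSpecificNamespace(clusterName, k -> k.getSpec().setClusterCa(newClusterCA), namespace);

    // On the next reconciliation, the Cluster Operator performs a `rolling update`:
    // a) ZooKeeper
    // b) Kafka
    // c) and other components to trust the new Cluster CA certificate. (i.e., EntityOperator)
    RollingUpdateUtils.waitTillComponentHasRolled(namespace, ts.getZookeeperSelector(), 3, zkPods);
    RollingUpdateUtils.waitTillComponentHasRolled(namespace, ts.getKafkaSelector(), 3, kafkaPods);
    DeploymentUtils.waitTillDepHasRolled(namespace, eoDeploymentName, 1, eoPod);

    // Read renewed secret/certs again
    cacert = SecretUtils.getCertificateFromSecret(
        kubeClient(namespace).getSecret(namespace, clusterCaCertSecretName), "ca.crt");
    final Date changedCertStartTime = cacert.getNotBefore();
    final Date changedCertEndTime = cacert.getNotAfter();

    kafkaBrokerCert = SecretUtils.getCertificateFromSecret(
        kubeClient(namespace).getSecret(namespace, brokersSecretName), brokerCertKey);
    final Date changedKafkaBrokerCertStartTime = kafkaBrokerCert.getNotBefore();
    final Date changedKafkaBrokerCertEndTime = kafkaBrokerCert.getNotAfter();

    zkBrokerCert = SecretUtils.getCertificateFromSecret(
        kubeClient(namespace).getSecret(namespace, zkNodesSecretName), zkCertKey);
    final Date changedZkCertStartTime = zkBrokerCert.getNotBefore();
    final Date changedZkCertEndTime = zkBrokerCert.getNotAfter();

    // parameterized logging, consistent with the other LOGGER calls in this class
    LOGGER.info("Initial ClusterCA cert dates: {} --> {}", initialCertStartTime, initialCertEndTime);
    LOGGER.info("Changed ClusterCA cert dates: {} --> {}", changedCertStartTime, changedCertEndTime);
    LOGGER.info("KafkaBroker cert creation dates: {} --> {}", initialKafkaBrokerCertStartTime, initialKafkaBrokerCertEndTime);
    LOGGER.info("KafkaBroker cert changed dates: {} --> {}", changedKafkaBrokerCertStartTime, changedKafkaBrokerCertEndTime);
    LOGGER.info("Zookeeper cert creation dates: {} --> {}", initialZkCertStartTime, initialZkCertEndTime);
    LOGGER.info("Zookeeper cert changed dates: {} --> {}", changedZkCertStartTime, changedZkCertEndTime);

    // the custom CA certificate must survive the renewal untouched; only the leaf certificates get new dates
    assertThat("ClusterCA cert should not have changed.", initialCertEndTime.compareTo(changedCertEndTime) == 0);
    assertThat("Broker certificates start dates have not been renewed.", initialKafkaBrokerCertStartTime.before(changedKafkaBrokerCertStartTime));
    assertThat("Broker certificates end dates have not been renewed.", initialKafkaBrokerCertEndTime.before(changedKafkaBrokerCertEndTime));
    assertThat("Zookeeper certificates start dates have not been renewed.", initialZkCertStartTime.before(changedZkCertStartTime));
    assertThat("Zookeeper certificates end dates have not been renewed.", initialZkCertEndTime.before(changedZkCertEndTime));
}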
use of io.strimzi.systemtest.security.SystemTestCertHolder in project strimzi by strimzi.
the class CustomCaST method testClientsCaCertificateRenew.
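/**
 * Verifies the renewal behaviour with a custom Clients CA: after the Kafka CR's {@code clientsCa} renewal and
 * validity days are changed, the Entity Operator rolls and the TLS KafkaUser certificate is re-issued (new
 * notBefore/notAfter), while the custom Clients CA certificate itself must stay untouched because
 * {@code generateCertificateAuthority} is {@code false}.
 *
 * @param extensionContext context for test case
 */
@ParallelNamespaceTest
void testClientsCaCertificateRenew(ExtensionContext extensionContext) {
    final TestStorage ts = new TestStorage(extensionContext);
    final String namespace = ts.getNamespaceName();
    final String clusterName = ts.getClusterName();
    final String userName = ts.getUserName();
    final String testSuite = extensionContext.getRequiredTestClass().getSimpleName();
    final String clientsCaCertSecretName = KafkaResources.clientsCaCertificateSecretName(clusterName);
    final String eoDeploymentName = KafkaResources.entityOperatorDeploymentName(clusterName);

    final SystemTestCertHolder clientsCa = new SystemTestCertHolder("CN=" + testSuite + "ClientsCA",
        clientsCaCertSecretName,
        KafkaResources.clientsCaKeySecretName(clusterName));

    // prepare custom CA and copy that to the related Secrets
    clientsCa.prepareCustomSecretsFromBundles(namespace, clusterName);

    final X509Certificate clientsCert = SecretUtils.getCertificateFromSecret(
        kubeClient(namespace).getSecret(namespace, clientsCaCertSecretName), "ca.crt");
    checkCustomCaCorrectness(clientsCa, clientsCert);

    resourceManager.createResource(extensionContext, KafkaTemplates.kafkaEphemeral(clusterName, 3)
        .editOrNewSpec()
            .withNewClientsCa()
                .withRenewalDays(15)
                .withValidityDays(20)
                .withGenerateCertificateAuthority(false)
            .endClientsCa()
        .endSpec()
        .build());
    resourceManager.createResource(extensionContext, KafkaUserTemplates.tlsUser(clusterName, userName).build());

    final Map<String, String> entityPods = DeploymentUtils.depSnapshot(namespace, eoDeploymentName);

    // Check initial clientsCA validity days
    X509Certificate cacert = SecretUtils.getCertificateFromSecret(
        kubeClient(namespace).getSecret(namespace, clientsCaCertSecretName), "ca.crt");
    final Date initialCertStartTime = cacert.getNotBefore();
    final Date initialCertEndTime = cacert.getNotAfter();

    // Check initial kafkauser validity days
    X509Certificate userCert = SecretUtils.getCertificateFromSecret(
        kubeClient(namespace).getSecret(namespace, userName), "user.crt");
    final Date initialKafkaUserCertStartTime = userCert.getNotBefore();
    final Date initialKafkaUserCertEndTime = userCert.getNotAfter();

    LOGGER.info("Change of kafka validity and renewal days - reconciliation should start.");
    final CertificateAuthority newClientsCA = new CertificateAuthority();
    newClientsCA.setRenewalDays(150);
    newClientsCA.setValidityDays(200);
    // still a custom CA: the operator must not replace the CA certificate, only re-issue the user cert
    newClientsCA.setGenerateCertificateAuthority(false);
    KafkaResource.replaceKafkaResourceInSpecificNamespace(clusterName, k -> k.getSpec().setClientsCa(newClientsCA), namespace);

    // Wait for reconciliation and verify certs have been updated
    DeploymentUtils.waitTillDepHasRolled(namespace, eoDeploymentName, 1, entityPods);

    // Read renewed secret/certs again
    cacert = SecretUtils.getCertificateFromSecret(
        kubeClient(namespace).getSecret(namespace, clientsCaCertSecretName), "ca.crt");
    final Date changedCertStartTime = cacert.getNotBefore();
    final Date changedCertEndTime = cacert.getNotAfter();

    userCert = SecretUtils.getCertificateFromSecret(
        kubeClient(namespace).getSecret(namespace, userName), "user.crt");
    final Date changedKafkaUserCertStartTime = userCert.getNotBefore();
    final Date changedKafkaUserCertEndTime = userCert.getNotAfter();

    // parameterized logging, consistent with the other LOGGER calls in this class
    LOGGER.info("Initial ClientsCA cert dates: {} --> {}", initialCertStartTime, initialCertEndTime);
    LOGGER.info("Changed ClientsCA cert dates: {} --> {}", changedCertStartTime, changedCertEndTime);
    LOGGER.info("Initial userCert dates: {} --> {}", initialKafkaUserCertStartTime, initialKafkaUserCertEndTime);
    LOGGER.info("Changed userCert dates: {} --> {}", changedKafkaUserCertStartTime, changedKafkaUserCertEndTime);

    // the custom CA certificate must survive the renewal untouched; only the user certificate gets new dates.
    // The failure messages describe the failure (not renewed), matching the Cluster CA renewal test.
    assertThat("ClientsCA cert should not have changed.", initialCertEndTime.compareTo(changedCertEndTime) == 0);
    assertThat("UserCert start date has not been renewed.", initialKafkaUserCertStartTime.before(changedKafkaUserCertStartTime));
    assertThat("UserCert end date has not been renewed.", initialKafkaUserCertEndTime.before(changedKafkaUserCertEndTime));
}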