Example 6 with SystemTestCertHolder

use of io.strimzi.systemtest.security.SystemTestCertHolder in project strimzi by strimzi.

the class CustomCaST method testReplacingCustomClusterKeyPairToInvokeRenewalProcess.

@ParallelNamespaceTest
void testReplacingCustomClusterKeyPairToInvokeRenewalProcess(ExtensionContext extensionContext) throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
    final TestStorage ts = new TestStorage(extensionContext);
    // 0. Generate root and intermediate certificate authority with cluster CA
    SystemTestCertHolder clusterCa = new SystemTestCertHolder("CN=" + extensionContext.getRequiredTestClass().getSimpleName() + "ClusterCA", KafkaResources.clusterCaCertificateSecretName(ts.getClusterName()), KafkaResources.clusterCaKeySecretName(ts.getClusterName()));
    prepareTestCaWithBundleAndKafkaCluster(extensionContext, clusterCa, ts);
    // ------- public key part
    // 4. Update the Secret for the CA certificate.
    // a) Edit the existing secret to add the new CA certificate and update the certificate generation annotation value.
    // b) Rename the current CA certificate to retain it
    final Secret clusterCaCertificateSecret = kubeClient(ts.getNamespaceName()).getSecret(ts.getNamespaceName(), KafkaResources.clusterCaCertificateSecretName(ts.getClusterName()));
    final String oldCaCertName = clusterCa.retrieveOldCertificateName(clusterCaCertificateSecret, "ca.crt");
    // store the old cert
    clusterCaCertificateSecret.getData().put(oldCaCertName, clusterCaCertificateSecret.getData().get("ca.crt"));
    // c) Encode your new CA certificate into base64.
    LOGGER.info("Generating a new custom 'Cluster certificate authority' with `Root` and `Intermediate` for Strimzi and PEM bundles.");
    clusterCa = new SystemTestCertHolder("CN=" + extensionContext.getRequiredTestClass().getSimpleName() + "ClusterCAv2", KafkaResources.clusterCaCertificateSecretName(ts.getClusterName()), KafkaResources.clusterCaKeySecretName(ts.getClusterName()));
    // d) Update the CA certificate.
    clusterCaCertificateSecret.getData().put("ca.crt", Base64.getEncoder().encodeToString(Files.readAllBytes(Paths.get(clusterCa.getBundle().getCertPath()))));
    // e) Increase the value of the CA certificate generation annotation.
    // f) Save the secret with the new CA certificate and certificate generation annotation value.
    SystemTestCertHolder.increaseCertGenerationCounterInSecret(clusterCaCertificateSecret, ts, Ca.ANNO_STRIMZI_IO_CA_CERT_GENERATION);
    // ------- private key part
    // 5. Update the Secret for the CA key used to sign your new CA certificate.
    // a) Edit the existing secret to add the new CA key and update the key generation annotation value.
    final Secret clusterCaKeySecret = kubeClient(ts.getNamespaceName()).getSecret(ts.getNamespaceName(), KafkaResources.clusterCaKeySecretName(ts.getClusterName()));
    // b) Encode the CA key into base64.
    // c) Update the CA key.
    final File strimziKeyPKCS8 = SystemTestCertManager.convertPrivateKeyToPKCS8File(clusterCa.getSystemTestCa().getPrivateKey());
    clusterCaKeySecret.getData().put("ca.key", Base64.getEncoder().encodeToString(Files.readAllBytes(Paths.get(strimziKeyPKCS8.getAbsolutePath()))));
    // d) Increase the value of the CA key generation annotation.
    // 6. Save the secret with the new CA key and key generation annotation value.
    SystemTestCertHolder.increaseCertGenerationCounterInSecret(clusterCaKeySecret, ts, Ca.ANNO_STRIMZI_IO_CA_KEY_GENERATION);
    // --- verification phase (Rolling Update of components)
    // 7. save the current state of the Kafka, ZooKeeper and EntityOperator pods
    Map<String, String> kafkaPods = PodUtils.podSnapshot(ts.getNamespaceName(), ts.getKafkaSelector());
    Map<String, String> zkPods = PodUtils.podSnapshot(ts.getNamespaceName(), ts.getZookeeperSelector());
    Map<String, String> eoPod = DeploymentUtils.depSnapshot(ts.getNamespaceName(), KafkaResources.entityOperatorDeploymentName(ts.getClusterName()));
    // 8. Resume reconciliation from the pause.
    LOGGER.info("Resume the reconciliation of the Kafka custom resource ({}).", KafkaResources.kafkaStatefulSetName(ts.getClusterName()));
    KafkaResource.replaceKafkaResourceInSpecificNamespace(ts.getClusterName(), kafka -> {
        kafka.getMetadata().getAnnotations().remove(Annotations.ANNO_STRIMZI_IO_PAUSE_RECONCILIATION);
    }, ts.getNamespaceName());
    // 9. On the next reconciliation, the Cluster Operator performs a `rolling update`:
    // a) ZooKeeper
    // b) Kafka
    // c) and other components to trust the new CA certificate. (i.e., EntityOperator)
    // When the rolling update is complete, the Cluster Operator
    // will start a new one to generate new server certificates signed by the new CA key.
    zkPods = RollingUpdateUtils.waitTillComponentHasRolledAndPodsReady(ts.getNamespaceName(), ts.getZookeeperSelector(), 3, zkPods);
    kafkaPods = RollingUpdateUtils.waitTillComponentHasRolledAndPodsReady(ts.getNamespaceName(), ts.getKafkaSelector(), 3, kafkaPods);
    eoPod = DeploymentUtils.waitTillDepHasRolled(ts.getNamespaceName(), KafkaResources.entityOperatorDeploymentName(ts.getClusterName()), 1, eoPod);
    // second Rolling update to generate new server certificates signed by the new CA key.
    RollingUpdateUtils.waitTillComponentHasRolledAndPodsReady(ts.getNamespaceName(), ts.getZookeeperSelector(), 3, zkPods);
    RollingUpdateUtils.waitTillComponentHasRolledAndPodsReady(ts.getNamespaceName(), ts.getKafkaSelector(), 3, kafkaPods);
    DeploymentUtils.waitTillDepHasRolled(ts.getNamespaceName(), KafkaResources.entityOperatorDeploymentName(ts.getClusterName()), 1, eoPod);
    // 10. Try to produce messages
    producerMessages(extensionContext, ts);
}
Also used : Secret(io.fabric8.kubernetes.api.model.Secret) TestStorage(io.strimzi.systemtest.storage.TestStorage) SystemTestCertHolder(io.strimzi.systemtest.security.SystemTestCertHolder) File(java.io.File) ParallelNamespaceTest(io.strimzi.systemtest.annotations.ParallelNamespaceTest)

Example 7 with SystemTestCertHolder

use of io.strimzi.systemtest.security.SystemTestCertHolder in project strimzi by strimzi.

the class CustomCaST method testReplacingCustomClientsKeyPairToInvokeRenewalProcess.

@ParallelNamespaceTest
void testReplacingCustomClientsKeyPairToInvokeRenewalProcess(ExtensionContext extensionContext) throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
    final TestStorage ts = new TestStorage(extensionContext);
    // 0. Generate root and intermediate certificate authority with clients CA
    SystemTestCertHolder clientsCa = new SystemTestCertHolder("CN=" + extensionContext.getRequiredTestClass().getSimpleName() + "ClientsCA", KafkaResources.clientsCaCertificateSecretName(ts.getClusterName()), KafkaResources.clientsCaKeySecretName(ts.getClusterName()));
    prepareTestCaWithBundleAndKafkaCluster(extensionContext, clientsCa, ts);
    // ------- public key part
    // 4. Update the Secret for the CA certificate.
    // a) Edit the existing secret to add the new CA certificate and update the certificate generation annotation value.
    // b) Rename the current CA certificate to retain it
    final Secret clientsCaCertificateSecret = kubeClient(ts.getNamespaceName()).getSecret(ts.getNamespaceName(), KafkaResources.clientsCaCertificateSecretName(ts.getClusterName()));
    final String oldCaCertName = clientsCa.retrieveOldCertificateName(clientsCaCertificateSecret, "ca.crt");
    // store the old cert
    clientsCaCertificateSecret.getData().put(oldCaCertName, clientsCaCertificateSecret.getData().get("ca.crt"));
    // c) Encode your new CA certificate into base64.
    LOGGER.info("Generating a new custom 'User certificate authority' with `Root` and `Intermediate` for Strimzi and PEM bundles.");
    clientsCa = new SystemTestCertHolder("CN=" + extensionContext.getRequiredTestClass().getSimpleName() + "ClientsCAv2", KafkaResources.clientsCaCertificateSecretName(ts.getClusterName()), KafkaResources.clientsCaKeySecretName(ts.getClusterName()));
    // d) Update the CA certificate.
    clientsCaCertificateSecret.getData().put("ca.crt", Base64.getEncoder().encodeToString(Files.readAllBytes(Paths.get(clientsCa.getBundle().getCertPath()))));
    // e) Increase the value of the CA certificate generation annotation.
    // f) Save the secret with the new CA certificate and certificate generation annotation value.
    SystemTestCertHolder.increaseCertGenerationCounterInSecret(clientsCaCertificateSecret, ts, Ca.ANNO_STRIMZI_IO_CA_CERT_GENERATION);
    // ------- private key part
    // 5. Update the Secret for the CA key used to sign your new CA certificate.
    // a) Edit the existing secret to add the new CA key and update the key generation annotation value.
    final Secret clientsCaKeySecret = kubeClient(ts.getNamespaceName()).getSecret(ts.getNamespaceName(), KafkaResources.clientsCaKeySecretName(ts.getClusterName()));
    // b) Encode the CA key into base64.
    // c) Update the CA key.
    final File strimziKeyPKCS8 = SystemTestCertManager.convertPrivateKeyToPKCS8File(clientsCa.getSystemTestCa().getPrivateKey());
    clientsCaKeySecret.getData().put("ca.key", Base64.getEncoder().encodeToString(Files.readAllBytes(Paths.get(strimziKeyPKCS8.getAbsolutePath()))));
    // d) Increase the value of the CA key generation annotation.
    // 6. Save the secret with the new CA key and key generation annotation value.
    SystemTestCertHolder.increaseCertGenerationCounterInSecret(clientsCaKeySecret, ts, Ca.ANNO_STRIMZI_IO_CA_KEY_GENERATION);
    // --- verification phase (Rolling Update of components)
    // 7. save the current state of the Kafka, ZooKeeper and EntityOperator pods
    final Map<String, String> kafkaPods = PodUtils.podSnapshot(ts.getNamespaceName(), ts.getKafkaSelector());
    final Map<String, String> zkPods = PodUtils.podSnapshot(ts.getNamespaceName(), ts.getZookeeperSelector());
    final Map<String, String> eoPod = DeploymentUtils.depSnapshot(ts.getNamespaceName(), KafkaResources.entityOperatorDeploymentName(ts.getClusterName()));
    // 8. Resume reconciliation from the pause.
    LOGGER.info("Resume the reconciliation of the Kafka custom resource ({}).", KafkaResources.kafkaStatefulSetName(ts.getClusterName()));
    KafkaResource.replaceKafkaResourceInSpecificNamespace(ts.getClusterName(), kafka -> {
        kafka.getMetadata().getAnnotations().remove(Annotations.ANNO_STRIMZI_IO_PAUSE_RECONCILIATION);
    }, ts.getNamespaceName());
    // 9. On the next reconciliation, the Cluster Operator performs a `rolling update` only for the
    // `Kafka pods`. When the rolling update is complete, the Cluster Operator will start a new one to
    // generate new server certificates signed by the new CA key.
    // a) ZooKeeper must not roll
    RollingUpdateUtils.waitForNoRollingUpdate(ts.getNamespaceName(), ts.getZookeeperSelector(), zkPods);
    assertThat(RollingUpdateUtils.componentHasRolled(ts.getNamespaceName(), ts.getZookeeperSelector(), zkPods), is(Boolean.FALSE));
    // b) Kafka has to roll
    RollingUpdateUtils.waitTillComponentHasRolledAndPodsReady(ts.getNamespaceName(), ts.getKafkaSelector(), 3, kafkaPods);
    // c) EO must not roll
    DeploymentUtils.waitForNoRollingUpdate(ts.getNamespaceName(), KafkaResources.entityOperatorDeploymentName(ts.getClusterName()), eoPod);
    // 10. Try to produce messages
    producerMessages(extensionContext, ts);
}
Also used : Secret(io.fabric8.kubernetes.api.model.Secret) TestStorage(io.strimzi.systemtest.storage.TestStorage) SystemTestCertHolder(io.strimzi.systemtest.security.SystemTestCertHolder) File(java.io.File) ParallelNamespaceTest(io.strimzi.systemtest.annotations.ParallelNamespaceTest)

Example 8 with SystemTestCertHolder

use of io.strimzi.systemtest.security.SystemTestCertHolder in project strimzi by strimzi.

the class CustomCaST method prepareTestCaWithBundleAndKafkaCluster.

/**
 * Provides preparation for {@link #testReplacingCustomClientsKeyPairToInvokeRenewalProcess(ExtensionContext)} and
 * {@link #testReplacingCustomClusterKeyPairToInvokeRenewalProcess(ExtensionContext)} test cases. This consists of
 * creation of CA with bundles, deployment of Kafka cluster and eventually pausing the reconciliation for specific
 * Kafka cluster to proceed with updating public or private keys.
 *
 * @param extensionContext              context for test case
 * @param certificateAuthority          certificate authority of Clients or Cluster
 * @param ts                            auxiliary resources for test case
 */
private void prepareTestCaWithBundleAndKafkaCluster(final ExtensionContext extensionContext, final SystemTestCertHolder certificateAuthority, final TestStorage ts) {
    // 1. Prepare correspondent Secrets from generated custom CA certificates
    // a) Cluster or Clients CA
    certificateAuthority.prepareCustomSecretsFromBundles(ts.getNamespaceName(), ts.getClusterName());
    // b) The other CA also needs custom Secrets, otherwise the Cluster Operator would fail
    // (e.g., the Clients CA is configured not to be generated, but its Secrets are not found).
    if (certificateAuthority.getCaCertSecretName().equals(KafkaResources.clusterCaCertificateSecretName(ts.getClusterName())) && certificateAuthority.getCaKeySecretName().equals(KafkaResources.clusterCaKeySecretName(ts.getClusterName()))) {
        final SystemTestCertHolder clientsCa = new SystemTestCertHolder("CN=" + extensionContext.getRequiredTestClass().getSimpleName() + "ClientsCA", KafkaResources.clientsCaCertificateSecretName(ts.getClusterName()), KafkaResources.clientsCaKeySecretName(ts.getClusterName()));
        clientsCa.prepareCustomSecretsFromBundles(ts.getNamespaceName(), ts.getClusterName());
    } else {
        // otherwise we generate Cluster CA
        final SystemTestCertHolder clusterCa = new SystemTestCertHolder("CN=" + extensionContext.getRequiredTestClass().getSimpleName() + "ClusterCA", KafkaResources.clusterCaCertificateSecretName(ts.getClusterName()), KafkaResources.clusterCaKeySecretName(ts.getClusterName()));
        clusterCa.prepareCustomSecretsFromBundles(ts.getNamespaceName(), ts.getClusterName());
    }
    // 2. Create a Kafka cluster without implicit generation of CA
    resourceManager.createResource(extensionContext, KafkaTemplates.kafkaPersistent(ts.getClusterName(), 3).editOrNewSpec().withNewClientsCa().withRenewalDays(5).withValidityDays(20).withGenerateCertificateAuthority(false).endClientsCa().withNewClusterCa().withRenewalDays(5).withValidityDays(20).withGenerateCertificateAuthority(false).endClusterCa().endSpec().build());
    // 3. Pause the reconciliation of the Kafka custom resource
    LOGGER.info("Pause the reconciliation of the Kafka custom resource ({}).", KafkaResources.kafkaStatefulSetName(ts.getClusterName()));
    KafkaResource.replaceKafkaResourceInSpecificNamespace(ts.getClusterName(), kafka -> {
        Map<String, String> kafkaAnnotations = kafka.getMetadata().getAnnotations();
        if (kafkaAnnotations == null) {
            kafkaAnnotations = new HashMap<>();
        }
        // adding pause annotation
        kafkaAnnotations.put(Annotations.ANNO_STRIMZI_IO_PAUSE_RECONCILIATION, "true");
        kafka.getMetadata().setAnnotations(kafkaAnnotations);
    }, ts.getNamespaceName());
}
Also used : SystemTestCertHolder(io.strimzi.systemtest.security.SystemTestCertHolder)

Example 9 with SystemTestCertHolder

use of io.strimzi.systemtest.security.SystemTestCertHolder in project strimzi-kafka-operator by strimzi.

the class CustomCaST method testReplacingCustomClientsKeyPairToInvokeRenewalProcess.

@ParallelNamespaceTest
void testReplacingCustomClientsKeyPairToInvokeRenewalProcess(ExtensionContext extensionContext) throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
    final TestStorage ts = new TestStorage(extensionContext);
    // 0. Generate root and intermediate certificate authority with clients CA
    SystemTestCertHolder clientsCa = new SystemTestCertHolder("CN=" + extensionContext.getRequiredTestClass().getSimpleName() + "ClientsCA", KafkaResources.clientsCaCertificateSecretName(ts.getClusterName()), KafkaResources.clientsCaKeySecretName(ts.getClusterName()));
    prepareTestCaWithBundleAndKafkaCluster(extensionContext, clientsCa, ts);
    // ------- public key part
    // 4. Update the Secret for the CA certificate.
    // a) Edit the existing secret to add the new CA certificate and update the certificate generation annotation value.
    // b) Rename the current CA certificate to retain it
    final Secret clientsCaCertificateSecret = kubeClient(ts.getNamespaceName()).getSecret(ts.getNamespaceName(), KafkaResources.clientsCaCertificateSecretName(ts.getClusterName()));
    final String oldCaCertName = clientsCa.retrieveOldCertificateName(clientsCaCertificateSecret, "ca.crt");
    // store the old cert
    clientsCaCertificateSecret.getData().put(oldCaCertName, clientsCaCertificateSecret.getData().get("ca.crt"));
    // c) Encode your new CA certificate into base64.
    LOGGER.info("Generating a new custom 'User certificate authority' with `Root` and `Intermediate` for Strimzi and PEM bundles.");
    clientsCa = new SystemTestCertHolder("CN=" + extensionContext.getRequiredTestClass().getSimpleName() + "ClientsCAv2", KafkaResources.clientsCaCertificateSecretName(ts.getClusterName()), KafkaResources.clientsCaKeySecretName(ts.getClusterName()));
    // d) Update the CA certificate.
    clientsCaCertificateSecret.getData().put("ca.crt", Base64.getEncoder().encodeToString(Files.readAllBytes(Paths.get(clientsCa.getBundle().getCertPath()))));
    // e) Increase the value of the CA certificate generation annotation.
    // f) Save the secret with the new CA certificate and certificate generation annotation value.
    SystemTestCertHolder.increaseCertGenerationCounterInSecret(clientsCaCertificateSecret, ts, Ca.ANNO_STRIMZI_IO_CA_CERT_GENERATION);
    // ------- private key part
    // 5. Update the Secret for the CA key used to sign your new CA certificate.
    // a) Edit the existing secret to add the new CA key and update the key generation annotation value.
    final Secret clientsCaKeySecret = kubeClient(ts.getNamespaceName()).getSecret(ts.getNamespaceName(), KafkaResources.clientsCaKeySecretName(ts.getClusterName()));
    // b) Encode the CA key into base64.
    // c) Update the CA key.
    final File strimziKeyPKCS8 = SystemTestCertManager.convertPrivateKeyToPKCS8File(clientsCa.getSystemTestCa().getPrivateKey());
    clientsCaKeySecret.getData().put("ca.key", Base64.getEncoder().encodeToString(Files.readAllBytes(Paths.get(strimziKeyPKCS8.getAbsolutePath()))));
    // d) Increase the value of the CA key generation annotation.
    // 6. Save the secret with the new CA key and key generation annotation value.
    SystemTestCertHolder.increaseCertGenerationCounterInSecret(clientsCaKeySecret, ts, Ca.ANNO_STRIMZI_IO_CA_KEY_GENERATION);
    // --- verification phase (Rolling Update of components)
    // 7. save the current state of the Kafka, ZooKeeper and EntityOperator pods
    final Map<String, String> kafkaPods = PodUtils.podSnapshot(ts.getNamespaceName(), ts.getKafkaSelector());
    final Map<String, String> zkPods = PodUtils.podSnapshot(ts.getNamespaceName(), ts.getZookeeperSelector());
    final Map<String, String> eoPod = DeploymentUtils.depSnapshot(ts.getNamespaceName(), KafkaResources.entityOperatorDeploymentName(ts.getClusterName()));
    // 8. Resume reconciliation from the pause.
    LOGGER.info("Resume the reconciliation of the Kafka custom resource ({}).", KafkaResources.kafkaStatefulSetName(ts.getClusterName()));
    KafkaResource.replaceKafkaResourceInSpecificNamespace(ts.getClusterName(), kafka -> {
        kafka.getMetadata().getAnnotations().remove(Annotations.ANNO_STRIMZI_IO_PAUSE_RECONCILIATION);
    }, ts.getNamespaceName());
    // 9. On the next reconciliation, the Cluster Operator performs a `rolling update` only for the
    // `Kafka pods`. When the rolling update is complete, the Cluster Operator will start a new one to
    // generate new server certificates signed by the new CA key.
    // a) ZooKeeper must not roll
    RollingUpdateUtils.waitForNoRollingUpdate(ts.getNamespaceName(), ts.getZookeeperSelector(), zkPods);
    assertThat(RollingUpdateUtils.componentHasRolled(ts.getNamespaceName(), ts.getZookeeperSelector(), zkPods), is(Boolean.FALSE));
    // b) Kafka has to roll
    RollingUpdateUtils.waitTillComponentHasRolledAndPodsReady(ts.getNamespaceName(), ts.getKafkaSelector(), 3, kafkaPods);
    // c) EO must not roll
    DeploymentUtils.waitForNoRollingUpdate(ts.getNamespaceName(), KafkaResources.entityOperatorDeploymentName(ts.getClusterName()), eoPod);
    // 10. Try to produce messages
    producerMessages(extensionContext, ts);
}
Also used : Secret(io.fabric8.kubernetes.api.model.Secret) TestStorage(io.strimzi.systemtest.storage.TestStorage) SystemTestCertHolder(io.strimzi.systemtest.security.SystemTestCertHolder) File(java.io.File) ParallelNamespaceTest(io.strimzi.systemtest.annotations.ParallelNamespaceTest)

Example 10 with SystemTestCertHolder

use of io.strimzi.systemtest.security.SystemTestCertHolder in project strimzi-kafka-operator by strimzi.

the class CustomCaST method testCustomClusterCaAndClientsCaCertificates.

@ParallelNamespaceTest
void testCustomClusterCaAndClientsCaCertificates(ExtensionContext extensionContext) {
    final TestStorage ts = new TestStorage(extensionContext);
    final String testSuite = extensionContext.getRequiredTestClass().getSimpleName();
    final SystemTestCertHolder clientsCa = new SystemTestCertHolder("CN=" + testSuite + "ClientsCA", KafkaResources.clientsCaCertificateSecretName(ts.getClusterName()), KafkaResources.clientsCaKeySecretName(ts.getClusterName()));
    final SystemTestCertHolder clusterCa = new SystemTestCertHolder("CN=" + testSuite + "ClusterCA", KafkaResources.clusterCaCertificateSecretName(ts.getClusterName()), KafkaResources.clusterCaKeySecretName(ts.getClusterName()));
    // prepare custom Ca and copy that to the related Secrets
    clientsCa.prepareCustomSecretsFromBundles(ts.getNamespaceName(), ts.getClusterName());
    clusterCa.prepareCustomSecretsFromBundles(ts.getNamespaceName(), ts.getClusterName());
    final X509Certificate clientsCert = SecretUtils.getCertificateFromSecret(kubeClient(ts.getNamespaceName()).getSecret(ts.getNamespaceName(), KafkaResources.clientsCaCertificateSecretName(ts.getClusterName())), "ca.crt");
    final X509Certificate clusterCert = SecretUtils.getCertificateFromSecret(kubeClient(ts.getNamespaceName()).getSecret(ts.getNamespaceName(), KafkaResources.clusterCaCertificateSecretName(ts.getClusterName())), "ca.crt");
    checkCustomCaCorrectness(clientsCa, clientsCert);
    checkCustomCaCorrectness(clusterCa, clusterCert);
    LOGGER.info("Deploy kafka with new certs/secrets.");
    resourceManager.createResource(extensionContext, KafkaTemplates.kafkaEphemeral(ts.getClusterName(), 3, 3).editSpec().withNewClusterCa().withGenerateCertificateAuthority(false).endClusterCa().withNewClientsCa().withGenerateCertificateAuthority(false).endClientsCa().endSpec().build());
    LOGGER.info("Check Kafka(s) and Zookeeper(s) certificates.");
    final X509Certificate kafkaCert = SecretUtils.getCertificateFromSecret(kubeClient(ts.getNamespaceName()).getSecret(ts.getNamespaceName(), ts.getClusterName() + "-kafka-brokers"), ts.getClusterName() + "-kafka-0.crt");
    assertThat("KafkaCert does not have expected test Issuer: " + kafkaCert.getIssuerDN(), SystemTestCertManager.containsAllDN(kafkaCert.getIssuerX500Principal().getName(), clusterCa.getSubjectDn()));
    X509Certificate zookeeperCert = SecretUtils.getCertificateFromSecret(kubeClient(ts.getNamespaceName()).getSecret(ts.getNamespaceName(), ts.getClusterName() + "-zookeeper-nodes"), ts.getClusterName() + "-zookeeper-0.crt");
    assertThat("ZookeeperCert does not have expected test Issuer: " + zookeeperCert.getIssuerDN(), SystemTestCertManager.containsAllDN(zookeeperCert.getIssuerX500Principal().getName(), clusterCa.getSubjectDn()));
    resourceManager.createResource(extensionContext, KafkaTopicTemplates.topic(ts.getClusterName(), ts.getTopicName()).build());
    LOGGER.info("Check KafkaUser certificate.");
    final KafkaUser user = KafkaUserTemplates.tlsUser(ts.getClusterName(), ts.getUserName()).build();
    resourceManager.createResource(extensionContext, user);
    final X509Certificate userCert = SecretUtils.getCertificateFromSecret(kubeClient(ts.getNamespaceName()).getSecret(ts.getNamespaceName(), ts.getUserName()), "user.crt");
    assertThat("Generated ClientsCA does not have expected test Subject: " + userCert.getIssuerDN(), SystemTestCertManager.containsAllDN(userCert.getIssuerX500Principal().getName(), clientsCa.getSubjectDn()));
    LOGGER.info("Send and receive messages over TLS.");
    KafkaClients kafkaClients = new KafkaClientsBuilder().withProducerName(ts.getProducerName()).withConsumerName(ts.getConsumerName()).withNamespaceName(ts.getNamespaceName()).withMessageCount(MESSAGE_COUNT).withBootstrapAddress(KafkaResources.tlsBootstrapAddress(ts.getClusterName())).withTopicName(ts.getTopicName()).withUserName(ts.getUserName()).build();
    LOGGER.info("Checking produced and consumed messages via TLS");
    resourceManager.createResource(extensionContext, kafkaClients.producerTlsStrimzi(ts.getClusterName()), kafkaClients.consumerTlsStrimzi(ts.getClusterName()));
    ClientUtils.waitForClientsSuccess(ts.getProducerName(), ts.getConsumerName(), ts.getNamespaceName(), MESSAGE_COUNT, false);
}
Also used : KafkaClientsBuilder(io.strimzi.systemtest.kafkaclients.internalClients.KafkaClientsBuilder) KafkaClients(io.strimzi.systemtest.kafkaclients.internalClients.KafkaClients) TestStorage(io.strimzi.systemtest.storage.TestStorage) SystemTestCertHolder(io.strimzi.systemtest.security.SystemTestCertHolder) X509Certificate(java.security.cert.X509Certificate) KafkaUser(io.strimzi.api.kafka.model.KafkaUser) ParallelNamespaceTest(io.strimzi.systemtest.annotations.ParallelNamespaceTest)
