Example 11 with SystemTestCertHolder

use of io.strimzi.systemtest.security.SystemTestCertHolder in project strimzi-kafka-operator by strimzi.

Class CustomCaST, method testClientsCaCertificateRenew: a user-supplied clients CA (generateCertificateAuthority=false) must not be renewed by the operator when the renewal/validity days change, while the KafkaUser certificate signed by it is renewed.

@ParallelNamespaceTest
void testClientsCaCertificateRenew(ExtensionContext extensionContext) {
    final TestStorage ts = new TestStorage(extensionContext);
    final String testSuite = extensionContext.getRequiredTestClass().getSimpleName();
    final SystemTestCertHolder clientsCa = new SystemTestCertHolder("CN=" + testSuite + "ClientsCA", KafkaResources.clientsCaCertificateSecretName(ts.getClusterName()), KafkaResources.clientsCaKeySecretName(ts.getClusterName()));
    // prepare custom Ca and copy that to the related Secrets
    clientsCa.prepareCustomSecretsFromBundles(ts.getNamespaceName(), ts.getClusterName());
    final X509Certificate clientsCert = SecretUtils.getCertificateFromSecret(kubeClient(ts.getNamespaceName()).getSecret(ts.getNamespaceName(), KafkaResources.clientsCaCertificateSecretName(ts.getClusterName())), "ca.crt");
    checkCustomCaCorrectness(clientsCa, clientsCert);
    resourceManager.createResource(extensionContext, KafkaTemplates.kafkaEphemeral(ts.getClusterName(), 3).editOrNewSpec().withNewClientsCa().withRenewalDays(15).withValidityDays(20).withGenerateCertificateAuthority(false).endClientsCa().endSpec().build());
    resourceManager.createResource(extensionContext, KafkaUserTemplates.tlsUser(ts.getClusterName(), ts.getUserName()).build());
    final Map<String, String> entityPods = DeploymentUtils.depSnapshot(ts.getNamespaceName(), KafkaResources.entityOperatorDeploymentName(ts.getClusterName()));
    // Check initial clientsCA validity days
    Secret clientsCASecret = kubeClient(ts.getNamespaceName()).getSecret(ts.getNamespaceName(), KafkaResources.clientsCaCertificateSecretName(ts.getClusterName()));
    X509Certificate cacert = SecretUtils.getCertificateFromSecret(clientsCASecret, "ca.crt");
    final Date initialCertStartTime = cacert.getNotBefore();
    final Date initialCertEndTime = cacert.getNotAfter();
    // Check initial kafkauser validity days
    X509Certificate userCert = SecretUtils.getCertificateFromSecret(kubeClient(ts.getNamespaceName()).getSecret(ts.getNamespaceName(), ts.getUserName()), "user.crt");
    final Date initialKafkaUserCertStartTime = userCert.getNotBefore();
    final Date initialKafkaUserCertEndTime = userCert.getNotAfter();
    LOGGER.info("Change of kafka validity and renewal days - reconciliation should start.");
    final CertificateAuthority newClientsCA = new CertificateAuthority();
    newClientsCA.setRenewalDays(150);
    newClientsCA.setValidityDays(200);
    // The clients CA stays user-managed: the operator must not regenerate or renew it
    newClientsCA.setGenerateCertificateAuthority(false);
    KafkaResource.replaceKafkaResourceInSpecificNamespace(ts.getClusterName(), k -> k.getSpec().setClientsCa(newClientsCA), ts.getNamespaceName());
    // Wait for the reconciliation to roll the Entity Operator; the certificates are verified below
    DeploymentUtils.waitTillDepHasRolled(ts.getNamespaceName(), KafkaResources.entityOperatorDeploymentName(ts.getClusterName()), 1, entityPods);
    // Read renewed secret/certs again
    clientsCASecret = kubeClient(ts.getNamespaceName()).getSecret(ts.getNamespaceName(), KafkaResources.clientsCaCertificateSecretName(ts.getClusterName()));
    cacert = SecretUtils.getCertificateFromSecret(clientsCASecret, "ca.crt");
    final Date changedCertStartTime = cacert.getNotBefore();
    final Date changedCertEndTime = cacert.getNotAfter();
    userCert = SecretUtils.getCertificateFromSecret(kubeClient(ts.getNamespaceName()).getSecret(ts.getNamespaceName(), ts.getUserName()), "user.crt");
    final Date changedKafkaUserCertStartTime = userCert.getNotBefore();
    final Date changedKafkaUserCertEndTime = userCert.getNotAfter();
    LOGGER.info("Initial ClientsCA cert dates: " + initialCertStartTime + " --> " + initialCertEndTime);
    LOGGER.info("Changed ClientsCA cert dates: " + changedCertStartTime + " --> " + changedCertEndTime);
    LOGGER.info("Initial userCert dates: " + initialKafkaUserCertStartTime + " --> " + initialKafkaUserCertEndTime);
    LOGGER.info("Changed userCert dates: " + changedKafkaUserCertStartTime + " --> " + changedKafkaUserCertEndTime);
    assertThat("ClientsCA cert should not have changed.", initialCertEndTime.compareTo(changedCertEndTime) == 0);
    assertThat("UserCert start date has been renewed", initialKafkaUserCertStartTime.compareTo(changedKafkaUserCertStartTime) < 0);
    assertThat("UserCert end date has been renewed", initialKafkaUserCertEndTime.compareTo(changedKafkaUserCertEndTime) < 0);
}
Also used:
- Secret (io.fabric8.kubernetes.api.model.Secret)
- TestStorage (io.strimzi.systemtest.storage.TestStorage)
- CertificateAuthority (io.strimzi.api.kafka.model.CertificateAuthority)
- SystemTestCertHolder (io.strimzi.systemtest.security.SystemTestCertHolder)
- X509Certificate (java.security.cert.X509Certificate)
- Date (java.util.Date)
- ParallelNamespaceTest (io.strimzi.systemtest.annotations.ParallelNamespaceTest)

Example 12 with SystemTestCertHolder

use of io.strimzi.systemtest.security.SystemTestCertHolder in project strimzi-kafka-operator by strimzi.

Class CustomCaST, method testCustomClusterCACertificateRenew: a user-supplied cluster CA (generateCertificateAuthority=false) must not be renewed by the operator when the renewal/validity days change, while the broker and ZooKeeper certificates signed by it are renewed through a rolling update.

@ParallelNamespaceTest
void testCustomClusterCACertificateRenew(ExtensionContext extensionContext) {
    TestStorage ts = new TestStorage(extensionContext);
    final String testSuite = extensionContext.getRequiredTestClass().getSimpleName();
    final SystemTestCertHolder clusterCa = new SystemTestCertHolder("CN=" + testSuite + "ClusterCA", KafkaResources.clusterCaCertificateSecretName(ts.getClusterName()), KafkaResources.clusterCaKeySecretName(ts.getClusterName()));
    // prepare custom Ca and copy that to the related Secrets
    clusterCa.prepareCustomSecretsFromBundles(ts.getNamespaceName(), ts.getClusterName());
    final X509Certificate clusterCert = SecretUtils.getCertificateFromSecret(kubeClient(ts.getNamespaceName()).getSecret(ts.getNamespaceName(), KafkaResources.clusterCaCertificateSecretName(ts.getClusterName())), "ca.crt");
    checkCustomCaCorrectness(clusterCa, clusterCert);
    resourceManager.createResource(extensionContext, KafkaTemplates.kafkaEphemeral(ts.getClusterName(), 3).editOrNewSpec().withNewClusterCa().withRenewalDays(15).withValidityDays(20).withGenerateCertificateAuthority(false).endClusterCa().endSpec().build());
    final Map<String, String> zkPods = PodUtils.podSnapshot(ts.getNamespaceName(), ts.getZookeeperSelector());
    final Map<String, String> kafkaPods = PodUtils.podSnapshot(ts.getNamespaceName(), ts.getKafkaSelector());
    final Map<String, String> eoPod = DeploymentUtils.depSnapshot(ts.getNamespaceName(), KafkaResources.entityOperatorDeploymentName(ts.getClusterName()));
    Secret clusterCASecret = kubeClient(ts.getNamespaceName()).getSecret(ts.getNamespaceName(), KafkaResources.clusterCaCertificateSecretName(ts.getClusterName()));
    X509Certificate cacert = SecretUtils.getCertificateFromSecret(clusterCASecret, "ca.crt");
    final Date initialCertStartTime = cacert.getNotBefore();
    final Date initialCertEndTime = cacert.getNotAfter();
    // Check Broker kafka certificate dates
    Secret brokerCertCreationSecret = kubeClient(ts.getNamespaceName()).getSecret(ts.getNamespaceName(), ts.getClusterName() + "-kafka-brokers");
    X509Certificate kafkaBrokerCert = SecretUtils.getCertificateFromSecret(brokerCertCreationSecret, ts.getClusterName() + "-kafka-0.crt");
    final Date initialKafkaBrokerCertStartTime = kafkaBrokerCert.getNotBefore();
    final Date initialKafkaBrokerCertEndTime = kafkaBrokerCert.getNotAfter();
    // Check Zookeeper certificate dates
    Secret zkCertCreationSecret = kubeClient(ts.getNamespaceName()).getSecret(ts.getNamespaceName(), ts.getClusterName() + "-zookeeper-nodes");
    X509Certificate zkBrokerCert = SecretUtils.getCertificateFromSecret(zkCertCreationSecret, ts.getClusterName() + "-zookeeper-0.crt");
    final Date initialZkCertStartTime = zkBrokerCert.getNotBefore();
    final Date initialZkCertEndTime = zkBrokerCert.getNotAfter();
    LOGGER.info("Change of kafka validity and renewal days - reconciliation should start.");
    final CertificateAuthority newClusterCA = new CertificateAuthority();
    newClusterCA.setRenewalDays(150);
    newClusterCA.setValidityDays(200);
    // The cluster CA stays user-managed: the operator must not regenerate or renew it
    newClusterCA.setGenerateCertificateAuthority(false);
    KafkaResource.replaceKafkaResourceInSpecificNamespace(ts.getClusterName(), k -> k.getSpec().setClusterCa(newClusterCA), ts.getNamespaceName());
    // On the next reconciliation, the Cluster Operator performs a `rolling update`:
    // a) ZooKeeper
    // b) Kafka
    // c) and other components to trust the new Cluster CA certificate. (i.e., EntityOperator)
    RollingUpdateUtils.waitTillComponentHasRolled(ts.getNamespaceName(), ts.getZookeeperSelector(), 3, zkPods);
    RollingUpdateUtils.waitTillComponentHasRolled(ts.getNamespaceName(), ts.getKafkaSelector(), 3, kafkaPods);
    DeploymentUtils.waitTillDepHasRolled(ts.getNamespaceName(), KafkaResources.entityOperatorDeploymentName(ts.getClusterName()), 1, eoPod);
    // Read renewed secret/certs again
    clusterCASecret = kubeClient(ts.getNamespaceName()).getSecret(ts.getNamespaceName(), KafkaResources.clusterCaCertificateSecretName(ts.getClusterName()));
    cacert = SecretUtils.getCertificateFromSecret(clusterCASecret, "ca.crt");
    final Date changedCertStartTime = cacert.getNotBefore();
    final Date changedCertEndTime = cacert.getNotAfter();
    // Check renewed Broker kafka certificate dates
    brokerCertCreationSecret = kubeClient(ts.getNamespaceName()).getSecret(ts.getNamespaceName(), ts.getClusterName() + "-kafka-brokers");
    kafkaBrokerCert = SecretUtils.getCertificateFromSecret(brokerCertCreationSecret, ts.getClusterName() + "-kafka-0.crt");
    final Date changedKafkaBrokerCertStartTime = kafkaBrokerCert.getNotBefore();
    final Date changedKafkaBrokerCertEndTime = kafkaBrokerCert.getNotAfter();
    // Check renewed Zookeeper certificate dates
    zkCertCreationSecret = kubeClient(ts.getNamespaceName()).getSecret(ts.getNamespaceName(), ts.getClusterName() + "-zookeeper-nodes");
    zkBrokerCert = SecretUtils.getCertificateFromSecret(zkCertCreationSecret, ts.getClusterName() + "-zookeeper-0.crt");
    final Date changedZkCertStartTime = zkBrokerCert.getNotBefore();
    final Date changedZkCertEndTime = zkBrokerCert.getNotAfter();
    LOGGER.info("Initial ClusterCA cert dates: " + initialCertStartTime + " --> " + initialCertEndTime);
    LOGGER.info("Changed ClusterCA cert dates: " + changedCertStartTime + " --> " + changedCertEndTime);
    LOGGER.info("KafkaBroker cert creation dates: " + initialKafkaBrokerCertStartTime + " --> " + initialKafkaBrokerCertEndTime);
    LOGGER.info("KafkaBroker cert changed dates:  " + changedKafkaBrokerCertStartTime + " --> " + changedKafkaBrokerCertEndTime);
    LOGGER.info("Zookeeper cert creation dates: " + initialZkCertStartTime + " --> " + initialZkCertEndTime);
    LOGGER.info("Zookeeper cert changed dates:  " + changedZkCertStartTime + " --> " + changedZkCertEndTime);
    assertThat("ClusterCA cert should not have changed.", initialCertEndTime.compareTo(changedCertEndTime) == 0);
    assertThat("Broker certificates start dates have not been renewed.", initialKafkaBrokerCertStartTime.compareTo(changedKafkaBrokerCertStartTime) < 0);
    assertThat("Broker certificates end dates have not been renewed.", initialKafkaBrokerCertEndTime.compareTo(changedKafkaBrokerCertEndTime) < 0);
    assertThat("Zookeeper certificates start dates have not been renewed.", initialZkCertStartTime.compareTo(changedZkCertStartTime) < 0);
    assertThat("Zookeeper certificates end dates have not been renewed.", initialZkCertEndTime.compareTo(changedZkCertEndTime) < 0);
}
Also used:
- Secret (io.fabric8.kubernetes.api.model.Secret)
- TestStorage (io.strimzi.systemtest.storage.TestStorage)
- CertificateAuthority (io.strimzi.api.kafka.model.CertificateAuthority)
- SystemTestCertHolder (io.strimzi.systemtest.security.SystemTestCertHolder)
- X509Certificate (java.security.cert.X509Certificate)
- Date (java.util.Date)
- ParallelNamespaceTest (io.strimzi.systemtest.annotations.ParallelNamespaceTest)