Example 91 with TestStorage
use of io.strimzi.systemtest.storage.TestStorage in project strimzi by strimzi.
the class SecurityST method autoRenewSomeCaCertsTriggeredByAnno.
@SuppressWarnings({ "checkstyle:MethodLength", "checkstyle:NPathComplexity" })
void autoRenewSomeCaCertsTriggeredByAnno(ExtensionContext extensionContext, boolean zkShouldRoll, boolean kafkaShouldRoll, boolean eoShouldRoll, boolean keAndCCShouldRoll) {
final TestStorage testStorage = new TestStorage(extensionContext, namespace);
createKafkaCluster(extensionContext, testStorage.getClusterName());
List<String> secrets;
// to make it parallel we need decision maker...
if (extensionContext.getTags().contains("ClusterCaCerts")) {
secrets = Arrays.asList(clusterCaCertificateSecretName(testStorage.getClusterName()));
} else if (extensionContext.getTags().contains("ClientsCaCerts")) {
secrets = Arrays.asList(clientsCaCertificateSecretName(testStorage.getClusterName()));
} else {
// AllCaKeys
secrets = Arrays.asList(clusterCaCertificateSecretName(testStorage.getClusterName()), clientsCaCertificateSecretName(testStorage.getClusterName()));
}
resourceManager.createResource(extensionContext, KafkaUserTemplates.tlsUser(testStorage.getClusterName(), testStorage.getUserName()).build(), KafkaTopicTemplates.topic(testStorage.getClusterName(), testStorage.getTopicName()).build());
KafkaClients kafkaClients = new KafkaClientsBuilder().withTopicName(testStorage.getTopicName()).withMessageCount(MESSAGE_COUNT).withBootstrapAddress(KafkaResources.tlsBootstrapAddress(testStorage.getClusterName())).withProducerName(testStorage.getProducerName()).withConsumerName(testStorage.getConsumerName()).withNamespaceName(testStorage.getNamespaceName()).withUserName(testStorage.getUserName()).build();
resourceManager.createResource(extensionContext, kafkaClients.producerTlsStrimzi(testStorage.getClusterName()), kafkaClients.consumerTlsStrimzi(testStorage.getClusterName()));
ClientUtils.waitForClientsSuccess(testStorage.getProducerName(), testStorage.getConsumerName(), testStorage.getNamespaceName(), MESSAGE_COUNT);
// Get all pods, and their resource versions
Map<String, String> zkPods = PodUtils.podSnapshot(testStorage.getNamespaceName(), testStorage.getZookeeperSelector());
Map<String, String> kafkaPods = PodUtils.podSnapshot(testStorage.getNamespaceName(), testStorage.getKafkaSelector());
Map<String, String> eoPod = DeploymentUtils.depSnapshot(testStorage.getNamespaceName(), KafkaResources.entityOperatorDeploymentName(testStorage.getClusterName()));
Map<String, String> ccPod = DeploymentUtils.depSnapshot(testStorage.getNamespaceName(), CruiseControlResources.deploymentName(testStorage.getClusterName()));
Map<String, String> kePod = DeploymentUtils.depSnapshot(testStorage.getNamespaceName(), KafkaExporterResources.deploymentName(testStorage.getClusterName()));
LOGGER.info("Triggering CA cert renewal by adding the annotation");
Map<String, String> initialCaCerts = new HashMap<>();
for (String secretName : secrets) {
Secret secret = kubeClient().getSecret(testStorage.getNamespaceName(), secretName);
String value = secret.getData().get("ca.crt");
assertThat("ca.crt in " + secretName + " should not be null", value, is(notNullValue()));
initialCaCerts.put(secretName, value);
Secret annotated = new SecretBuilder(secret).editMetadata().addToAnnotations(Ca.ANNO_STRIMZI_IO_FORCE_RENEW, "true").endMetadata().build();
LOGGER.info("Patching secret {} with {}", secretName, Ca.ANNO_STRIMZI_IO_FORCE_RENEW);
kubeClient().patchSecret(testStorage.getNamespaceName(), secretName, annotated);
}
if (zkShouldRoll) {
LOGGER.info("Wait for zk to rolling restart ...");
RollingUpdateUtils.waitTillComponentHasRolledAndPodsReady(testStorage.getNamespaceName(), testStorage.getZookeeperSelector(), 3, zkPods);
}
if (kafkaShouldRoll) {
LOGGER.info("Wait for kafka to rolling restart ...");
RollingUpdateUtils.waitTillComponentHasRolledAndPodsReady(testStorage.getNamespaceName(), testStorage.getKafkaSelector(), 3, kafkaPods);
}
if (eoShouldRoll) {
LOGGER.info("Wait for EO to rolling restart ...");
eoPod = DeploymentUtils.waitTillDepHasRolled(testStorage.getNamespaceName(), KafkaResources.entityOperatorDeploymentName(testStorage.getClusterName()), 1, eoPod);
}
if (keAndCCShouldRoll) {
LOGGER.info("Wait for CC and KE to rolling restart ...");
kePod = DeploymentUtils.waitTillDepHasRolled(testStorage.getNamespaceName(), KafkaExporterResources.deploymentName(testStorage.getClusterName()), 1, kePod);
ccPod = DeploymentUtils.waitTillDepHasRolled(testStorage.getNamespaceName(), CruiseControlResources.deploymentName(testStorage.getClusterName()), 1, ccPod);
}
LOGGER.info("Checking the certificates have been replaced");
for (String secretName : secrets) {
Secret secret = kubeClient().getSecret(testStorage.getNamespaceName(), secretName);
assertThat("Secret " + secretName + " should exist", secret, is(notNullValue()));
assertThat("CA cert in " + secretName + " should have non-null 'data'", is(notNullValue()));
String value = secret.getData().get("ca.crt");
assertThat("CA cert in " + secretName + " should have changed", value, is(not(initialCaCerts.get(secretName))));
}
kafkaClients = new KafkaClientsBuilder(kafkaClients).withConsumerGroup(ClientUtils.generateRandomConsumerGroup()).build();
resourceManager.createResource(extensionContext, kafkaClients.consumerTlsStrimzi(testStorage.getClusterName()));
ClientUtils.waitForClientSuccess(testStorage.getConsumerName(), testStorage.getNamespaceName(), MESSAGE_COUNT);
// Check a new client (signed by new client key) can consume
String bobUserName = "bob-" + testStorage.getUserName();
resourceManager.createResource(extensionContext, KafkaUserTemplates.tlsUser(testStorage.getClusterName(), bobUserName).build());
kafkaClients = new KafkaClientsBuilder(kafkaClients).withConsumerGroup(ClientUtils.generateRandomConsumerGroup()).withBootstrapAddress(KafkaResources.tlsBootstrapAddress(testStorage.getClusterName())).withUserName(bobUserName).build();
resourceManager.createResource(extensionContext, kafkaClients.consumerTlsStrimzi(testStorage.getClusterName()));
ClientUtils.waitForClientSuccess(testStorage.getConsumerName(), testStorage.getNamespaceName(), MESSAGE_COUNT);
if (!zkShouldRoll) {
assertThat("ZK pods should not roll, but did.", PodUtils.podSnapshot(testStorage.getNamespaceName(), testStorage.getZookeeperSelector()), is(zkPods));
}
if (!kafkaShouldRoll) {
assertThat("Kafka pods should not roll, but did.", PodUtils.podSnapshot(testStorage.getNamespaceName(), testStorage.getKafkaSelector()), is(kafkaPods));
}
if (!eoShouldRoll) {
assertThat("EO pod should not roll, but did.", DeploymentUtils.depSnapshot(testStorage.getNamespaceName(), KafkaResources.entityOperatorDeploymentName(testStorage.getClusterName())), is(eoPod));
}
if (!keAndCCShouldRoll) {
assertThat("CC pod should not roll, but did.", DeploymentUtils.depSnapshot(testStorage.getNamespaceName(), CruiseControlResources.deploymentName(testStorage.getClusterName())), is(ccPod));
assertThat("KE pod should not roll, but did.", DeploymentUtils.depSnapshot(testStorage.getNamespaceName(), KafkaExporterResources.deploymentName(testStorage.getClusterName())), is(kePod));
}
}
Also used :
KafkaClientsBuilder(io.strimzi.systemtest.kafkaclients.internalClients.KafkaClientsBuilder)
Secret(io.fabric8.kubernetes.api.model.Secret)
SecretBuilder(io.fabric8.kubernetes.api.model.SecretBuilder)
KafkaClients(io.strimzi.systemtest.kafkaclients.internalClients.KafkaClients)
HashMap(java.util.HashMap)
TestStorage(io.strimzi.systemtest.storage.TestStorage)
Matchers.containsString(org.hamcrest.Matchers.containsString)
Example 92 with TestStorage
use of io.strimzi.systemtest.storage.TestStorage in project strimzi by strimzi.
the class SecurityST method testCertRenewalInMaintenanceTimeWindow.
@ParallelNamespaceTest
@Tag(INTERNAL_CLIENTS_USED)
@KRaftNotSupported("UserOperator is not supported by KRaft mode and is used in this test case")
void testCertRenewalInMaintenanceTimeWindow(ExtensionContext extensionContext) {
final TestStorage testStorage = new TestStorage(extensionContext, namespace);
final String clusterSecretName = KafkaResources.clusterCaCertificateSecretName(testStorage.getClusterName());
final String clientsSecretName = KafkaResources.clientsCaCertificateSecretName(testStorage.getClusterName());
LocalDateTime maintenanceWindowStart = LocalDateTime.now().withSecond(0);
long maintenanceWindowDuration = 14;
maintenanceWindowStart = maintenanceWindowStart.plusMinutes(15);
final long windowStartMin = maintenanceWindowStart.getMinute();
final long windowStopMin = windowStartMin + maintenanceWindowDuration > 59 ? windowStartMin + maintenanceWindowDuration - 60 : windowStartMin + maintenanceWindowDuration;
String maintenanceWindowCron = "* " + windowStartMin + "-" + windowStopMin + " * * * ? *";
LOGGER.info("Initial maintenanceTimeWindow is: {}", maintenanceWindowCron);
resourceManager.createResource(extensionContext, KafkaTemplates.kafkaPersistent(testStorage.getClusterName(), 3, 1).editSpec().addToMaintenanceTimeWindows(maintenanceWindowCron).editKafka().withListeners(new GenericKafkaListenerBuilder().withName(Constants.TLS_LISTENER_DEFAULT_NAME).withPort(9093).withType(KafkaListenerType.INTERNAL).withTls(true).withAuth(new KafkaListenerAuthenticationTls()).build()).endKafka().withNewClusterCa().withRenewalDays(15).withValidityDays(20).endClusterCa().withNewClientsCa().withRenewalDays(15).withValidityDays(20).endClientsCa().endSpec().build());
resourceManager.createResource(extensionContext, KafkaUserTemplates.tlsUser(testStorage.getClusterName(), testStorage.getUserName()).build(), KafkaTopicTemplates.topic(testStorage.getClusterName(), testStorage.getTopicName()).build());
Secret kafkaUserSecret = kubeClient(testStorage.getNamespaceName()).getSecret(testStorage.getNamespaceName(), testStorage.getUserName());
KafkaClients kafkaClients = new KafkaClientsBuilder().withTopicName(testStorage.getTopicName()).withMessageCount(MESSAGE_COUNT).withBootstrapAddress(KafkaResources.tlsBootstrapAddress(testStorage.getClusterName())).withProducerName(testStorage.getProducerName()).withConsumerName(testStorage.getConsumerName()).withNamespaceName(testStorage.getNamespaceName()).withUserName(testStorage.getUserName()).build();
Map<String, String> kafkaPods = PodUtils.podSnapshot(testStorage.getNamespaceName(), testStorage.getKafkaSelector());
CertificateAuthority newCAValidity = new CertificateAuthority();
newCAValidity.setRenewalDays(150);
newCAValidity.setValidityDays(200);
KafkaResource.replaceKafkaResourceInSpecificNamespace(testStorage.getClusterName(), k -> {
k.getSpec().setClusterCa(newCAValidity);
k.getSpec().setClientsCa(newCAValidity);
}, testStorage.getNamespaceName());
KafkaUtils.waitForKafkaStatusUpdate(testStorage.getNamespaceName(), testStorage.getClusterName());
Secret secretCaCluster = kubeClient(testStorage.getNamespaceName()).getSecret(testStorage.getNamespaceName(), clusterSecretName);
Secret secretCaClients = kubeClient(testStorage.getNamespaceName()).getSecret(testStorage.getNamespaceName(), clientsSecretName);
assertThat("Cluster CA certificate has been renewed outside of maintenanceTimeWindows", secretCaCluster.getMetadata().getAnnotations().get(Ca.ANNO_STRIMZI_IO_CA_CERT_GENERATION), is("0"));
assertThat("Clients CA certificate has been renewed outside of maintenanceTimeWindows", secretCaClients.getMetadata().getAnnotations().get(Ca.ANNO_STRIMZI_IO_CA_CERT_GENERATION), is("0"));
assertThat("Rolling update was performed outside of maintenanceTimeWindows", kafkaPods, is(PodUtils.podSnapshot(testStorage.getNamespaceName(), testStorage.getKafkaSelector())));
maintenanceWindowCron = "* " + LocalDateTime.now().getMinute() + "-" + windowStopMin + " * * * ? *";
LOGGER.info("Set maintenanceTimeWindow to start now to save time: {}", maintenanceWindowCron);
List<String> maintenanceTimeWindows = KafkaResource.kafkaClient().inNamespace(testStorage.getNamespaceName()).withName(testStorage.getClusterName()).get().getSpec().getMaintenanceTimeWindows();
maintenanceTimeWindows.add(maintenanceWindowCron);
KafkaResource.replaceKafkaResourceInSpecificNamespace(testStorage.getClusterName(), kafka -> kafka.getSpec().setMaintenanceTimeWindows(maintenanceTimeWindows), testStorage.getNamespaceName());
resourceManager.createResource(extensionContext, KafkaTemplates.kafkaPersistent(testStorage.getClusterName(), 3, 1).editSpec().addToMaintenanceTimeWindows(maintenanceWindowCron).endSpec().build());
LOGGER.info("Wait until rolling update is triggered during maintenanceTimeWindows");
RollingUpdateUtils.waitTillComponentHasRolled(testStorage.getNamespaceName(), testStorage.getKafkaSelector(), 3, kafkaPods);
Secret kafkaUserSecretRolled = kubeClient(testStorage.getNamespaceName()).getSecret(testStorage.getNamespaceName(), testStorage.getUserName());
secretCaCluster = kubeClient(testStorage.getNamespaceName()).getSecret(testStorage.getNamespaceName(), clusterSecretName);
secretCaClients = kubeClient(testStorage.getNamespaceName()).getSecret(testStorage.getNamespaceName(), clientsSecretName);
assertThat("Cluster CA certificate has not been renewed within maintenanceTimeWindows", secretCaCluster.getMetadata().getAnnotations().get(Ca.ANNO_STRIMZI_IO_CA_CERT_GENERATION), is("1"));
assertThat("Clients CA certificate has not been renewed within maintenanceTimeWindows", secretCaClients.getMetadata().getAnnotations().get(Ca.ANNO_STRIMZI_IO_CA_CERT_GENERATION), is("1"));
assertThat("KafkaUser certificate has not been renewed within maintenanceTimeWindows", kafkaUserSecret, not(sameInstance(kafkaUserSecretRolled)));
resourceManager.createResource(extensionContext, kafkaClients.producerTlsStrimzi(testStorage.getClusterName()), kafkaClients.consumerTlsStrimzi(testStorage.getClusterName()));
ClientUtils.waitForClientsSuccess(testStorage.getProducerName(), testStorage.getConsumerName(), testStorage.getNamespaceName(), MESSAGE_COUNT);
}
Also used :
LocalDateTime(java.time.LocalDateTime)
Secret(io.fabric8.kubernetes.api.model.Secret)
KafkaClientsBuilder(io.strimzi.systemtest.kafkaclients.internalClients.KafkaClientsBuilder)
KafkaListenerAuthenticationTls(io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationTls)
KafkaClients(io.strimzi.systemtest.kafkaclients.internalClients.KafkaClients)
GenericKafkaListenerBuilder(io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListenerBuilder)
TestStorage(io.strimzi.systemtest.storage.TestStorage)
CertificateAuthority(io.strimzi.api.kafka.model.CertificateAuthority)
Matchers.containsString(org.hamcrest.Matchers.containsString)
KRaftNotSupported(io.strimzi.systemtest.annotations.KRaftNotSupported)
ParallelNamespaceTest(io.strimzi.systemtest.annotations.ParallelNamespaceTest)
Tag(org.junit.jupiter.api.Tag)
Example 93 with TestStorage
use of io.strimzi.systemtest.storage.TestStorage in project strimzi by strimzi.
the class SecurityST method testClientsCACertRenew.
@ParallelNamespaceTest
@KRaftNotSupported("UserOperator is not supported by KRaft mode and is used in this test case")
void testClientsCACertRenew(ExtensionContext extensionContext) {
final TestStorage ts = new TestStorage(extensionContext, namespace);
resourceManager.createResource(extensionContext, KafkaTemplates.kafkaEphemeral(ts.getClusterName(), 3).editOrNewSpec().withNewClientsCa().withRenewalDays(15).withValidityDays(20).endClientsCa().endSpec().build());
String username = "strimzi-tls-user-" + new Random().nextInt(Integer.MAX_VALUE);
resourceManager.createResource(extensionContext, KafkaUserTemplates.tlsUser(ts.getClusterName(), username).build());
final Map<String, String> zkPods = PodUtils.podSnapshot(ts.getNamespaceName(), ts.getZookeeperSelector());
final Map<String, String> kafkaPods = PodUtils.podSnapshot(ts.getNamespaceName(), ts.getKafkaSelector());
final Map<String, String> eoPod = DeploymentUtils.depSnapshot(ts.getNamespaceName(), ts.getEoDeploymentName());
// Check initial clientsCA validity days
Secret clientsCASecret = kubeClient(ts.getNamespaceName()).getSecret(ts.getNamespaceName(), KafkaResources.clientsCaCertificateSecretName(ts.getClusterName()));
X509Certificate cacert = SecretUtils.getCertificateFromSecret(clientsCASecret, "ca.crt");
Date initialCertStartTime = cacert.getNotBefore();
Date initialCertEndTime = cacert.getNotAfter();
// Check initial kafkauser validity days
X509Certificate userCert = SecretUtils.getCertificateFromSecret(kubeClient(ts.getNamespaceName()).getSecret(ts.getNamespaceName(), username), "user.crt");
Date initialKafkaUserCertStartTime = userCert.getNotBefore();
Date initialKafkaUserCertEndTime = userCert.getNotAfter();
LOGGER.info("Change of kafka validity and renewal days - reconciliation should start.");
CertificateAuthority newClientsCA = new CertificateAuthority();
newClientsCA.setRenewalDays(150);
newClientsCA.setValidityDays(200);
KafkaResource.replaceKafkaResourceInSpecificNamespace(ts.getClusterName(), k -> k.getSpec().setClientsCa(newClientsCA), ts.getNamespaceName());
// On the next reconciliation, the Cluster Operator performs a `rolling update` only for the
// `Kafka pods`.
// a) ZooKeeper must not roll
RollingUpdateUtils.waitForNoRollingUpdate(ts.getNamespaceName(), ts.getZookeeperSelector(), zkPods);
// b) Kafka has to roll
RollingUpdateUtils.waitTillComponentHasRolledAndPodsReady(ts.getNamespaceName(), ts.getKafkaSelector(), 3, kafkaPods);
// c) EO must roll (because User Operator uses Clients CA for issuing user certificates)
DeploymentUtils.waitTillDepHasRolled(ts.getNamespaceName(), ts.getEoDeploymentName(), 1, eoPod);
// Read renewed secret/certs again
clientsCASecret = kubeClient(ts.getNamespaceName()).getSecret(ts.getNamespaceName(), KafkaResources.clientsCaCertificateSecretName(ts.getClusterName()));
cacert = SecretUtils.getCertificateFromSecret(clientsCASecret, "ca.crt");
Date changedCertStartTime = cacert.getNotBefore();
Date changedCertEndTime = cacert.getNotAfter();
userCert = SecretUtils.getCertificateFromSecret(kubeClient(ts.getNamespaceName()).getSecret(ts.getNamespaceName(), username), "user.crt");
Date changedKafkaUserCertStartTime = userCert.getNotBefore();
Date changedKafkaUserCertEndTime = userCert.getNotAfter();
LOGGER.info("Initial ClientsCA cert dates: " + initialCertStartTime + " --> " + initialCertEndTime);
LOGGER.info("Changed ClientsCA cert dates: " + changedCertStartTime + " --> " + changedCertEndTime);
LOGGER.info("Initial userCert dates: " + initialKafkaUserCertStartTime + " --> " + initialKafkaUserCertEndTime);
LOGGER.info("Changed userCert dates: " + changedKafkaUserCertStartTime + " --> " + changedKafkaUserCertEndTime);
String msg = "Error: original cert-end date: '" + initialCertEndTime + "' ends sooner than changed (prolonged) cert date '" + changedCertEndTime + "'";
assertThat(msg, initialCertEndTime.compareTo(changedCertEndTime) < 0);
assertThat("UserCert start date has been renewed", initialKafkaUserCertStartTime.compareTo(changedKafkaUserCertStartTime) < 0);
assertThat("UserCert end date has been renewed", initialKafkaUserCertEndTime.compareTo(changedKafkaUserCertEndTime) < 0);
}
Also used :
Secret(io.fabric8.kubernetes.api.model.Secret)
Random(java.util.Random)
TestStorage(io.strimzi.systemtest.storage.TestStorage)
CertificateAuthority(io.strimzi.api.kafka.model.CertificateAuthority)
Matchers.containsString(org.hamcrest.Matchers.containsString)
X509Certificate(java.security.cert.X509Certificate)
Date(java.util.Date)
KRaftNotSupported(io.strimzi.systemtest.annotations.KRaftNotSupported)
ParallelNamespaceTest(io.strimzi.systemtest.annotations.ParallelNamespaceTest)
Example 94 with TestStorage
use of io.strimzi.systemtest.storage.TestStorage in project strimzi by strimzi.
the class CustomAuthorizerST method testAclRuleReadAndWrite.
@ParallelTest
@Tag(INTERNAL_CLIENTS_USED)
void testAclRuleReadAndWrite(ExtensionContext extensionContext) throws UnexpectedException {
final TestStorage testStorage = new TestStorage(extensionContext, namespace);
final String kafkaUserWrite = "kafka-user-write";
final String kafkaUserRead = "kafka-user-read";
final String consumerGroupName = "consumer-group-name-1";
resourceManager.createResource(extensionContext, KafkaTopicTemplates.topic(CLUSTER_NAME, testStorage.getTopicName(), namespace).build());
KafkaUser writeUser = KafkaUserTemplates.tlsUser(namespace, CLUSTER_NAME, kafkaUserWrite).editSpec().withNewKafkaUserAuthorizationSimple().addNewAcl().withNewAclRuleTopicResource().withName(testStorage.getTopicName()).endAclRuleTopicResource().withOperation(AclOperation.WRITE).endAcl().addNewAcl().withNewAclRuleTopicResource().withName(testStorage.getTopicName()).endAclRuleTopicResource().withOperation(AclOperation.DESCRIBE).endAcl().endKafkaUserAuthorizationSimple().endSpec().build();
KafkaUser readUser = KafkaUserTemplates.tlsUser(namespace, CLUSTER_NAME, kafkaUserRead).editSpec().withNewKafkaUserAuthorizationSimple().addNewAcl().withNewAclRuleTopicResource().withName(testStorage.getTopicName()).endAclRuleTopicResource().withOperation(AclOperation.READ).endAcl().addNewAcl().withNewAclRuleGroupResource().withName(consumerGroupName).endAclRuleGroupResource().withOperation(AclOperation.READ).endAcl().addNewAcl().withNewAclRuleTopicResource().withName(testStorage.getTopicName()).endAclRuleTopicResource().withOperation(AclOperation.DESCRIBE).endAcl().endKafkaUserAuthorizationSimple().endSpec().build();
resourceManager.createResource(extensionContext, writeUser);
resourceManager.createResource(extensionContext, readUser);
LOGGER.info("Checking KafkaUser {} that is able to send messages to topic '{}'", kafkaUserWrite, testStorage.getTopicName());
KafkaClients kafkaClients = new KafkaClientsBuilder().withProducerName(testStorage.getProducerName()).withConsumerName(testStorage.getConsumerName()).withNamespaceName(testStorage.getNamespaceName()).withMessageCount(MESSAGE_COUNT).withBootstrapAddress(KafkaResources.tlsBootstrapAddress(CLUSTER_NAME)).withTopicName(testStorage.getTopicName()).withUserName(kafkaUserWrite).withConsumerGroup(consumerGroupName).build();
resourceManager.createResource(extensionContext, kafkaClients.producerTlsStrimzi(CLUSTER_NAME));
ClientUtils.waitForClientSuccess(testStorage.getProducerName(), testStorage.getNamespaceName(), MESSAGE_COUNT);
resourceManager.createResource(extensionContext, kafkaClients.consumerTlsStrimzi(CLUSTER_NAME));
ClientUtils.waitForClientTimeout(testStorage.getConsumerName(), testStorage.getNamespaceName(), MESSAGE_COUNT);
kafkaClients = new KafkaClientsBuilder(kafkaClients).withUserName(kafkaUserRead).build();
resourceManager.createResource(extensionContext, kafkaClients.consumerTlsStrimzi(CLUSTER_NAME));
ClientUtils.waitForClientSuccess(testStorage.getConsumerName(), testStorage.getNamespaceName(), MESSAGE_COUNT);
LOGGER.info("Checking KafkaUser {} that is not able to send messages to topic '{}'", kafkaUserRead, testStorage.getTopicName());
resourceManager.createResource(extensionContext, kafkaClients.producerTlsStrimzi(CLUSTER_NAME));
ClientUtils.waitForClientTimeout(testStorage.getProducerName(), testStorage.getNamespaceName(), MESSAGE_COUNT);
}
Also used :
KafkaClientsBuilder(io.strimzi.systemtest.kafkaclients.internalClients.KafkaClientsBuilder)
KafkaClients(io.strimzi.systemtest.kafkaclients.internalClients.KafkaClients)
TestStorage(io.strimzi.systemtest.storage.TestStorage)
KafkaUser(io.strimzi.api.kafka.model.KafkaUser)
ParallelTest(io.strimzi.systemtest.annotations.ParallelTest)
Tag(org.junit.jupiter.api.Tag)
Example 95 with TestStorage
use of io.strimzi.systemtest.storage.TestStorage in project strimzi by strimzi.
the class CustomCaST method testCustomClusterCACertificateRenew.
@ParallelNamespaceTest
void testCustomClusterCACertificateRenew(ExtensionContext extensionContext) {
TestStorage ts = new TestStorage(extensionContext);
final String testSuite = extensionContext.getRequiredTestClass().getSimpleName();
final SystemTestCertHolder clusterCa = new SystemTestCertHolder("CN=" + testSuite + "ClusterCA", KafkaResources.clusterCaCertificateSecretName(ts.getClusterName()), KafkaResources.clusterCaKeySecretName(ts.getClusterName()));
// prepare custom Ca and copy that to the related Secrets
clusterCa.prepareCustomSecretsFromBundles(ts.getNamespaceName(), ts.getClusterName());
final X509Certificate clusterCert = SecretUtils.getCertificateFromSecret(kubeClient(ts.getNamespaceName()).getSecret(ts.getNamespaceName(), KafkaResources.clusterCaCertificateSecretName(ts.getClusterName())), "ca.crt");
checkCustomCaCorrectness(clusterCa, clusterCert);
resourceManager.createResource(extensionContext, KafkaTemplates.kafkaEphemeral(ts.getClusterName(), 3).editOrNewSpec().withNewClusterCa().withRenewalDays(15).withValidityDays(20).withGenerateCertificateAuthority(false).endClusterCa().endSpec().build());
final Map<String, String> zkPods = PodUtils.podSnapshot(ts.getNamespaceName(), ts.getZookeeperSelector());
final Map<String, String> kafkaPods = PodUtils.podSnapshot(ts.getNamespaceName(), ts.getKafkaSelector());
final Map<String, String> eoPod = DeploymentUtils.depSnapshot(ts.getNamespaceName(), KafkaResources.entityOperatorDeploymentName(ts.getClusterName()));
Secret clusterCASecret = kubeClient(ts.getNamespaceName()).getSecret(ts.getNamespaceName(), KafkaResources.clusterCaCertificateSecretName(ts.getClusterName()));
X509Certificate cacert = SecretUtils.getCertificateFromSecret(clusterCASecret, "ca.crt");
final Date initialCertStartTime = cacert.getNotBefore();
final Date initialCertEndTime = cacert.getNotAfter();
// Check Broker kafka certificate dates
Secret brokerCertCreationSecret = kubeClient(ts.getNamespaceName()).getSecret(ts.getNamespaceName(), ts.getClusterName() + "-kafka-brokers");
X509Certificate kafkaBrokerCert = SecretUtils.getCertificateFromSecret(brokerCertCreationSecret, ts.getClusterName() + "-kafka-0.crt");
final Date initialKafkaBrokerCertStartTime = kafkaBrokerCert.getNotBefore();
final Date initialKafkaBrokerCertEndTime = kafkaBrokerCert.getNotAfter();
// Check Zookeeper certificate dates
Secret zkCertCreationSecret = kubeClient(ts.getNamespaceName()).getSecret(ts.getNamespaceName(), ts.getClusterName() + "-zookeeper-nodes");
X509Certificate zkBrokerCert = SecretUtils.getCertificateFromSecret(zkCertCreationSecret, ts.getClusterName() + "-zookeeper-0.crt");
final Date initialZkCertStartTime = zkBrokerCert.getNotBefore();
final Date initialZkCertEndTime = zkBrokerCert.getNotAfter();
LOGGER.info("Change of kafka validity and renewal days - reconciliation should start.");
final CertificateAuthority newClusterCA = new CertificateAuthority();
newClusterCA.setRenewalDays(150);
newClusterCA.setValidityDays(200);
newClusterCA.setGenerateCertificateAuthority(false);
KafkaResource.replaceKafkaResourceInSpecificNamespace(ts.getClusterName(), k -> k.getSpec().setClusterCa(newClusterCA), ts.getNamespaceName());
// On the next reconciliation, the Cluster Operator performs a `rolling update`:
// a) ZooKeeper
// b) Kafka
// c) and other components to trust the new Cluster CA certificate. (i.e., EntityOperator)
RollingUpdateUtils.waitTillComponentHasRolled(ts.getNamespaceName(), ts.getZookeeperSelector(), 3, zkPods);
RollingUpdateUtils.waitTillComponentHasRolled(ts.getNamespaceName(), ts.getKafkaSelector(), 3, kafkaPods);
DeploymentUtils.waitTillDepHasRolled(ts.getNamespaceName(), KafkaResources.entityOperatorDeploymentName(ts.getClusterName()), 1, eoPod);
// Read renewed secret/certs again
clusterCASecret = kubeClient(ts.getNamespaceName()).getSecret(ts.getNamespaceName(), KafkaResources.clusterCaCertificateSecretName(ts.getClusterName()));
cacert = SecretUtils.getCertificateFromSecret(clusterCASecret, "ca.crt");
final Date changedCertStartTime = cacert.getNotBefore();
final Date changedCertEndTime = cacert.getNotAfter();
// Check renewed Broker kafka certificate dates
brokerCertCreationSecret = kubeClient(ts.getNamespaceName()).getSecret(ts.getNamespaceName(), ts.getClusterName() + "-kafka-brokers");
kafkaBrokerCert = SecretUtils.getCertificateFromSecret(brokerCertCreationSecret, ts.getClusterName() + "-kafka-0.crt");
final Date changedKafkaBrokerCertStartTime = kafkaBrokerCert.getNotBefore();
final Date changedKafkaBrokerCertEndTime = kafkaBrokerCert.getNotAfter();
// Check renewed Zookeeper certificate dates
zkCertCreationSecret = kubeClient(ts.getNamespaceName()).getSecret(ts.getNamespaceName(), ts.getClusterName() + "-zookeeper-nodes");
zkBrokerCert = SecretUtils.getCertificateFromSecret(zkCertCreationSecret, ts.getClusterName() + "-zookeeper-0.crt");
final Date changedZkCertStartTime = zkBrokerCert.getNotBefore();
final Date changedZkCertEndTime = zkBrokerCert.getNotAfter();
LOGGER.info("Initial ClusterCA cert dates: " + initialCertStartTime + " --> " + initialCertEndTime);
LOGGER.info("Changed ClusterCA cert dates: " + changedCertStartTime + " --> " + changedCertEndTime);
LOGGER.info("KafkaBroker cert creation dates: " + initialKafkaBrokerCertStartTime + " --> " + initialKafkaBrokerCertEndTime);
LOGGER.info("KafkaBroker cert changed dates: " + changedKafkaBrokerCertStartTime + " --> " + changedKafkaBrokerCertEndTime);
LOGGER.info("Zookeeper cert creation dates: " + initialZkCertStartTime + " --> " + initialZkCertEndTime);
LOGGER.info("Zookeeper cert changed dates: " + changedZkCertStartTime + " --> " + changedZkCertEndTime);
assertThat("ClusterCA cert should not have changed.", initialCertEndTime.compareTo(changedCertEndTime) == 0);
assertThat("Broker certificates start dates have not been renewed.", initialKafkaBrokerCertStartTime.compareTo(changedKafkaBrokerCertStartTime) < 0);
assertThat("Broker certificates end dates have not been renewed.", initialKafkaBrokerCertEndTime.compareTo(changedKafkaBrokerCertEndTime) < 0);
assertThat("Zookeeper certificates start dates have not been renewed.", initialZkCertStartTime.compareTo(changedZkCertStartTime) < 0);
assertThat("Zookeeper certificates end dates have not been renewed.", initialZkCertEndTime.compareTo(changedZkCertEndTime) < 0);
}
Also used :
Secret(io.fabric8.kubernetes.api.model.Secret)
TestStorage(io.strimzi.systemtest.storage.TestStorage)
CertificateAuthority(io.strimzi.api.kafka.model.CertificateAuthority)
SystemTestCertHolder(io.strimzi.systemtest.security.SystemTestCertHolder)
X509Certificate(java.security.cert.X509Certificate)
Date(java.util.Date)
ParallelNamespaceTest(io.strimzi.systemtest.annotations.ParallelNamespaceTest)
Aggregations
TestStorage (io.strimzi.systemtest.storage.TestStorage)210
KafkaClientsBuilder (io.strimzi.systemtest.kafkaclients.internalClients.KafkaClientsBuilder)152
ParallelNamespaceTest (io.strimzi.systemtest.annotations.ParallelNamespaceTest)150
KafkaClients (io.strimzi.systemtest.kafkaclients.internalClients.KafkaClients)150
Tag (org.junit.jupiter.api.Tag)128
KRaftNotSupported (io.strimzi.systemtest.annotations.KRaftNotSupported)94
GenericKafkaListenerBuilder (io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListenerBuilder)72
Matchers.containsString (org.hamcrest.Matchers.containsString)70
HashMap (java.util.HashMap)54
Secret (io.fabric8.kubernetes.api.model.Secret)46
CoreMatchers.containsString (org.hamcrest.CoreMatchers.containsString)46
Map (java.util.Map)34
KafkaResources (io.strimzi.api.kafka.model.KafkaResources)32
AbstractST (io.strimzi.systemtest.AbstractST)32
Constants (io.strimzi.systemtest.Constants)32
REGRESSION (io.strimzi.systemtest.Constants.REGRESSION)32
Environment (io.strimzi.systemtest.Environment)32
KafkaTemplates (io.strimzi.systemtest.templates.crd.KafkaTemplates)32
KafkaTopicTemplates (io.strimzi.systemtest.templates.crd.KafkaTopicTemplates)32
ClientUtils (io.strimzi.systemtest.utils.ClientUtils)32
