Address review comments from Paolo

tinaselenge · tinaselenge · commit ff98a7eb87cf · 2025-06-17T09:50:12.000+01:00
Signed-off-by: Gantigmaa Selenge &lt;tina.selenge@gmail.com&gt;
diff --git a/cluster-operator/src/main/java/io/strimzi/operator/cluster/operator/assembly/KafkaReconciler.java b/cluster-operator/src/main/java/io/strimzi/operator/cluster/operator/assembly/KafkaReconciler.java
@@ -874,7 +874,6 @@ protected Future<Void> authzTrustedCertsSecret() {
         Set<String> secretsToCopy = new HashSet<>();
         List<Integer> certHashes = new ArrayList<>();
 
-        // opa is deprecated?
         if (kafka.getAuthorization() instanceof KafkaAuthorizationOpa opaAuthz && opaAuthz.getTlsTrustedCertificates() != null) {
             secretsToCopy.addAll(opaAuthz.getTlsTrustedCertificates().stream().map(CertSecretSource::getSecretName).toList());
         }
diff --git a/kafka-agent/src/main/java/io/strimzi/kafka/agent/KafkaAgent.java b/kafka-agent/src/main/java/io/strimzi/kafka/agent/KafkaAgent.java
@@ -263,8 +263,9 @@ private SslContextFactory.Server getSSLContextFactory() throws GeneralSecurityEx
         SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
         sslContextFactory.setTrustStore(KafkaAgentUtils.jksTrustStore(caCertSecret));
 
-        sslContextFactory.setKeyStore(KafkaAgentUtils.jksKeyStore(nodeCertSecret));
-        sslContextFactory.setKeyStorePassword("changeit");
+        String password = KafkaAgentUtils.generateRandomPassword();
+        sslContextFactory.setKeyStore(KafkaAgentUtils.jksKeyStore(nodeCertSecret, password.toCharArray()));
+        sslContextFactory.setKeyStorePassword(password);
         sslContextFactory.setNeedClientAuth(true);
         return  sslContextFactory;
     }
diff --git a/kafka-agent/src/main/java/io/strimzi/kafka/agent/KafkaAgentUtils.java b/kafka-agent/src/main/java/io/strimzi/kafka/agent/KafkaAgentUtils.java
@@ -13,6 +13,7 @@
 import java.security.KeyFactory;
 import java.security.KeyStore;
 import java.security.PrivateKey;
+import java.security.SecureRandom;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
@@ -59,7 +60,7 @@ static KeyStore jksTrustStore(Secret secret) throws GeneralSecurityException, IO
      * @throws GeneralSecurityException if something goes wrong when creating the truststore
      * @throws IOException if there is an I/O or format problem with the data used to load the truststore.
      */
-    static KeyStore jksKeyStore(Secret secret) throws GeneralSecurityException, IOException {
+    static KeyStore jksKeyStore(Secret secret, char[] password) throws GeneralSecurityException, IOException {
         String secretName = secret.getMetadata().getName();
         String strippedPrivateKey = new String(decodeBase64FieldFromSecret(secret, secretName + ".key"), StandardCharsets.US_ASCII)
                 .replace("-----BEGIN PRIVATE KEY-----", "")
@@ -73,10 +74,16 @@ static KeyStore jksKeyStore(Secret secret) throws GeneralSecurityException, IOEx
         X509Certificate certificateChain = x509Certificate(decodeBase64FieldFromSecret(secret, secretName + ".crt"));
         KeyStore nodeKeyStore = KeyStore.getInstance("JKS");
         nodeKeyStore.load(null);
-        nodeKeyStore.setKeyEntry(secret.getMetadata().getName(), key, "changeit".toCharArray(), new Certificate[]{certificateChain});
+        nodeKeyStore.setKeyEntry(secret.getMetadata().getName(), key, password, new Certificate[]{certificateChain});
         return nodeKeyStore;
     }
 
+    static String generateRandomPassword() {
+        byte[] random = new byte[24];
+        new SecureRandom().nextBytes(random);
+        return Base64.getUrlEncoder().withoutPadding().encodeToString(random).substring(0, 32);
+    }
+
     /**
      * Extract all public keys (all .crt records) from a secret.
      */

Original file line number	Diff line number	Diff line change
`@@ -874,7 +874,6 @@ protected Future<Void> authzTrustedCertsSecret() {`
`874`	`874`	`Set<String> secretsToCopy = new HashSet<>();`
`875`	`875`	`List<Integer> certHashes = new ArrayList<>();`
`876`	`876`
`877`		`- // opa is deprecated?`
`878`	`877`	`if (kafka.getAuthorization() instanceof KafkaAuthorizationOpa opaAuthz && opaAuthz.getTlsTrustedCertificates() != null) {`
`879`	`878`	`secretsToCopy.addAll(opaAuthz.getTlsTrustedCertificates().stream().map(CertSecretSource::getSecretName).toList());`
`880`	`879`	`}`