diff --git a/CHANGELOG.md b/CHANGELOG.md index 95ca965b70f..dd1f91902e9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -42,6 +42,8 @@ * Additional OAuth configuration options have been added for 'oauth' authentication on the listener and the client. On the listener `clientGrantType` has been added. On the client `grantType` has been added. +* Kafka nodes are now configured with PEM certificates instead of P12/JKS for keystore and truststore. + ### Major changes, deprecations and removals * Fix RBAC naming for `KafkaMirrorMaker2` to avoid `RoleBinding` collisions when a `KafkaConnect` with the same name exists in the same namespace. `KafkaMirrorMaker2` now uses dedicated `RoleBinding` names. diff --git a/api/src/main/java/io/strimzi/api/kafka/model/kafka/KafkaResources.java b/api/src/main/java/io/strimzi/api/kafka/model/kafka/KafkaResources.java index 19794af4e6b..50c135fe744 100644 --- a/api/src/main/java/io/strimzi/api/kafka/model/kafka/KafkaResources.java +++ b/api/src/main/java/io/strimzi/api/kafka/model/kafka/KafkaResources.java @@ -49,6 +49,17 @@ public static String clientsCaKeySecretName(String clusterName) { return clusterName + "-clients-ca"; } + /** + * Get the name of the Kafka role binding given the name of the {@code cluster}. + * + * @param clusterName The cluster name. + * + * @return The name of Kafka role binding. + */ + public static String kafkaRoleBindingName(String clusterName) { + return kafkaComponentName(clusterName) + "-role"; + } + //////// // Kafka methods //////// diff --git a/cluster-operator/src/main/java/io/strimzi/operator/cluster/model/KafkaBrokerConfigurationBuilder.java b/cluster-operator/src/main/java/io/strimzi/operator/cluster/model/KafkaBrokerConfigurationBuilder.java index fef6817fe93..2ca2aa3c876 100644 --- a/cluster-operator/src/main/java/io/strimzi/operator/cluster/model/KafkaBrokerConfigurationBuilder.java +++ b/cluster-operator/src/main/java/io/strimzi/operator/cluster/model/KafkaBrokerConfigurationBuilder.java 
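Review bot: kafkaRoleBindingName has no companion for the Role it binds to, so the Role's name is derived from componentName separately in KafkaCluster.generateRole, in its RoleRef and in KafkaReconciler.kafkaRole (as far as this diff shows). Adding `public static String kafkaRoleName(String clusterName) { return kafkaComponentName(clusterName); }` next to it, with a matching Javadoc, would keep the Role and RoleBinding names defined in one place and make the relationship between the two objects visible from the API module. The `-role` suffix on a RoleBinding name reads oddly on its own; if it was chosen to avoid a clash with another binding named after the component, a sentence in the Javadoc saying so would help.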
@@ -64,6 +64,8 @@ public class KafkaBrokerConfigurationBuilder { private final static String REPLICATION_LISTENER_NAME = "REPLICATION-9091"; // Names of environment variables expanded through config providers inside the Kafka node private final static String PLACEHOLDER_CERT_STORE_PASSWORD_CONFIG_PROVIDER_ENV_VAR = "${strimzienv:CERTS_STORE_PASSWORD}"; + // the secrets file template: /: + private static final String PLACEHOLDER_SECRET_TEMPLATE_KUBE_CONFIG_PROVIDER = "${strimzisecrets:%s/%s:%s}"; private final static String PLACEHOLDER_OAUTH_CLIENT_SECRET_TEMPLATE_CONFIG_PROVIDER_ENV_VAR = "${strimzienv:STRIMZI_%s_OAUTH_CLIENT_SECRET}"; private final StringWriter stringWriter = new StringWriter(); 
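Review bot: The comment on the new PLACEHOLDER_SECRET_TEMPLATE_KUBE_CONFIG_PROVIDER constant reads `// the secrets file template: /:` and no longer explains the format (the placeholders look like they were lost as angle-bracketed text), so a reader has to reverse-engineer the three `%s` from the call sites. Suggest `// Reference resolved by the strimzisecrets config provider: ${strimzisecrets:<namespace>/<secret name>:<key>}`, adding that the key appears to accept a glob such as `*.crt`, since that is how the truststore references later in this file use it. The constant is declared `private static final` while its neighbours use `private final static`; either order is legal but mixing them in one block is a nit. Every visible use of PLACEHOLDER_CERT_STORE_PASSWORD_CONFIG_PROVIDER_ENV_VAR in this file is removed by this change; if no use remains outside the shown hunks, the constant and the CERTS_STORE_PASSWORD expansion it names can go as well.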
@@ -114,12 +116,11 @@ public KafkaBrokerConfigurationBuilder withCruiseControl(String clusterName, Cru // to the pods behind the bootstrap one when they are not ready during startup. writer.println(CruiseControlConfigurationParameters.METRICS_REPORTER_BOOTSTRAP_SERVERS + "=" + KafkaResources.brokersServiceName(clusterName) + ":9091"); writer.println(CruiseControlConfigurationParameters.METRICS_REPORTER_SECURITY_PROTOCOL + "=SSL"); - writer.println(CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_KEYSTORE_TYPE + "=PKCS12"); - writer.println(CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_KEYSTORE_LOCATION + "=/tmp/kafka/cluster.keystore.p12"); - writer.println(CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_KEYSTORE_PASSWORD + "=" + PLACEHOLDER_CERT_STORE_PASSWORD_CONFIG_PROVIDER_ENV_VAR); - writer.println(CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_TRUSTSTORE_TYPE + "=PKCS12"); - writer.println(CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_TRUSTSTORE_LOCATION + "=/tmp/kafka/cluster.truststore.p12"); - writer.println(CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_TRUSTSTORE_PASSWORD + "=" + PLACEHOLDER_CERT_STORE_PASSWORD_CONFIG_PROVIDER_ENV_VAR); + writer.println(CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_KEYSTORE_TYPE + "=PEM"); + writer.println(CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_KEYSTORE_CERTIFICATE_CHAIN + "=" + String.format(PLACEHOLDER_SECRET_TEMPLATE_KUBE_CONFIG_PROVIDER, reconciliation.namespace(), node.podName(), node.podName() + ".crt")); + writer.println(CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_KEYSTORE_KEY + "=" + String.format(PLACEHOLDER_SECRET_TEMPLATE_KUBE_CONFIG_PROVIDER, reconciliation.namespace(), node.podName(), node.podName() + ".key")); + writer.println(CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_TRUSTSTORE_TYPE + "=PEM"); + 
writer.println(CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_TRUSTSTORE_CERTIFICATES + "=" + String.format(PLACEHOLDER_SECRET_TEMPLATE_KUBE_CONFIG_PROVIDER, reconciliation.namespace(), AbstractModel.clusterCaCertSecretName(clusterName), "*.crt")); writer.println(CruiseControlConfigurationParameters.METRICS_TOPIC_AUTO_CREATE + "=true"); if (ccMetricsReporter.numPartitions() != null) { @@ -219,7 +220,6 @@ public KafkaBrokerConfigurationBuilder withKRaft(String clusterName, String name * generate the per-broker configuration which uses actual broker IDs and addresses instead of just placeholders. * * @param clusterName Name of the cluster (important for the advertised hostnames) - * @param kafkaVersion Kafka version of the cluster * @param namespace Namespace (important for generating the advertised hostname) * @param kafkaListeners The listeners configuration from the Kafka CR * @param advertisedHostnameProvider Lambda method which provides the advertised hostname for given listener and @@ -230,7 +230,6 @@ public KafkaBrokerConfigurationBuilder withKRaft(String clusterName, String name */ public KafkaBrokerConfigurationBuilder withListeners( String clusterName, - KafkaVersion kafkaVersion, String namespace, List kafkaListeners, Function advertisedHostnameProvider, @@ -247,7 +246,7 @@ public KafkaBrokerConfigurationBuilder withListeners( // Control plane listener is configured for all nodes. Even brokers need to connect and talk to controllers, so // they need to know what is the security protocol and security configuration securityProtocol.add(CONTROL_PLANE_LISTENER_NAME + ":SSL"); - configureControlPlaneListener(); + configureControlPlaneListener(clusterName); //////////////////// // Listeners for nodes with controller role 
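Review bot: The `String.format(PLACEHOLDER_SECRET_TEMPLATE_KUBE_CONFIG_PROVIDER, reconciliation.namespace(), node.podName(), node.podName() + ".crt")` expression and its `.key` and cluster-CA `*.crt` twins are written out in full here in withCruiseControl and again in withTieredStorage and configureQuotasPluginStrimzi (later hunks of this file), with the clients-CA variant in configureAuthentication. A private helper such as `private String secretReference(String secretName, String key) { return String.format(PLACEHOLDER_SECRET_TEMPLATE_KUBE_CONFIG_PROVIDER, reconciliation.namespace(), secretName, key); }` with small `nodeCertificateChainReference()` / `nodeKeyReference()` wrappers would make the four sites identical by construction and leave one place to change if the Secret layout changes. The node keystore references on these lines rely on the per-node Secret being named exactly `node.podName()` and carrying `<pod>.crt` / `<pod>.key` entries, which this builder cannot check; a short comment naming where that layout is produced would help the next reader. withCruiseControl starts before this hunk.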
@@ -275,7 +274,7 @@ public KafkaBrokerConfigurationBuilder withListeners( // Pod name constructed to be templatable for each individual ordinal DnsNameGenerator.podDnsNameWithoutClusterDomain(namespace, KafkaResources.brokersServiceName(clusterName), node.podName()) )); - configureReplicationListener(); + configureReplicationListener(clusterName); // User-configured listeners for (GenericKafkaListener listener : kafkaListeners) { @@ -287,7 +286,7 @@ public KafkaBrokerConfigurationBuilder withListeners( listeners.add(listenerName + "://0.0.0.0:" + port); advertisedListeners.add(String.format("%s://%s:%s", listenerName, advertisedHostnameProvider.apply(envVarListenerName), advertisedPortProvider.apply(envVarListenerName))); - configureAuthentication(listenerName, securityProtocol, listener.isTls(), listener.getAuth()); + configureAuthentication(listenerName, securityProtocol, listener.isTls(), listener.getAuth(), clusterName); configureListener(listenerName, listener.getConfiguration()); if (listener.isTls()) { @@ -346,18 +345,18 @@ private void configureOAuthPrincipalBuilderIfNeeded(PrintWriter writer, List securityProtocol, boolean tls, KafkaListenerAuthentication auth) { + private void configureAuthentication(String listenerName, List securityProtocol, boolean tls, KafkaListenerAuthentication auth, String clusterName) { final String listenerNameInProperty = listenerName.toLowerCase(Locale.ENGLISH); final String listenerNameInEnvVar = listenerName.replace("-", "_"); 
@@ -487,9 +488,8 @@ private void configureAuthentication(String listenerName, List securityP securityProtocol.add(String.format("%s:%s", listenerName, getSecurityProtocol(tls, false))); writer.println(String.format("listener.name.%s.ssl.client.auth=required", listenerNameInProperty)); - writer.println(String.format("listener.name.%s.ssl.truststore.location=/tmp/kafka/clients.truststore.p12", listenerNameInProperty)); - writer.println(String.format("listener.name.%s.ssl.truststore.password=%s", listenerNameInProperty, PLACEHOLDER_CERT_STORE_PASSWORD_CONFIG_PROVIDER_ENV_VAR)); - writer.println(String.format("listener.name.%s.ssl.truststore.type=PKCS12", listenerNameInProperty)); + writer.println(String.format("listener.name.%s.ssl.truststore.certificates=%s", listenerNameInProperty, String.format(PLACEHOLDER_SECRET_TEMPLATE_KUBE_CONFIG_PROVIDER, reconciliation.namespace(), KafkaResources.clientsCaCertificateSecretName(clusterName), "*.crt"))); + writer.println(String.format("listener.name.%s.ssl.truststore.type=PEM", listenerNameInProperty)); writer.println(); } else if (auth instanceof KafkaListenerAuthenticationCustom customAuth) { securityProtocol.add(String.format("%s:%s", listenerName, getSecurityProtocol(tls, customAuth.isSasl()))); @@ -783,6 +783,7 @@ private void printConfigProviders(KafkaConfiguration userConfig) { writer.println("config.providers.strimzienv.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider"); writer.println("config.providers.strimzienv.param.allowlist.pattern=.*"); + writer.println("config.providers.strimzisecrets.class=io.strimzi.kafka.KubernetesSecretConfigProvider"); if (node.broker()) { // File and Directory providers are used only on broker nodes 
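Review bot: The truststore reference added here for TLS client authentication only works if the Role generated for the cluster grants `get` on the clients-CA certificate Secret, and that grant is made in KafkaCluster.generateRole under a separate `listener.getAuth() instanceof KafkaListenerAuthenticationTls` check; the two predicates must stay in step, otherwise the node presumably fails to resolve `${strimzisecrets:...}` at startup rather than the operator failing at reconciliation. A one-line comment on the `ssl.truststore.certificates` line, `// requires the clients-CA cert Secret to be listed in the Kafka Role (see KafkaCluster.generateRole)`, would make the coupling visible from this side. The enclosing configureAuthentication branch starts before this hunk, so I cannot see its condition; the `ssl.client.auth=required` line suggests it is the TLS-authentication branch. The `config.providers.strimzisecrets.class` line in the printConfigProviders hunk is emitted for every node, including controllers, which matches the control-plane listener now reading its certificates through the same provider.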
@@ -804,6 +805,7 @@ private void printConfigProviders(KafkaConfiguration userConfig) { private String getConfigProviderAliases(KafkaConfiguration userConfig) { Collection strimziAliases = new ArrayList<>(); strimziAliases.add("strimzienv"); + strimziAliases.add("strimzisecrets"); if (node.broker()) { // File and Directory providers are used only on broker nodes strimziAliases.add("strimzifile"); 
@@ -987,12 +989,11 @@ public KafkaBrokerConfigurationBuilder withTieredStorage(String clusterName, Tie writer.println("rlmm.config.remote.log.metadata.common.client.bootstrap.servers=" + clusterName + "-kafka-brokers:9091"); writer.println("rlmm.config.remote.log.metadata.common.client.security.protocol=SSL"); - writer.println("rlmm.config.remote.log.metadata.common.client.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12"); - writer.println("rlmm.config.remote.log.metadata.common.client.ssl.keystore.password=" + PLACEHOLDER_CERT_STORE_PASSWORD_CONFIG_PROVIDER_ENV_VAR); - writer.println("rlmm.config.remote.log.metadata.common.client.ssl.keystore.type=PKCS12"); - writer.println("rlmm.config.remote.log.metadata.common.client.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12"); - writer.println("rlmm.config.remote.log.metadata.common.client.ssl.truststore.password=" + PLACEHOLDER_CERT_STORE_PASSWORD_CONFIG_PROVIDER_ENV_VAR); - writer.println("rlmm.config.remote.log.metadata.common.client.ssl.truststore.type=PKCS12"); + writer.println("rlmm.config.remote.log.metadata.common.client.ssl.keystore.certificate.chain=" + String.format(PLACEHOLDER_SECRET_TEMPLATE_KUBE_CONFIG_PROVIDER, reconciliation.namespace(), node.podName(), node.podName() + ".crt")); + writer.println("rlmm.config.remote.log.metadata.common.client.ssl.keystore.key=" + String.format(PLACEHOLDER_SECRET_TEMPLATE_KUBE_CONFIG_PROVIDER, reconciliation.namespace(), node.podName(), node.podName() + ".key")); + writer.println("rlmm.config.remote.log.metadata.common.client.ssl.keystore.type=PEM"); + writer.println("rlmm.config.remote.log.metadata.common.client.ssl.truststore.certificates=" + String.format(PLACEHOLDER_SECRET_TEMPLATE_KUBE_CONFIG_PROVIDER, reconciliation.namespace(), AbstractModel.clusterCaCertSecretName(clusterName), "*.crt")); + writer.println("rlmm.config.remote.log.metadata.common.client.ssl.truststore.type=PEM"); writer.println("# RSM configs set by the operator and by the user"); 
@@ -1050,12 +1051,11 @@ private void configureQuotasPluginStrimzi(String clusterName, QuotasPluginStrimz // configuration of Admin client that will check the cluster writer.println("client.quota.callback.static.kafka.admin.bootstrap.servers=" + KafkaResources.brokersServiceName(clusterName) + ":9091"); writer.println("client.quota.callback.static.kafka.admin.security.protocol=SSL"); - writer.println("client.quota.callback.static.kafka.admin.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12"); - writer.println("client.quota.callback.static.kafka.admin.ssl.keystore.password=" + PLACEHOLDER_CERT_STORE_PASSWORD_CONFIG_PROVIDER_ENV_VAR); - writer.println("client.quota.callback.static.kafka.admin.ssl.keystore.type=PKCS12"); - writer.println("client.quota.callback.static.kafka.admin.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12"); - writer.println("client.quota.callback.static.kafka.admin.ssl.truststore.password=" + PLACEHOLDER_CERT_STORE_PASSWORD_CONFIG_PROVIDER_ENV_VAR); - writer.println("client.quota.callback.static.kafka.admin.ssl.truststore.type=PKCS12"); + writer.println("client.quota.callback.static.kafka.admin.ssl.keystore.certificate.chain=" + String.format(PLACEHOLDER_SECRET_TEMPLATE_KUBE_CONFIG_PROVIDER, reconciliation.namespace(), node.podName(), node.podName() + ".crt")); + writer.println("client.quota.callback.static.kafka.admin.ssl.keystore.key=" + String.format(PLACEHOLDER_SECRET_TEMPLATE_KUBE_CONFIG_PROVIDER, reconciliation.namespace(), node.podName(), node.podName() + ".key")); + writer.println("client.quota.callback.static.kafka.admin.ssl.keystore.type=PEM"); + writer.println("client.quota.callback.static.kafka.admin.ssl.truststore.certificates=" + String.format(PLACEHOLDER_SECRET_TEMPLATE_KUBE_CONFIG_PROVIDER, reconciliation.namespace(), AbstractModel.clusterCaCertSecretName(clusterName), "*.crt")); + writer.println("client.quota.callback.static.kafka.admin.ssl.truststore.type=PEM"); // configuration of user specified settings 
addOptionIfNotNull(writer, "client.quota.callback.static.produce", quotasPluginStrimzi.getProducerByteRate()); diff --git a/cluster-operator/src/main/java/io/strimzi/operator/cluster/model/KafkaCluster.java b/cluster-operator/src/main/java/io/strimzi/operator/cluster/model/KafkaCluster.java index 422e9e0c2a4..b4b44c906b7 100644 --- a/cluster-operator/src/main/java/io/strimzi/operator/cluster/model/KafkaCluster.java +++ b/cluster-operator/src/main/java/io/strimzi/operator/cluster/model/KafkaCluster.java @@ -32,13 +32,16 @@ import io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyPeer; import io.fabric8.kubernetes.api.model.policy.v1.PodDisruptionBudget; import io.fabric8.kubernetes.api.model.rbac.ClusterRoleBinding; +import io.fabric8.kubernetes.api.model.rbac.PolicyRule; +import io.fabric8.kubernetes.api.model.rbac.PolicyRuleBuilder; +import io.fabric8.kubernetes.api.model.rbac.Role; +import io.fabric8.kubernetes.api.model.rbac.RoleBinding; import io.fabric8.kubernetes.api.model.rbac.RoleRef; import io.fabric8.kubernetes.api.model.rbac.RoleRefBuilder; import io.fabric8.kubernetes.api.model.rbac.Subject; import io.fabric8.kubernetes.api.model.rbac.SubjectBuilder; import io.fabric8.openshift.api.model.Route; import io.fabric8.openshift.api.model.RouteBuilder; -import io.strimzi.api.kafka.model.common.CertAndKeySecretSource; import io.strimzi.api.kafka.model.common.Condition; import io.strimzi.api.kafka.model.common.Rack; import io.strimzi.api.kafka.model.common.metrics.JmxPrometheusExporterMetrics; 
@@ -63,6 +66,7 @@ import io.strimzi.api.kafka.model.kafka.listener.GenericKafkaListener; import io.strimzi.api.kafka.model.kafka.listener.KafkaListenerAuthenticationCustom; import io.strimzi.api.kafka.model.kafka.listener.KafkaListenerAuthenticationOAuth; +import io.strimzi.api.kafka.model.kafka.listener.KafkaListenerAuthenticationTls; import io.strimzi.api.kafka.model.kafka.listener.KafkaListenerType; import io.strimzi.api.kafka.model.kafka.quotas.QuotasPlugin; import io.strimzi.api.kafka.model.kafka.quotas.QuotasPluginStrimzi; @@ -97,6 +101,7 @@ import java.util.ArrayList; import java.util.Collections; import java.util.HashMap; +import java.util.HashSet; import java.util.LinkedHashSet; import java.util.List; import java.util.Map; @@ -142,6 +147,7 @@ public class KafkaCluster extends AbstractModel implements SupportsMetrics, Supp protected static final String ENV_VAR_KAFKA_INIT_EXTERNAL_ADDRESS = "EXTERNAL_ADDRESS"; private static final String ENV_VAR_KAFKA_JMX_EXPORTER_ENABLED = "KAFKA_JMX_EXPORTER_ENABLED"; + private static final String ENV_VAR_KAFKA_CLUSTER_NAME = "KAFKA_CLUSTER_NAME"; private static final String ENV_VAR_STRIMZI_OPA_AUTHZ_TRUSTED_CERTS = "STRIMZI_OPA_AUTHZ_TRUSTED_CERTS"; private static final String ENV_VAR_STRIMZI_KEYCLOAK_AUTHZ_TRUSTED_CERTS = "STRIMZI_KEYCLOAK_AUTHZ_TRUSTED_CERTS"; 
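Review bot: The new ENV_VAR_KAFKA_CLUSTER_NAME constant in the third hunk here has no comment saying who reads KAFKA_CLUSTER_NAME, and its only other appearance in this diff is the createEnvVar call in getEnvVars (the hunk at -1626). Nothing in the shown Java reads it, so it is presumably consumed by the container scripts or by the secrets config provider; a comment such as `// Exposed to the container for [consumer - confirm]; not read by the operator itself` would save the next maintainer the search. If the consumer lives outside this repository, the Javadoc of getEnvVars is the right place to record that contract.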
@@ -172,12 +178,6 @@ public class KafkaCluster extends AbstractModel implements SupportsMetrics, Supp public static final int INGRESS_PORT = 443; protected static final String KAFKA_NAME = "kafka"; - protected static final String CLUSTER_CA_CERTS_VOLUME = "cluster-ca"; - protected static final String BROKER_CERTS_VOLUME = "broker-certs"; - protected static final String CLIENT_CA_CERTS_VOLUME = "client-ca-cert"; - protected static final String CLUSTER_CA_CERTS_VOLUME_MOUNT = "/opt/kafka/cluster-ca-certs"; - protected static final String BROKER_CERTS_VOLUME_MOUNT = "/opt/kafka/broker-certs"; - protected static final String CLIENT_CA_CERTS_VOLUME_MOUNT = "/opt/kafka/client-ca-certs"; protected static final String TRUSTED_CERTS_BASE_VOLUME_MOUNT = "/opt/kafka/certificates"; protected static final String CUSTOM_AUTHN_SECRETS_VOLUME_MOUNT = "/opt/kafka/custom-authn-secrets"; private static final String LOG_AND_METRICS_CONFIG_VOLUME_NAME = "kafka-metrics-and-logging"; @@ -1368,9 +1368,6 @@ private List getNonDataVolumes(boolean isOpenShift, NodeRef node, PodTem List volumeList = new ArrayList<>(); volumeList.add(VolumeUtils.createTempDirVolume(templatePod)); - volumeList.add(VolumeUtils.createSecretVolume(CLUSTER_CA_CERTS_VOLUME, AbstractModel.clusterCaCertSecretName(cluster), isOpenShift)); - volumeList.add(VolumeUtils.createSecretVolume(BROKER_CERTS_VOLUME, node.podName(), isOpenShift)); - volumeList.add(VolumeUtils.createSecretVolume(CLIENT_CA_CERTS_VOLUME, KafkaResources.clientsCaCertificateSecretName(cluster), isOpenShift)); volumeList.add(VolumeUtils.createConfigMapVolume(LOG_AND_METRICS_CONFIG_VOLUME_NAME, node.podName())); volumeList.add(VolumeUtils.createEmptyDirVolume("ready-files", "1Ki", "Memory")); 
@@ -1383,25 +1380,6 @@ private List getNonDataVolumes(boolean isOpenShift, NodeRef node, PodTem // Listener specific volumes related to their specific authentication or encryption settings for (GenericKafkaListener listener : listeners) { - if (listener.isTls() - && listener.getConfiguration() != null - && listener.getConfiguration().getBrokerCertChainAndKey() != null) { - CertAndKeySecretSource secretSource = listener.getConfiguration().getBrokerCertChainAndKey(); - - Map items = new HashMap<>(2); - items.put(secretSource.getKey(), "tls.key"); - items.put(secretSource.getCertificate(), "tls.crt"); - - volumeList.add( - VolumeUtils.createSecretVolume( - "custom-" + ListenersUtils.identifier(listener) + "-certs", - secretSource.getSecretName(), - items, - isOpenShift - ) - ); - } - if (ListenersUtils.isListenerWithOAuth(listener)) { KafkaListenerAuthenticationOAuth oauth = (KafkaListenerAuthenticationOAuth) listener.getAuth(); CertUtils.createTrustedCertificatesVolumes(volumeList, oauth.getTlsTrustedCertificates(), isOpenShift, "oauth-" + ListenersUtils.identifier(listener)); @@ -1460,9 +1438,6 @@ private List getPodSetVolumes(NodeRef node, Storage storage, PodTemplate private List getVolumeMounts(Storage storage, ContainerTemplate containerTemplate, boolean isBroker) { List volumeMountList = new ArrayList<>(VolumeUtils.createVolumeMounts(storage, false)); volumeMountList.add(VolumeUtils.createTempDirVolumeMount()); - volumeMountList.add(VolumeUtils.createVolumeMount(CLUSTER_CA_CERTS_VOLUME, CLUSTER_CA_CERTS_VOLUME_MOUNT)); - volumeMountList.add(VolumeUtils.createVolumeMount(BROKER_CERTS_VOLUME, BROKER_CERTS_VOLUME_MOUNT)); - volumeMountList.add(VolumeUtils.createVolumeMount(CLIENT_CA_CERTS_VOLUME, CLIENT_CA_CERTS_VOLUME_MOUNT)); volumeMountList.add(VolumeUtils.createVolumeMount(LOG_AND_METRICS_CONFIG_VOLUME_NAME, LOG_AND_METRICS_CONFIG_VOLUME_MOUNT)); volumeMountList.add(VolumeUtils.createVolumeMount("ready-files", "/var/opt/kafka")); 
@@ -1477,12 +1452,6 @@ private List getVolumeMounts(Storage storage, ContainerTemplate con for (GenericKafkaListener listener : listeners) { String identifier = ListenersUtils.identifier(listener); - if (listener.isTls() - && listener.getConfiguration() != null - && listener.getConfiguration().getBrokerCertChainAndKey() != null) { - volumeMountList.add(VolumeUtils.createVolumeMount("custom-" + identifier + "-certs", "/opt/kafka/certificates/custom-" + identifier + "-certs")); - } - if (ListenersUtils.isListenerWithOAuth(listener)) { KafkaListenerAuthenticationOAuth oauth = (KafkaListenerAuthenticationOAuth) listener.getAuth(); CertUtils.createTrustedCertificatesVolumeMounts(volumeMountList, oauth.getTlsTrustedCertificates(), TRUSTED_CERTS_BASE_VOLUME_MOUNT + "/oauth-" + identifier + "-certs/", "oauth-" + identifier); @@ -1626,6 +1595,7 @@ private List getEnvVars(KafkaPool pool) { varList.add(ContainerUtils.createEnvVar(ENV_VAR_KAFKA_JMX_EXPORTER_ENABLED, String.valueOf(metrics instanceof JmxPrometheusExporterModel))); varList.add(ContainerUtils.createEnvVar(ENV_VAR_STRIMZI_KAFKA_GC_LOG_ENABLED, String.valueOf(pool.gcLoggingEnabled))); + varList.add(ContainerUtils.createEnvVar(ENV_VAR_KAFKA_CLUSTER_NAME, cluster)); JvmOptionUtils.heapOptions(varList, 50, 5L * 1024L * 1024L * 1024L, pool.jvmOptions, pool.resources); JvmOptionUtils.jvmPerformanceOptions(varList, pool.jvmOptions); 
@@ -1699,6 +1669,61 @@ public ClusterRoleBinding generateClusterRoleBinding(String assemblyNamespace) { } } + /** + * Creates a Role for reading TLS certificate secrets in the same namespace as the resource. + * This is used for loading certificates from secrets directly. + ** + * @return role for the Kafka Cluster + */ + public Role generateRole() { + Set certSecretNames = new HashSet<>(); + certSecretNames.add(KafkaResources.clusterCaCertificateSecretName(cluster)); + certSecretNames.addAll(nodes().stream().map(NodeRef::podName).toList()); + + for (GenericKafkaListener listener : listeners) { + if (listener.isTls()) { + if (listener.getConfiguration() != null && listener.getConfiguration().getBrokerCertChainAndKey() != null) { + certSecretNames.add(listener.getConfiguration().getBrokerCertChainAndKey().getSecretName()); + } + } + + if (listener.getAuth() instanceof KafkaListenerAuthenticationTls) { + certSecretNames.add(KafkaResources.clientsCaCertificateSecretName(cluster)); + } + } + + List rules = List.of(new PolicyRuleBuilder() + .withApiGroups("") + .withResources("secrets") + .withVerbs("get") + .withResourceNames(certSecretNames.stream().toList()) + .build()); + + return RbacUtils.createRole(componentName, namespace, rules, labels, ownerReference, null); + } + + /** + * Generates the Kafka Cluster Role Binding + * + * @return Role Binding for the Kafka Cluster + */ + public RoleBinding generateRoleBindingForRole() { + Subject subject = new SubjectBuilder() + .withKind("ServiceAccount") + .withName(componentName) + .withNamespace(namespace) + .build(); + + RoleRef roleRef = new RoleRefBuilder() + .withName(componentName) + .withApiGroup("rbac.authorization.k8s.io") + .withKind("Role") + .build(); + + return RbacUtils + .createRoleBinding(KafkaResources.kafkaRoleBindingName(cluster), namespace, roleRef, List.of(subject), labels, ownerReference, null); + } + /** * Generates the NetworkPolicies relevant for Kafka brokers * 
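Review bot: generateRole changes the trust boundary for the broker pods and its Javadoc should say so: the Kafka ServiceAccount, shared by every node per generateRoleBindingForRole, now gets API-level `get` on the private-key Secret of every node in the cluster and on any user-supplied brokerCertChainAndKey Secret, whereas with the removed volume mounts a pod only ever saw its own key. That is inherent to a shared ServiceAccount and the rule is correctly limited to `get` with resourceNames (list and watch cannot be scoped by name), but a reader of this method should be told that any process in a broker container can read its peers' keys through the API, so the Javadoc is where to record that the mitigation is the resourceNames list, not the namespace. Two smaller points: the Javadoc has a stray `**` line before `@return`, and `certSecretNames` is a HashSet, so the order of resourceNames in the generated Role is not stable; `LinkedHashSet`, already imported in this file, keeps insertion order and makes the comparison against the live Role deterministic. The cluster-CA Secret name comes from `KafkaResources.clusterCaCertificateSecretName(cluster)` here but from `AbstractModel.clusterCaCertSecretName(clusterName)` in KafkaBrokerConfigurationBuilder; if they return the same value, using one accessor in both places avoids a silent divergence.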
@@ -1828,7 +1853,6 @@ private String generatePerBrokerConfiguration(NodeRef node, KafkaPool pool, Map< .withKRaftMetadataLogDir(VolumeUtils.kraftMetadataPath(pool.storage)) .withLogDirs(VolumeUtils.createVolumeMounts(pool.storage, false)) .withListeners(cluster, - kafkaVersion, namespace, listeners, listenerId -> advertisedHostnames.get(node.nodeId()).get(listenerId), @@ -1896,6 +1920,18 @@ public List generatePerBrokerConfigurationConfigMaps(MetricsAndLoggin return configMaps; } + /** + * Generates a Secret with the given name and data in Kafka Cluster's namespace + * + * @param secretData Secret data + * @param secretName Secret name + * + * @return Secret that is generated + */ + public Secret generateSecret(Map secretData, String secretName) { + return ModelUtils.createSecret(secretName, namespace, labels, ownerReference, secretData, Map.of(), Map.of()); + } + /** * @return Kafka version */ diff --git a/cluster-operator/src/main/java/io/strimzi/operator/cluster/operator/assembly/KafkaReconciler.java b/cluster-operator/src/main/java/io/strimzi/operator/cluster/operator/assembly/KafkaReconciler.java index 2d16db8e23d..7fa88ed7220 100644 --- a/cluster-operator/src/main/java/io/strimzi/operator/cluster/operator/assembly/KafkaReconciler.java +++ b/cluster-operator/src/main/java/io/strimzi/operator/cluster/operator/assembly/KafkaReconciler.java 
@@ -59,6 +59,8 @@ import io.strimzi.operator.cluster.operator.resource.kubernetes.PodDisruptionBudgetOperator; import io.strimzi.operator.cluster.operator.resource.kubernetes.PodOperator; import io.strimzi.operator.cluster.operator.resource.kubernetes.PvcOperator; +import io.strimzi.operator.cluster.operator.resource.kubernetes.RoleBindingOperator; +import io.strimzi.operator.cluster.operator.resource.kubernetes.RoleOperator; import io.strimzi.operator.cluster.operator.resource.kubernetes.RouteOperator; import io.strimzi.operator.cluster.operator.resource.kubernetes.SecretOperator; import io.strimzi.operator.cluster.operator.resource.kubernetes.ServiceAccountOperator; @@ -143,6 +145,8 @@ public class KafkaReconciler { private final PodDisruptionBudgetOperator podDisruptionBudgetOperator; private final PodOperator podOperator; private final ClusterRoleBindingOperator clusterRoleBindingOperator; + private final RoleOperator roleOperator; + private final RoleBindingOperator roleBindingOperator; private final RouteOperator routeOperator; private final IngressOperator ingressOperator; private final NodeOperator nodeOperator; @@ -218,6 +222,8 @@ public KafkaReconciler( this.podDisruptionBudgetOperator = supplier.podDisruptionBudgetOperator; this.podOperator = supplier.podOperations; this.clusterRoleBindingOperator = supplier.clusterRoleBindingOperator; + this.roleBindingOperator = supplier.roleBindingOperations; + this.roleOperator = supplier.roleOperations; this.routeOperator = supplier.routeOperations; this.ingressOperator = supplier.ingressOperations; this.nodeOperator = supplier.nodeOperator; @@ -248,6 +254,8 @@ public Future reconcile(KafkaStatus kafkaStatus, Clock clock) { .compose(i -> pvcs(kafkaStatus)) .compose(i -> serviceAccount()) .compose(i -> initClusterRoleBinding()) + .compose(i -> kafkaRole()) + .compose(i -> kafkaRoleBinding()) .compose(i -> scaleDown()) .compose(i -> updateNodePoolStatuses(kafkaStatus)) .compose(i -> listeners()) 
@@ -537,6 +545,40 @@ protected Future initClusterRoleBinding() { ).mapEmpty(); } + /** + * Manages the Kafka cluster role. When the desired Cluster Role Binding is null, and we get an RBAC error, + * we ignore it. This is to allow users to run the operator only inside a namespace when no features requiring + * Cluster Role are needed. + * + * @return Completes when the Cluster Role was successfully created or updated + */ + protected Future kafkaRole() { + return roleOperator + .reconcile( + reconciliation, + reconciliation.namespace(), + kafka.getComponentName(), + kafka.generateRole() + ).mapEmpty(); + } + + /** + * Manages the Kafka cluster role binding. When the desired Cluster Role Binding is null, and we get an RBAC error, + * we ignore it. This is to allow users to run the operator only inside a namespace when no features requiring + * Cluster Role Bindings are needed. + * + * @return Completes when the Cluster Role Binding was successfully created or updated + */ + protected Future kafkaRoleBinding() { + return roleBindingOperator + .reconcile( + reconciliation, + reconciliation.namespace(), + KafkaResources.kafkaRoleBindingName(reconciliation.name()), + kafka.generateRoleBindingForRole()) + .mapEmpty(); + } + /** * Scales down the Kafka cluster if needed. Kafka scale-down is done in one go. * @@ -878,7 +920,7 @@ private Future waitForNewNodes() { } /** - * Roles the Kafka brokers (if needed). + * Rolls the Kafka brokers (if needed). * * @param podSetDiffs Map with the PodSet reconciliation results * diff --git a/cluster-operator/src/test/java/io/strimzi/operator/cluster/model/KafkaBrokerConfigurationBuilderTest.java b/cluster-operator/src/test/java/io/strimzi/operator/cluster/model/KafkaBrokerConfigurationBuilderTest.java index 4ac17983082..4f7a8fa76cb 100644 --- a/cluster-operator/src/test/java/io/strimzi/operator/cluster/model/KafkaBrokerConfigurationBuilderTest.java 
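Review bot: The Javadoc on kafkaRole and kafkaRoleBinding is copied from initClusterRoleBinding and describes behaviour these methods do not have: neither accepts a null desired resource nor ignores RBAC errors, and both manage namespaced Role and RoleBinding objects rather than cluster-scoped ones, so the text about running the operator only inside a namespace is misleading here. Replace both with a short description stating that they reconcile the namespaced Role granting `get` on the certificate Secrets (kafkaRole) and the RoleBinding attaching it to the Kafka ServiceAccount (kafkaRoleBinding), ending with `@return Completes when the Role/RoleBinding was created or updated`. The names are also derived two different ways: the Role via `kafka.getComponentName()` and the binding via `KafkaResources.kafkaRoleBindingName(reconciliation.name())`, while KafkaCluster builds the same objects from `componentName` and `cluster`; if `reconciliation.name()` and `cluster` are not guaranteed equal, the reconciler would reconcile a different RoleBinding name than the one it generates. Both added methods are complete within this hunk.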
+++ b/cluster-operator/src/test/java/io/strimzi/operator/cluster/model/KafkaBrokerConfigurationBuilderTest.java @@ -169,12 +169,11 @@ public void testCruiseControl() { CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_ENDPOINT_ID_ALGO + "=HTTPS", CruiseControlConfigurationParameters.METRICS_REPORTER_BOOTSTRAP_SERVERS + "=my-cluster-kafka-brokers:9091", CruiseControlConfigurationParameters.METRICS_REPORTER_SECURITY_PROTOCOL + "=SSL", - CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_KEYSTORE_TYPE + "=PKCS12", - CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_KEYSTORE_LOCATION + "=/tmp/kafka/cluster.keystore.p12", - CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_KEYSTORE_PASSWORD + "=${strimzienv:CERTS_STORE_PASSWORD}", - CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_TRUSTSTORE_TYPE + "=PKCS12", - CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_TRUSTSTORE_LOCATION + "=/tmp/kafka/cluster.truststore.p12", - CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_TRUSTSTORE_PASSWORD + "=${strimzienv:CERTS_STORE_PASSWORD}", + CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_KEYSTORE_TYPE + "=PEM", + CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_KEYSTORE_CERTIFICATE_CHAIN + "=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_KEYSTORE_KEY + "=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_TRUSTSTORE_TYPE + "=PEM", + CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_TRUSTSTORE_CERTIFICATES + "=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", CruiseControlConfigurationParameters.METRICS_TOPIC_AUTO_CREATE + "=true", CruiseControlConfigurationParameters.METRICS_TOPIC_NUM_PARTITIONS + "=1", CruiseControlConfigurationParameters.METRICS_TOPIC_REPLICATION_FACTOR + "=1", 
@@ -202,12 +201,11 @@ public void testCruiseControlCustomMetricReporterTopic() { CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_ENDPOINT_ID_ALGO + "=HTTPS", CruiseControlConfigurationParameters.METRICS_REPORTER_BOOTSTRAP_SERVERS + "=my-cluster-kafka-brokers:9091", CruiseControlConfigurationParameters.METRICS_REPORTER_SECURITY_PROTOCOL + "=SSL", - CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_KEYSTORE_TYPE + "=PKCS12", - CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_KEYSTORE_LOCATION + "=/tmp/kafka/cluster.keystore.p12", - CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_KEYSTORE_PASSWORD + "=${strimzienv:CERTS_STORE_PASSWORD}", - CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_TRUSTSTORE_TYPE + "=PKCS12", - CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_TRUSTSTORE_LOCATION + "=/tmp/kafka/cluster.truststore.p12", - CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_TRUSTSTORE_PASSWORD + "=${strimzienv:CERTS_STORE_PASSWORD}", + CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_KEYSTORE_TYPE + "=PEM", + CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_KEYSTORE_CERTIFICATE_CHAIN + "=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_KEYSTORE_KEY + "=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_TRUSTSTORE_TYPE + "=PEM", + CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_TRUSTSTORE_CERTIFICATES + "=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", CruiseControlConfigurationParameters.METRICS_TOPIC_AUTO_CREATE + "=true", CruiseControlConfigurationParameters.METRICS_TOPIC_NUM_PARTITIONS + "=2", CruiseControlConfigurationParameters.METRICS_TOPIC_REPLICATION_FACTOR + "=3", 
@@ -493,13 +491,14 @@ public void testNullUserConfiguration() { .build(); assertThat(configuration, isEquivalent("node.id=2", - "config.providers=strimzienv,strimzifile,strimzidir", + "config.providers=strimzienv,strimzisecrets,strimzifile,strimzidir", "config.providers.strimzienv.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider", "config.providers.strimzienv.param.allowlist.pattern=.*", "config.providers.strimzifile.class=org.apache.kafka.common.config.provider.FileConfigProvider", "config.providers.strimzifile.param.allowed.paths=/opt/kafka", "config.providers.strimzidir.class=org.apache.kafka.common.config.provider.DirectoryConfigProvider", "config.providers.strimzidir.param.allowed.paths=/opt/kafka", + "config.providers.strimzisecrets.class=io.strimzi.kafka.KubernetesSecretConfigProvider", "min.insync.replicas=1")); } @@ -510,13 +509,14 @@ public void testNullUserConfigurationAndCCReporter() { .build(); assertThat(configuration, isEquivalent("node.id=2", - "config.providers=strimzienv,strimzifile,strimzidir", + "config.providers=strimzienv,strimzisecrets,strimzifile,strimzidir", "config.providers.strimzienv.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider", "config.providers.strimzienv.param.allowlist.pattern=.*", "config.providers.strimzifile.class=org.apache.kafka.common.config.provider.FileConfigProvider", "config.providers.strimzifile.param.allowed.paths=/opt/kafka", "config.providers.strimzidir.class=org.apache.kafka.common.config.provider.DirectoryConfigProvider", "config.providers.strimzidir.param.allowed.paths=/opt/kafka", + "config.providers.strimzisecrets.class=io.strimzi.kafka.KubernetesSecretConfigProvider", "metric.reporters=com.linkedin.kafka.cruisecontrol.metricsreporter.CruiseControlMetricsReporter", "min.insync.replicas=1")); } 
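Review bot: The new `config.providers.strimzisecrets.class=io.strimzi.kafka.KubernetesSecretConfigProvider` line is the only provider in the expected list without a restriction parameter — `strimzifile`/`strimzidir` carry `param.allowed.paths=/opt/kafka` and `strimzienv` an `allowlist.pattern`. Since user-supplied providers are merged into the same list (the `env` provider in testUserConfigurationWithConfigProviders), anyone who can edit `Kafka.spec.kafka.config` can presumably write `${strimzisecrets:ns/secret:key}` into any config value and have the broker fetch whatever its service account may read. If the provider offers no allow-list parameter, the Kafka Role's `resourceNames` is the sole boundary, and that deserves a comment in the expected config, e.g. `// strimzisecrets has no path/pattern restriction: what it can read is bounded only by the Kafka Role`. Both test methods in this span start outside the hunk.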
@@ -531,13 +531,14 @@ public void testEmptyUserConfiguration() { .build(); assertThat(configuration, isEquivalent("node.id=2", - "config.providers=strimzienv,strimzifile,strimzidir", + "config.providers=strimzienv,strimzisecrets,strimzifile,strimzidir", "config.providers.strimzienv.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider", "config.providers.strimzienv.param.allowlist.pattern=.*", "config.providers.strimzifile.class=org.apache.kafka.common.config.provider.FileConfigProvider", "config.providers.strimzifile.param.allowed.paths=/opt/kafka", "config.providers.strimzidir.class=org.apache.kafka.common.config.provider.DirectoryConfigProvider", "config.providers.strimzidir.param.allowed.paths=/opt/kafka", + "config.providers.strimzisecrets.class=io.strimzi.kafka.KubernetesSecretConfigProvider", "min.insync.replicas=1")); } @@ -556,13 +557,14 @@ public void testUserConfiguration() { .build(); assertThat(configuration, isEquivalent("node.id=2", - "config.providers=strimzienv,strimzifile,strimzidir", + "config.providers=strimzienv,strimzisecrets,strimzifile,strimzidir", "config.providers.strimzienv.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider", "config.providers.strimzienv.param.allowlist.pattern=.*", "config.providers.strimzifile.class=org.apache.kafka.common.config.provider.FileConfigProvider", "config.providers.strimzifile.param.allowed.paths=/opt/kafka", "config.providers.strimzidir.class=org.apache.kafka.common.config.provider.DirectoryConfigProvider", "config.providers.strimzidir.param.allowed.paths=/opt/kafka", + "config.providers.strimzisecrets.class=io.strimzi.kafka.KubernetesSecretConfigProvider", "auto.create.topics.enable=false", "offsets.topic.replication.factor=3", "transaction.state.log.replication.factor=3", 
@@ -584,7 +586,7 @@ public void testUserConfigurationWithConfigProviders() { .build(); assertThat(configuration, isEquivalent("node.id=2", - "config.providers=env,strimzienv,strimzifile,strimzidir", + "config.providers=env,strimzienv,strimzisecrets,strimzifile,strimzidir", "config.providers.strimzienv.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider", "config.providers.strimzienv.param.allowlist.pattern=.*", "config.providers.strimzifile.class=org.apache.kafka.common.config.provider.FileConfigProvider", @@ -592,6 +594,7 @@ public void testUserConfigurationWithConfigProviders() { "config.providers.strimzidir.class=org.apache.kafka.common.config.provider.DirectoryConfigProvider", "config.providers.strimzidir.param.allowed.paths=/opt/kafka", "config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider", + "config.providers.strimzisecrets.class=io.strimzi.kafka.KubernetesSecretConfigProvider", "min.insync.replicas=1")); // Controller @@ -600,10 +603,11 @@ public void testUserConfigurationWithConfigProviders() { .build(); assertThat(configuration, isEquivalent("node.id=3", - "config.providers=env,strimzienv", + "config.providers=env,strimzienv,strimzisecrets", "config.providers.strimzienv.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider", "config.providers.strimzienv.param.allowlist.pattern=.*", "config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider", + "config.providers.strimzisecrets.class=io.strimzi.kafka.KubernetesSecretConfigProvider", "min.insync.replicas=1")); } 
@@ -630,13 +634,14 @@ public void testNullUserConfigurationWithJmxMetricsReporter() { .build(); assertThat(configuration, isEquivalent("node.id=2", - "config.providers=strimzienv,strimzifile,strimzidir", + "config.providers=strimzienv,strimzisecrets,strimzifile,strimzidir", "config.providers.strimzienv.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider", "config.providers.strimzienv.param.allowlist.pattern=.*", "config.providers.strimzifile.class=org.apache.kafka.common.config.provider.FileConfigProvider", "config.providers.strimzifile.param.allowed.paths=/opt/kafka", "config.providers.strimzidir.class=org.apache.kafka.common.config.provider.DirectoryConfigProvider", "config.providers.strimzidir.param.allowed.paths=/opt/kafka", + "config.providers.strimzisecrets.class=io.strimzi.kafka.KubernetesSecretConfigProvider", "metric.reporters=org.apache.kafka.common.metrics.JmxReporter", "min.insync.replicas=1")); } @@ -647,13 +652,14 @@ public void testNullUserConfigurationWithStrimziMetricsReporter() { .withUserConfiguration(null, false, false, true) .build(); assertThat(configuration, isEquivalent("node.id=2", - "config.providers=strimzienv,strimzifile,strimzidir", + "config.providers=strimzienv,strimzisecrets,strimzifile,strimzidir", "config.providers.strimzienv.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider", "config.providers.strimzienv.param.allowlist.pattern=.*", "config.providers.strimzifile.class=org.apache.kafka.common.config.provider.FileConfigProvider", "config.providers.strimzifile.param.allowed.paths=/opt/kafka", "config.providers.strimzidir.class=org.apache.kafka.common.config.provider.DirectoryConfigProvider", "config.providers.strimzidir.param.allowed.paths=/opt/kafka", + "config.providers.strimzisecrets.class=io.strimzi.kafka.KubernetesSecretConfigProvider", "min.insync.replicas=1", "metric.reporters=" + StrimziMetricsReporterConfig.KAFKA_CLASS, "kafka.metrics.reporters=" + StrimziMetricsReporterConfig.YAMMER_CLASS)); 
@@ -667,13 +673,14 @@ public void testNullUserConfigurationWithCruiseControlAndStrimziMetricsReporters .build(); assertThat(configuration, isEquivalent("node.id=2", - "config.providers=strimzienv,strimzifile,strimzidir", + "config.providers=strimzienv,strimzisecrets,strimzifile,strimzidir", "config.providers.strimzienv.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider", "config.providers.strimzienv.param.allowlist.pattern=.*", "config.providers.strimzifile.class=org.apache.kafka.common.config.provider.FileConfigProvider", "config.providers.strimzifile.param.allowed.paths=/opt/kafka", "config.providers.strimzidir.class=org.apache.kafka.common.config.provider.DirectoryConfigProvider", "config.providers.strimzidir.param.allowed.paths=/opt/kafka", + "config.providers.strimzisecrets.class=io.strimzi.kafka.KubernetesSecretConfigProvider", "min.insync.replicas=1", "metric.reporters=" + CruiseControlMetricsReporter.CRUISE_CONTROL_METRIC_REPORTER + "," + StrimziMetricsReporterConfig.KAFKA_CLASS, 
@@ -687,13 +694,14 @@ public void testNullUserConfigurationWithCruiseControlAndJmxAndStrimziMetricsRep .build(); assertThat(configuration, isEquivalent("node.id=2", - "config.providers=strimzienv,strimzifile,strimzidir", + "config.providers=strimzienv,strimzisecrets,strimzifile,strimzidir", "config.providers.strimzienv.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider", "config.providers.strimzienv.param.allowlist.pattern=.*", "config.providers.strimzifile.class=org.apache.kafka.common.config.provider.FileConfigProvider", "config.providers.strimzifile.param.allowed.paths=/opt/kafka", "config.providers.strimzidir.class=org.apache.kafka.common.config.provider.DirectoryConfigProvider", "config.providers.strimzidir.param.allowed.paths=/opt/kafka", + "config.providers.strimzisecrets.class=io.strimzi.kafka.KubernetesSecretConfigProvider", "metric.reporters=" + CruiseControlMetricsReporter.CRUISE_CONTROL_METRIC_REPORTER + ",org.apache.kafka.common.metrics.JmxReporter" + "," + StrimziMetricsReporterConfig.KAFKA_CLASS, 
@@ -708,13 +716,14 @@ static Stream sourceUserConfigWithMetricsReporters() { KafkaConfiguration userConfig = new KafkaConfiguration(Reconciliation.DUMMY_RECONCILIATION, configMap.entrySet()); String expectedConfig = "node.id=2\n" - + "config.providers=strimzienv,strimzifile,strimzidir\n" + + "config.providers=strimzienv,strimzisecrets,strimzifile,strimzidir\n" + "config.providers.strimzienv.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider\n" + "config.providers.strimzienv.param.allowlist.pattern=.*\n" + "config.providers.strimzifile.class=org.apache.kafka.common.config.provider.FileConfigProvider\n" + "config.providers.strimzifile.param.allowed.paths=/opt/kafka\n" + "config.providers.strimzidir.class=org.apache.kafka.common.config.provider.DirectoryConfigProvider\n" + "config.providers.strimzidir.param.allowed.paths=/opt/kafka\n" + + "config.providers.strimzisecrets.class=io.strimzi.kafka.KubernetesSecretConfigProvider\n" + "min.insync.replicas=1\n"; // testing 8 combinations of 3 boolean values 
@@ -781,13 +790,14 @@ public void testStrimziMetricsReporterViaUserAndMetricsConfigs() { .build(); assertThat(configuration, isEquivalent("node.id=2", - "config.providers=strimzienv,strimzifile,strimzidir", + "config.providers=strimzienv,strimzisecrets,strimzifile,strimzidir", "config.providers.strimzienv.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider", "config.providers.strimzienv.param.allowlist.pattern=.*", "config.providers.strimzifile.class=org.apache.kafka.common.config.provider.FileConfigProvider", "config.providers.strimzifile.param.allowed.paths=/opt/kafka", "config.providers.strimzidir.class=org.apache.kafka.common.config.provider.DirectoryConfigProvider", "config.providers.strimzidir.param.allowed.paths=/opt/kafka", + "config.providers.strimzisecrets.class=io.strimzi.kafka.KubernetesSecretConfigProvider", "metric.reporters=" + StrimziMetricsReporterConfig.KAFKA_CLASS, "kafka.metrics.reporters=" + StrimziMetricsReporterConfig.YAMMER_CLASS, "min.insync.replicas=1")); 
@@ -859,23 +869,21 @@ public void testJbodStorageLogDirs() { @Test public void testWithNoListeners() { String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION, NODE_REF) - .withListeners("my-cluster", KAFKA_VERSION, "my-namespace", emptyList(), null, null) + .withListeners("my-cluster", "my-namespace", emptyList(), null, null) .build(); assertThat(configuration, isEquivalent("node.id=2", "listener.name.controlplane-9090.ssl.client.auth=required", - "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.controlplane-9090.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.keystore.type=PKCS12", - "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.controlplane-9090.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.truststore.type=PKCS12", - "listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.replication-9091.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.keystore.type=PKCS12", - "listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.replication-9091.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.truststore.type=PKCS12", + "listener.name.controlplane-9090.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.controlplane-9090.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.controlplane-9090.ssl.keystore.type=PEM", + "listener.name.controlplane-9090.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.controlplane-9090.ssl.truststore.type=PEM", + 
"listener.name.replication-9091.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.replication-9091.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.replication-9091.ssl.keystore.type=PEM", + "listener.name.replication-9091.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.replication-9091.ssl.truststore.type=PEM", "listener.name.replication-9091.ssl.client.auth=required", "listeners=REPLICATION-9091://0.0.0.0:9091", "advertised.listeners=REPLICATION-9091://my-cluster-kafka-2.my-cluster-kafka-brokers.my-namespace.svc:9091", 
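Review bot: The expected Secret references use `namespace/` (`${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}`) while the call passes `"my-namespace"` to `withListeners`, and that value is what appears in `advertised.listeners`, so the Secret namespace is evidently taken from a different source — presumably the `Reconciliation` given to the constructor. A provider reference is only as good as that namespace: if the two ever disagree in production the broker would look for its key in another namespace and fail on RBAC, or worse, resolve a same-named Secret there. Either derive both from one source in the builder, or make the fixture deliberate with `// Secret refs use the reconciliation namespace, not the listener namespace argument` and a case that asserts the intended outcome when the two differ. testWithNoListeners continues past the end of this hunk.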
@@ -926,23 +934,21 @@ public void testConnectionLimits() { .build(); String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION, NODE_REF) - .withListeners("my-cluster", KAFKA_VERSION, "my-namespace", asList(listener1, listener2, listener3, listener4), listenerId -> "dummy-advertised-address", listenerId -> "1919") + .withListeners("my-cluster", "my-namespace", asList(listener1, listener2, listener3, listener4), listenerId -> "dummy-advertised-address", listenerId -> "1919") .build(); assertThat(configuration, isEquivalent("node.id=2", "listener.name.controlplane-9090.ssl.client.auth=required", - "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.controlplane-9090.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.keystore.type=PKCS12", - "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.controlplane-9090.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.truststore.type=PKCS12", - "listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.replication-9091.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.keystore.type=PKCS12", - "listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.replication-9091.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.truststore.type=PKCS12", + "listener.name.controlplane-9090.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.controlplane-9090.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.controlplane-9090.ssl.keystore.type=PEM", + 
"listener.name.controlplane-9090.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.controlplane-9090.ssl.truststore.type=PEM", + "listener.name.replication-9091.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.replication-9091.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.replication-9091.ssl.keystore.type=PEM", + "listener.name.replication-9091.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.replication-9091.ssl.truststore.type=PEM", "listener.name.replication-9091.ssl.client.auth=required", "listener.name.listener1-9100.max.connections=100", "listener.name.listener1-9100.max.connection.creation.rate=10", 
@@ -966,23 +972,21 @@ public void testWithPlainListenersWithoutAuth() { .build(); String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION, NODE_REF) - .withListeners("my-cluster", KAFKA_VERSION, "my-namespace", singletonList(listener), listenerId -> "my-cluster-kafka-2.my-cluster-kafka-brokers.my-namespace.svc", listenerId -> "9092") + .withListeners("my-cluster", "my-namespace", singletonList(listener), listenerId -> "my-cluster-kafka-2.my-cluster-kafka-brokers.my-namespace.svc", listenerId -> "9092") .build(); assertThat(configuration, isEquivalent("node.id=2", "listener.name.controlplane-9090.ssl.client.auth=required", - "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.controlplane-9090.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.keystore.type=PKCS12", - "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.controlplane-9090.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.truststore.type=PKCS12", - "listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.replication-9091.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.keystore.type=PKCS12", - "listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.replication-9091.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.truststore.type=PKCS12", + "listener.name.controlplane-9090.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.controlplane-9090.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.controlplane-9090.ssl.keystore.type=PEM", + 
"listener.name.controlplane-9090.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.controlplane-9090.ssl.truststore.type=PEM", + "listener.name.replication-9091.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.replication-9091.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.replication-9091.ssl.keystore.type=PEM", + "listener.name.replication-9091.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.replication-9091.ssl.truststore.type=PEM", "listener.name.replication-9091.ssl.client.auth=required", "listeners=REPLICATION-9091://0.0.0.0:9091,PLAIN-9092://0.0.0.0:9092", "advertised.listeners=REPLICATION-9091://my-cluster-kafka-2.my-cluster-kafka-brokers.my-namespace.svc:9091,PLAIN-9092://my-cluster-kafka-2.my-cluster-kafka-brokers.my-namespace.svc:9092", @@ -1010,7 +1014,7 @@ public void testKraftListenersMixedNodes() { NodeRef nodeRef = nodes.stream().filter(nr -> nr.nodeId() == 2).findFirst().get(); String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION, nodeRef) .withKRaft("my-cluster", "my-namespace", nodes) - .withListeners("my-cluster", KAFKA_VERSION, "my-namespace", singletonList(listener), listenerId -> "my-cluster-kafka-2.my-cluster-kafka-brokers.my-namespace.svc", listenerId -> "9092") + .withListeners("my-cluster", "my-namespace", singletonList(listener), listenerId -> "my-cluster-kafka-2.my-cluster-kafka-brokers.my-namespace.svc", listenerId -> "9092") .build(); // KRaft controller or mixed node with version 3.9 or later should have advertised listeners configured with controller listener 
@@ -1019,18 +1023,16 @@ public void testKraftListenersMixedNodes() { "controller.listener.names=CONTROLPLANE-9090", "controller.quorum.voters=0@my-cluster-kafka-0.my-cluster-kafka-brokers.my-namespace.svc.cluster.local:9090,1@my-cluster-kafka-1.my-cluster-kafka-brokers.my-namespace.svc.cluster.local:9090,2@my-cluster-kafka-2.my-cluster-kafka-brokers.my-namespace.svc.cluster.local:9090", "listener.name.controlplane-9090.ssl.client.auth=required", - "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.controlplane-9090.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.keystore.type=PKCS12", - "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.controlplane-9090.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.truststore.type=PKCS12", - "listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.replication-9091.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.keystore.type=PKCS12", - "listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.replication-9091.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.truststore.type=PKCS12", + "listener.name.controlplane-9090.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.controlplane-9090.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.controlplane-9090.ssl.keystore.type=PEM", + "listener.name.controlplane-9090.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.controlplane-9090.ssl.truststore.type=PEM", + 
"listener.name.replication-9091.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.replication-9091.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.replication-9091.ssl.keystore.type=PEM", + "listener.name.replication-9091.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.replication-9091.ssl.truststore.type=PEM", "listener.name.replication-9091.ssl.client.auth=required", "listeners=CONTROLPLANE-9090://0.0.0.0:9090,REPLICATION-9091://0.0.0.0:9091,PLAIN-9092://0.0.0.0:9092", "advertised.listeners=CONTROLPLANE-9090://my-cluster-kafka-2.my-cluster-kafka-brokers.my-namespace.svc:9090,REPLICATION-9091://my-cluster-kafka-2.my-cluster-kafka-brokers.my-namespace.svc:9091,PLAIN-9092://my-cluster-kafka-2.my-cluster-kafka-brokers.my-namespace.svc:9092", @@ -1062,7 +1064,7 @@ public void testKraftListenersBrokerAndControllerNodes() { NodeRef nodeRef = nodes.stream().filter(nr -> nr.nodeId() == 2).findFirst().get(); String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION, nodeRef) .withKRaft("my-cluster", "my-namespace", nodes) - .withListeners("my-cluster", KAFKA_VERSION, "my-namespace", singletonList(listener), listenerId -> "my-cluster-controllers-2.my-cluster-kafka-brokers.my-namespace.svc", listenerId -> "9092") + .withListeners("my-cluster", "my-namespace", singletonList(listener), listenerId -> "my-cluster-controllers-2.my-cluster-kafka-brokers.my-namespace.svc", listenerId -> "9092") .build(); assertThat(configuration, isEquivalent("node.id=2", 
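Review bot: The truststore line `ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}` trusts every `.crt` entry in the CA Secret, on both the control-plane and replication listeners that also set `ssl.client.auth=required`. That glob is presumably what lets old and new CA certificates coexist during renewal, but it also means any extra `.crt` key dropped into that Secret becomes an accepted issuer for inter-broker and controller mTLS, so write access to the Secret is equivalent to minting cluster-trusted client certificates. The expected value deserves `// *.crt: every certificate in the CA Secret is trusted, so write access to that Secret equals CA access` next to it, and the glob itself relies on the provider version supporting wildcards, which this string comparison cannot verify. testKraftListenersMixedNodes continues outside the hunk.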
@@ -1071,12 +1073,11 @@ public void testKraftListenersBrokerAndControllerNodes() { "controller.listener.names=CONTROLPLANE-9090", "controller.quorum.voters=0@my-cluster-controllers-0.my-cluster-kafka-brokers.my-namespace.svc.cluster.local:9090,1@my-cluster-controllers-1.my-cluster-kafka-brokers.my-namespace.svc.cluster.local:9090,2@my-cluster-controllers-2.my-cluster-kafka-brokers.my-namespace.svc.cluster.local:9090", "listener.name.controlplane-9090.ssl.client.auth=required", - "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.controlplane-9090.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.keystore.type=PKCS12", - "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.controlplane-9090.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.truststore.type=PKCS12", + "listener.name.controlplane-9090.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-controllers-2:my-cluster-controllers-2.crt}", + "listener.name.controlplane-9090.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-controllers-2:my-cluster-controllers-2.key}", + "listener.name.controlplane-9090.ssl.keystore.type=PEM", + "listener.name.controlplane-9090.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.controlplane-9090.ssl.truststore.type=PEM", "listeners=CONTROLPLANE-9090://0.0.0.0:9090", "listener.security.protocol.map=CONTROLPLANE-9090:SSL", "sasl.enabled.mechanisms=", 
@@ -1086,7 +1087,7 @@ public void testKraftListenersBrokerAndControllerNodes() { // Broker-only node configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION, nodeRef) .withKRaft("my-cluster", "my-namespace", nodes) - .withListeners("my-cluster", KAFKA_VERSION, "my-namespace", singletonList(listener), listenerId -> "my-cluster-brokers-11.my-cluster-kafka-brokers.my-namespace.svc", listenerId -> "9092") + .withListeners("my-cluster", "my-namespace", singletonList(listener), listenerId -> "my-cluster-brokers-11.my-cluster-kafka-brokers.my-namespace.svc", listenerId -> "9092") .build(); assertThat(configuration, isEquivalent("node.id=11", 
@@ -1094,18 +1095,16 @@ public void testKraftListenersBrokerAndControllerNodes() { "controller.listener.names=CONTROLPLANE-9090", "controller.quorum.voters=0@my-cluster-controllers-0.my-cluster-kafka-brokers.my-namespace.svc.cluster.local:9090,1@my-cluster-controllers-1.my-cluster-kafka-brokers.my-namespace.svc.cluster.local:9090,2@my-cluster-controllers-2.my-cluster-kafka-brokers.my-namespace.svc.cluster.local:9090", "listener.name.controlplane-9090.ssl.client.auth=required", - "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.controlplane-9090.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.keystore.type=PKCS12", - "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.controlplane-9090.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.truststore.type=PKCS12", - "listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.replication-9091.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.keystore.type=PKCS12", - "listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.replication-9091.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.truststore.type=PKCS12", + "listener.name.controlplane-9090.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-brokers-11:my-cluster-brokers-11.crt}", + "listener.name.controlplane-9090.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-brokers-11:my-cluster-brokers-11.key}", + "listener.name.controlplane-9090.ssl.keystore.type=PEM", + "listener.name.controlplane-9090.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.controlplane-9090.ssl.truststore.type=PEM", 
+ "listener.name.replication-9091.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-brokers-11:my-cluster-brokers-11.crt}", + "listener.name.replication-9091.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-brokers-11:my-cluster-brokers-11.key}", + "listener.name.replication-9091.ssl.keystore.type=PEM", + "listener.name.replication-9091.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.replication-9091.ssl.truststore.type=PEM", "listener.name.replication-9091.ssl.client.auth=required", "listeners=REPLICATION-9091://0.0.0.0:9091,PLAIN-9092://0.0.0.0:9092", "advertised.listeners=REPLICATION-9091://my-cluster-brokers-11.my-cluster-kafka-brokers.my-namespace.svc:9091,PLAIN-9092://my-cluster-brokers-11.my-cluster-kafka-brokers.my-namespace.svc:9092", @@ -1156,7 +1155,7 @@ public void testKraftOauthBrokerControllerAndMixedNodes() { String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION, nodes.stream().filter(nodeRef -> nodeRef.nodeId() == 2).findFirst().get()) .withKRaft("my-cluster", "my-namespace", nodes) - .withListeners("my-cluster", KAFKA_VERSION, "my-namespace", singletonList(listener), listenerId -> "my-cluster-controllers-2.my-cluster-kafka-brokers.my-namespace.svc", listenerId -> "9092") + .withListeners("my-cluster", "my-namespace", singletonList(listener), listenerId -> "my-cluster-controllers-2.my-cluster-kafka-brokers.my-namespace.svc", listenerId -> "9092") .build(); assertThat(configuration, isEquivalent("node.id=2", 
@@ -1165,12 +1164,11 @@ public void testKraftOauthBrokerControllerAndMixedNodes() { "controller.listener.names=CONTROLPLANE-9090", "controller.quorum.voters=0@my-cluster-controllers-0.my-cluster-kafka-brokers.my-namespace.svc.cluster.local:9090,1@my-cluster-controllers-1.my-cluster-kafka-brokers.my-namespace.svc.cluster.local:9090,2@my-cluster-controllers-2.my-cluster-kafka-brokers.my-namespace.svc.cluster.local:9090,13@my-cluster-kafka-13.my-cluster-kafka-brokers.my-namespace.svc.cluster.local:9090,14@my-cluster-kafka-14.my-cluster-kafka-brokers.my-namespace.svc.cluster.local:9090,15@my-cluster-kafka-15.my-cluster-kafka-brokers.my-namespace.svc.cluster.local:9090", "listener.name.controlplane-9090.ssl.client.auth=required", - "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.controlplane-9090.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.keystore.type=PKCS12", - "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.controlplane-9090.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.truststore.type=PKCS12", + "listener.name.controlplane-9090.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-controllers-2:my-cluster-controllers-2.crt}", + "listener.name.controlplane-9090.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-controllers-2:my-cluster-controllers-2.key}", + "listener.name.controlplane-9090.ssl.keystore.type=PEM", + "listener.name.controlplane-9090.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.controlplane-9090.ssl.truststore.type=PEM", "listeners=CONTROLPLANE-9090://0.0.0.0:9090", "listener.security.protocol.map=CONTROLPLANE-9090:SSL", "sasl.enabled.mechanisms=", 
@@ -1181,7 +1179,7 @@ public void testKraftOauthBrokerControllerAndMixedNodes() {
 configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION, nodes.stream().filter(nodeRef -> nodeRef.nodeId() == 11).findFirst().get())
 .withKRaft("my-cluster", "my-namespace", nodes)
- .withListeners("my-cluster", KAFKA_VERSION, "my-namespace", singletonList(listener), listenerId -> "my-cluster-brokers-11.my-cluster-kafka-brokers.my-namespace.svc", listenerId -> "9092")
+ .withListeners("my-cluster", "my-namespace", singletonList(listener), listenerId -> "my-cluster-brokers-11.my-cluster-kafka-brokers.my-namespace.svc", listenerId -> "9092")
 .build();
 assertThat(configuration, isEquivalent("node.id=11",
@@ -1189,18 +1187,16 @@ public void testKraftOauthBrokerControllerAndMixedNodes() {
 "controller.listener.names=CONTROLPLANE-9090",
 "controller.quorum.voters=0@my-cluster-controllers-0.my-cluster-kafka-brokers.my-namespace.svc.cluster.local:9090,1@my-cluster-controllers-1.my-cluster-kafka-brokers.my-namespace.svc.cluster.local:9090,2@my-cluster-controllers-2.my-cluster-kafka-brokers.my-namespace.svc.cluster.local:9090,13@my-cluster-kafka-13.my-cluster-kafka-brokers.my-namespace.svc.cluster.local:9090,14@my-cluster-kafka-14.my-cluster-kafka-brokers.my-namespace.svc.cluster.local:9090,15@my-cluster-kafka-15.my-cluster-kafka-brokers.my-namespace.svc.cluster.local:9090",
 "listener.name.controlplane-9090.ssl.client.auth=required",
- "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12",
- "listener.name.controlplane-9090.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.controlplane-9090.ssl.keystore.type=PKCS12",
- "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12",
- "listener.name.controlplane-9090.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.controlplane-9090.ssl.truststore.type=PKCS12",
- "listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12",
- "listener.name.replication-9091.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.replication-9091.ssl.keystore.type=PKCS12",
- "listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12",
- "listener.name.replication-9091.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.replication-9091.ssl.truststore.type=PKCS12",
+ "listener.name.controlplane-9090.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-brokers-11:my-cluster-brokers-11.crt}",
+ "listener.name.controlplane-9090.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-brokers-11:my-cluster-brokers-11.key}",
+ "listener.name.controlplane-9090.ssl.keystore.type=PEM",
+ "listener.name.controlplane-9090.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}",
+ "listener.name.controlplane-9090.ssl.truststore.type=PEM",
+ "listener.name.replication-9091.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-brokers-11:my-cluster-brokers-11.crt}",
+ "listener.name.replication-9091.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-brokers-11:my-cluster-brokers-11.key}",
+ "listener.name.replication-9091.ssl.keystore.type=PEM",
+ "listener.name.replication-9091.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}",
+ "listener.name.replication-9091.ssl.truststore.type=PEM",
 "listener.name.replication-9091.ssl.client.auth=required",
 "listeners=REPLICATION-9091://0.0.0.0:9091,PLAIN-9092://0.0.0.0:9092",
 "advertised.listeners=REPLICATION-9091://my-cluster-brokers-11.my-cluster-kafka-brokers.my-namespace.svc:9091,PLAIN-9092://my-cluster-brokers-11.my-cluster-kafka-brokers.my-namespace.svc:9092",
@@ -1220,7 +1216,7 @@ public void testKraftOauthBrokerControllerAndMixedNodes() {
 configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION, nodes.stream().filter(nodeRef -> nodeRef.nodeId() == 14).findFirst().get())
 .withKRaft("my-cluster", "my-namespace", nodes)
- .withListeners("my-cluster", KAFKA_VERSION, "my-namespace", singletonList(listener), listenerId -> "my-cluster-kafka-14.my-cluster-kafka-brokers.my-namespace.svc", listenerId -> "9092")
+ .withListeners("my-cluster", "my-namespace", singletonList(listener), listenerId -> "my-cluster-kafka-14.my-cluster-kafka-brokers.my-namespace.svc", listenerId -> "9092")
 .build();
 assertThat(configuration, isEquivalent("node.id=14",
@@ -1228,18 +1224,16 @@ public void testKraftOauthBrokerControllerAndMixedNodes() {
 "controller.listener.names=CONTROLPLANE-9090",
 "controller.quorum.voters=0@my-cluster-controllers-0.my-cluster-kafka-brokers.my-namespace.svc.cluster.local:9090,1@my-cluster-controllers-1.my-cluster-kafka-brokers.my-namespace.svc.cluster.local:9090,2@my-cluster-controllers-2.my-cluster-kafka-brokers.my-namespace.svc.cluster.local:9090,13@my-cluster-kafka-13.my-cluster-kafka-brokers.my-namespace.svc.cluster.local:9090,14@my-cluster-kafka-14.my-cluster-kafka-brokers.my-namespace.svc.cluster.local:9090,15@my-cluster-kafka-15.my-cluster-kafka-brokers.my-namespace.svc.cluster.local:9090",
 "listener.name.controlplane-9090.ssl.client.auth=required",
- "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12",
- "listener.name.controlplane-9090.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.controlplane-9090.ssl.keystore.type=PKCS12",
- "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12",
- "listener.name.controlplane-9090.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.controlplane-9090.ssl.truststore.type=PKCS12",
- "listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12",
- "listener.name.replication-9091.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.replication-9091.ssl.keystore.type=PKCS12",
- "listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12",
- "listener.name.replication-9091.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.replication-9091.ssl.truststore.type=PKCS12",
+ "listener.name.controlplane-9090.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-14:my-cluster-kafka-14.crt}",
+ "listener.name.controlplane-9090.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-14:my-cluster-kafka-14.key}",
+ "listener.name.controlplane-9090.ssl.keystore.type=PEM",
+ "listener.name.controlplane-9090.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}",
+ "listener.name.controlplane-9090.ssl.truststore.type=PEM",
+ "listener.name.replication-9091.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-14:my-cluster-kafka-14.crt}",
+ "listener.name.replication-9091.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-14:my-cluster-kafka-14.key}",
+ "listener.name.replication-9091.ssl.keystore.type=PEM",
+ "listener.name.replication-9091.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}",
+ "listener.name.replication-9091.ssl.truststore.type=PEM",
 "listener.name.replication-9091.ssl.client.auth=required",
 "listeners=CONTROLPLANE-9090://0.0.0.0:9090,REPLICATION-9091://0.0.0.0:9091,PLAIN-9092://0.0.0.0:9092",
 "advertised.listeners=CONTROLPLANE-9090://my-cluster-kafka-14.my-cluster-kafka-brokers.my-namespace.svc:9090,REPLICATION-9091://my-cluster-kafka-14.my-cluster-kafka-brokers.my-namespace.svc:9091,PLAIN-9092://my-cluster-kafka-14.my-cluster-kafka-brokers.my-namespace.svc:9092",
@@ -1268,23 +1262,21 @@ public void testWithPlainListenersWithSaslAuth() {
 .build();
 String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION, NODE_REF)
- .withListeners("my-cluster", KAFKA_VERSION, "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919")
+ .withListeners("my-cluster", "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919")
 .build();
 assertThat(configuration, isEquivalent("node.id=2",
 "listener.name.controlplane-9090.ssl.client.auth=required",
- "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12",
- "listener.name.controlplane-9090.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.controlplane-9090.ssl.keystore.type=PKCS12",
- "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12",
- "listener.name.controlplane-9090.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.controlplane-9090.ssl.truststore.type=PKCS12",
- "listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12",
- "listener.name.replication-9091.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.replication-9091.ssl.keystore.type=PKCS12",
- "listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12",
- "listener.name.replication-9091.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.replication-9091.ssl.truststore.type=PKCS12",
+ "listener.name.controlplane-9090.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}",
+ "listener.name.controlplane-9090.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}",
+ "listener.name.controlplane-9090.ssl.keystore.type=PEM",
+ "listener.name.controlplane-9090.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}",
+ "listener.name.controlplane-9090.ssl.truststore.type=PEM",
+ "listener.name.replication-9091.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}",
+ "listener.name.replication-9091.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}",
+ "listener.name.replication-9091.ssl.keystore.type=PEM",
+ "listener.name.replication-9091.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}",
+ "listener.name.replication-9091.ssl.truststore.type=PEM",
 "listener.name.replication-9091.ssl.client.auth=required",
 "listeners=REPLICATION-9091://0.0.0.0:9091,PLAIN-9092://0.0.0.0:9092",
 "advertised.listeners=REPLICATION-9091://my-cluster-kafka-2.my-cluster-kafka-brokers.my-namespace.svc:9091,PLAIN-9092://dummy-advertised-address:1919",
@@ -1306,23 +1298,21 @@ public void testWithTlsListenersWithoutAuth() {
 .build();
 String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION, NODE_REF)
- .withListeners("my-cluster", KAFKA_VERSION, "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919")
+ .withListeners("my-cluster", "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919")
 .build();
 assertThat(configuration, isEquivalent("node.id=2",
 "listener.name.controlplane-9090.ssl.client.auth=required",
- "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12",
- "listener.name.controlplane-9090.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.controlplane-9090.ssl.keystore.type=PKCS12",
- "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12",
- "listener.name.controlplane-9090.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.controlplane-9090.ssl.truststore.type=PKCS12",
- "listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12",
- "listener.name.replication-9091.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.replication-9091.ssl.keystore.type=PKCS12",
- "listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12",
- "listener.name.replication-9091.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.replication-9091.ssl.truststore.type=PKCS12",
+ "listener.name.controlplane-9090.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}",
+ "listener.name.controlplane-9090.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}",
+ "listener.name.controlplane-9090.ssl.keystore.type=PEM",
+ "listener.name.controlplane-9090.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}",
+ "listener.name.controlplane-9090.ssl.truststore.type=PEM",
+ "listener.name.replication-9091.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}",
+ "listener.name.replication-9091.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}",
+ "listener.name.replication-9091.ssl.keystore.type=PEM",
+ "listener.name.replication-9091.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}",
+ "listener.name.replication-9091.ssl.truststore.type=PEM",
 "listener.name.replication-9091.ssl.client.auth=required",
 "listeners=REPLICATION-9091://0.0.0.0:9091,TLS-9093://0.0.0.0:9093",
 "advertised.listeners=REPLICATION-9091://my-cluster-kafka-2.my-cluster-kafka-brokers.my-namespace.svc:9091,TLS-9093://dummy-advertised-address:1919",
@@ -1330,9 +1320,9 @@ public void testWithTlsListenersWithoutAuth() {
 "inter.broker.listener.name=REPLICATION-9091",
 "sasl.enabled.mechanisms=",
 "ssl.endpoint.identification.algorithm=HTTPS",
- "listener.name.tls-9093.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12",
- "listener.name.tls-9093.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.tls-9093.ssl.keystore.type=PKCS12"));
+ "listener.name.tls-9093.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}",
+ "listener.name.tls-9093.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}",
+ "listener.name.tls-9093.ssl.keystore.type=PEM"));
 }
 @Test
@@ -1347,23 +1337,21 @@ public void testWithTlsListenersWithTlsAuth() {
 .build();
 String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION, NODE_REF)
- .withListeners("my-cluster", KAFKA_VERSION, "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919")
+ .withListeners("my-cluster", "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919")
 .build();
 assertThat(configuration, isEquivalent("node.id=2",
 "listener.name.controlplane-9090.ssl.client.auth=required",
- "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12",
- "listener.name.controlplane-9090.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.controlplane-9090.ssl.keystore.type=PKCS12",
- "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12",
- "listener.name.controlplane-9090.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.controlplane-9090.ssl.truststore.type=PKCS12",
- "listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12",
- "listener.name.replication-9091.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.replication-9091.ssl.keystore.type=PKCS12",
- "listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12",
- "listener.name.replication-9091.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.replication-9091.ssl.truststore.type=PKCS12",
+ "listener.name.controlplane-9090.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}",
+ "listener.name.controlplane-9090.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}",
+ "listener.name.controlplane-9090.ssl.keystore.type=PEM",
+ "listener.name.controlplane-9090.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}",
+ "listener.name.controlplane-9090.ssl.truststore.type=PEM",
+ "listener.name.replication-9091.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}",
+ "listener.name.replication-9091.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}",
+ "listener.name.replication-9091.ssl.keystore.type=PEM",
+ "listener.name.replication-9091.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}",
+ "listener.name.replication-9091.ssl.truststore.type=PEM",
 "listener.name.replication-9091.ssl.client.auth=required",
 "listeners=REPLICATION-9091://0.0.0.0:9091,TLS-9093://0.0.0.0:9093",
 "advertised.listeners=REPLICATION-9091://my-cluster-kafka-2.my-cluster-kafka-brokers.my-namespace.svc:9091,TLS-9093://dummy-advertised-address:1919",
@@ -1372,12 +1360,11 @@ public void testWithTlsListenersWithTlsAuth() {
 "sasl.enabled.mechanisms=",
 "ssl.endpoint.identification.algorithm=HTTPS",
 "listener.name.tls-9093.ssl.client.auth=required",
- "listener.name.tls-9093.ssl.truststore.location=/tmp/kafka/clients.truststore.p12",
- "listener.name.tls-9093.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.tls-9093.ssl.truststore.type=PKCS12",
- "listener.name.tls-9093.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12",
- "listener.name.tls-9093.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.tls-9093.ssl.keystore.type=PKCS12"));
+ "listener.name.tls-9093.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-clients-ca-cert:*.crt}",
+ "listener.name.tls-9093.ssl.truststore.type=PEM",
+ "listener.name.tls-9093.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}",
+ "listener.name.tls-9093.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}",
+ "listener.name.tls-9093.ssl.keystore.type=PEM"));
 }
 @Test
@@ -1397,23 +1384,21 @@ public void testWithTlsListenersWithCustomCerts() {
 .build();
 String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION, NODE_REF)
- .withListeners("my-cluster", KAFKA_VERSION, "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919")
+ .withListeners("my-cluster", "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919")
 .build();
 assertThat(configuration, isEquivalent("node.id=2",
 "listener.name.controlplane-9090.ssl.client.auth=required",
- "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12",
- "listener.name.controlplane-9090.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.controlplane-9090.ssl.keystore.type=PKCS12",
- "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12",
- "listener.name.controlplane-9090.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.controlplane-9090.ssl.truststore.type=PKCS12",
- "listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12",
- "listener.name.replication-9091.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.replication-9091.ssl.keystore.type=PKCS12",
- "listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12",
- "listener.name.replication-9091.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.replication-9091.ssl.truststore.type=PKCS12",
+ "listener.name.controlplane-9090.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}",
+ "listener.name.controlplane-9090.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}",
+ "listener.name.controlplane-9090.ssl.keystore.type=PEM",
+ "listener.name.controlplane-9090.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}",
+ "listener.name.controlplane-9090.ssl.truststore.type=PEM",
+ "listener.name.replication-9091.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}",
+ "listener.name.replication-9091.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}",
+ "listener.name.replication-9091.ssl.keystore.type=PEM",
+ "listener.name.replication-9091.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}",
+ "listener.name.replication-9091.ssl.truststore.type=PEM",
 "listener.name.replication-9091.ssl.client.auth=required",
 "listeners=REPLICATION-9091://0.0.0.0:9091,TLS-9093://0.0.0.0:9093",
 "advertised.listeners=REPLICATION-9091://my-cluster-kafka-2.my-cluster-kafka-brokers.my-namespace.svc:9091,TLS-9093://dummy-advertised-address:1919",
@@ -1421,9 +1406,9 @@ public void testWithTlsListenersWithCustomCerts() {
 "inter.broker.listener.name=REPLICATION-9091",
 "sasl.enabled.mechanisms=",
 "ssl.endpoint.identification.algorithm=HTTPS",
- "listener.name.tls-9093.ssl.keystore.location=/tmp/kafka/custom-tls-9093.keystore.p12",
- "listener.name.tls-9093.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.tls-9093.ssl.keystore.type=PKCS12"));
+ "listener.name.tls-9093.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-secret:my.crt}",
+ "listener.name.tls-9093.ssl.keystore.key=${strimzisecrets:namespace/my-secret:my.key}",
+ "listener.name.tls-9093.ssl.keystore.type=PEM"));
 }
 @Test
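Review bot: The custom-certificate expectation in the @@ -1421 hunk now points Kafka straight at the user's `my-secret` entries `my.crt` and `my.key` with `ssl.keystore.type=PEM` and no `ssl.key.password`, whereas the removed lines show the operator-built `custom-tls-9093.keystore.p12` always came with a store password; a user-supplied key that is a passphrase-protected PEM would therefore not be loadable by the broker under the new configuration unless a password is emitted or such keys are rejected up front. This test only pins the plain case, so a companion test for a non-PEM or encrypted key in the custom secret (asserting either a validation failure or an emitted `ssl.key.password`) would document which of the two the builder guarantees — I cannot tell from this hunk whether that validation exists elsewhere. The same point applies to the @@ -1594 hunk for the external listener with custom certificates.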
@@ -1436,23 +1421,21 @@ public void testWithExternalRouteListenersWithoutAuth() {
 .build();
 String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION, NODE_REF)
- .withListeners("my-cluster", KAFKA_VERSION, "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919")
+ .withListeners("my-cluster", "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919")
 .build();
 assertThat(configuration, isEquivalent("node.id=2",
 "listener.name.controlplane-9090.ssl.client.auth=required",
- "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12",
- "listener.name.controlplane-9090.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.controlplane-9090.ssl.keystore.type=PKCS12",
- "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12",
- "listener.name.controlplane-9090.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.controlplane-9090.ssl.truststore.type=PKCS12",
- "listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12",
- "listener.name.replication-9091.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.replication-9091.ssl.keystore.type=PKCS12",
- "listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12",
- "listener.name.replication-9091.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.replication-9091.ssl.truststore.type=PKCS12",
+ "listener.name.controlplane-9090.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}",
+ "listener.name.controlplane-9090.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}",
+ "listener.name.controlplane-9090.ssl.keystore.type=PEM",
+ "listener.name.controlplane-9090.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}",
+ "listener.name.controlplane-9090.ssl.truststore.type=PEM",
+ "listener.name.replication-9091.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}",
+ "listener.name.replication-9091.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}",
+ "listener.name.replication-9091.ssl.keystore.type=PEM",
+ "listener.name.replication-9091.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}",
+ "listener.name.replication-9091.ssl.truststore.type=PEM",
 "listener.name.replication-9091.ssl.client.auth=required",
 "listeners=REPLICATION-9091://0.0.0.0:9091,EXTERNAL-9094://0.0.0.0:9094",
 "advertised.listeners=REPLICATION-9091://my-cluster-kafka-2.my-cluster-kafka-brokers.my-namespace.svc:9091,EXTERNAL-9094://dummy-advertised-address:1919",
@@ -1460,9 +1443,9 @@ public void testWithExternalRouteListenersWithoutAuth() {
 "inter.broker.listener.name=REPLICATION-9091",
 "sasl.enabled.mechanisms=",
 "ssl.endpoint.identification.algorithm=HTTPS",
- "listener.name.external-9094.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12",
- "listener.name.external-9094.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.external-9094.ssl.keystore.type=PKCS12"));
+ "listener.name.external-9094.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}",
+ "listener.name.external-9094.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}",
+ "listener.name.external-9094.ssl.keystore.type=PEM"));
 }
 @Test
@@ -1477,23 +1460,21 @@ public void testWithExternalRouteListenersWithTlsAuth() {
 .build();
 String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION, NODE_REF)
- .withListeners("my-cluster", KAFKA_VERSION, "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919")
+ .withListeners("my-cluster", "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919")
 .build();
 assertThat(configuration, isEquivalent("node.id=2",
 "listener.name.controlplane-9090.ssl.client.auth=required",
- "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12",
- "listener.name.controlplane-9090.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.controlplane-9090.ssl.keystore.type=PKCS12",
- "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12",
- "listener.name.controlplane-9090.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.controlplane-9090.ssl.truststore.type=PKCS12",
- "listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12",
- "listener.name.replication-9091.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.replication-9091.ssl.keystore.type=PKCS12",
- "listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12",
- "listener.name.replication-9091.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.replication-9091.ssl.truststore.type=PKCS12",
+ "listener.name.controlplane-9090.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}",
+ "listener.name.controlplane-9090.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}",
+ "listener.name.controlplane-9090.ssl.keystore.type=PEM",
+ "listener.name.controlplane-9090.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}",
+ "listener.name.controlplane-9090.ssl.truststore.type=PEM",
+ "listener.name.replication-9091.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}",
+ "listener.name.replication-9091.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}",
+ "listener.name.replication-9091.ssl.keystore.type=PEM",
+ "listener.name.replication-9091.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}",
+ "listener.name.replication-9091.ssl.truststore.type=PEM",
 "listener.name.replication-9091.ssl.client.auth=required",
 "listeners=REPLICATION-9091://0.0.0.0:9091,EXTERNAL-9094://0.0.0.0:9094",
 "advertised.listeners=REPLICATION-9091://my-cluster-kafka-2.my-cluster-kafka-brokers.my-namespace.svc:9091,EXTERNAL-9094://dummy-advertised-address:1919",
@@ -1502,12 +1483,11 @@ public void testWithExternalRouteListenersWithTlsAuth() {
 "sasl.enabled.mechanisms=",
 "ssl.endpoint.identification.algorithm=HTTPS",
 "listener.name.external-9094.ssl.client.auth=required",
- "listener.name.external-9094.ssl.truststore.location=/tmp/kafka/clients.truststore.p12",
- "listener.name.external-9094.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.external-9094.ssl.truststore.type=PKCS12",
- "listener.name.external-9094.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12",
- "listener.name.external-9094.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.external-9094.ssl.keystore.type=PKCS12"));
+ "listener.name.external-9094.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-clients-ca-cert:*.crt}",
+ "listener.name.external-9094.ssl.truststore.type=PEM",
+ "listener.name.external-9094.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}",
+ "listener.name.external-9094.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}",
+ "listener.name.external-9094.ssl.keystore.type=PEM"));
 }
 @Test
@@ -1522,23 +1502,19 @@ public void testWithExternalRouteListenersWithSaslAuth() {
 .build();
 String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION, NODE_REF)
- .withListeners("my-cluster", KAFKA_VERSION, "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919")
+ .withListeners("my-cluster", "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919")
 .build();
 assertThat(configuration, isEquivalent("node.id=2",
 "listener.name.controlplane-9090.ssl.client.auth=required",
- "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12",
- "listener.name.controlplane-9090.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.controlplane-9090.ssl.keystore.type=PKCS12",
- "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12",
- "listener.name.controlplane-9090.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.controlplane-9090.ssl.truststore.type=PKCS12",
- "listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12",
- "listener.name.replication-9091.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.replication-9091.ssl.keystore.type=PKCS12",
- "listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12",
- "listener.name.replication-9091.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.replication-9091.ssl.truststore.type=PKCS12",
+ "listener.name.controlplane-9090.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}",
+ "listener.name.controlplane-9090.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}",
+ "listener.name.controlplane-9090.ssl.keystore.type=PEM",
+ "listener.name.controlplane-9090.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}",
 "listener.name.controlplane-9090.ssl.truststore.type=PEM",
+ "listener.name.replication-9091.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}",
+ "listener.name.replication-9091.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}",
+ "listener.name.replication-9091.ssl.keystore.type=PEM",
+ "listener.name.replication-9091.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}",
 "listener.name.replication-9091.ssl.truststore.type=PEM",
 "listener.name.replication-9091.ssl.client.auth=required",
 "listeners=REPLICATION-9091://0.0.0.0:9091,EXTERNAL-9094://0.0.0.0:9094",
 "advertised.listeners=REPLICATION-9091://my-cluster-kafka-2.my-cluster-kafka-brokers.my-namespace.svc:9091,EXTERNAL-9094://dummy-advertised-address:1919",
@@ -1548,9 +1524,9 @@ public void testWithExternalRouteListenersWithSaslAuth() {
 "ssl.endpoint.identification.algorithm=HTTPS",
 "listener.name.external-9094.scram-sha-512.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required ;",
 "listener.name.external-9094.sasl.enabled.mechanisms=SCRAM-SHA-512",
- "listener.name.external-9094.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12",
- "listener.name.external-9094.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}",
- "listener.name.external-9094.ssl.keystore.type=PKCS12"));
+ "listener.name.external-9094.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}",
+ "listener.name.external-9094.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}",
+ "listener.name.external-9094.ssl.keystore.type=PEM"));
 }
 @Test
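Review bot: In the @@ -1522 hunk the two expectation lines `"listener.name.controlplane-9090.ssl.truststore.type=PEM",` and `"listener.name.replication-9091.ssl.truststore.type=PEM",` carry no `+` marker, and the header counts only 19 new lines where the sibling hunks (@@ -1268, @@ -1306, @@ -1347, @@ -1397, @@ -1436, @@ -1477, @@ -1570) count 21, so either the markers were lost in rendering or `testWithExternalRouteListenersWithSaslAuth` really no longer asserts the truststore type for the control-plane and replication listeners. If it is the latter, this test diverges from every other listener test in the file and should get the two lines back as added lines so that the PEM truststore type stays pinned for the internal listeners here too.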
@@ -1570,23 +1546,21 @@ public void testWithExternalRouteListenersWithCustomCerts() { .build(); String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION, NODE_REF) - .withListeners("my-cluster", KAFKA_VERSION, "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919") + .withListeners("my-cluster", "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919") .build(); assertThat(configuration, isEquivalent("node.id=2", "listener.name.controlplane-9090.ssl.client.auth=required", - "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.controlplane-9090.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.keystore.type=PKCS12", - "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.controlplane-9090.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.truststore.type=PKCS12", - "listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.replication-9091.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.keystore.type=PKCS12", - "listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.replication-9091.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.truststore.type=PKCS12", + "listener.name.controlplane-9090.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.controlplane-9090.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.controlplane-9090.ssl.keystore.type=PEM", + 
"listener.name.controlplane-9090.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.controlplane-9090.ssl.truststore.type=PEM", + "listener.name.replication-9091.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.replication-9091.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.replication-9091.ssl.keystore.type=PEM", + "listener.name.replication-9091.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.replication-9091.ssl.truststore.type=PEM", "listener.name.replication-9091.ssl.client.auth=required", "listeners=REPLICATION-9091://0.0.0.0:9091,EXTERNAL-9094://0.0.0.0:9094", "advertised.listeners=REPLICATION-9091://my-cluster-kafka-2.my-cluster-kafka-brokers.my-namespace.svc:9091,EXTERNAL-9094://dummy-advertised-address:1919", @@ -1594,9 +1568,9 @@ public void testWithExternalRouteListenersWithCustomCerts() { "inter.broker.listener.name=REPLICATION-9091", "sasl.enabled.mechanisms=", "ssl.endpoint.identification.algorithm=HTTPS", - "listener.name.external-9094.ssl.keystore.location=/tmp/kafka/custom-external-9094.keystore.p12", - "listener.name.external-9094.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.external-9094.ssl.keystore.type=PKCS12")); + "listener.name.external-9094.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-secret:my.crt}", + "listener.name.external-9094.ssl.keystore.key=${strimzisecrets:namespace/my-secret:my.key}", + "listener.name.external-9094.ssl.keystore.type=PEM")); } @Test 
@@ -1609,23 +1583,21 @@ public void testWithExternalListenersLoadBalancerWithTls() { .build(); String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION, NODE_REF) - .withListeners("my-cluster", KAFKA_VERSION, "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919") + .withListeners("my-cluster", "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919") .build(); assertThat(configuration, isEquivalent("node.id=2", "listener.name.controlplane-9090.ssl.client.auth=required", - "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.controlplane-9090.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.keystore.type=PKCS12", - "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.controlplane-9090.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.truststore.type=PKCS12", - "listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.replication-9091.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.keystore.type=PKCS12", - "listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.replication-9091.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.truststore.type=PKCS12", + "listener.name.controlplane-9090.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.controlplane-9090.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.controlplane-9090.ssl.keystore.type=PEM", + 
"listener.name.controlplane-9090.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.controlplane-9090.ssl.truststore.type=PEM", + "listener.name.replication-9091.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.replication-9091.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.replication-9091.ssl.keystore.type=PEM", + "listener.name.replication-9091.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.replication-9091.ssl.truststore.type=PEM", "listener.name.replication-9091.ssl.client.auth=required", "listeners=REPLICATION-9091://0.0.0.0:9091,EXTERNAL-9094://0.0.0.0:9094", "advertised.listeners=REPLICATION-9091://my-cluster-kafka-2.my-cluster-kafka-brokers.my-namespace.svc:9091,EXTERNAL-9094://dummy-advertised-address:1919", @@ -1633,9 +1605,9 @@ public void testWithExternalListenersLoadBalancerWithTls() { "inter.broker.listener.name=REPLICATION-9091", "sasl.enabled.mechanisms=", "ssl.endpoint.identification.algorithm=HTTPS", - "listener.name.external-9094.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.external-9094.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.external-9094.ssl.keystore.type=PKCS12")); + "listener.name.external-9094.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.external-9094.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.external-9094.ssl.keystore.type=PEM")); } @Test 
@@ -1648,23 +1620,21 @@ public void testPerBrokerWithExternalListeners() { .build(); String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION, NODE_REF) - .withListeners("my-cluster", KAFKA_VERSION, "my-namespace", singletonList(listener), listenerId -> "my-lb.com", listenerId -> "9094") + .withListeners("my-cluster", "my-namespace", singletonList(listener), listenerId -> "my-lb.com", listenerId -> "9094") .build(); assertThat(configuration, isEquivalent("node.id=2", "listener.name.controlplane-9090.ssl.client.auth=required", - "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.controlplane-9090.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.keystore.type=PKCS12", - "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.controlplane-9090.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.truststore.type=PKCS12", - "listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.replication-9091.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.keystore.type=PKCS12", - "listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.replication-9091.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.truststore.type=PKCS12", + "listener.name.controlplane-9090.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.controlplane-9090.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.controlplane-9090.ssl.keystore.type=PEM", + 
"listener.name.controlplane-9090.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.controlplane-9090.ssl.truststore.type=PEM", + "listener.name.replication-9091.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.replication-9091.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.replication-9091.ssl.keystore.type=PEM", + "listener.name.replication-9091.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.replication-9091.ssl.truststore.type=PEM", "listener.name.replication-9091.ssl.client.auth=required", "listeners=REPLICATION-9091://0.0.0.0:9091,EXTERNAL-9094://0.0.0.0:9094", "advertised.listeners=REPLICATION-9091://my-cluster-kafka-2.my-cluster-kafka-brokers.my-namespace.svc:9091,EXTERNAL-9094://my-lb.com:9094", @@ -1672,9 +1642,9 @@ public void testPerBrokerWithExternalListeners() { "inter.broker.listener.name=REPLICATION-9091", "sasl.enabled.mechanisms=", "ssl.endpoint.identification.algorithm=HTTPS", - "listener.name.external-9094.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.external-9094.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.external-9094.ssl.keystore.type=PKCS12")); + "listener.name.external-9094.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.external-9094.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.external-9094.ssl.keystore.type=PEM")); } @Test 
@@ -1687,23 +1657,21 @@ public void testWithExternalListenersLoadBalancerWithoutTls() { .build(); String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION, NODE_REF) - .withListeners("my-cluster", KAFKA_VERSION, "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919") + .withListeners("my-cluster", "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919") .build(); assertThat(configuration, isEquivalent("node.id=2", "listener.name.controlplane-9090.ssl.client.auth=required", - "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.controlplane-9090.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.keystore.type=PKCS12", - "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.controlplane-9090.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.truststore.type=PKCS12", - "listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.replication-9091.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.keystore.type=PKCS12", - "listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.replication-9091.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.truststore.type=PKCS12", + "listener.name.controlplane-9090.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.controlplane-9090.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.controlplane-9090.ssl.keystore.type=PEM", + 
"listener.name.controlplane-9090.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.controlplane-9090.ssl.truststore.type=PEM", + "listener.name.replication-9091.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.replication-9091.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.replication-9091.ssl.keystore.type=PEM", + "listener.name.replication-9091.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.replication-9091.ssl.truststore.type=PEM", "listener.name.replication-9091.ssl.client.auth=required", "listeners=REPLICATION-9091://0.0.0.0:9091,EXTERNAL-9094://0.0.0.0:9094", "advertised.listeners=REPLICATION-9091://my-cluster-kafka-2.my-cluster-kafka-brokers.my-namespace.svc:9091,EXTERNAL-9094://dummy-advertised-address:1919", 
@@ -1723,23 +1691,21 @@ public void testWithExternalListenersNodePortWithTls() { .build(); String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION, NODE_REF) - .withListeners("my-cluster", KAFKA_VERSION, "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919") + .withListeners("my-cluster", "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919") .build(); assertThat(configuration, isEquivalent("node.id=2", "listener.name.controlplane-9090.ssl.client.auth=required", - "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.controlplane-9090.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.keystore.type=PKCS12", - "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.controlplane-9090.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.truststore.type=PKCS12", - "listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.replication-9091.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.keystore.type=PKCS12", - "listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.replication-9091.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.truststore.type=PKCS12", + "listener.name.controlplane-9090.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.controlplane-9090.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.controlplane-9090.ssl.keystore.type=PEM", + 
"listener.name.controlplane-9090.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.controlplane-9090.ssl.truststore.type=PEM", + "listener.name.replication-9091.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.replication-9091.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.replication-9091.ssl.keystore.type=PEM", + "listener.name.replication-9091.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.replication-9091.ssl.truststore.type=PEM", "listener.name.replication-9091.ssl.client.auth=required", "listeners=REPLICATION-9091://0.0.0.0:9091,EXTERNAL-9094://0.0.0.0:9094", "advertised.listeners=REPLICATION-9091://my-cluster-kafka-2.my-cluster-kafka-brokers.my-namespace.svc:9091,EXTERNAL-9094://dummy-advertised-address:1919", @@ -1747,9 +1713,9 @@ public void testWithExternalListenersNodePortWithTls() { "inter.broker.listener.name=REPLICATION-9091", "sasl.enabled.mechanisms=", "ssl.endpoint.identification.algorithm=HTTPS", - "listener.name.external-9094.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.external-9094.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.external-9094.ssl.keystore.type=PKCS12")); + "listener.name.external-9094.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.external-9094.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.external-9094.ssl.keystore.type=PEM")); } @Test 
@@ -1762,23 +1728,21 @@ public void testWithExternalListenersNodePortWithoutTls() { .build(); String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION, NODE_REF) - .withListeners("my-cluster", KAFKA_VERSION, "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919") + .withListeners("my-cluster", "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919") .build(); assertThat(configuration, isEquivalent("node.id=2", "listener.name.controlplane-9090.ssl.client.auth=required", - "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.controlplane-9090.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.keystore.type=PKCS12", - "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.controlplane-9090.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.truststore.type=PKCS12", - "listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.replication-9091.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.keystore.type=PKCS12", - "listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.replication-9091.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.truststore.type=PKCS12", + "listener.name.controlplane-9090.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.controlplane-9090.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.controlplane-9090.ssl.keystore.type=PEM", + 
"listener.name.controlplane-9090.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.controlplane-9090.ssl.truststore.type=PEM", + "listener.name.replication-9091.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.replication-9091.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.replication-9091.ssl.keystore.type=PEM", + "listener.name.replication-9091.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.replication-9091.ssl.truststore.type=PEM", "listener.name.replication-9091.ssl.client.auth=required", "listeners=REPLICATION-9091://0.0.0.0:9091,EXTERNAL-9094://0.0.0.0:9094", "advertised.listeners=REPLICATION-9091://my-cluster-kafka-2.my-cluster-kafka-brokers.my-namespace.svc:9091,EXTERNAL-9094://dummy-advertised-address:1919", 
@@ -1798,23 +1762,21 @@ public void testPerBrokerWithExternalListenersNodePortWithoutTls() { .build(); String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION, NODE_REF) - .withListeners("my-cluster", KAFKA_VERSION, "my-namespace", singletonList(listener), listenerId -> "${strimzienv:STRIMZI_NODEPORT_DEFAULT_ADDRESS}", listenerId -> "31234") + .withListeners("my-cluster", "my-namespace", singletonList(listener), listenerId -> "${strimzienv:STRIMZI_NODEPORT_DEFAULT_ADDRESS}", listenerId -> "31234") .build(); assertThat(configuration, isEquivalent("node.id=2", "listener.name.controlplane-9090.ssl.client.auth=required", - "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.controlplane-9090.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.keystore.type=PKCS12", - "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.controlplane-9090.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.truststore.type=PKCS12", - "listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.replication-9091.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.keystore.type=PKCS12", - "listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.replication-9091.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.truststore.type=PKCS12", + "listener.name.controlplane-9090.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.controlplane-9090.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.controlplane-9090.ssl.keystore.type=PEM", + 
"listener.name.controlplane-9090.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.controlplane-9090.ssl.truststore.type=PEM", + "listener.name.replication-9091.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.replication-9091.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.replication-9091.ssl.keystore.type=PEM", + "listener.name.replication-9091.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.replication-9091.ssl.truststore.type=PEM", "listener.name.replication-9091.ssl.client.auth=required", "listeners=REPLICATION-9091://0.0.0.0:9091,EXTERNAL-9094://0.0.0.0:9094", "listener.security.protocol.map=CONTROLPLANE-9090:SSL,REPLICATION-9091:SSL,EXTERNAL-9094:PLAINTEXT", 
@@ -1846,23 +1808,21 @@ public void testWithExternalListenersIngress() { .build(); String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION, NODE_REF) - .withListeners("my-cluster", KAFKA_VERSION, "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919") + .withListeners("my-cluster", "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919") .build(); assertThat(configuration, isEquivalent("node.id=2", "listener.name.controlplane-9090.ssl.client.auth=required", - "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.controlplane-9090.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.keystore.type=PKCS12", - "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.controlplane-9090.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.truststore.type=PKCS12", - "listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.replication-9091.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.keystore.type=PKCS12", - "listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.replication-9091.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.truststore.type=PKCS12", + "listener.name.controlplane-9090.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.controlplane-9090.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.controlplane-9090.ssl.keystore.type=PEM", + 
"listener.name.controlplane-9090.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.controlplane-9090.ssl.truststore.type=PEM", + "listener.name.replication-9091.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.replication-9091.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.replication-9091.ssl.keystore.type=PEM", + "listener.name.replication-9091.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.replication-9091.ssl.truststore.type=PEM", "listener.name.replication-9091.ssl.client.auth=required", "listeners=REPLICATION-9091://0.0.0.0:9091,EXTERNAL-9094://0.0.0.0:9094", "advertised.listeners=REPLICATION-9091://my-cluster-kafka-2.my-cluster-kafka-brokers.my-namespace.svc:9091,EXTERNAL-9094://dummy-advertised-address:1919", @@ -1870,9 +1830,9 @@ public void testWithExternalListenersIngress() { "inter.broker.listener.name=REPLICATION-9091", "sasl.enabled.mechanisms=", "ssl.endpoint.identification.algorithm=HTTPS", - "listener.name.external-9094.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.external-9094.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.external-9094.ssl.keystore.type=PKCS12")); + "listener.name.external-9094.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.external-9094.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.external-9094.ssl.keystore.type=PEM")); } @Test 
@@ -1894,23 +1854,21 @@ public void testWithExternalListenersClusterIPWithTLS() { .build(); String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION, NODE_REF) - .withListeners("my-cluster", KAFKA_VERSION, "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919") + .withListeners("my-cluster", "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919") .build(); assertThat(configuration, isEquivalent("node.id=2", "listener.name.controlplane-9090.ssl.client.auth=required", - "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.controlplane-9090.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.keystore.type=PKCS12", - "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.controlplane-9090.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.truststore.type=PKCS12", - "listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.replication-9091.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.keystore.type=PKCS12", - "listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.replication-9091.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.truststore.type=PKCS12", + "listener.name.controlplane-9090.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.controlplane-9090.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.controlplane-9090.ssl.keystore.type=PEM", + 
"listener.name.controlplane-9090.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.controlplane-9090.ssl.truststore.type=PEM", + "listener.name.replication-9091.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.replication-9091.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.replication-9091.ssl.keystore.type=PEM", + "listener.name.replication-9091.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.replication-9091.ssl.truststore.type=PEM", "listener.name.replication-9091.ssl.client.auth=required", "listeners=REPLICATION-9091://0.0.0.0:9091,EXTERNAL-9094://0.0.0.0:9094", "advertised.listeners=REPLICATION-9091://my-cluster-kafka-2.my-cluster-kafka-brokers.my-namespace.svc:9091,EXTERNAL-9094://dummy-advertised-address:1919", @@ -1918,9 +1876,9 @@ public void testWithExternalListenersClusterIPWithTLS() { "inter.broker.listener.name=REPLICATION-9091", "sasl.enabled.mechanisms=", "ssl.endpoint.identification.algorithm=HTTPS", - "listener.name.external-9094.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.external-9094.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.external-9094.ssl.keystore.type=PKCS12")); + "listener.name.external-9094.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.external-9094.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.external-9094.ssl.keystore.type=PEM")); } @Test 
@@ -1942,23 +1900,21 @@ public void testWithExternalListenersClusterIPWithoutTLS() { .build(); String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION, NODE_REF) - .withListeners("my-cluster", KAFKA_VERSION, "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919") + .withListeners("my-cluster", "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919") .build(); assertThat(configuration, isEquivalent("node.id=2", "listener.name.controlplane-9090.ssl.client.auth=required", - "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.controlplane-9090.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.keystore.type=PKCS12", - "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.controlplane-9090.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.truststore.type=PKCS12", - "listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.replication-9091.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.keystore.type=PKCS12", - "listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.replication-9091.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.truststore.type=PKCS12", + "listener.name.controlplane-9090.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.controlplane-9090.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.controlplane-9090.ssl.keystore.type=PEM", + 
"listener.name.controlplane-9090.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.controlplane-9090.ssl.truststore.type=PEM", + "listener.name.replication-9091.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.replication-9091.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.replication-9091.ssl.keystore.type=PEM", + "listener.name.replication-9091.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.replication-9091.ssl.truststore.type=PEM", "listener.name.replication-9091.ssl.client.auth=required", "listeners=REPLICATION-9091://0.0.0.0:9091,EXTERNAL-9094://0.0.0.0:9094", "advertised.listeners=REPLICATION-9091://my-cluster-kafka-2.my-cluster-kafka-brokers.my-namespace.svc:9091,EXTERNAL-9094://dummy-advertised-address:1919", 
@@ -1999,23 +1955,21 @@ public void testOauthConfiguration() { .build(); String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION, NODE_REF) - .withListeners("my-cluster", KAFKA_VERSION, "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919") + .withListeners("my-cluster", "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919") .build(); assertThat(configuration, isEquivalent("node.id=2", "listener.name.controlplane-9090.ssl.client.auth=required", - "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.controlplane-9090.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.keystore.type=PKCS12", - "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.controlplane-9090.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.truststore.type=PKCS12", - "listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.replication-9091.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.keystore.type=PKCS12", - "listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.replication-9091.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.truststore.type=PKCS12", + "listener.name.controlplane-9090.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.controlplane-9090.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.controlplane-9090.ssl.keystore.type=PEM", + 
"listener.name.controlplane-9090.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.controlplane-9090.ssl.truststore.type=PEM", + "listener.name.replication-9091.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.replication-9091.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.replication-9091.ssl.keystore.type=PEM", + "listener.name.replication-9091.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.replication-9091.ssl.truststore.type=PEM", "listener.name.replication-9091.ssl.client.auth=required", "listeners=REPLICATION-9091://0.0.0.0:9091,PLAIN-9092://0.0.0.0:9092", "advertised.listeners=REPLICATION-9091://my-cluster-kafka-2.my-cluster-kafka-brokers.my-namespace.svc:9091,PLAIN-9092://dummy-advertised-address:1919", 
@@ -2057,23 +2011,21 @@ public void testOauthConfigurationWithPlainOnly() { .build(); String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION, NODE_REF) - .withListeners("my-cluster", KAFKA_VERSION, "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919") + .withListeners("my-cluster", "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919") .build(); assertThat(configuration, isEquivalent("node.id=2", "listener.name.controlplane-9090.ssl.client.auth=required", - "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.controlplane-9090.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.keystore.type=PKCS12", - "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.controlplane-9090.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.truststore.type=PKCS12", - "listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.replication-9091.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.keystore.type=PKCS12", - "listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.replication-9091.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.truststore.type=PKCS12", + "listener.name.controlplane-9090.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.controlplane-9090.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.controlplane-9090.ssl.keystore.type=PEM", + 
"listener.name.controlplane-9090.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.controlplane-9090.ssl.truststore.type=PEM", + "listener.name.replication-9091.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.replication-9091.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.replication-9091.ssl.keystore.type=PEM", + "listener.name.replication-9091.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.replication-9091.ssl.truststore.type=PEM", "listener.name.replication-9091.ssl.client.auth=required", "listeners=REPLICATION-9091://0.0.0.0:9091,PLAIN-9092://0.0.0.0:9092", "advertised.listeners=REPLICATION-9091://my-cluster-kafka-2.my-cluster-kafka-brokers.my-namespace.svc:9091,PLAIN-9092://dummy-advertised-address:1919", 
@@ -2100,23 +2052,21 @@ public void testOauthConfigurationWithoutOptions() { .build(); String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION, NODE_REF) - .withListeners("my-cluster", KAFKA_VERSION, "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919") + .withListeners("my-cluster", "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919") .build(); assertThat(configuration, isEquivalent("node.id=2", "listener.name.controlplane-9090.ssl.client.auth=required", - "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.controlplane-9090.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.keystore.type=PKCS12", - "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.controlplane-9090.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.truststore.type=PKCS12", - "listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.replication-9091.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.keystore.type=PKCS12", - "listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.replication-9091.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.truststore.type=PKCS12", + "listener.name.controlplane-9090.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.controlplane-9090.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.controlplane-9090.ssl.keystore.type=PEM", + 
"listener.name.controlplane-9090.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.controlplane-9090.ssl.truststore.type=PEM", + "listener.name.replication-9091.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.replication-9091.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.replication-9091.ssl.keystore.type=PEM", + "listener.name.replication-9091.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.replication-9091.ssl.truststore.type=PEM", "listener.name.replication-9091.ssl.client.auth=required", "listeners=REPLICATION-9091://0.0.0.0:9091,PLAIN-9092://0.0.0.0:9092", "advertised.listeners=REPLICATION-9091://my-cluster-kafka-2.my-cluster-kafka-brokers.my-namespace.svc:9091,PLAIN-9092://dummy-advertised-address:1919", 
@@ -2153,23 +2103,21 @@ public void testOauthConfigurationWithTlsConfig() { .build(); String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION, NODE_REF) - .withListeners("my-cluster", KAFKA_VERSION, "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919") + .withListeners("my-cluster", "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919") .build(); assertThat(configuration, isEquivalent("node.id=2", "listener.name.controlplane-9090.ssl.client.auth=required", - "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.controlplane-9090.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.keystore.type=PKCS12", - "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.controlplane-9090.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.truststore.type=PKCS12", - "listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.replication-9091.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.keystore.type=PKCS12", - "listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.replication-9091.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.truststore.type=PKCS12", + "listener.name.controlplane-9090.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.controlplane-9090.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.controlplane-9090.ssl.keystore.type=PEM", + 
"listener.name.controlplane-9090.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.controlplane-9090.ssl.truststore.type=PEM", + "listener.name.replication-9091.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.replication-9091.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.replication-9091.ssl.keystore.type=PEM", + "listener.name.replication-9091.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.replication-9091.ssl.truststore.type=PEM", "listener.name.replication-9091.ssl.client.auth=required", "listeners=REPLICATION-9091://0.0.0.0:9091,PLAIN-9092://0.0.0.0:9092", "advertised.listeners=REPLICATION-9091://my-cluster-kafka-2.my-cluster-kafka-brokers.my-namespace.svc:9091,PLAIN-9092://dummy-advertised-address:1919", 
@@ -2204,23 +2152,21 @@ public void testOauthConfigurationWithClientSecret() { .build(); String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION, NODE_REF) - .withListeners("my-cluster", KAFKA_VERSION, "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919") + .withListeners("my-cluster", "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919") .build(); assertThat(configuration, isEquivalent("node.id=2", "listener.name.controlplane-9090.ssl.client.auth=required", - "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.controlplane-9090.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.keystore.type=PKCS12", - "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.controlplane-9090.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.truststore.type=PKCS12", - "listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.replication-9091.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.keystore.type=PKCS12", - "listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.replication-9091.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.truststore.type=PKCS12", + "listener.name.controlplane-9090.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.controlplane-9090.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.controlplane-9090.ssl.keystore.type=PEM", + 
"listener.name.controlplane-9090.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.controlplane-9090.ssl.truststore.type=PEM", + "listener.name.replication-9091.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.replication-9091.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.replication-9091.ssl.keystore.type=PEM", + "listener.name.replication-9091.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.replication-9091.ssl.truststore.type=PEM", "listener.name.replication-9091.ssl.client.auth=required", "listeners=REPLICATION-9091://0.0.0.0:9091,PLAIN-9092://0.0.0.0:9092", "advertised.listeners=REPLICATION-9091://my-cluster-kafka-2.my-cluster-kafka-brokers.my-namespace.svc:9091,PLAIN-9092://dummy-advertised-address:1919", @@ -2328,7 +2274,7 @@ public void testCustomAuthConfigSetProtocolMapCorrectlyForsSslSasl() { .build(); String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION, NODE_REF) - .withListeners("my-cluster", KAFKA_VERSION, "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919") + .withListeners("my-cluster", "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919") .build(); assertThat(configuration, containsString("listener.security.protocol.map=CONTROLPLANE-9090:SSL,REPLICATION-9091:SSL,CUSTOM-LISTENER-9092:SASL_SSL")); 
@@ -2348,7 +2294,7 @@ public void testCustomAuthConfigSetProtocolMapCorrectlyForPlainSasl() { .build(); String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION, NODE_REF) - .withListeners("my-cluster", KAFKA_VERSION, "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919") + .withListeners("my-cluster", "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919") .build(); assertThat(configuration, containsString("listener.security.protocol.map=CONTROLPLANE-9090:SSL,REPLICATION-9091:SSL,CUSTOM-LISTENER-9092:SASL_PLAINTEXT")); @@ -2369,7 +2315,7 @@ public void testCustomAuthConfigSetProtocolMapCorrectlyForPlain() { .build(); String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION, NODE_REF) - .withListeners("my-cluster", KAFKA_VERSION, "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919") + .withListeners("my-cluster", "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919") .build(); assertThat(configuration, containsString("listener.security.protocol.map=CONTROLPLANE-9090:SSL,REPLICATION-9091:SSL,CUSTOM-LISTENER-9092:PLAINTEXT")); @@ -2389,7 +2335,7 @@ public void testCustomAuthConfigRemovesForbiddenPrefixes() { .build(); String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION, NODE_REF) - .withListeners("my-cluster", KAFKA_VERSION, "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919") + .withListeners("my-cluster", "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919") .build(); assertThat(configuration, not(containsString("ssl.keystore.path"))); 
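Review bot: testCustomAuthConfigRemovesForbiddenPrefixes still only asserts that a user-supplied `ssl.keystore.path` is dropped, while the keys the operator now manages per listener are `ssl.keystore.key`, `ssl.keystore.certificate.chain` and `ssl.truststore.certificates` (see the expected lists in the neighbouring hunks). If the forbidden-prefix list is maintained per key rather than as a blanket `ssl.keystore.`/`ssl.truststore.` prefix, a custom-auth config could replace the node's PEM key or its trusted CAs, so this test should seed those three keys with a marker value in the listener's custom config and assert the marker does not survive into the generated configuration. The test method starts and ends outside the hunk.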
@@ -2414,27 +2360,25 @@ public void testCustomAuthConfigPrefixesUserProvidedConfig() { .build(); String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION, NODE_REF) - .withListeners("my-cluster", KAFKA_VERSION, "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919") + .withListeners("my-cluster", "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919") .build(); assertThat(configuration, isEquivalent("node.id=2", "listener.name.controlplane-9090.ssl.client.auth=required", - "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.controlplane-9090.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.keystore.type=PKCS12", - "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.controlplane-9090.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.truststore.type=PKCS12", - "listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.replication-9091.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.keystore.type=PKCS12", - "listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.replication-9091.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.truststore.type=PKCS12", + "listener.name.controlplane-9090.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.controlplane-9090.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.controlplane-9090.ssl.keystore.type=PEM", + 
"listener.name.controlplane-9090.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.controlplane-9090.ssl.truststore.type=PEM", + "listener.name.replication-9091.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.replication-9091.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.replication-9091.ssl.keystore.type=PEM", + "listener.name.replication-9091.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.replication-9091.ssl.truststore.type=PEM", "listener.name.replication-9091.ssl.client.auth=required", - "listener.name.custom-listener-9092.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.custom-listener-9092.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.custom-listener-9092.ssl.keystore.type=PKCS12", + "listener.name.custom-listener-9092.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.custom-listener-9092.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.custom-listener-9092.ssl.keystore.type=PEM", "listeners=REPLICATION-9091://0.0.0.0:9091,CUSTOM-LISTENER-9092://0.0.0.0:9092", "advertised.listeners=REPLICATION-9091://my-cluster-kafka-2.my-cluster-kafka-brokers.my-namespace.svc:9091,CUSTOM-LISTENER-9092://dummy-advertised-address:1919", "listener.security.protocol.map=CONTROLPLANE-9090:SSL,REPLICATION-9091:SSL,CUSTOM-LISTENER-9092:SASL_SSL", 
@@ -2466,27 +2410,25 @@ public void testCustomTlsAuth() { .build(); String configuration = new KafkaBrokerConfigurationBuilder(Reconciliation.DUMMY_RECONCILIATION, NODE_REF) - .withListeners("my-cluster", KAFKA_VERSION, "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919") + .withListeners("my-cluster", "my-namespace", singletonList(listener), listenerId -> "dummy-advertised-address", listenerId -> "1919") .build(); assertThat(configuration, isEquivalent("node.id=2", "listener.name.controlplane-9090.ssl.client.auth=required", - "listener.name.controlplane-9090.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.controlplane-9090.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.keystore.type=PKCS12", - "listener.name.controlplane-9090.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.controlplane-9090.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.controlplane-9090.ssl.truststore.type=PKCS12", - "listener.name.replication-9091.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.replication-9091.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.keystore.type=PKCS12", - "listener.name.replication-9091.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "listener.name.replication-9091.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.replication-9091.ssl.truststore.type=PKCS12", + "listener.name.controlplane-9090.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.controlplane-9090.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.controlplane-9090.ssl.keystore.type=PEM", + 
"listener.name.controlplane-9090.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.controlplane-9090.ssl.truststore.type=PEM", + "listener.name.replication-9091.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.replication-9091.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.replication-9091.ssl.keystore.type=PEM", + "listener.name.replication-9091.ssl.truststore.certificates=${strimzisecrets:namespace/my-cluster-cluster-ca-cert:*.crt}", + "listener.name.replication-9091.ssl.truststore.type=PEM", "listener.name.replication-9091.ssl.client.auth=required", - "listener.name.custom-listener-9092.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "listener.name.custom-listener-9092.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "listener.name.custom-listener-9092.ssl.keystore.type=PKCS12", + "listener.name.custom-listener-9092.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "listener.name.custom-listener-9092.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "listener.name.custom-listener-9092.ssl.keystore.type=PEM", "listener.name.custom-listener-9092.ssl.truststore.location=/opt/kafka/custom-authn-secrets/custom-listener-external-9094/custom-truststore/ca.crt", "listener.name.custom-listener-9092.ssl.truststore.type=PEM", "listener.name.custom-listener-9092.ssl.client.auth=required", 
@@ -2530,12 +2472,11 @@ public void testWithTieredStorage() { "remote.log.metadata.manager.listener.name=REPLICATION-9091", "rlmm.config.remote.log.metadata.common.client.bootstrap.servers=test-cluster-1-kafka-brokers:9091", "rlmm.config.remote.log.metadata.common.client.security.protocol=SSL", - "rlmm.config.remote.log.metadata.common.client.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "rlmm.config.remote.log.metadata.common.client.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "rlmm.config.remote.log.metadata.common.client.ssl.keystore.type=PKCS12", - "rlmm.config.remote.log.metadata.common.client.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "rlmm.config.remote.log.metadata.common.client.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "rlmm.config.remote.log.metadata.common.client.ssl.truststore.type=PKCS12", + "rlmm.config.remote.log.metadata.common.client.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "rlmm.config.remote.log.metadata.common.client.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "rlmm.config.remote.log.metadata.common.client.ssl.keystore.type=PEM", + "rlmm.config.remote.log.metadata.common.client.ssl.truststore.certificates=${strimzisecrets:namespace/test-cluster-1-cluster-ca-cert:*.crt}", + "rlmm.config.remote.log.metadata.common.client.ssl.truststore.type=PEM", "remote.log.storage.manager.class.name=com.example.kafka.tiered.storage.s3.S3RemoteStorageManager", "remote.log.storage.manager.class.path=/opt/kafka/plugins/tiered-storage-s3/*", "remote.log.storage.manager.impl.prefix=rsm.config.", 
@@ -2581,12 +2522,11 @@ public void testWithStrimziQuotas() { "client.quota.callback.class=io.strimzi.kafka.quotas.StaticQuotaCallback", "client.quota.callback.static.kafka.admin.bootstrap.servers=my-personal-cluster-kafka-brokers:9091", "client.quota.callback.static.kafka.admin.security.protocol=SSL", - "client.quota.callback.static.kafka.admin.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12", - "client.quota.callback.static.kafka.admin.ssl.keystore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "client.quota.callback.static.kafka.admin.ssl.keystore.type=PKCS12", - "client.quota.callback.static.kafka.admin.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12", - "client.quota.callback.static.kafka.admin.ssl.truststore.password=${strimzienv:CERTS_STORE_PASSWORD}", - "client.quota.callback.static.kafka.admin.ssl.truststore.type=PKCS12", + "client.quota.callback.static.kafka.admin.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.crt}", + "client.quota.callback.static.kafka.admin.ssl.keystore.key=${strimzisecrets:namespace/my-cluster-kafka-2:my-cluster-kafka-2.key}", + "client.quota.callback.static.kafka.admin.ssl.keystore.type=PEM", + "client.quota.callback.static.kafka.admin.ssl.truststore.certificates=${strimzisecrets:namespace/my-personal-cluster-cluster-ca-cert:*.crt}", + "client.quota.callback.static.kafka.admin.ssl.truststore.type=PEM", "client.quota.callback.static.produce=1000", "client.quota.callback.static.fetch=1000", "client.quota.callback.static.storage.per.volume.limit.min.available.bytes=200000", 
@@ -2645,13 +2585,14 @@ public void testDefaultMinInSyncReplicasWhenNotSpecified() { .build(); assertThat(configuration, isEquivalent("node.id=2", - "config.providers=strimzienv,strimzifile,strimzidir", + "config.providers=strimzienv,strimzisecrets,strimzifile,strimzidir", "config.providers.strimzienv.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider", "config.providers.strimzienv.param.allowlist.pattern=.*", "config.providers.strimzifile.class=org.apache.kafka.common.config.provider.FileConfigProvider", "config.providers.strimzifile.param.allowed.paths=/opt/kafka", "config.providers.strimzidir.class=org.apache.kafka.common.config.provider.DirectoryConfigProvider", "config.providers.strimzidir.param.allowed.paths=/opt/kafka", + "config.providers.strimzisecrets.class=io.strimzi.kafka.KubernetesSecretConfigProvider", "min.insync.replicas=1", "auto.create.topics.enable=false", "offsets.topic.replication.factor=3")); diff --git a/cluster-operator/src/test/java/io/strimzi/operator/cluster/model/KafkaClusterListenersTest.java b/cluster-operator/src/test/java/io/strimzi/operator/cluster/model/KafkaClusterListenersTest.java index 91084352683..44a66f873a9 100644 --- a/cluster-operator/src/test/java/io/strimzi/operator/cluster/model/KafkaClusterListenersTest.java +++ b/cluster-operator/src/test/java/io/strimzi/operator/cluster/model/KafkaClusterListenersTest.java @@ -45,7 +45,9 @@ import java.util.List; import java.util.Map; +import static org.hamcrest.CoreMatchers.containsString; import static org.hamcrest.CoreMatchers.is; +import static org.hamcrest.CoreMatchers.not; import static org.hamcrest.CoreMatchers.notNullValue; import static org.hamcrest.CoreMatchers.nullValue; import static org.hamcrest.CoreMatchers.startsWith; 
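Review bot: The new expectation registers `config.providers.strimzisecrets.class=io.strimzi.kafka.KubernetesSecretConfigProvider` with no scoping parameter, whereas the file and directory providers on the adjacent context lines are pinned with `allowed.paths=/opt/kafka` and the env provider with `allowlist.pattern`. Since this provider presumably resolves `${strimzisecrets:namespace/name:key}` through the Kubernetes API under the node's service account, what bounds it is the RBAC granted to that service account rather than anything in this configuration, and that is invisible here; the expected list would be easier to audit with a comment such as `// strimzisecrets has no allow-list parameter here; its reach is bounded by the Kafka node's Role/RoleBinding`. If the provider does offer an allow-list parameter comparable to `allowed.paths`, it should be set and asserted alongside the others, because user-supplied broker configuration likely passes through the same provider chain.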
@@ -124,6 +126,21 @@ public class KafkaClusterListenersTest {
 .endSpec()
 .build();
 
+ private final static Map> ADVERTISED_HOSTNAMES = Map.of(
+ 3, Map.of("PLAIN_9092", "mixed-3", "TLS_9093", "mixed-3", "EXTERNAL_9094", "mixed-3"),
+ 4, Map.of("PLAIN_9092", "mixed-4", "TLS_9093", "mixed-4", "EXTERNAL_9094", "mixed-4"),
+ 5, Map.of("PLAIN_9092", "broker-5", "TLS_9093", "broker-5", "EXTERNAL_9094", "broker-5"),
+ 6, Map.of("PLAIN_9092", "broker-6", "TLS_9093", "broker-6", "EXTERNAL_9094", "broker-6"),
+ 7, Map.of("PLAIN_9092", "broker-7", "TLS_9093", "broker-7", "EXTERNAL_9094", "broker-7")
+ );
+ private final static Map> ADVERTISED_PORTS = Map.of(
+ 3, Map.of("PLAIN_9092", "9092", "TLS_9093", "10003", "EXTERNAL_9094", "20003"),
+ 4, Map.of("PLAIN_9092", "9092", "TLS_9093", "10004", "EXTERNAL_9094", "20004"),
+ 5, Map.of("PLAIN_9092", "9092", "TLS_9093", "10005", "EXTERNAL_9094", "20005"),
+ 6, Map.of("PLAIN_9092", "9092", "TLS_9093", "10006", "EXTERNAL_9094", "20006"),
+ 7, Map.of("PLAIN_9092", "9092", "TLS_9093", "10007", "EXTERNAL_9094", "20007")
+ );
+
 //////////
 // Utility methods
 //////////
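Review bot: The two new constants are declared `private final static`, the reverse of the `private static final` order the JLS recommends and the order the file's other constants most likely use; `private static final Map<Integer, Map<String, String>> ADVERTISED_HOSTNAMES = Map.of(` (the type parameters are lost in this rendering but follow from the literals). Both maps also stop at node 7 and omit the controller node 0, so the tests further down build `Map.of(0, Map.of("CONTROLPLANE_9090", "controller-0"))` inline each time; adding the controller entries to these shared fixtures would let every call site use the same maps.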
@@ -2307,33 +2324,14 @@ public void testExternalCertificateIngress() {
 .build();
 List pools = NodePoolUtils.createKafkaPools(Reconciliation.DUMMY_RECONCILIATION, kafkaAssembly, List.of(POOL_CONTROLLERS, POOL_MIXED, POOL_BROKERS), Map.of(), KafkaVersionTestUtils.DEFAULT_KRAFT_VERSION_CHANGE, SHARED_ENV_PROVIDER);
 KafkaCluster kc = KafkaCluster.fromCrd(Reconciliation.DUMMY_RECONCILIATION, kafkaAssembly, pools, VERSIONS, KafkaVersionTestUtils.DEFAULT_KRAFT_VERSION_CHANGE, null, SHARED_ENV_PROVIDER);
- List podSets = kc.generatePodSets(true, null, null, node -> Map.of());
-
- podSets.stream().forEach(podSet -> PodSetUtils.podSetToPods(podSet).stream().forEach(pod -> {
- // Volumes
- List volumes = pod.getSpec().getVolumes();
- Volume vol = volumes.stream().filter(v -> "custom-external-9094-certs".equals(v.getName())).findFirst().orElse(null);
+ String brokerConfig = kc.generatePerBrokerConfiguration(5, ADVERTISED_HOSTNAMES, ADVERTISED_PORTS);
 
- // Volume mounts
- Container container = pod.getSpec().getContainers().stream().findFirst().orElseThrow();
- VolumeMount mount = container.getVolumeMounts().stream().filter(v -> "custom-external-9094-certs".equals(v.getName())).findFirst().orElse(null);
+ assertThat(brokerConfig, is(containsString("listener.name.external-9094.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-secret:my-external-cert.crt}")));
+ assertThat(brokerConfig, is(containsString("listener.name.external-9094.ssl.keystore.key=${strimzisecrets:namespace/my-secret:my.key}")));
+ assertThat(brokerConfig, is(containsString("listener.name.external-9094.ssl.keystore.type=PEM")));
 
- if (pod.getMetadata().getName().startsWith(CLUSTER + "-controllers")) {
- assertThat(vol, is(nullValue()));
- assertThat(mount, is(nullValue()));
- } else {
- assertThat(vol, is(notNullValue()));
- assertThat(vol.getSecret().getSecretName(), is(secret));
- assertThat(vol.getSecret().getItems().get(0).getKey(), is(key));
- assertThat(vol.getSecret().getItems().get(0).getPath(), is("tls.key"));
- assertThat(vol.getSecret().getItems().get(1).getKey(), is(cert));
- assertThat(vol.getSecret().getItems().get(1).getPath(), is("tls.crt"));
-
- assertThat(mount, is(notNullValue()));
- assertThat(mount.getName(), is("custom-external-9094-certs"));
- assertThat(mount.getMountPath(), is("/opt/kafka/certificates/custom-external-9094-certs"));
- }
- }));
+ String controllerConfig = kc.generatePerBrokerConfiguration(0, Map.of(0, Map.of("CONTROLPLANE_9090", "controller-0")), Map.of(0, Map.of("CONTROLPLANE_9090", "9090")));
+ assertThat(controllerConfig, not(containsString("listener.name.external-9094")));
 }
 
 @Test
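Review bot: The three new `containsString` assertions hard-code `my-secret`, `my-external-cert.crt` and `my.key`, whereas the assertions they replace compared against the `secret`, `cert` and `key` locals declared earlier in the method (the method starts outside this hunk); if those locals are still declared they are now unused, and the expectation is no longer tied to the fixture that configures the listener. Building the expected string from them keeps the two in step, e.g. `assertThat(brokerConfig, is(containsString("listener.name.external-9094.ssl.keystore.key=${strimzisecrets:namespace/" + secret + ":" + key + "}")));` and likewise for the certificate chain. The same applies to testCustomCertificateTls in the next hunk.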
@@ -2363,32 +2361,13 @@ public void testCustomCertificateTls() {
 .build();
 List pools = NodePoolUtils.createKafkaPools(Reconciliation.DUMMY_RECONCILIATION, kafkaAssembly, List.of(POOL_CONTROLLERS, POOL_MIXED, POOL_BROKERS), Map.of(), KafkaVersionTestUtils.DEFAULT_KRAFT_VERSION_CHANGE, SHARED_ENV_PROVIDER);
 KafkaCluster kc = KafkaCluster.fromCrd(Reconciliation.DUMMY_RECONCILIATION, kafkaAssembly, pools, VERSIONS, KafkaVersionTestUtils.DEFAULT_KRAFT_VERSION_CHANGE, null, SHARED_ENV_PROVIDER);
- List podSets = kc.generatePodSets(true, null, null, node -> Map.of());
-
- podSets.stream().forEach(podSet -> PodSetUtils.podSetToPods(podSet).stream().forEach(pod -> {
- // Test volumes
- List volumes = pod.getSpec().getVolumes();
- Volume vol = volumes.stream().filter(v -> "custom-tls-9093-certs".equals(v.getName())).findFirst().orElse(null);
+ String mixedConfig = kc.generatePerBrokerConfiguration(4, ADVERTISED_HOSTNAMES, ADVERTISED_PORTS);
 
- // Test volume mounts
- Container container = pod.getSpec().getContainers().stream().findAny().orElseThrow();
- VolumeMount mount = container.getVolumeMounts().stream().filter(v -> "custom-tls-9093-certs".equals(v.getName())).findFirst().orElse(null);
+ assertThat(mixedConfig, is(containsString("listener.name.tls-9093.ssl.keystore.certificate.chain=${strimzisecrets:namespace/my-secret:my-external-cert.crt}")));
+ assertThat(mixedConfig, is(containsString("listener.name.tls-9093.ssl.keystore.key=${strimzisecrets:namespace/my-secret:my.key}")));
+ assertThat(mixedConfig, is(containsString("listener.name.tls-9093.ssl.keystore.type=PEM")));
 
- if (pod.getMetadata().getName().startsWith(CLUSTER + "-controllers")) {
- assertThat(vol, is(nullValue()));
- assertThat(mount, is(nullValue()));
- } else {
- assertThat(vol, is(notNullValue()));
- assertThat(vol.getSecret().getSecretName(), is(secret));
- assertThat(vol.getSecret().getItems().get(0).getKey(), is(key));
- assertThat(vol.getSecret().getItems().get(0).getPath(), is("tls.key"));
- assertThat(vol.getSecret().getItems().get(1).getKey(), is(cert));
- assertThat(vol.getSecret().getItems().get(1).getPath(), is("tls.crt"));
-
- assertThat(mount, is(notNullValue()));
- assertThat(mount.getName(), is("custom-tls-9093-certs"));
- assertThat(mount.getMountPath(), is("/opt/kafka/certificates/custom-tls-9093-certs"));
- }
- }));
+ String controllerConfig = kc.generatePerBrokerConfiguration(0, Map.of(0, Map.of("CONTROLPLANE_9090", "controller-0")), Map.of(0, Map.of("CONTROLPLANE_9090", "9090")));
+ assertThat(controllerConfig, not(containsString("listener.name.tls-9093")));
 }
 }
diff --git a/cluster-operator/src/test/java/io/strimzi/operator/cluster/model/KafkaClusterTest.java b/cluster-operator/src/test/java/io/strimzi/operator/cluster/model/KafkaClusterTest.java
index 38bb339786c..3cf2336baf0 100644
--- a/cluster-operator/src/test/java/io/strimzi/operator/cluster/model/KafkaClusterTest.java
+++ b/cluster-operator/src/test/java/io/strimzi/operator/cluster/model/KafkaClusterTest.java
@@ -1179,6 +1179,12 @@ public void testPerBrokerConfiguration() {
 assertThat(config, CoreMatchers.containsString("advertised.listeners=CONTROLPLANE-9090://foo-controllers-1.foo-kafka-brokers.test.svc:9090\n"));
 assertThat(config, CoreMatchers.containsString("process.roles=controller\n"));
 assertThat(config, CoreMatchers.containsString("controller.quorum.voters=0@foo-controllers-0.foo-kafka-brokers.test.svc.cluster.local:9090,1@foo-controllers-1.foo-kafka-brokers.test.svc.cluster.local:9090,2@foo-controllers-2.foo-kafka-brokers.test.svc.cluster.local:9090,3@foo-mixed-3.foo-kafka-brokers.test.svc.cluster.local:9090,4@foo-mixed-4.foo-kafka-brokers.test.svc.cluster.local:9090\n"));
+ assertThat(config, CoreMatchers.containsString("listener.name.controlplane-9090.ssl.keystore.certificate.chain=${strimzisecrets:namespace/foo-controllers-1:foo-controllers-1.crt}"));
+ assertThat(config, CoreMatchers.containsString("listener.name.controlplane-9090.ssl.keystore.key=${strimzisecrets:namespace/foo-controllers-1:foo-controllers-1.key}"));
+ assertThat(config, CoreMatchers.containsString("listener.name.controlplane-9090.ssl.keystore.type=PEM"));
+ assertThat(config, CoreMatchers.containsString("listener.name.controlplane-9090.ssl.truststore.certificates=${strimzisecrets:namespace/foo-cluster-ca-cert:*.crt}"));
+ assertThat(config, CoreMatchers.containsString("listener.name.controlplane-9090.ssl.truststore.type=PEM"));
+ assertThat(config, CoreMatchers.containsString("listener.name.controlplane-9090.ssl.client.auth=required"));
 
 config = KC.generatePerBrokerConfiguration(4, ADVERTISED_HOSTNAMES, ADVERTISED_PORTS);
 assertThat(config, CoreMatchers.containsString("node.id=4"));
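Review bot: The added assertions only establish that the PEM entries are present; nothing in this hunk, nor in the two following hunks of testPerBrokerConfiguration for nodes 4 and 6, verifies that the previous PKCS12 keystore settings and the `${strimzienv:CERTS_STORE_PASSWORD}` placeholder are gone, so a builder that still emitted both forms would pass unchanged. A negative check next to the positive ones per node closes that gap, e.g. `assertThat(config, CoreMatchers.not(CoreMatchers.containsString("ssl.keystore.location")));` and `assertThat(config, CoreMatchers.not(CoreMatchers.containsString("ssl.keystore.password")));`. The method begins before this hunk.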
@@ -1187,6 +1193,18 @@ public void testPerBrokerConfiguration() {
 assertThat(config, CoreMatchers.containsString("advertised.listeners=CONTROLPLANE-9090://foo-mixed-4.foo-kafka-brokers.test.svc:9090,REPLICATION-9091://foo-mixed-4.foo-kafka-brokers.test.svc:9091,PLAIN-9092://mixed-4:9092,TLS-9093://mixed-4:10004\n"));
 assertThat(config, CoreMatchers.containsString("process.roles=broker,controller\n"));
 assertThat(config, CoreMatchers.containsString("controller.quorum.voters=0@foo-controllers-0.foo-kafka-brokers.test.svc.cluster.local:9090,1@foo-controllers-1.foo-kafka-brokers.test.svc.cluster.local:9090,2@foo-controllers-2.foo-kafka-brokers.test.svc.cluster.local:9090,3@foo-mixed-3.foo-kafka-brokers.test.svc.cluster.local:9090,4@foo-mixed-4.foo-kafka-brokers.test.svc.cluster.local:9090\n"));
+ assertThat(config, CoreMatchers.containsString("listener.name.controlplane-9090.ssl.keystore.certificate.chain=${strimzisecrets:namespace/foo-mixed-4:foo-mixed-4.crt}"));
+ assertThat(config, CoreMatchers.containsString("listener.name.controlplane-9090.ssl.keystore.key=${strimzisecrets:namespace/foo-mixed-4:foo-mixed-4.key}"));
+ assertThat(config, CoreMatchers.containsString("listener.name.controlplane-9090.ssl.keystore.type=PEM"));
+ assertThat(config, CoreMatchers.containsString("listener.name.controlplane-9090.ssl.truststore.certificates=${strimzisecrets:namespace/foo-cluster-ca-cert:*.crt}"));
+ assertThat(config, CoreMatchers.containsString("listener.name.controlplane-9090.ssl.truststore.type=PEM"));
+ assertThat(config, CoreMatchers.containsString("listener.name.controlplane-9090.ssl.client.auth=required"));
+ assertThat(config, CoreMatchers.containsString("listener.name.replication-9091.ssl.keystore.certificate.chain=${strimzisecrets:namespace/foo-mixed-4:foo-mixed-4.crt}"));
+ assertThat(config, CoreMatchers.containsString("listener.name.replication-9091.ssl.keystore.key=${strimzisecrets:namespace/foo-mixed-4:foo-mixed-4.key}"));
+ assertThat(config, CoreMatchers.containsString("listener.name.replication-9091.ssl.keystore.type=PEM"));
+ assertThat(config, CoreMatchers.containsString("listener.name.replication-9091.ssl.truststore.certificates=${strimzisecrets:namespace/foo-cluster-ca-cert:*.crt}"));
+ assertThat(config, CoreMatchers.containsString("listener.name.replication-9091.ssl.truststore.type=PEM"));
+ assertThat(config, CoreMatchers.containsString("listener.name.replication-9091.ssl.client.auth=required"));
 
 config = KC.generatePerBrokerConfiguration(6, ADVERTISED_HOSTNAMES, ADVERTISED_PORTS);
 assertThat(config, CoreMatchers.containsString("node.id=6"));
@@ -1195,6 +1213,13 @@ public void testPerBrokerConfiguration() {
 assertThat(config, CoreMatchers.containsString("advertised.listeners=REPLICATION-9091://foo-brokers-6.foo-kafka-brokers.test.svc:9091,PLAIN-9092://broker-6:9092,TLS-9093://broker-6:10006\n"));
 assertThat(config, CoreMatchers.containsString("process.roles=broker\n"));
 assertThat(config, CoreMatchers.containsString("controller.quorum.voters=0@foo-controllers-0.foo-kafka-brokers.test.svc.cluster.local:9090,1@foo-controllers-1.foo-kafka-brokers.test.svc.cluster.local:9090,2@foo-controllers-2.foo-kafka-brokers.test.svc.cluster.local:9090,3@foo-mixed-3.foo-kafka-brokers.test.svc.cluster.local:9090,4@foo-mixed-4.foo-kafka-brokers.test.svc.cluster.local:9090\n"));
+ assertThat(config, CoreMatchers.containsString("listener.name.replication-9091.ssl.keystore.certificate.chain=${strimzisecrets:namespace/foo-brokers-6:foo-brokers-6.crt}"));
+ assertThat(config, CoreMatchers.containsString("listener.name.replication-9091.ssl.keystore.key=${strimzisecrets:namespace/foo-brokers-6:foo-brokers-6.key}"));
+ assertThat(config, CoreMatchers.containsString("listener.name.replication-9091.ssl.keystore.key=${strimzisecrets:namespace/foo-brokers-6:foo-brokers-6.key}"));
+ assertThat(config, CoreMatchers.containsString("listener.name.replication-9091.ssl.keystore.type=PEM"));
+ assertThat(config, CoreMatchers.containsString("listener.name.replication-9091.ssl.truststore.certificates=${strimzisecrets:namespace/foo-cluster-ca-cert:*.crt}"));
+ assertThat(config, CoreMatchers.containsString("listener.name.replication-9091.ssl.truststore.type=PEM"));
+ assertThat(config, CoreMatchers.containsString("listener.name.replication-9091.ssl.client.auth=required"));
 }
 
 @Test
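Review bot: The assertion `assertThat(config, CoreMatchers.containsString("listener.name.replication-9091.ssl.keystore.key=${strimzisecrets:namespace/foo-brokers-6:foo-brokers-6.key}"));` is added twice in succession for node 6; the duplicate adds no coverage and reads like a copy-paste slip, so drop the second copy, or if a different property was intended for that line, replace it with the intended one.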
@@ -3411,32 +3436,20 @@ public void testPodSet() {
 assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(0).getMountPath(), is("/var/lib/kafka/data-0"));
 assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(1).getName(), is(VolumeUtils.STRIMZI_TMP_DIRECTORY_DEFAULT_VOLUME_NAME));
 assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(1).getMountPath(), is(VolumeUtils.STRIMZI_TMP_DIRECTORY_DEFAULT_MOUNT_PATH));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(2).getName(), is(KafkaCluster.CLUSTER_CA_CERTS_VOLUME));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(2).getMountPath(), is(KafkaCluster.CLUSTER_CA_CERTS_VOLUME_MOUNT));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(3).getName(), is(KafkaCluster.BROKER_CERTS_VOLUME));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(3).getMountPath(), is(KafkaCluster.BROKER_CERTS_VOLUME_MOUNT));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(4).getName(), is(KafkaCluster.CLIENT_CA_CERTS_VOLUME));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(4).getMountPath(), is(KafkaCluster.CLIENT_CA_CERTS_VOLUME_MOUNT));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(5).getName(), is("kafka-metrics-and-logging"));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(5).getMountPath(), is("/opt/kafka/custom-config/"));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(6).getName(), is("ready-files"));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(6).getMountPath(), is("/var/opt/kafka"));
-
- assertThat(pod.getSpec().getVolumes().size(), is(7));
+ assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(2).getName(), is("kafka-metrics-and-logging"));
+ assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(2).getMountPath(), is("/opt/kafka/custom-config/"));
+ assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(3).getName(), is("ready-files"));
+ assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(3).getMountPath(), is("/var/opt/kafka"));
+
+ assertThat(pod.getSpec().getVolumes().size(), is(4));
 assertThat(pod.getSpec().getVolumes().get(0).getName(), is("data-0"));
 assertThat(pod.getSpec().getVolumes().get(0).getPersistentVolumeClaim(), is(notNullValue()));
 assertThat(pod.getSpec().getVolumes().get(1).getName(), is(VolumeUtils.STRIMZI_TMP_DIRECTORY_DEFAULT_VOLUME_NAME));
 assertThat(pod.getSpec().getVolumes().get(1).getEmptyDir(), is(notNullValue()));
- assertThat(pod.getSpec().getVolumes().get(2).getName(), is(KafkaCluster.CLUSTER_CA_CERTS_VOLUME));
- assertThat(pod.getSpec().getVolumes().get(2).getSecret().getSecretName(), is("foo-cluster-ca-cert"));
- assertThat(pod.getSpec().getVolumes().get(3).getName(), is(KafkaCluster.BROKER_CERTS_VOLUME));
- assertThat(pod.getSpec().getVolumes().get(3).getSecret().getSecretName(), is(pod.getMetadata().getName()));
- assertThat(pod.getSpec().getVolumes().get(4).getName(), is(KafkaCluster.CLIENT_CA_CERTS_VOLUME));
- assertThat(pod.getSpec().getVolumes().get(4).getSecret().getSecretName(), is("foo-clients-ca-cert"));
- assertThat(pod.getSpec().getVolumes().get(5).getName(), is("kafka-metrics-and-logging"));
- assertThat(pod.getSpec().getVolumes().get(5).getConfigMap().getName(), is(pod.getMetadata().getName()));
- assertThat(pod.getSpec().getVolumes().get(6).getName(), is("ready-files"));
- assertThat(pod.getSpec().getVolumes().get(6).getEmptyDir(), is(notNullValue()));
+ assertThat(pod.getSpec().getVolumes().get(2).getName(), is("kafka-metrics-and-logging"));
+ assertThat(pod.getSpec().getVolumes().get(2).getConfigMap().getName(), is(pod.getMetadata().getName()));
+ assertThat(pod.getSpec().getVolumes().get(3).getName(), is("ready-files"));
+ assertThat(pod.getSpec().getVolumes().get(3).getEmptyDir(), is(notNullValue()));
 }
 
 // Mixed nodes
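Review bot: The only thing in this hunk that still guards the intent of the change — that no certificate Secret (cluster CA, broker certs, clients CA) is mounted into the pod any more — is the `assertThat(pod.getSpec().getVolumes().size(), is(4));` count, which will also change the next time an unrelated volume is added and then says nothing about certificates. An explicit negative check states the property directly and survives such additions, e.g. `assertThat(pod.getSpec().getVolumes().stream().anyMatch(v -> v.getSecret() != null), is(false));`. The same block is repeated verbatim for mixed nodes and brokers in the next two hunks; a small helper such as `assertDefaultVolumesAndMounts(pod)` would remove the triplication and give the shared expectation one home. The enclosing loop and testPodSet itself begin outside the hunk.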
@@ -3477,32 +3490,20 @@ public void testPodSet() {
 assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(0).getMountPath(), is("/var/lib/kafka/data-0"));
 assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(1).getName(), is(VolumeUtils.STRIMZI_TMP_DIRECTORY_DEFAULT_VOLUME_NAME));
 assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(1).getMountPath(), is(VolumeUtils.STRIMZI_TMP_DIRECTORY_DEFAULT_MOUNT_PATH));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(2).getName(), is(KafkaCluster.CLUSTER_CA_CERTS_VOLUME));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(2).getMountPath(), is(KafkaCluster.CLUSTER_CA_CERTS_VOLUME_MOUNT));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(3).getName(), is(KafkaCluster.BROKER_CERTS_VOLUME));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(3).getMountPath(), is(KafkaCluster.BROKER_CERTS_VOLUME_MOUNT));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(4).getName(), is(KafkaCluster.CLIENT_CA_CERTS_VOLUME));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(4).getMountPath(), is(KafkaCluster.CLIENT_CA_CERTS_VOLUME_MOUNT));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(5).getName(), is("kafka-metrics-and-logging"));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(5).getMountPath(), is("/opt/kafka/custom-config/"));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(6).getName(), is("ready-files"));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(6).getMountPath(), is("/var/opt/kafka"));
-
- assertThat(pod.getSpec().getVolumes().size(), is(7));
+ assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(2).getName(), is("kafka-metrics-and-logging"));
+ assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(2).getMountPath(), is("/opt/kafka/custom-config/"));
+ assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(3).getName(), is("ready-files"));
+ assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(3).getMountPath(), is("/var/opt/kafka"));
+
+ assertThat(pod.getSpec().getVolumes().size(), is(4));
 assertThat(pod.getSpec().getVolumes().get(0).getName(), is("data-0"));
 assertThat(pod.getSpec().getVolumes().get(0).getPersistentVolumeClaim(), is(notNullValue()));
 assertThat(pod.getSpec().getVolumes().get(1).getName(), is(VolumeUtils.STRIMZI_TMP_DIRECTORY_DEFAULT_VOLUME_NAME));
 assertThat(pod.getSpec().getVolumes().get(1).getEmptyDir(), is(notNullValue()));
- assertThat(pod.getSpec().getVolumes().get(2).getName(), is(KafkaCluster.CLUSTER_CA_CERTS_VOLUME));
- assertThat(pod.getSpec().getVolumes().get(2).getSecret().getSecretName(), is("foo-cluster-ca-cert"));
- assertThat(pod.getSpec().getVolumes().get(3).getName(), is(KafkaCluster.BROKER_CERTS_VOLUME));
- assertThat(pod.getSpec().getVolumes().get(3).getSecret().getSecretName(), is(pod.getMetadata().getName()));
- assertThat(pod.getSpec().getVolumes().get(4).getName(), is(KafkaCluster.CLIENT_CA_CERTS_VOLUME));
- assertThat(pod.getSpec().getVolumes().get(4).getSecret().getSecretName(), is("foo-clients-ca-cert"));
- assertThat(pod.getSpec().getVolumes().get(5).getName(), is("kafka-metrics-and-logging"));
- assertThat(pod.getSpec().getVolumes().get(5).getConfigMap().getName(), is(pod.getMetadata().getName()));
- assertThat(pod.getSpec().getVolumes().get(6).getName(), is("ready-files"));
- assertThat(pod.getSpec().getVolumes().get(6).getEmptyDir(), is(notNullValue()));
+ assertThat(pod.getSpec().getVolumes().get(2).getName(), is("kafka-metrics-and-logging"));
+ assertThat(pod.getSpec().getVolumes().get(2).getConfigMap().getName(), is(pod.getMetadata().getName()));
+ assertThat(pod.getSpec().getVolumes().get(3).getName(), is("ready-files"));
+ assertThat(pod.getSpec().getVolumes().get(3).getEmptyDir(), is(notNullValue()));
 }
 
 // Brokers
@@ -3543,32 +3544,20 @@ public void testPodSet() {
 assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(0).getMountPath(), is("/var/lib/kafka/data-0"));
 assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(1).getName(), is(VolumeUtils.STRIMZI_TMP_DIRECTORY_DEFAULT_VOLUME_NAME));
 assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(1).getMountPath(), is(VolumeUtils.STRIMZI_TMP_DIRECTORY_DEFAULT_MOUNT_PATH));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(2).getName(), is(KafkaCluster.CLUSTER_CA_CERTS_VOLUME));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(2).getMountPath(), is(KafkaCluster.CLUSTER_CA_CERTS_VOLUME_MOUNT));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(3).getName(), is(KafkaCluster.BROKER_CERTS_VOLUME));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(3).getMountPath(), is(KafkaCluster.BROKER_CERTS_VOLUME_MOUNT));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(4).getName(), is(KafkaCluster.CLIENT_CA_CERTS_VOLUME));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(4).getMountPath(), is(KafkaCluster.CLIENT_CA_CERTS_VOLUME_MOUNT));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(5).getName(), is("kafka-metrics-and-logging"));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(5).getMountPath(), is("/opt/kafka/custom-config/"));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(6).getName(), is("ready-files"));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(6).getMountPath(), is("/var/opt/kafka"));
-
- assertThat(pod.getSpec().getVolumes().size(), is(7));
+ assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(2).getName(), is("kafka-metrics-and-logging"));
+ assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(2).getMountPath(), is("/opt/kafka/custom-config/"));
+ assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(3).getName(), is("ready-files"));
+ assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(3).getMountPath(), is("/var/opt/kafka"));
+
+ assertThat(pod.getSpec().getVolumes().size(), is(4));
 assertThat(pod.getSpec().getVolumes().get(0).getName(), is("data-0"));
 assertThat(pod.getSpec().getVolumes().get(0).getPersistentVolumeClaim(), is(notNullValue()));
 assertThat(pod.getSpec().getVolumes().get(1).getName(), is(VolumeUtils.STRIMZI_TMP_DIRECTORY_DEFAULT_VOLUME_NAME));
 assertThat(pod.getSpec().getVolumes().get(1).getEmptyDir(), is(notNullValue()));
- assertThat(pod.getSpec().getVolumes().get(2).getName(), is(KafkaCluster.CLUSTER_CA_CERTS_VOLUME));
- assertThat(pod.getSpec().getVolumes().get(2).getSecret().getSecretName(), is("foo-cluster-ca-cert"));
- assertThat(pod.getSpec().getVolumes().get(3).getName(), is(KafkaCluster.BROKER_CERTS_VOLUME));
- assertThat(pod.getSpec().getVolumes().get(3).getSecret().getSecretName(), is(pod.getMetadata().getName()));
- assertThat(pod.getSpec().getVolumes().get(4).getName(), is(KafkaCluster.CLIENT_CA_CERTS_VOLUME));
- assertThat(pod.getSpec().getVolumes().get(4).getSecret().getSecretName(), is("foo-clients-ca-cert"));
- assertThat(pod.getSpec().getVolumes().get(5).getName(), is("kafka-metrics-and-logging"));
- assertThat(pod.getSpec().getVolumes().get(5).getConfigMap().getName(), is(pod.getMetadata().getName()));
- assertThat(pod.getSpec().getVolumes().get(6).getName(), is("ready-files"));
- assertThat(pod.getSpec().getVolumes().get(6).getEmptyDir(), is(notNullValue()));
+ assertThat(pod.getSpec().getVolumes().get(2).getName(), is("kafka-metrics-and-logging"));
+ assertThat(pod.getSpec().getVolumes().get(2).getConfigMap().getName(), is(pod.getMetadata().getName()));
+ assertThat(pod.getSpec().getVolumes().get(3).getName(), is("ready-files"));
+ assertThat(pod.getSpec().getVolumes().get(3).getEmptyDir(), is(notNullValue()));
 }
 }
 
@@ -3777,24 +3766,18 @@ public void testCustomizedPodSet() {
 assertThat(pod.getSpec().getAffinity(), is(affinity));
 assertThat(pod.getSpec().getTolerations(), is(toleration));
 
- assertThat(pod.getSpec().getVolumes().size(), is(8));
+ assertThat(pod.getSpec().getVolumes().size(), is(5));
 assertThat(pod.getSpec().getVolumes().get(0).getName(), is("data-0"));
 assertThat(pod.getSpec().getVolumes().get(0).getPersistentVolumeClaim(), is(notNullValue()));
 assertThat(pod.getSpec().getVolumes().get(1).getName(), is(VolumeUtils.STRIMZI_TMP_DIRECTORY_DEFAULT_VOLUME_NAME));
 assertThat(pod.getSpec().getVolumes().get(1).getEmptyDir(), is(notNullValue()));
 assertThat(pod.getSpec().getVolumes().get(1).getEmptyDir().getSizeLimit(), is(new Quantity("10Mi")));
- assertThat(pod.getSpec().getVolumes().get(2).getName(), is(KafkaCluster.CLUSTER_CA_CERTS_VOLUME));
- assertThat(pod.getSpec().getVolumes().get(2).getSecret().getSecretName(), is("foo-cluster-ca-cert"));
- assertThat(pod.getSpec().getVolumes().get(3).getName(), is(KafkaCluster.BROKER_CERTS_VOLUME));
- assertThat(pod.getSpec().getVolumes().get(3).getSecret().getSecretName(), is(pod.getMetadata().getName()));
- assertThat(pod.getSpec().getVolumes().get(4).getName(), is(KafkaCluster.CLIENT_CA_CERTS_VOLUME));
- assertThat(pod.getSpec().getVolumes().get(4).getSecret().getSecretName(), is("foo-clients-ca-cert"));
- assertThat(pod.getSpec().getVolumes().get(5).getName(), is("kafka-metrics-and-logging"));
- assertThat(pod.getSpec().getVolumes().get(5).getConfigMap().getName(), is(pod.getMetadata().getName()));
- assertThat(pod.getSpec().getVolumes().get(6).getName(), is("ready-files"));
- assertThat(pod.getSpec().getVolumes().get(6).getEmptyDir(), is(notNullValue()));
- assertThat(pod.getSpec().getVolumes().get(7).getName(), is("secret-volume-name"));
- assertThat(pod.getSpec().getVolumes().get(7).getSecret(), is(notNullValue()));
+ assertThat(pod.getSpec().getVolumes().get(2).getName(), is("kafka-metrics-and-logging"));
+ assertThat(pod.getSpec().getVolumes().get(2).getConfigMap().getName(), is(pod.getMetadata().getName()));
+ assertThat(pod.getSpec().getVolumes().get(3).getName(), is("ready-files"));
+ assertThat(pod.getSpec().getVolumes().get(3).getEmptyDir(), is(notNullValue()));
+ assertThat(pod.getSpec().getVolumes().get(4).getName(), is("secret-volume-name"));
+ assertThat(pod.getSpec().getVolumes().get(4).getSecret(), is(notNullValue()));
 
 // Containers
 assertThat(pod.getSpec().getContainers().size(), is(1));
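Review bot: The rewritten expectations in testCustomizedPodSet (this hunk and the volume-mount hunk that follows) and in testCustomizedPodSetInKafkaAndNodePool address the user-supplied `secret-volume-name` purely by position (`get(4)`), so the assertions will break again on the next reordering even though what the test cares about is that the user volume is present and the CA/broker certificate volumes are not. Comparing the full name list states that directly and reads as a spec, e.g. `assertThat(pod.getSpec().getVolumes().stream().map(v -> v.getName()).toList(), is(List.of("data-0", VolumeUtils.STRIMZI_TMP_DIRECTORY_DEFAULT_VOLUME_NAME, "kafka-metrics-and-logging", "ready-files", "secret-volume-name")));` (assuming the file's usual `java.util.List` import). The enclosing loop and method begin outside the hunk.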
@@ -3817,23 +3800,17 @@ public void testCustomizedPodSet() {
 assertThat(pod.getSpec().getContainers().get(0).getResources().getRequests(), is(Map.of("cpu", new Quantity("100m"), "memory", new Quantity("4Gi"))));
 assertThat(pod.getSpec().getContainers().get(0).getResources().getLimits(), is(Map.of("cpu", new Quantity("500m"), "memory", new Quantity("8Gi"))));
 
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().size(), is(8));
+ assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().size(), is(5));
 assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(0).getName(), is("data-0"));
 assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(0).getMountPath(), is("/var/lib/kafka/data-0"));
 assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(1).getName(), is(VolumeUtils.STRIMZI_TMP_DIRECTORY_DEFAULT_VOLUME_NAME));
 assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(1).getMountPath(), is(VolumeUtils.STRIMZI_TMP_DIRECTORY_DEFAULT_MOUNT_PATH));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(2).getName(), is(KafkaCluster.CLUSTER_CA_CERTS_VOLUME));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(2).getMountPath(), is(KafkaCluster.CLUSTER_CA_CERTS_VOLUME_MOUNT));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(3).getName(), is(KafkaCluster.BROKER_CERTS_VOLUME));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(3).getMountPath(), is(KafkaCluster.BROKER_CERTS_VOLUME_MOUNT));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(4).getName(), is(KafkaCluster.CLIENT_CA_CERTS_VOLUME));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(4).getMountPath(), is(KafkaCluster.CLIENT_CA_CERTS_VOLUME_MOUNT));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(5).getName(), is("kafka-metrics-and-logging"));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(5).getMountPath(), is("/opt/kafka/custom-config/"));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(6).getName(), is("ready-files"));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(6).getMountPath(), is("/var/opt/kafka"));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(7).getName(), is("secret-volume-name"));
- assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(7).getMountPath(), is("/mnt/secret-volume"));
+ assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(2).getName(), is("kafka-metrics-and-logging"));
+ assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(2).getMountPath(), is("/opt/kafka/custom-config/"));
+ assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(3).getName(), is("ready-files"));
+ assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(3).getMountPath(), is("/var/opt/kafka"));
+ assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(4).getName(), is("secret-volume-name"));
+ assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(4).getMountPath(), is("/mnt/secret-volume"));
 }
 }
 }
@@ -4120,24 +4097,18 @@ public void testCustomizedPodSetInKafkaAndNodePool() { assertThat(pod.getSpec().getAffinity(), is(poolAffinity)); assertThat(pod.getSpec().getTolerations(), is(poolToleration)); - assertThat(pod.getSpec().getVolumes().size(), is(8)); + assertThat(pod.getSpec().getVolumes().size(), is(5)); assertThat(pod.getSpec().getVolumes().get(0).getName(), is("data-0")); assertThat(pod.getSpec().getVolumes().get(0).getPersistentVolumeClaim(), is(notNullValue())); assertThat(pod.getSpec().getVolumes().get(1).getName(), is(VolumeUtils.STRIMZI_TMP_DIRECTORY_DEFAULT_VOLUME_NAME)); assertThat(pod.getSpec().getVolumes().get(1).getEmptyDir(), is(notNullValue())); assertThat(pod.getSpec().getVolumes().get(1).getEmptyDir().getSizeLimit(), is(new Quantity("10Mi"))); - assertThat(pod.getSpec().getVolumes().get(2).getName(), is(KafkaCluster.CLUSTER_CA_CERTS_VOLUME)); - assertThat(pod.getSpec().getVolumes().get(2).getSecret().getSecretName(), is("foo-cluster-ca-cert")); - assertThat(pod.getSpec().getVolumes().get(3).getName(), is(KafkaCluster.BROKER_CERTS_VOLUME)); - assertThat(pod.getSpec().getVolumes().get(3).getSecret().getSecretName(), is(pod.getMetadata().getName())); - assertThat(pod.getSpec().getVolumes().get(4).getName(), is(KafkaCluster.CLIENT_CA_CERTS_VOLUME)); - assertThat(pod.getSpec().getVolumes().get(4).getSecret().getSecretName(), is("foo-clients-ca-cert")); - assertThat(pod.getSpec().getVolumes().get(5).getName(), is("kafka-metrics-and-logging")); - assertThat(pod.getSpec().getVolumes().get(5).getConfigMap().getName(), is(pod.getMetadata().getName())); - assertThat(pod.getSpec().getVolumes().get(6).getName(), is("ready-files")); - assertThat(pod.getSpec().getVolumes().get(6).getEmptyDir(), is(notNullValue())); - assertThat(pod.getSpec().getVolumes().get(7).getName(), is("secret-volume-name2")); - assertThat(pod.getSpec().getVolumes().get(7).getSecret(), is(notNullValue())); + assertThat(pod.getSpec().getVolumes().get(2).getName(), 
is("kafka-metrics-and-logging")); + assertThat(pod.getSpec().getVolumes().get(2).getConfigMap().getName(), is(pod.getMetadata().getName())); + assertThat(pod.getSpec().getVolumes().get(3).getName(), is("ready-files")); + assertThat(pod.getSpec().getVolumes().get(3).getEmptyDir(), is(notNullValue())); + assertThat(pod.getSpec().getVolumes().get(4).getName(), is("secret-volume-name2")); + assertThat(pod.getSpec().getVolumes().get(4).getSecret(), is(notNullValue())); // Containers assertThat(pod.getSpec().getContainers().size(), is(1)); 
@@ -4149,23 +4120,17 @@ public void testCustomizedPodSetInKafkaAndNodePool() { assertThat(pod.getSpec().getContainers().get(0).getResources().getRequests(), is(Map.of("cpu", new Quantity("100m"), "memory", new Quantity("4Gi")))); assertThat(pod.getSpec().getContainers().get(0).getResources().getLimits(), is(Map.of("cpu", new Quantity("500m"), "memory", new Quantity("8Gi")))); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().size(), is(8)); + assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().size(), is(5)); assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(0).getName(), is("data-0")); assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(0).getMountPath(), is("/var/lib/kafka/data-0")); assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(1).getName(), is(VolumeUtils.STRIMZI_TMP_DIRECTORY_DEFAULT_VOLUME_NAME)); assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(1).getMountPath(), is(VolumeUtils.STRIMZI_TMP_DIRECTORY_DEFAULT_MOUNT_PATH)); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(2).getName(), is(KafkaCluster.CLUSTER_CA_CERTS_VOLUME)); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(2).getMountPath(), is(KafkaCluster.CLUSTER_CA_CERTS_VOLUME_MOUNT)); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(3).getName(), is(KafkaCluster.BROKER_CERTS_VOLUME)); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(3).getMountPath(), is(KafkaCluster.BROKER_CERTS_VOLUME_MOUNT)); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(4).getName(), is(KafkaCluster.CLIENT_CA_CERTS_VOLUME)); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(4).getMountPath(), is(KafkaCluster.CLIENT_CA_CERTS_VOLUME_MOUNT)); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(5).getName(), is("kafka-metrics-and-logging")); - 
assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(5).getMountPath(), is("/opt/kafka/custom-config/")); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(6).getName(), is("ready-files")); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(6).getMountPath(), is("/var/opt/kafka")); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(7).getName(), is("secret-volume-name2")); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(7).getMountPath(), is("/mnt/secret-volume2")); + assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(2).getName(), is("kafka-metrics-and-logging")); + assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(2).getMountPath(), is("/opt/kafka/custom-config/")); + assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(3).getName(), is("ready-files")); + assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(3).getMountPath(), is("/var/opt/kafka")); + assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(4).getName(), is("secret-volume-name2")); + assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(4).getMountPath(), is("/mnt/secret-volume2")); } else { assertThat(pod.getSpec().getPriorityClassName(), is("top-priority")); assertThat(pod.getSpec().getSchedulerName(), is("my-scheduler")); 
@@ -4182,24 +4147,18 @@ public void testCustomizedPodSetInKafkaAndNodePool() { assertThat(pod.getSpec().getAffinity(), is(affinity)); assertThat(pod.getSpec().getTolerations(), is(toleration)); - assertThat(pod.getSpec().getVolumes().size(), is(8)); + assertThat(pod.getSpec().getVolumes().size(), is(5)); assertThat(pod.getSpec().getVolumes().get(0).getName(), is("data-0")); assertThat(pod.getSpec().getVolumes().get(0).getPersistentVolumeClaim(), is(notNullValue())); assertThat(pod.getSpec().getVolumes().get(1).getName(), is(VolumeUtils.STRIMZI_TMP_DIRECTORY_DEFAULT_VOLUME_NAME)); assertThat(pod.getSpec().getVolumes().get(1).getEmptyDir(), is(notNullValue())); assertThat(pod.getSpec().getVolumes().get(1).getEmptyDir().getSizeLimit(), is(new Quantity("13Mi"))); - assertThat(pod.getSpec().getVolumes().get(2).getName(), is(KafkaCluster.CLUSTER_CA_CERTS_VOLUME)); - assertThat(pod.getSpec().getVolumes().get(2).getSecret().getSecretName(), is("foo-cluster-ca-cert")); - assertThat(pod.getSpec().getVolumes().get(3).getName(), is(KafkaCluster.BROKER_CERTS_VOLUME)); - assertThat(pod.getSpec().getVolumes().get(3).getSecret().getSecretName(), is(pod.getMetadata().getName())); - assertThat(pod.getSpec().getVolumes().get(4).getName(), is(KafkaCluster.CLIENT_CA_CERTS_VOLUME)); - assertThat(pod.getSpec().getVolumes().get(4).getSecret().getSecretName(), is("foo-clients-ca-cert")); - assertThat(pod.getSpec().getVolumes().get(5).getName(), is("kafka-metrics-and-logging")); - assertThat(pod.getSpec().getVolumes().get(5).getConfigMap().getName(), is(pod.getMetadata().getName())); - assertThat(pod.getSpec().getVolumes().get(6).getName(), is("ready-files")); - assertThat(pod.getSpec().getVolumes().get(6).getEmptyDir(), is(notNullValue())); - assertThat(pod.getSpec().getVolumes().get(7).getName(), is("secret-volume-name")); - assertThat(pod.getSpec().getVolumes().get(7).getSecret(), is(notNullValue())); + assertThat(pod.getSpec().getVolumes().get(2).getName(), 
is("kafka-metrics-and-logging")); + assertThat(pod.getSpec().getVolumes().get(2).getConfigMap().getName(), is(pod.getMetadata().getName())); + assertThat(pod.getSpec().getVolumes().get(3).getName(), is("ready-files")); + assertThat(pod.getSpec().getVolumes().get(3).getEmptyDir(), is(notNullValue())); + assertThat(pod.getSpec().getVolumes().get(4).getName(), is("secret-volume-name")); + assertThat(pod.getSpec().getVolumes().get(4).getSecret(), is(notNullValue())); // Containers assertThat(pod.getSpec().getContainers().size(), is(1)); 
@@ -4211,23 +4170,17 @@ public void testCustomizedPodSetInKafkaAndNodePool() { assertThat(pod.getSpec().getContainers().get(0).getResources().getRequests(), is(Map.of("cpu", new Quantity("1000m"), "memory", new Quantity("40Gi")))); assertThat(pod.getSpec().getContainers().get(0).getResources().getLimits(), is(Map.of("cpu", new Quantity("5000m"), "memory", new Quantity("80Gi")))); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().size(), is(8)); + assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().size(), is(5)); assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(0).getName(), is("data-0")); assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(0).getMountPath(), is("/var/lib/kafka/data-0")); assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(1).getName(), is(VolumeUtils.STRIMZI_TMP_DIRECTORY_DEFAULT_VOLUME_NAME)); assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(1).getMountPath(), is(VolumeUtils.STRIMZI_TMP_DIRECTORY_DEFAULT_MOUNT_PATH)); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(2).getName(), is(KafkaCluster.CLUSTER_CA_CERTS_VOLUME)); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(2).getMountPath(), is(KafkaCluster.CLUSTER_CA_CERTS_VOLUME_MOUNT)); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(3).getName(), is(KafkaCluster.BROKER_CERTS_VOLUME)); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(3).getMountPath(), is(KafkaCluster.BROKER_CERTS_VOLUME_MOUNT)); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(4).getName(), is(KafkaCluster.CLIENT_CA_CERTS_VOLUME)); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(4).getMountPath(), is(KafkaCluster.CLIENT_CA_CERTS_VOLUME_MOUNT)); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(5).getName(), is("kafka-metrics-and-logging")); - 
assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(5).getMountPath(), is("/opt/kafka/custom-config/")); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(6).getName(), is("ready-files")); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(6).getMountPath(), is("/var/opt/kafka")); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(7).getName(), is("secret-volume-name")); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(7).getMountPath(), is("/mnt/secret-volume")); + assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(2).getName(), is("kafka-metrics-and-logging")); + assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(2).getMountPath(), is("/opt/kafka/custom-config/")); + assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(3).getName(), is("ready-files")); + assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(3).getMountPath(), is("/var/opt/kafka")); + assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(4).getName(), is("secret-volume-name")); + assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(4).getMountPath(), is("/mnt/secret-volume")); } } } 
@@ -4422,24 +4375,18 @@ public void testCustomizedPodSetInNodePool() { assertThat(pod.getSpec().getAffinity(), is(affinity)); assertThat(pod.getSpec().getTolerations(), is(toleration)); - assertThat(pod.getSpec().getVolumes().size(), is(8)); + assertThat(pod.getSpec().getVolumes().size(), is(5)); assertThat(pod.getSpec().getVolumes().get(0).getName(), is("data-0")); assertThat(pod.getSpec().getVolumes().get(0).getPersistentVolumeClaim(), is(notNullValue())); assertThat(pod.getSpec().getVolumes().get(1).getName(), is(VolumeUtils.STRIMZI_TMP_DIRECTORY_DEFAULT_VOLUME_NAME)); assertThat(pod.getSpec().getVolumes().get(1).getEmptyDir(), is(notNullValue())); assertThat(pod.getSpec().getVolumes().get(1).getEmptyDir().getSizeLimit(), is(new Quantity("10Mi"))); - assertThat(pod.getSpec().getVolumes().get(2).getName(), is(KafkaCluster.CLUSTER_CA_CERTS_VOLUME)); - assertThat(pod.getSpec().getVolumes().get(2).getSecret().getSecretName(), is("foo-cluster-ca-cert")); - assertThat(pod.getSpec().getVolumes().get(3).getName(), is(KafkaCluster.BROKER_CERTS_VOLUME)); - assertThat(pod.getSpec().getVolumes().get(3).getSecret().getSecretName(), is(pod.getMetadata().getName())); - assertThat(pod.getSpec().getVolumes().get(4).getName(), is(KafkaCluster.CLIENT_CA_CERTS_VOLUME)); - assertThat(pod.getSpec().getVolumes().get(4).getSecret().getSecretName(), is("foo-clients-ca-cert")); - assertThat(pod.getSpec().getVolumes().get(5).getName(), is("kafka-metrics-and-logging")); - assertThat(pod.getSpec().getVolumes().get(5).getConfigMap().getName(), is(pod.getMetadata().getName())); - assertThat(pod.getSpec().getVolumes().get(6).getName(), is("ready-files")); - assertThat(pod.getSpec().getVolumes().get(6).getEmptyDir(), is(notNullValue())); - assertThat(pod.getSpec().getVolumes().get(7).getName(), is("secret-volume-name")); - assertThat(pod.getSpec().getVolumes().get(7).getSecret(), is(notNullValue())); + assertThat(pod.getSpec().getVolumes().get(2).getName(), is("kafka-metrics-and-logging")); + 
assertThat(pod.getSpec().getVolumes().get(2).getConfigMap().getName(), is(pod.getMetadata().getName())); + assertThat(pod.getSpec().getVolumes().get(3).getName(), is("ready-files")); + assertThat(pod.getSpec().getVolumes().get(3).getEmptyDir(), is(notNullValue())); + assertThat(pod.getSpec().getVolumes().get(4).getName(), is("secret-volume-name")); + assertThat(pod.getSpec().getVolumes().get(4).getSecret(), is(notNullValue())); // Containers assertThat(pod.getSpec().getContainers().size(), is(1)); 
@@ -4451,23 +4398,17 @@ public void testCustomizedPodSetInNodePool() { assertThat(pod.getSpec().getContainers().get(0).getResources().getRequests(), is(Map.of("cpu", new Quantity("100m"), "memory", new Quantity("4Gi")))); assertThat(pod.getSpec().getContainers().get(0).getResources().getLimits(), is(Map.of("cpu", new Quantity("500m"), "memory", new Quantity("8Gi")))); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().size(), is(8)); + assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().size(), is(5)); assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(0).getName(), is("data-0")); assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(0).getMountPath(), is("/var/lib/kafka/data-0")); assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(1).getName(), is(VolumeUtils.STRIMZI_TMP_DIRECTORY_DEFAULT_VOLUME_NAME)); assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(1).getMountPath(), is(VolumeUtils.STRIMZI_TMP_DIRECTORY_DEFAULT_MOUNT_PATH)); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(2).getName(), is(KafkaCluster.CLUSTER_CA_CERTS_VOLUME)); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(2).getMountPath(), is(KafkaCluster.CLUSTER_CA_CERTS_VOLUME_MOUNT)); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(3).getName(), is(KafkaCluster.BROKER_CERTS_VOLUME)); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(3).getMountPath(), is(KafkaCluster.BROKER_CERTS_VOLUME_MOUNT)); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(4).getName(), is(KafkaCluster.CLIENT_CA_CERTS_VOLUME)); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(4).getMountPath(), is(KafkaCluster.CLIENT_CA_CERTS_VOLUME_MOUNT)); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(5).getName(), is("kafka-metrics-and-logging")); - 
assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(5).getMountPath(), is("/opt/kafka/custom-config/")); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(6).getName(), is("ready-files")); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(6).getMountPath(), is("/var/opt/kafka")); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(7).getName(), is("secret-volume-name")); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(7).getMountPath(), is("/mnt/secret-volume")); + assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(2).getName(), is("kafka-metrics-and-logging")); + assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(2).getMountPath(), is("/opt/kafka/custom-config/")); + assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(3).getName(), is("ready-files")); + assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(3).getMountPath(), is("/var/opt/kafka")); + assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(4).getName(), is("secret-volume-name")); + assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(4).getMountPath(), is("/mnt/secret-volume")); } else { // Metadata assertThat(pod.getMetadata().getLabels().entrySet().containsAll(podLabels.entrySet()), is(false)); 
@@ -4486,22 +4427,16 @@ public void testCustomizedPodSetInNodePool() { assertThat(pod.getSpec().getAffinity(), is(new Affinity())); assertThat(pod.getSpec().getTolerations(), is(List.of())); - assertThat(pod.getSpec().getVolumes().size(), is(7)); + assertThat(pod.getSpec().getVolumes().size(), is(4)); assertThat(pod.getSpec().getVolumes().get(0).getName(), is("data-0")); assertThat(pod.getSpec().getVolumes().get(0).getPersistentVolumeClaim(), is(notNullValue())); assertThat(pod.getSpec().getVolumes().get(1).getName(), is(VolumeUtils.STRIMZI_TMP_DIRECTORY_DEFAULT_VOLUME_NAME)); assertThat(pod.getSpec().getVolumes().get(1).getEmptyDir(), is(notNullValue())); assertThat(pod.getSpec().getVolumes().get(1).getEmptyDir().getSizeLimit(), is(new Quantity("5Mi"))); - assertThat(pod.getSpec().getVolumes().get(2).getName(), is(KafkaCluster.CLUSTER_CA_CERTS_VOLUME)); - assertThat(pod.getSpec().getVolumes().get(2).getSecret().getSecretName(), is("foo-cluster-ca-cert")); - assertThat(pod.getSpec().getVolumes().get(3).getName(), is(KafkaCluster.BROKER_CERTS_VOLUME)); - assertThat(pod.getSpec().getVolumes().get(3).getSecret().getSecretName(), is(pod.getMetadata().getName())); - assertThat(pod.getSpec().getVolumes().get(4).getName(), is(KafkaCluster.CLIENT_CA_CERTS_VOLUME)); - assertThat(pod.getSpec().getVolumes().get(4).getSecret().getSecretName(), is("foo-clients-ca-cert")); - assertThat(pod.getSpec().getVolumes().get(5).getName(), is("kafka-metrics-and-logging")); - assertThat(pod.getSpec().getVolumes().get(5).getConfigMap().getName(), is(pod.getMetadata().getName())); - assertThat(pod.getSpec().getVolumes().get(6).getName(), is("ready-files")); - assertThat(pod.getSpec().getVolumes().get(6).getEmptyDir(), is(notNullValue())); + assertThat(pod.getSpec().getVolumes().get(2).getName(), is("kafka-metrics-and-logging")); + assertThat(pod.getSpec().getVolumes().get(2).getConfigMap().getName(), is(pod.getMetadata().getName())); + assertThat(pod.getSpec().getVolumes().get(3).getName(), 
is("ready-files")); + assertThat(pod.getSpec().getVolumes().get(3).getEmptyDir(), is(notNullValue())); // Containers assertThat(pod.getSpec().getContainers().size(), is(1)); 
@@ -4512,21 +4447,15 @@ public void testCustomizedPodSetInNodePool() { assertThat(pod.getSpec().getContainers().get(0).getEnv().stream().filter(e -> envVar3.getName().equals(e.getName())).findFirst().orElseThrow().getValue(), is("false")); assertThat(pod.getSpec().getContainers().get(0).getResources(), is(nullValue())); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().size(), is(7)); + assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().size(), is(4)); assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(0).getName(), is("data-0")); assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(0).getMountPath(), is("/var/lib/kafka/data-0")); assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(1).getName(), is(VolumeUtils.STRIMZI_TMP_DIRECTORY_DEFAULT_VOLUME_NAME)); assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(1).getMountPath(), is(VolumeUtils.STRIMZI_TMP_DIRECTORY_DEFAULT_MOUNT_PATH)); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(2).getName(), is(KafkaCluster.CLUSTER_CA_CERTS_VOLUME)); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(2).getMountPath(), is(KafkaCluster.CLUSTER_CA_CERTS_VOLUME_MOUNT)); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(3).getName(), is(KafkaCluster.BROKER_CERTS_VOLUME)); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(3).getMountPath(), is(KafkaCluster.BROKER_CERTS_VOLUME_MOUNT)); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(4).getName(), is(KafkaCluster.CLIENT_CA_CERTS_VOLUME)); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(4).getMountPath(), is(KafkaCluster.CLIENT_CA_CERTS_VOLUME_MOUNT)); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(5).getName(), is("kafka-metrics-and-logging")); - 
assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(5).getMountPath(), is("/opt/kafka/custom-config/")); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(6).getName(), is("ready-files")); - assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(6).getMountPath(), is("/var/opt/kafka")); + assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(2).getName(), is("kafka-metrics-and-logging")); + assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(2).getMountPath(), is("/opt/kafka/custom-config/")); + assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(3).getName(), is("ready-files")); + assertThat(pod.getSpec().getContainers().get(0).getVolumeMounts().get(3).getMountPath(), is("/var/opt/kafka")); } } } diff --git a/docker-images/kafka-based/kafka/scripts/kafka_run.sh b/docker-images/kafka-based/kafka/scripts/kafka_run.sh index ee0d64a22de..1c4f0d23521 100755 --- a/docker-images/kafka-based/kafka/scripts/kafka_run.sh +++ b/docker-images/kafka-based/kafka/scripts/kafka_run.sh @@ -83,11 +83,11 @@ fi echo "" echo "Preparing Kafka Agent configuration" rm -f /tmp/kafka-agent.properties +NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace) cat < /tmp/kafka-agent.properties -sslKeyStorePath=/tmp/kafka/cluster.keystore.p12 -sslKeyStorePass=${CERTS_STORE_PASSWORD} -sslTrustStorePath=/tmp/kafka/cluster.truststore.p12 -sslTrustStorePass=${CERTS_STORE_PASSWORD} +sslTrustStoreSecretName=${KAFKA_CLUSTER_NAME}-cluster-ca-cert +sslKeyStoreSecretName=${HOSTNAME} +namespace=${NAMESPACE} EOF echo "" diff --git a/docker-images/kafka-based/kafka/scripts/kafka_tls_prepare_certificates.sh b/docker-images/kafka-based/kafka/scripts/kafka_tls_prepare_certificates.sh index ccced0a99d8..d676671ebb1 100755 --- a/docker-images/kafka-based/kafka/scripts/kafka_tls_prepare_certificates.sh +++ b/docker-images/kafka-based/kafka/scripts/kafka_tls_prepare_certificates.sh 
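Review bot: `NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)` makes agent startup depend on the projected service-account volume being mounted in the broker pod; if the pod template sets `automountServiceAccountToken: false`, the read fails and the agent later exits on the empty `namespace` value. A one-line comment above it, `# pod namespace from the projected service-account volume; the agent needs it to look up the CA and node Secrets`, would make that dependency visible to whoever tunes the pod template. The file's error-handling mode (`set -e` or not) is outside the hunk, so whether a failed `cat` aborts the script here or only yields an empty value is not visible.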
@@ -4,46 +4,12 @@ set -e # Load predefined functions for preparing trust- and keystores source ./tls_utils.sh -echo "Preparing truststore for replication listener" -# Add each certificate to the trust store -STORE=/tmp/kafka/cluster.truststore.p12 -rm -f "$STORE" -for CRT in /opt/kafka/cluster-ca-certs/*.crt; do - ALIAS=$(basename "$CRT" .crt) - echo "Adding $CRT to truststore $STORE with alias $ALIAS" - create_truststore "$STORE" "$CERTS_STORE_PASSWORD" "$CRT" "$ALIAS" -done -echo "Preparing truststore for replication listener is complete" - -echo "Looking for the CA matching the server certificate" -CA=$(find_ca /opt/kafka/cluster-ca-certs "/opt/kafka/broker-certs/$HOSTNAME.crt") - -if [ ! -f "$CA" ]; then - echo "No CA matching the server certificate found. This process will exit with failure." - exit 1 -fi -echo "CA matching the server certificate found: $CA" - -echo "Preparing keystore for replication and clienttls listener" -STORE=/tmp/kafka/cluster.keystore.p12 -rm -f "$STORE" -create_keystore "$STORE" "$CERTS_STORE_PASSWORD" \ - "/opt/kafka/broker-certs/$HOSTNAME.crt" \ - "/opt/kafka/broker-certs/$HOSTNAME.key" \ - "$CA" \ - "$HOSTNAME" -echo "Preparing keystore for replication and clienttls listener is complete" - -regex="^\/opt\/kafka\/certificates\/(custom|oauth)-(.+)-(.+)-certs$" +regex="^\/opt\/kafka\/certificates\/(oauth)-(.+)-(.+)-certs$" for CERT_DIR in /opt/kafka/certificates/*; do if [[ $CERT_DIR =~ $regex ]]; then listener=${BASH_REMATCH[1]}-${BASH_REMATCH[2]}-${BASH_REMATCH[3]} - echo "Preparing store for $listener listener" - if [[ ${BASH_REMATCH[1]} == "custom" ]]; then - echo "Creating keystore /tmp/kafka/$listener.keystore.p12" - rm -f /tmp/kafka/"$listener".keystore.p12 - create_keystore_without_ca_file /tmp/kafka/"$listener".keystore.p12 "$CERTS_STORE_PASSWORD" "${CERT_DIR}/tls.crt" "${CERT_DIR}/tls.key" custom-key - elif [[ ${BASH_REMATCH[1]} == "oauth" ]]; then + echo "Preparing store for $listener oauth listener" + if [[ 
${BASH_REMATCH[1]} == "oauth" ]]; then trusted_certs="STRIMZI_${BASH_REMATCH[2]^^}_${BASH_REMATCH[3]}_OAUTH_TRUSTED_CERTS" if [ -n "${!trusted_certs}" ]; then prepare_truststore "/tmp/kafka/$listener.truststore.p12" "$CERTS_STORE_PASSWORD" "$CERT_DIR" "${!trusted_certs}" @@ -53,17 +19,6 @@ for CERT_DIR in /opt/kafka/certificates/*; do fi done -echo "Preparing truststore for client authentication" -# Add each certificate to the trust store -STORE=/tmp/kafka/clients.truststore.p12 -rm -f "$STORE" -for CRT in /opt/kafka/client-ca-certs/*.crt; do - ALIAS=$(basename "$CRT" .crt) - echo "Adding $CRT to truststore $STORE with alias $ALIAS" - create_truststore "$STORE" "$CERTS_STORE_PASSWORD" "$CRT" "$ALIAS" -done -echo "Preparing truststore for client authentication is complete" - if [ -n "$STRIMZI_OPA_AUTHZ_TRUSTED_CERTS" ]; then echo "Preparing Open Policy Agent authorization truststore" prepare_truststore "/tmp/kafka/authz-opa.truststore.p12" "$CERTS_STORE_PASSWORD" "/opt/kafka/certificates/authz-opa-certs" "$STRIMZI_OPA_AUTHZ_TRUSTED_CERTS" diff --git a/kafka-agent/pom.xml b/kafka-agent/pom.xml index 5842dd9ba60..2bc1a2cab0e 100644 --- a/kafka-agent/pom.xml +++ b/kafka-agent/pom.xml @@ -78,6 +78,14 @@ mockito-core test + + io.fabric8 + kubernetes-client-api + + + io.fabric8 + kubernetes-model-core + diff --git a/kafka-agent/src/main/java/io/strimzi/kafka/agent/KafkaAgent.java b/kafka-agent/src/main/java/io/strimzi/kafka/agent/KafkaAgent.java index 629d7d5fa12..34173a1ab21 100644 --- a/kafka-agent/src/main/java/io/strimzi/kafka/agent/KafkaAgent.java +++ b/kafka-agent/src/main/java/io/strimzi/kafka/agent/KafkaAgent.java 
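Review bot: With the regex reduced to `(oauth)`, `${BASH_REMATCH[1]}` can only ever be `oauth`, so the `if [[ ${BASH_REMATCH[1]} == "oauth" ]]; then` test the hunk keeps is always true, and the echo on the line above already hard-codes `oauth`. The branch body can move directly under `if [[ $CERT_DIR =~ $regex ]]` and the inner `if`/`fi` dropped. The enclosing for-loop and the inner `fi` end in the following hunk, outside this one.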
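Review bot: The hunk adds `kubernetes-client-api` and `kubernetes-model-core`, but `new KubernetesClientBuilder().build()` in the KafkaAgent hunk below needs a client implementation on the classpath at runtime; in fabric8 6.x that is the separate `kubernetes-client` artifact discovered via ServiceLoader, which is not declared here and presumably arrives transitively or from the image — worth confirming, since the failure is a runtime exception rather than a compile error. The agent is loaded into the broker JVM as a javaagent, so the whole fabric8 dependency tree (Jackson, the HTTP client) lands on the broker's classpath; the versions are unmanaged in this hunk and should be pinned alongside Kafka's own Jackson to avoid classpath conflicts. A short XML comment on the new dependencies, `<!-- used by KafkaAgent to read the CA and node certificate Secrets -->`, would record why a broker-side agent depends on the Kubernetes client.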
@@ -10,6 +10,9 @@
 import com.yammer.metrics.core.MetricName;
 import com.yammer.metrics.core.MetricsRegistry;
 import com.yammer.metrics.core.MetricsRegistryListener;
+import io.fabric8.kubernetes.api.model.Secret;
+import io.fabric8.kubernetes.client.KubernetesClient;
+import io.fabric8.kubernetes.client.KubernetesClientBuilder;
 import org.eclipse.jetty.http.HttpHeader;
 import org.eclipse.jetty.server.Connector;
 import org.eclipse.jetty.server.Handler;
@@ -35,6 +38,9 @@
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
 import java.nio.charset.StandardCharsets;
+import java.security.GeneralSecurityException;
+import java.security.SecureRandom;
+import java.util.Base64;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Properties;
@@ -72,10 +78,9 @@ public class KafkaAgent {
 private static final byte BROKER_RUNNING_STATE = 3;
 private static final byte BROKER_RECOVERY_STATE = 2;
 private static final byte BROKER_UNKNOWN_STATE = 127;
- private String sslKeyStorePath;
- private String sslKeyStorePassword;
- private String sslTruststorePath;
- private String sslTruststorePassword;
+ private static final SecureRandom RANDOM = new SecureRandom();
+ private Secret caCertSecret;
+ private Secret nodeCertSecret;
 private MetricName brokerStateName;
 private Gauge brokerState;
 private Gauge remainingLogsToRecover;
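Review bot: `caCertSecret` and `nodeCertSecret` are declared mutable although the constructor in the next hunk is the only place in view that assigns them; `private final Secret caCertSecret;` and `private final Secret nodeCertSecret;` would document that the Secrets are read once at construction and let the compiler enforce it. The non-final `String` path fields being replaced had the same shape, so this is a style carry-over rather than a new behaviour. The class body continues outside the hunk.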
@@ -84,16 +89,18 @@ public class KafkaAgent {
 /**
 * Constructor of the KafkaAgent
 *
- * @param sslKeyStorePath Keystore containing the broker certificate
- * @param sslKeyStorePass Password for keystore
- * @param sslTruststorePath Truststore containing CA certs for authenticating clients
- * @param sslTruststorePass Password for truststore
+ * @param client Keystore containing the broker certificate
+ * @param caCertSecretName Password for keystore
+ * @param nodeCertSecretName Truststore containing CA certs for authenticating clients
+ * @param namespace Password for truststore
 */
- /* test */ KafkaAgent(String sslKeyStorePath, String sslKeyStorePass, String sslTruststorePath, String sslTruststorePass) {
- this.sslKeyStorePath = sslKeyStorePath;
- this.sslKeyStorePassword = sslKeyStorePass;
- this.sslTruststorePath = sslTruststorePath;
- this.sslTruststorePassword = sslTruststorePass;
+ /* test */ KafkaAgent(KubernetesClient client, String caCertSecretName, String nodeCertSecretName, String namespace) {
+ this.caCertSecret = getKubernetesSecret(client, caCertSecretName, namespace);
+ this.nodeCertSecret = getKubernetesSecret(client, nodeCertSecretName, namespace);
+ }
+
+ private Secret getKubernetesSecret(KubernetesClient client, String caCertSecretName, String namespace) {
+ return client.secrets().inNamespace(namespace).withName(caCertSecretName).get();
 }
 /**
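Review bot: The rewritten Javadoc kept the old descriptions, so `@param client` now reads "Keystore containing the broker certificate" and `@param namespace` reads "Password for truststore"; the four tags should describe the Kubernetes client, the name of the Secret holding the cluster CA certificate, the name of the Secret holding this node's certificate and key, and the namespace they are read from, e.g. `@param client Kubernetes client used to read the Secrets`. `getKubernetesSecret` names its parameter `caCertSecretName` although the constructor also calls it for the node Secret; `secretName` fits both call sites. `withName(...).get()` returns null when the Secret does not exist, which would only surface later as a NullPointerException from the keystore code, so failing here with the name in the message is clearer: `if (secret == null) { throw new IllegalStateException("Secret " + secretName + " not found in namespace " + namespace); }` before the return.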
@@ -255,15 +262,16 @@ public boolean handle(Request request, Response response, Callback callback) thr
 };
 }
- private SslContextFactory.Server getSSLContextFactory() {
+ private SslContextFactory.Server getSSLContextFactory() throws GeneralSecurityException, IOException {
 SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
+ sslContextFactory.setTrustStore(KafkaAgentUtils.jksTrustStore(caCertSecret));
- sslContextFactory.setKeyStorePath(sslKeyStorePath);
- sslContextFactory.setKeyStorePassword(sslKeyStorePassword);
- sslContextFactory.setKeyManagerPassword(sslKeyStorePassword);
+ byte[] random = new byte[24];
+ RANDOM.nextBytes(random);
+ String password = Base64.getUrlEncoder().withoutPadding().encodeToString(random).substring(0, 32);
- sslContextFactory.setTrustStorePath(sslTruststorePath);
- sslContextFactory.setTrustStorePassword(sslTruststorePassword);
+ sslContextFactory.setKeyStore(KafkaAgentUtils.jksKeyStore(nodeCertSecret, password.toCharArray()));
+ sslContextFactory.setKeyStorePassword(password);
 sslContextFactory.setNeedClientAuth(true);
 return sslContextFactory;
 }
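Review bot: `.substring(0, 32)` on the generated password is a no-op: 24 random bytes encode to exactly 32 unpadded URL-safe Base64 characters, so `String password = Base64.getUrlEncoder().withoutPadding().encodeToString(random);` is equivalent and does not invite the reader to look for a length rule. The removed `setKeyManagerPassword` call is not replaced, so unlocking the key entry relies on Jetty falling back to the keystore password, which only works if `KafkaAgentUtils.jksKeyStore` protects the key with the same `password.toCharArray()` it receives (that class is a new file outside this view); a comment such as `// key entry and store share this password; Jetty reuses the store password for the key manager when none is set` would pin that assumption. Since the password only guards an in-memory store built from a Secret the process already holds, a note that it has no value outside this JVM would stop readers treating it as a credential to manage.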
@@ -325,22 +333,16 @@ public static void premain(String agentArgs) { System.exit(1); } - final String sslKeyStorePath = agentConfigs.get("sslKeyStorePath"); - final String sslKeyStorePass = agentConfigs.get("sslKeyStorePass"); - final String sslTrustStorePath = agentConfigs.get("sslTrustStorePath"); - final String sslTrustStorePass = agentConfigs.get("sslTrustStorePass"); - if (sslKeyStorePath.isEmpty() || sslTrustStorePath.isEmpty()) { - LOGGER.error("SSLKeyStorePath or SSLTrustStorePath is empty: sslKeyStorePath={} sslTrustStore={} ", sslKeyStorePath, sslTrustStorePath); - System.exit(1); - } else if (sslKeyStorePass.isEmpty()) { - LOGGER.error("Keystore password is empty"); - System.exit(1); - } else if (sslTrustStorePass.isEmpty()) { - LOGGER.error("Truststore password is empty"); + final String caCertSecretName = agentConfigs.get("sslTrustStoreSecretName"); + final String nodeCertSecretName = agentConfigs.get("sslKeyStoreSecretName"); + final String namespace = agentConfigs.get("namespace"); + if (caCertSecretName.isEmpty() || nodeCertSecretName.isEmpty() || namespace.isEmpty()) { + LOGGER.error("Missing the required Secret information: sslTrustStoreSecretName={} sslKeyStoreSecretName={} namespace={}", caCertSecretName, nodeCertSecretName, namespace); System.exit(1); } else { - LOGGER.info("Starting KafkaAgent with sslKeyStorePath={} and sslTrustStore={}", sslKeyStorePath, sslTrustStorePath); - new KafkaAgent(sslKeyStorePath, sslKeyStorePass, sslTrustStorePath, sslTrustStorePass).run(); + LOGGER.info("Starting KafkaAgent with sslTrustStoreSecretName={} sslKeyStoreSecretName={} namespace={}", caCertSecretName, nodeCertSecretName, namespace); + KubernetesClient client = new KubernetesClientBuilder().build(); + new KafkaAgent(client, caCertSecretName, nodeCertSecretName, namespace).run(); } } } 
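Review bot: The `KubernetesClient` created with `new KubernetesClientBuilder().build()` is never closed; from the constructor hunk above it appears the agent only needs it to read the two Secrets at start-up, so wrapping the construction as `try (KubernetesClient client = new KubernetesClientBuilder().build()) { new KafkaAgent(client, caCertSecretName, nodeCertSecretName, namespace).run(); }` would release it, unless `run()` relies on it afterwards. The `isEmpty()` checks assume `agentConfigs.get(...)` never returns null, so a config lacking one of the three keys fails with a NullPointerException instead of the logged "Missing the required Secret information" error; if `agentConfigs` is a `Map`, `agentConfigs.getOrDefault("namespace", "")` (and likewise for the other two keys) makes the validation complete. A short comment mapping the config keys to their meaning — `sslTrustStoreSecretName` is the CA-certificate Secret, `sslKeyStoreSecretName` the per-node certificate Secret — would help readers coming from the old path-based names.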
diff --git a/kafka-agent/src/main/java/io/strimzi/kafka/agent/KafkaAgentUtils.java b/kafka-agent/src/main/java/io/strimzi/kafka/agent/KafkaAgentUtils.java
new file mode 100644
index 00000000000..9d2dc6bf90f
--- /dev/null
+++ b/kafka-agent/src/main/java/io/strimzi/kafka/agent/KafkaAgentUtils.java
@@ -0,0 +1,161 @@
+/*
+ * Copyright Strimzi authors.
+ * License: Apache License 2.0 (see the file LICENSE or http://apache.org/licenses/LICENSE-2.0.html).
+ */
+package io.strimzi.kafka.agent;
+
+import io.fabric8.kubernetes.api.model.Secret;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.security.GeneralSecurityException;
+import java.security.KeyFactory;
+import java.security.KeyStore;
+import java.security.PrivateKey;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.util.Base64;
+import java.util.Map;
+import java.util.Objects;
+import java.util.stream.Collectors;
+
+
+/**
+ * Class with various utility methods for generating KeyStore and TrustStore for KafkaAgent
+ */
+public class KafkaAgentUtils {
+
+ /**
+ * Creates TrustStore to use for TLS connections from the given Secret. This also validates each one is a valid certificate and
+ * throws an exception if it is not.
+ *
+ * @param secret Secret containing the TrustStore certificates
+ * @return TrustStore file in JKS format
+ * @throws GeneralSecurityException if something goes wrong when creating the truststore
+ * @throws IOException if there is an I/O or format problem with the data used to load the truststore.
+ * This is not expected as the truststore is loaded with null parameter.
+ */ + static KeyStore jksTrustStore(Secret secret) throws GeneralSecurityException, IOException { + KeyStore trustStore = KeyStore.getInstance("JKS"); + trustStore.load(null); + int aliasIndex = 0; + for (X509Certificate certificate : asX509Certificates(extractCerts(secret), secret.getMetadata().getName(), secret.getMetadata().getNamespace()).values()) { + trustStore.setEntry(certificate.getSubjectX500Principal().getName() + "-" + aliasIndex, new KeyStore.TrustedCertificateEntry(certificate), null); + aliasIndex++; + } + return trustStore; + } + + /** + * Creates KeyStore to use for TLS connections from the given Secret. + * + * @param secret Secret containing private key and certificate + * + * @return KeyStore file in JKS format + * @throws GeneralSecurityException if something goes wrong when creating the truststore + * @throws IOException if there is an I/O or format problem with the data used to load the truststore. + */ + static KeyStore jksKeyStore(Secret secret, char[] password) throws GeneralSecurityException, IOException { + String secretName = secret.getMetadata().getName(); + String strippedPrivateKey = new String(decodeBase64FieldFromSecret(secret, secretName + ".key"), StandardCharsets.US_ASCII) + .replace("-----BEGIN PRIVATE KEY-----", "") + .replaceAll(System.lineSeparator(), "") + .replace("-----END PRIVATE KEY-----", ""); + byte[] decodedKey = Base64.getDecoder().decode(strippedPrivateKey); + PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(decodedKey); + final KeyFactory keyFactory = KeyFactory.getInstance("RSA"); + final PrivateKey key = keyFactory.generatePrivate(keySpec); + + X509Certificate certificateChain = x509Certificate(decodeBase64FieldFromSecret(secret, secretName + ".crt")); + KeyStore nodeKeyStore = KeyStore.getInstance("JKS"); + nodeKeyStore.load(null); + nodeKeyStore.setKeyEntry(secret.getMetadata().getName(), key, password, new Certificate[]{certificateChain}); + return nodeKeyStore; + } + + /** + * Extract all public keys 
(all .crt records) from a secret. + */ + private static Map extractCerts(Secret secret) { + Map certs = secret + .getData() + .entrySet() + .stream() + .filter(record -> record.getKey().endsWith(".crt")) + .collect(Collectors.toMap( + entry -> stripCertKeySuffix(entry.getKey()), + entry -> Base64.getDecoder().decode(entry.getValue())) + ); + if (certs.isEmpty()) { + throw new RuntimeException("The Secret " + secret.getMetadata().getNamespace() + "/" + secret.getMetadata().getName() + " does not contain any fields with the suffix .crt"); + } + return certs; + } + + private static String stripCertKeySuffix(String key) { + return key.substring(0, key.length() - ".crt".length()); + } + + /** + * Creates X509Certificate instance from a byte array containing a certificate. + * + * @param bytes Bytes with the X509 certificate + * @throws CertificateException Thrown when the creation of the X509Certificate instance fails. Typically, this + * would happen because the bytes do not contain a valid X509 certificate. 
+ * @return X509Certificate instance created based on the Certificate bytes + */ + private static X509Certificate x509Certificate(byte[] bytes) throws CertificateException { + final CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); + Certificate certificate = certificateFactory.generateCertificate(new ByteArrayInputStream(bytes)); + if (certificate instanceof X509Certificate) { + return (X509Certificate) certificate; + } else { + throw new CertificateException("Not an X509Certificate: " + certificate); + } + } + + /** + * Decode binary item from Kubernetes Secret from base64 into byte array + * + * @param secret Kubernetes Secret + * @param field Field which should be retrieved and decoded + * @return Decoded bytes + */ + private static byte[] decodeBase64FieldFromSecret(Secret secret, String field) { + Objects.requireNonNull(secret); + String data = secret.getData().get(field); + if (data != null) { + return Base64.getDecoder().decode(data); + } else { + throw new RuntimeException(String.format("The Secret %s/%s is missing the field %s", + secret.getMetadata().getNamespace(), + secret.getMetadata().getName(), + field)); + } + } + + /** + * Certificates to use in a TrustStore for TLS connections, with each certificate as a separate X509Certificate object. + * This also validates each one is a valid certificate and throws an exception if it is not. + * @return The set of trusted certificates as X509Certificate. + */ + private static Map asX509Certificates(Map trustedCertificateMap, String secretName, String secretNamespace) { + return trustedCertificateMap.entrySet() + .stream() + .collect(Collectors.toMap( + Map.Entry::getKey, + entry -> { + try { + return x509Certificate(entry.getValue()); + } catch (CertificateException e) { + throw new RuntimeException("Bad/corrupt certificate found in data." + entry.getKey() + ".crt of Secret " + + secretName + " in namespace " + secretNamespace); + } + } + )); + } +} 
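Review bot: `extractCerts` and `asX509Certificates` use raw `Map` types (`private static Map extractCerts(Secret secret)`, `Map certs = ...`, `Map asX509Certificates(Map trustedCertificateMap, ...)`), which makes the loop in `jksTrustStore` an unchecked iteration over `Object`; declaring them as `Map<String, byte[]>` and `Map<String, X509Certificate>` keeps the compiler in the loop and avoids unchecked warnings. In `asX509Certificates` the `RuntimeException` built from the `CertificateException` drops the cause; pass `e` as the second constructor argument so the parser's reason is retained. In `jksKeyStore`, `.replaceAll(System.lineSeparator(), "")` strips only the platform separator from the PEM body, so a key stored with `\r\n` line endings would fail to Base64-decode; `.replaceAll("\\s+", "")` handles both, and the hard-coded `KeyFactory.getInstance("RSA")` together with the `BEGIN PRIVATE KEY` marker means only PKCS#8-encoded RSA keys are accepted, which deserves a comment if intentional. The Javadoc of `jksKeyStore` lacks `@param password`, and its `@throws` text still says "truststore".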
diff --git a/operator-common/src/main/java/io/strimzi/operator/common/model/cruisecontrol/CruiseControlConfigurationParameters.java b/operator-common/src/main/java/io/strimzi/operator/common/model/cruisecontrol/CruiseControlConfigurationParameters.java
index cafa85ac01e..db4baf3bb48 100644
--- a/operator-common/src/main/java/io/strimzi/operator/common/model/cruisecontrol/CruiseControlConfigurationParameters.java
+++ b/operator-common/src/main/java/io/strimzi/operator/common/model/cruisecontrol/CruiseControlConfigurationParameters.java
@@ -129,6 +129,16 @@ public enum CruiseControlConfigurationParameters {
 */
 METRICS_REPORTER_SSL_KEYSTORE_PASSWORD("cruise.control.metrics.reporter.ssl.keystore.password"),
 
+ /**
+ * Metrics reporter keystore certificate chain
+ */
+ METRICS_REPORTER_SSL_KEYSTORE_CERTIFICATE_CHAIN("cruise.control.metrics.reporter.ssl.keystore.certificate.chain"),
+
+ /**
+ * Metrics reporter keystore key
+ */
+ METRICS_REPORTER_SSL_KEYSTORE_KEY("cruise.control.metrics.reporter.ssl.keystore.key"),
+
 /**
 * Metrics reporter truststore type
 */
@@ -144,6 +154,11 @@ public enum CruiseControlConfigurationParameters {
 */
 METRICS_REPORTER_SSL_TRUSTSTORE_PASSWORD("cruise.control.metrics.reporter.ssl.truststore.password"),
 
+ /**
+ * Metrics reporter truststore certificates
+ */
+ METRICS_REPORTER_SSL_TRUSTSTORE_CERTIFICATES("cruise.control.metrics.reporter.ssl.truststore.certificates"),
+
 // Metrics topic configurations
 /**
 * Name of the Cruise Control metrics topic
diff --git a/systemtest/src/main/java/io/strimzi/systemtest/utils/specific/CruiseControlUtils.java b/systemtest/src/main/java/io/strimzi/systemtest/utils/specific/CruiseControlUtils.java
index 8389e66dd9a..f934c55845e 100644
--- a/systemtest/src/main/java/io/strimzi/systemtest/utils/specific/CruiseControlUtils.java
+++ b/systemtest/src/main/java/io/strimzi/systemtest/utils/specific/CruiseControlUtils.java
@@ -12,8 +12,6 @@ import io.strimzi.systemtest.TestConstants; import io.strimzi.systemtest.kafkaclients.internalClients.admin.AdminClient; import io.strimzi.systemtest.kafkaclients.internalClients.admin.KafkaTopicDescription; -import io.strimzi.systemtest.labels.LabelSelectors; -import io.strimzi.systemtest.resources.crd.KafkaComponents; import io.strimzi.systemtest.utils.AdminClientUtils; import io.strimzi.systemtest.utils.kubeUtils.objects.PodUtils; import io.strimzi.test.TestUtils; @@ -114,7 +112,8 @@ public static ApiResult callApi(String namespaceName, HttpMethod method, Scheme } @SuppressWarnings("BooleanExpressionComplexity") - public static void verifyCruiseControlMetricReporterConfigurationInKafkaConfigMapIsPresent(Properties kafkaProperties) { + public static void verifyCruiseControlMetricReporterConfigurationInKafkaConfigMapIsPresent(String clusterName, String namespace, String brokerPodName) throws IOException { + Properties kafkaProperties = getKafkaCruiseControlMetricsReporterConfiguration(namespace, clusterName, brokerPodName); String kafkaClusterName = kafkaProperties.getProperty("cluster-name"); TestUtils.waitFor("Verify that Kafka configuration " + kafkaProperties + " has correct CruiseControl metric reporter properties", TestConstants.GLOBAL_POLL_INTERVAL, TestConstants.GLOBAL_CRUISE_CONTROL_TIMEOUT, () -> 
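Review bot: `getKafkaCruiseControlMetricsReporterConfiguration` is now called once, before `TestUtils.waitFor`, so every poll iteration re-evaluates the same `Properties` snapshot and the wait can never change its answer; if the intent is to ride out a rolling update until the reporter properties appear in the broker ConfigMap, the fetch has to move inside the lambda, otherwise a plain assertion would be clearer than a timed wait. Moving it inside means the `IOException` can no longer propagate through `throws IOException` and would need wrapping, e.g. in `UncheckedIOException`. The body of `verifyCruiseControlMetricReporterConfigurationInKafkaConfigMapIsPresent` continues past this hunk.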
@@ -122,12 +121,10 @@ public static void verifyCruiseControlMetricReporterConfigurationInKafkaConfigMa kafkaProperties.getProperty(CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_ENDPOINT_ID_ALGO.getValue()).equals("HTTPS") && kafkaProperties.getProperty(CruiseControlConfigurationParameters.METRICS_REPORTER_BOOTSTRAP_SERVERS.getValue()).equals(kafkaClusterName + "-kafka-brokers:9091") && kafkaProperties.getProperty(CruiseControlConfigurationParameters.METRICS_REPORTER_SECURITY_PROTOCOL.getValue()).equals("SSL") && - kafkaProperties.getProperty(CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_KEYSTORE_TYPE.getValue()).equals("PKCS12") && - kafkaProperties.getProperty(CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_KEYSTORE_LOCATION.getValue()).equals("/tmp/kafka/cluster.keystore.p12") && - kafkaProperties.getProperty(CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_KEYSTORE_PASSWORD.getValue()).equals("${strimzienv:CERTS_STORE_PASSWORD}") && - kafkaProperties.getProperty(CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_TRUSTSTORE_TYPE.getValue()).equals("PKCS12") && - kafkaProperties.getProperty(CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_TRUSTSTORE_LOCATION.getValue()).equals("/tmp/kafka/cluster.truststore.p12") && - kafkaProperties.getProperty(CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_TRUSTSTORE_PASSWORD.getValue()).equals("${strimzienv:CERTS_STORE_PASSWORD}")); + kafkaProperties.getProperty(CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_KEYSTORE_TYPE.getValue()).equals("PEM") && + kafkaProperties.getProperty(CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_KEYSTORE_CERTIFICATE_CHAIN.getValue()).equals("${strimzisecrets:" + namespace + "/" + brokerPodName + ":" + brokerPodName + ".crt}") && + kafkaProperties.getProperty(CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_TRUSTSTORE_TYPE.getValue()).equals("PEM") && + 
kafkaProperties.getProperty(CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_TRUSTSTORE_CERTIFICATES.getValue()).equals("${strimzisecrets:" + namespace + "/" + clusterName + "-cluster-ca-cert:*.crt}")); } public static void verifyThatCruiseControlTopicsArePresent(AdminClient adminClient, int defaultReplicaCount) { @@ -153,9 +150,7 @@ public static void verifyThatCruiseControlTopicsArePresent(AdminClient adminClie assertThat(ccPartitionMetricTopic.partitionCount(), is(32)); } - public static Properties getKafkaCruiseControlMetricsReporterConfiguration(String namespaceName, String clusterName) throws IOException { - String cmName = KubeResourceManager.get().kubeClient().listPods(namespaceName, LabelSelectors.kafkaLabelSelector(clusterName, KafkaComponents.getBrokerPodSetName(clusterName))).get(0).getMetadata().getName(); - + public static Properties getKafkaCruiseControlMetricsReporterConfiguration(String namespaceName, String clusterName, String cmName) throws IOException { InputStream configurationFileStream = new ByteArrayInputStream(KubeResourceManager.get().kubeClient().getClient().configMaps().inNamespace(namespaceName).withName(cmName).get() .getData().get("server.config").getBytes(StandardCharsets.UTF_8)); diff --git a/systemtest/src/test/java/io/strimzi/systemtest/cruisecontrol/CruiseControlConfigurationST.java b/systemtest/src/test/java/io/strimzi/systemtest/cruisecontrol/CruiseControlConfigurationST.java index fc908b82278..4437e0c0784 100644 --- a/systemtest/src/test/java/io/strimzi/systemtest/cruisecontrol/CruiseControlConfigurationST.java +++ b/systemtest/src/test/java/io/strimzi/systemtest/cruisecontrol/CruiseControlConfigurationST.java 
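Review bot: The new assertions check `METRICS_REPORTER_SSL_KEYSTORE_CERTIFICATE_CHAIN` and the truststore certificates but not `METRICS_REPORTER_SSL_KEYSTORE_KEY`, although the commit adds that parameter alongside the others; if the operator emits the key placeholder as well, an assertion of the shape `kafkaProperties.getProperty(CruiseControlConfigurationParameters.METRICS_REPORTER_SSL_KEYSTORE_KEY.getValue()).equals("${strimzisecrets:" + namespace + "/" + brokerPodName + ":" + brokerPodName + ".key}")` would cover it, otherwise the new enum entry stays untested. The expected strings now hard-code the `${strimzisecrets:namespace/name:field}` placeholder syntax; a short comment noting that this must stay in step with the config-provider template the operator writes would help when that format changes. The enclosing `waitFor` lambda starts before this hunk.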
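Review bot: `getKafkaCruiseControlMetricsReporterConfiguration` now takes `cmName`, but both callers pass a broker pod name, so the parameter name only makes sense if the per-broker ConfigMap shares the pod's name; either rename it to `brokerPodName` or add a comment such as `// the per-broker ConfigMap is named after the broker pod` above the method. The removed pod lookup is not replaced by any argument validation, so a null or empty name now reaches `withName(cmName).get()` and fails on `.getData()` with a NullPointerException rather than a readable message; `Objects.requireNonNull(cmName, "cmName")` would make the failure clear. The method body continues past this hunk.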
@@ -121,8 +121,9 @@ void testDeployAndUnDeployCruiseControl() throws IOException { LOGGER.info("Verifying that {} Pod is not present", testStorage.getClusterName() + "-cruise-control-"); PodUtils.waitUntilPodStabilityReplicasCount(testStorage.getNamespaceName(), testStorage.getClusterName() + "-cruise-control-", 0); + String brokerPodName = brokerPods.keySet().stream().iterator().next(); LOGGER.info("Verifying that there is no configuration to CruiseControl metric reporter in Kafka ConfigMap"); - assertThrows(WaitException.class, () -> CruiseControlUtils.verifyCruiseControlMetricReporterConfigurationInKafkaConfigMapIsPresent(CruiseControlUtils.getKafkaCruiseControlMetricsReporterConfiguration(testStorage.getNamespaceName(), testStorage.getClusterName()))); + assertThrows(WaitException.class, () -> CruiseControlUtils.verifyCruiseControlMetricReporterConfigurationInKafkaConfigMapIsPresent(testStorage.getClusterName(), testStorage.getNamespaceName(), brokerPodName)); KubeResourceManager.get().createResourceWithWait( AdminClientTemplates.plainAdminClient( 
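Review bot: `brokerPods.keySet().stream().iterator().next()` goes through a Stream for nothing; `brokerPods.keySet().iterator().next()` is equivalent, and both throw a bare `NoSuchElementException` when the map is empty — `brokerPods.keySet().stream().findFirst().orElseThrow(() -> new AssertionError("no broker pods found"))` would make that failure readable. The same `brokerPodName` is reused after the broker roll later in the test, which only works if pod names survive the roll; as far as I know that holds for pods managed by a StrimziPodSet, but a comment at the declaration saying so would make the assumption explicit. `brokerPods` is declared outside this hunk.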
@@ -144,7 +145,7 @@ void testDeployAndUnDeployCruiseControl() throws IOException { RollingUpdateUtils.waitTillComponentHasRolled(testStorage.getNamespaceName(), testStorage.getBrokerSelector(), defaultBrokerReplicaCount, brokerPods); LOGGER.info("Verifying that configuration of CruiseControl metric reporter is present in Kafka ConfigMap"); - CruiseControlUtils.verifyCruiseControlMetricReporterConfigurationInKafkaConfigMapIsPresent(CruiseControlUtils.getKafkaCruiseControlMetricsReporterConfiguration(testStorage.getNamespaceName(), testStorage.getClusterName())); + CruiseControlUtils.verifyCruiseControlMetricReporterConfigurationInKafkaConfigMapIsPresent(testStorage.getClusterName(), testStorage.getNamespaceName(), brokerPodName); LOGGER.info("Verifying that {} Topics are created after CC is instantiated", TestConstants.CRUISE_CONTROL_NAME); CruiseControlUtils.verifyThatCruiseControlTopicsArePresent(adminClient, defaultBrokerReplicaCount);