strimzi
diff --git a/‎.checkstyle/import-control.xml‎
Lines changed: 1 addition & 0 deletions b/‎.checkstyle/import-control.xml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎cluster-operator/src/main/java/io/strimzi/operator/cluster/model/CertManagerUtils.java‎
Lines changed: 155 additions & 0 deletions b/‎cluster-operator/src/main/java/io/strimzi/operator/cluster/model/CertManagerUtils.java‎
Lines changed: 155 additions & 0 deletions
diff --git a/‎cluster-operator/src/main/java/io/strimzi/operator/cluster/model/CertUtils.java‎
Lines changed: 0 additions & 76 deletions b/‎cluster-operator/src/main/java/io/strimzi/operator/cluster/model/CertUtils.java‎
Lines changed: 0 additions & 76 deletions
diff --git a/‎cluster-operator/src/main/java/io/strimzi/operator/cluster/model/ClusterCa.java‎
Lines changed: 39 additions & 12 deletions b/‎cluster-operator/src/main/java/io/strimzi/operator/cluster/model/ClusterCa.java‎
Lines changed: 39 additions & 12 deletions
@@ -70,6 +70,7 @@ We also control imports only in production classes and not in tests. This is con
         <allow pkg="io.strimzi.platform" />
         <allow pkg="io.strimzi.certs" />
         <allow pkg="io.strimzi.kafka.config.model" />
+        <allow pkg="io.strimzi.operator.common.auth" />
         <allow pkg="io.strimzi.operator.common.model" />
         <allow pkg="io.strimzi.operator.cluster.model" />
         <allow class="io.strimzi.operator.common.Reconciliation" />
 
@@ -0,0 +1,155 @@
+/*
+ * Copyright Strimzi authors.
+ * License: Apache License 2.0 (see the file LICENSE or http://apache.org/licenses/LICENSE-2.0.html).
+ */
+package io.strimzi.operator.cluster.model;
+
+import io.fabric8.certmanager.api.model.v1.Certificate;
+import io.fabric8.certmanager.api.model.v1.CertificateBuilder;
+import io.fabric8.kubernetes.api.model.OwnerReference;
+import io.fabric8.kubernetes.api.model.Secret;
+import io.strimzi.operator.common.Annotations;
+import io.strimzi.operator.common.model.Ca;
+import io.strimzi.operator.common.model.ClientsCa;
+import io.strimzi.operator.common.model.Labels;
+
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Objects;
+
+/**
+ * cert-manager utility methods
+ */
+public class CertManagerUtils {
+    private static final String CERT_MANAGER_SECRET_SUFFIX = "-cm";
+    /**
+     * Get the name of the Secret managed by cert-manager, given a Strimzi managed Secret
+     *
+     * @param strimziSecretName Name of the Secret managed by Strimzi
+     * @return Secret name to use for cert-manager managed Secret
+     */
+    public static String certManagerSecretName(String strimziSecretName) {
+        return strimziSecretName + CERT_MANAGER_SECRET_SUFFIX;
+    }
+
+    /**
+     * Get the name of the Secret managed by Strimzi, given a cert-manager managed Secret
+     *
+     * @param certManagerSecretName Name of the Secret managed by cert-manager
+     * @return Secret name to use for Strimzi managed Secret
+     */
+    public static String strimziSecretName(String certManagerSecretName) {
+        if (!matchesCertManagerSecretNaming(certManagerSecretName)) {
+            throw new RuntimeException("Supplied Secret does not match expected format for cert-manager Secret name");
+        }
+        return certManagerSecretName.substring(0, certManagerSecretName.length() - CERT_MANAGER_SECRET_SUFFIX.length());
+    }
+
+    /**
+     * Returns whether the supplied Secret name has the same format as a Secret created by cert-manager
+     *
+     * @param secretName Secret name to check
+     * @return Whether the Secret name matches the format of a Secret created by cert-manager
+     */
+    public static boolean matchesCertManagerSecretNaming(String secretName) {
+        return secretName.endsWith(CERT_MANAGER_SECRET_SUFFIX);
+    }
+
+    /**
+     * Build Certificate object to give to cert-manager to generate certificate
+     *
+     * @param namespace             Namespace for the Certificate
+     * @param name                  Name for the Certificate
+     * @param initialCertificate    Certificate to use as a base
+     * @param labels                Labels for Certificate
+     * @param ownerReference        Owner reference for Certificate
+     * @return Certificate object
+     */
+    public static Certificate buildCertManagerCertificate(String namespace,
+                                                          String name, Certificate initialCertificate,
+                                                          Labels labels, OwnerReference ownerReference) {
+        String secretName = certManagerSecretName(name);
+        if (ownerReference == null) {
+            return new CertificateBuilder(initialCertificate)
+                    .withNewMetadata()
+                        .withName(name)
+                        .withNamespace(namespace)
+                    .endMetadata()
+                    .editSpec()
+                        .withSecretName(secretName)
+                        .withNewSecretTemplate()
+                            .withLabels(labels.toMap())
+                        .endSecretTemplate()
+                    .endSpec()
+                    .build();
+        } else {
+            return new CertificateBuilder(initialCertificate)
+                    .withNewMetadata()
+                        .withName(name)
+                        .withNamespace(namespace)
+                            .withOwnerReferences(ownerReference)
+                    .endMetadata()
+                    .editSpec()
+                        .withSecretName(secretName)
+                        .withNewSecretTemplate()
+                            .withLabels(labels.toMap())
+                        .endSecretTemplate()
+                    .endSpec()
+                    .build();
+        }
+    }
+
+    /**
+     * Builds a clusterCa certificate Secret for the different Strimzi components (TO, UO, KE, ...).
+     * Used when cert-manager has issued the CA Secret.
+     *
+     * @param clusterCa         The Cluster CA
+     * @param clientsCa         The Clients CA. If this is not null the Clients CA generation is added
+     * @param certManagerSecret cert-manager Secret containing the Cluster CA
+     * @param namespace         Namespace for the Secret
+     * @param secretName        Name of the Secret
+     * @param keyCertName       Key under which the certificate will be stored in the new Secret
+     * @param labels            Labels
+     * @param ownerReference    Owner reference
+     * @return Newly built Secret
+     */
+    public static Secret buildTrustedCertificateSecretFromCertManager(ClusterCa clusterCa, ClientsCa clientsCa, Secret certManagerSecret, String namespace,
+                                                                      String secretName, String keyCertName, Labels labels,
+                                                                      OwnerReference ownerReference) {
+        String certHash = CertUtils.getCertificateThumbprint(certManagerSecret, "tls.crt");
+        Objects.requireNonNull(certHash);
+
+        Map<String, String> annotations = new HashMap<>();
+        annotations.put(Annotations.ANNO_STRIMZI_SERVER_CERT_HASH, certHash);
+        Map.Entry<String, String> clusterCaGeneration = clusterCa.caCertGenerationFullAnnotation();
+        annotations.put(clusterCaGeneration.getKey(), clusterCaGeneration.getValue());
+
+        if (clientsCa != null) {
+            Map.Entry<String, String> clientsCaGeneration = clientsCa.caCertGenerationFullAnnotation();
+            annotations.put(clientsCaGeneration.getKey(), clientsCaGeneration.getValue());
+        }
+
+        return ModelUtils.createSecret(secretName, namespace, labels, ownerReference,
+                Map.of(
+                        Ca.SecretEntry.CRT.asKey(keyCertName), certManagerSecret.getData().get("tls.crt"),
+                        Ca.SecretEntry.KEY.asKey(keyCertName), certManagerSecret.getData().get("tls.key")
+                ),
+                annotations,
+                Map.of());
+    }
+
+    /**
+     * Checks if the hashes of certs in a cert Secret have changed
+     * @param existingCertSecret    Existing cert Secret
+     * @param newCertSecret         New cert Secret
+     * @return Whether the cert has been updated in the new Secret
+     */
+    public static boolean certManagerCertUpdated(Secret existingCertSecret, Secret newCertSecret) {
+        String existingCertHash = Annotations.stringAnnotation(existingCertSecret, Annotations.ANNO_STRIMZI_SERVER_CERT_HASH, null);
+        String newCertHash = Annotations.stringAnnotation(newCertSecret, Annotations.ANNO_STRIMZI_SERVER_CERT_HASH, null);
+        if (existingCertHash == null || newCertHash == null) {
+            throw new RuntimeException(String.format("Failed to find server-cert-hash annotation for Secret %s/%s", existingCertSecret.getMetadata().getNamespace(), existingCertSecret.getMetadata().getName()));
+        }
+        return !existingCertHash.equals(newCertHash);
+    }
+}
@@ -4,15 +4,12 @@
  */
 package io.strimzi.operator.cluster.model;
 
-import io.fabric8.certmanager.api.model.v1.Certificate;
-import io.fabric8.certmanager.api.model.v1.CertificateBuilder;
 import io.fabric8.kubernetes.api.model.OwnerReference;
 import io.fabric8.kubernetes.api.model.Secret;
 import io.fabric8.kubernetes.api.model.Volume;
 import io.fabric8.kubernetes.api.model.VolumeMount;
 import io.strimzi.api.kafka.model.common.CertSecretSource;
 import io.strimzi.certs.CertAndKey;
-import io.strimzi.operator.common.Annotations;
 import io.strimzi.operator.common.Reconciliation;
 import io.strimzi.operator.common.ReconciliationLogger;
 import io.strimzi.operator.common.Util;
@@ -38,7 +35,6 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import java.util.Objects;
 import java.util.Set;
 
 import static java.util.Collections.emptyMap;
@@ -142,78 +138,6 @@ public static Secret buildTrustedCertificateSecret(Reconciliation reconciliation
         return ModelUtils.createSecret(secretName, namespace, labels, ownerReference, secretData, Map.ofEntries(clusterCa.caCertGenerationFullAnnotation()), emptyMap());
     }
 
-    /**
-     * Build Certificate object to give to cert-manager to generate certificate
-     *
-     * @param clusterCa      Cluster CA
-     * @param namespace      Namespace for the Certificate
-     * @param name           Name for the Certificate
-     * @param commonName     Common name for certificates
-     * @param labels         Labels for Certificate
-     * @param ownerReference Owner reference for Certificate
-     * @return Certificate object
-     */
-    public static Certificate buildCertManagerCertificate(ClusterCa clusterCa, String namespace,
-                                                          String name, String commonName,
-                                                          Labels labels, OwnerReference ownerReference) {
-        Certificate certificate = clusterCa.getCertManagerCert(commonName, Ca.IO_STRIMZI);
-        String secretName = name + "cm";
-        if (ownerReference == null) {
-            return new CertificateBuilder(certificate)
-                    .withNewMetadata()
-                        .withName(name)
-                        .withNamespace(namespace)
-                    .endMetadata()
-                    .editSpec()
-                        .withSecretName(secretName)
-                        .withNewSecretTemplate()
-                            .withLabels(labels.toMap())
-                        .endSecretTemplate()
-                    .endSpec()
-                    .build();
-        } else {
-            return new CertificateBuilder(certificate)
-                    .withNewMetadata()
-                        .withName(name)
-                        .withNamespace(namespace)
-                            .withOwnerReferences(ownerReference)
-                    .endMetadata()
-                    .editSpec()
-                        .withSecretName(secretName)
-                        .withNewSecretTemplate()
-                            .withLabels(labels.toMap())
-                        .endSecretTemplate()
-                    .endSpec()
-                    .build();
-        }
-    }
-
-    /**
-     * Builds a clusterCa certificate Secret for the different Strimzi components (TO, UO, KE, ...).
-     * Used when cert-manager has issued the CA Secret.
-     * @param clusterCa The Cluster CA
-     * @param certManagerSecret cert-manager Secret containing the Cluster CA
-     * @param namespace Namspace for the Secret
-     * @param secretName Name of the Secret
-     * @param keyCertName Key under which the certificate will be stored in the new Secret
-     * @param labels Labels
-     * @param ownerReference Owner reference
-     * @return Newly built Secret
-     */
-    public static Secret buildTrustedCertificateSecretFromCertManager(ClusterCa clusterCa, Secret certManagerSecret, String namespace,
-                                                                      String secretName, String keyCertName, Labels labels, OwnerReference ownerReference) {
-        String certHash = getCertificateShortThumbprint(certManagerSecret, "tls.crt");
-        Objects.requireNonNull(certHash);
-
-        return ModelUtils.createSecret(secretName, namespace, labels, ownerReference,
-                Map.of(
-                        Ca.SecretEntry.CRT.asKey(keyCertName), certManagerSecret.getData().get("tls.crt"),
-                        Ca.SecretEntry.KEY.asKey(keyCertName), certManagerSecret.getData().get("tls.key")
-                ),
-                Map.ofEntries(clusterCa.caCertGenerationFullAnnotation(), Map.entry(Annotations.ANNO_STRIMZI_SERVER_CERT_HASH, certHash)),
-                Map.of());
-    }
-
     /**
      * Constructs a Map containing the provided certificates to be stored in a Kubernetes Secret.
      *
 
@@ -4,6 +4,7 @@
  */
 package io.strimzi.operator.cluster.model;
 
+import io.fabric8.certmanager.api.model.v1.Certificate;
 import io.fabric8.kubernetes.api.model.Secret;
 import io.strimzi.api.kafka.model.common.CertificateAuthority;
 import io.strimzi.api.kafka.model.common.CertificateExpirationPolicy;
@@ -178,7 +179,43 @@ protected Map<String, CertAndKey> generateBrokerCerts(
             Map<Integer, Set<String>> externalAddresses,
             boolean isMaintenanceTimeWindowsSatisfied
     ) throws IOException {
-        Function<NodeRef, Subject> subjectFn = node -> {
+        LOGGER.debugCr(reconciliation, "{}: Reconciling kafka broker certificates", this);
+        return maybeCopyOrGenerateCerts(
+                reconciliation,
+                nodes,
+                kafkaNodeCertsSubjectFn(namespace, clusterName, externalBootstrapAddresses, externalAddresses),
+                existingCertificates,
+                isMaintenanceTimeWindowsSatisfied
+        );
+    }
+
+    /**
+     * Prepares the Certificate objects for the Kafka nodes.
+     * Only used when cert-manager is issuing certificates.
+     *
+     * @param namespace                     Namespace of the Kafka cluster
+     * @param clusterName                   Name of the Kafka cluster
+     * @param nodes                         Nodes that are part of the Kafka cluster
+     * @param externalBootstrapAddresses    List of external bootstrap addresses (used for certificate SANs)
+     * @param externalAddresses             Map with external listener addresses for the different nodes (used for certificate SANs)
+     *
+     * @return Map of Certificate resources keyed on the node id
+     */
+    public Map<String, Certificate> generateKafkaNodeCertificateResources(String namespace, String clusterName, Set<NodeRef> nodes,
+                                                                          Set<String> externalBootstrapAddresses,
+                                                                          Map<Integer, Set<String>> externalAddresses) {
+        Map<String, Certificate> certificates = new HashMap<>();
+        for (NodeRef node : nodes)  {
+            certificates.put(node.podName(), getCertManagerCert(kafkaNodeCertsSubjectFn(namespace, clusterName, externalBootstrapAddresses, externalAddresses).apply(node)));
+        }
+        return certificates;
+    }
+
+    private Function<NodeRef, Subject> kafkaNodeCertsSubjectFn(String namespace, String clusterName,
+                                                               Set<String> externalBootstrapAddresses,
+                                                               Map<Integer, Set<String>> externalAddresses
+    ) {
+        return node -> {
             Subject.Builder subject = new Subject.Builder()
                     .withOrganizationName("io.strimzi")
                     .withCommonName(KafkaResources.kafkaComponentName(clusterName));
@@ -215,16 +252,6 @@ protected Map<String, CertAndKey> generateBrokerCerts(
 
             return subject.build();
         };
-
-        LOGGER.debugCr(reconciliation, "{}: Reconciling kafka broker certificates", this);
-
-        return maybeCopyOrGenerateCerts(
-            reconciliation,
-            nodes,
-            subjectFn,
-            existingCertificates,
-            isMaintenanceTimeWindowsSatisfied
-        );
     }
 
     @Override
@@ -378,7 +405,7 @@ public void maybeDeleteOldCerts() {
     }
 
     @Override
-    public void updateCertAndGenerations(String caCert, X509Certificate endEntityCertificate) {
+    public void updateCertAndIncrementGenerations(String caCert, X509Certificate endEntityCertificate) {
         if (endEntityCertificate == null) {
             // Cluster operator certificate is missing, so no cert path validation to perform
             LOGGER.warnCr(reconciliation, "Strimzi CA cert Secret containing custom cert has been created, but operator Secret is missing");