
kafka-ssl in fips #6091

Merged

Conversation

JiriOndrusek (Contributor) opened the pull request:

fixes #6090
contains part of #5967

  • the kafka test module works in FIPS
  • kafka-sasl uses plaintext SASL and therefore cannot work in FIPS (the SASL scenario for FIPS is covered by kafka-sasl-ssl); the test is disabled in a FIPS environment
  • kafka-ssl and kafka-sasl-ssl are both fixed by this PR

Workaround because of strimzi kafka container.

Password-based encryption support in FIPS mode was implemented in the Red Hat build of OpenJDK 17 update 4.
OpenJDK 17 should be present in the image according to this blog post. Unfortunately, even the newest image (3.7.0) uses Java 11.
I had to add a step in the camel-quarkus-integration-tests-support-kafka module that creates a custom image with OpenJDK 17. This workaround happens only in FIPS mode and only once (the custom image with Java 17 is cached and the next runs should use it).

Adaptation of certificate-generator project

The certificate-generator project makes generating certificates easy and clear. The project can be used as a common approach to certificate generation for CQ (see the discussion in this ticket).

CQ requires the certificates to be customized when an external docker host is used (see the code for kafka).
To achieve the same functionality with the certificate-generator project, I had to create a special annotation, TestCertificates, with an extension implementation (TestCertificateGenerationExtension). The extension is based on the original extension from the certificate-generator project and customizes the CN and SubjectAlternativeName when the docker host is not localhost.

The new annotation (TestCertificates) is placed in a new module, camel-quarkus-integration-tests-support-certificate.

import org.junit.jupiter.api.Test;

import static org.assertj.core.api.Assertions.assertThat;

@TestCertificates(certificates = {
JiriOndrusek (Contributor Author) commented on this line:

@ppalaga This annotation instructs the certificate-generator project to generate certificates.
(It should be possible to test more certificate types by providing some parameters for the test methods. I haven't tried that yet.)
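The CN/SAN customization the extension performs, sketched as an added Python example (not Camel Quarkus or certificate-generator code): it derives the broker host from DOCKER_HOST, builds the SAN list, and shows why a certificate issued only for localhost fails hostname verification when the test connects to a remote docker host. The function names and the LOCAL_NAMES set are assumptions for this illustration.

```python
import ipaddress
from urllib.parse import urlparse

# Hypothetical stand-in for the CN/SAN customization described in the PR;
# not the project's own code. Names the daemon can be reached under locally.
LOCAL_NAMES = {"localhost", "127.0.0.1", "::1"}


def docker_host_name(docker_host_env):
    """Return the host name/address a container would be reached at.

    An unset variable or a unix:// socket means the daemon is local, so the
    broker is reachable as localhost and no customization is needed.
    """
    if not docker_host_env or docker_host_env.startswith("unix://"):
        return "localhost"
    host = urlparse(docker_host_env).hostname
    if host is None:
        raise ValueError(f"cannot parse DOCKER_HOST: {docker_host_env!r}")
    return host


def certificate_names(docker_host_env):
    """Return (cn, san_entries) for the broker certificate.

    SAN entries use the OpenSSL 'DNS:' / 'IP:' prefixes. localhost is always
    present; a remote docker host is added as an IP literal or DNS name so
    that client hostname verification succeeds against that address.
    """
    host = docker_host_name(docker_host_env)
    sans = ["DNS:localhost", "IP:127.0.0.1"]
    if host in LOCAL_NAMES:
        return "localhost", sans
    try:
        ipaddress.ip_address(host)
        sans.append(f"IP:{host}")
    except ValueError:
        sans.append(f"DNS:{host}")
    return host, sans


def hostname_matches(connect_host, san_entries):
    """Mimic the TLS client's check: the address it dials must appear in
    the SAN list (IP literals match IP entries, names match DNS entries)."""
    try:
        ipaddress.ip_address(connect_host)
        return f"IP:{connect_host}" in san_entries
    except ValueError:
        return f"DNS:{connect_host.lower()}" in san_entries
```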

@JiriOndrusek JiriOndrusek force-pushed the kafka-fips-generator-plugin branch 2 times, most recently from 8a7ad46 to 7eebe04, May 15, 2024 11:27
@jamesnetherton (Contributor):

If possible, it might be a good idea to test that this works ok in the Quarkus Platform before we merge this work.

@JiriOndrusek (Contributor Author):

If possible, it might be a good idea to test that this works ok in the Quarkus Platform before we merge this work.

I suppose that running platform with CQ locally should be enough, right?

@JiriOndrusek (Contributor Author) commented May 15, 2024:

I also noticed that I have to do a small fix in the TestCertificateGenerationExtension, because the docker customization is not necessary for each certificate generation task (so I plan to add a parameter to the TestContainers annotation, so I would test docker only in the necessary cases).

@jamesnetherton (Contributor):

I suppose that running platform with CQ locally should be enough, right?

Yeah, you can just tweak the CQ version in the platform to 3.11.0-SNAPSHOT, build the project and run a few of the CQ tests.

@JiriOndrusek (Contributor Author):

I suppose that running platform with CQ locally should be enough, right?

Yeah, you can just tweak the CQ version in the platform to 3.11.0-SNAPSHOT, build the project and run a few of the CQ tests.

I built quarkus-platform with CQ 3.11.0-SNAPSHOT and successfully ran all 4 kafka test modules.

@jamesnetherton (Contributor) left a review comment:

I'm ok with merging this and using it as a base to build on & improve to use the cert generator in other places in the project.

@JiriOndrusek (Contributor Author):

@jamesnetherton The support module was renamed to camel-quarkus-integration-tests-support-certificate-generator

@jamesnetherton jamesnetherton merged commit 1de918f into apache:main May 22, 2024
23 of 24 checks passed
Successfully merging this pull request may close these issues.

Kafka tests fails in FIPS environment