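/**
 * Compares two Secrets with certificates and checks whether any value for a key which exists in both Secrets
 * changed. This method is used to evaluate whether rolling update of existing brokers is needed when secrets with
 * certificates change. It separates changes for existing certificates with other changes to the secret such as
 * added or removed certificates (scale-up or scale-down).
 * <p>
 * A {@code null} Secret or a {@code null} {@code data} section is treated as empty: no key can then exist on both
 * sides, so the result is {@code false} instead of a {@link NullPointerException}.
 *
 * @param current Existing secret; may be null
 * @param desired Desired secret; may be null
 *
 * @return True if there is a key which exists in the data sections of both secrets and which changed.
 */
public static boolean doExistingCertificatesDiffer(Secret current, Secret desired) {
    Map<String, String> currentData = current == null ? null : current.getData();
    Map<String, String> desiredData = desired == null ? null : desired.getData();
    if (currentData == null || desiredData == null) {
        // Nothing can be present in both data sections, so nothing can have changed
        return false;
    }
    for (Map.Entry<String, String> entry : currentData.entrySet()) {
        String currentValue = entry.getValue();
        String desiredValue = desiredData.get(entry.getKey());
        // Keys present on only one side (added or removed certificates) are deliberately ignored
        if (currentValue != null && desiredValue != null && !currentValue.equals(desiredValue)) {
            return true;
        }
    }
    return false;
}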
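/**
 * Returns the given {@code cert} and {@code key} values from the given {@code Secret} as a {@code CertAndKey},
 * or null if the given {@code secret} is null or has no {@code data} section.
 * An exception is thrown if the given {@code secret} is non-null, but does not contain the given
 * entries in its {@code data}. All four entries ({@code key}, {@code cert}, {@code keyStore} and
 * {@code keyStorePassword}) are required; a missing entry is reported by name rather than failing inside the
 * Base64 decoder.
 * @param secret The secret.
 * @param key The key.
 * @param cert The cert.
 * @param keyStore The keyStore.
 * @param keyStorePassword The store password.
 * @return The CertAndKey.
 * @throws RuntimeException if any of the four entries is absent; the message names the Secret and the missing
 *         key only, never a value.
 */
public static CertAndKey asCertAndKey(Secret secret, String key, String cert, String keyStore, String keyStorePassword) {
    if (secret == null || secret.getData() == null) {
        return null;
    }
    Base64.Decoder decoder = Base64.getDecoder();
    byte[] keyBytes = decoder.decode(requiredSecretEntry(secret, key));
    byte[] certBytes = decoder.decode(requiredSecretEntry(secret, cert));
    byte[] keyStoreBytes = decoder.decode(requiredSecretEntry(secret, keyStore));
    // The store password entry is decoded as US-ASCII text, as before
    String storePassword = new String(decoder.decode(requiredSecretEntry(secret, keyStorePassword)), StandardCharsets.US_ASCII);
    return new CertAndKey(keyBytes, certBytes, null, keyStoreBytes, storePassword);
}

/**
 * Returns the (still Base64-encoded) value stored under {@code entryKey} in the Secret's data section.
 * @param secret A non-null Secret with a non-null data section.
 * @param entryKey The data key to look up.
 * @return The encoded value.
 * @throws RuntimeException if the entry is absent.
 */
private static String requiredSecretEntry(Secret secret, String entryKey) {
    String value = secret.getData().get(entryKey);
    if (value == null) {
        throw new RuntimeException("The Secret " + secret.getMetadata().getNamespace() + "/" + secret.getMetadata().getName() + " is missing the key " + entryKey);
    }
    return value;
}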
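/**
 * Decodes every Base64 entry of the given Secret's data section and stores the trimmed plaintext under the
 * same key in {@code result}. A null Secret or a null data section contributes nothing.
 *
 * @param secret Secret whose data is decoded; may be null
 * @param result Map receiving the decoded values; existing keys are overwritten
 */
private static void putAll(Secret secret, Map<String, Object> result) {
    if (secret == null || secret.getData() == null) {
        return;
    }
    Base64.Decoder decoder = Base64.getDecoder();
    for (Map.Entry<String, String> entry : secret.getData().entrySet()) {
        // Decode with an explicit charset: the no-arg String constructor uses the platform default,
        // which silently corrupts non-ASCII values on hosts whose default is not UTF-8
        String decoded = new String(decoder.decode(entry.getValue()), java.nio.charset.StandardCharsets.UTF_8);
        result.put(entry.getKey(), decoded.trim());
    }
}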
/**
 * In Strimzi 0.6.0 the Secrets and keys used a different convention.
 * Here we adapt the keys in the {@code *-cluster-ca} Secret to match what
 * 0.7.0 expects: the value stored under {@code cluster-ca.key} is copied to {@code ca.key}.
 * The Secret's data map is modified in place and the 0.6.0 entry is left as it is.
 * @param clusterCaKey The cluster CA key Secret; may be null
 * @return The same Secret instance, or null if null was given.
 */
public static Secret adapt060ClusterCaSecret(Secret clusterCaKey) {
    if (clusterCaKey == null || clusterCaKey.getData() == null) {
        return clusterCaKey;
    }
    String legacyKey = clusterCaKey.getData().get("cluster-ca.key");
    if (legacyKey == null) {
        return clusterCaKey;
    }
    clusterCaKey.getData().put("ca.key", legacyKey);
    return clusterCaKey;
}
/**
 * Set the {@code strimzi.io/force-renew} annotation on the given {@code caCert} if the given {@code caKey} has
 * the given {@code key}.
 *
 * This is used to force certificate renewal when upgrading from a Strimzi 0.6.0 Secret.
 *
 * @param caCert The CA certificate Secret to annotate; may be null
 * @param caKey The CA key Secret whose data section is inspected; may be null
 * @param key The data key whose presence in {@code caKey} triggers the annotation
 * @return A rebuilt copy of {@code caCert} carrying the annotation when the key is present,
 *         otherwise {@code caCert} unchanged
 */
protected static Secret forceRenewal(Secret caCert, Secret caKey, String key) {
    boolean legacyKeyPresent = caKey != null && caKey.getData() != null && caKey.getData().containsKey(key);
    if (caCert == null || !legacyKeyPresent) {
        return caCert;
    }
    // The annotation is added to a rebuilt copy rather than to the caCert instance itself
    return new SecretBuilder(caCert)
            .editMetadata()
                .addToAnnotations(ANNO_STRIMZI_IO_FORCE_RENEW, "true")
            .endMetadata()
            .build();
}
/**
 * Decodes the X.509 certificate stored Base64-encoded under {@code key} in the Secret's data section.
 *
 * @param secret The Secret holding the certificate; may be null
 * @param key The data key under which the certificate is stored
 * @return The parsed certificate, or null when the Secret, its data section or the entry is absent
 * @throws RuntimeException when the entry cannot be parsed as a certificate; the underlying
 *         {@link CertificateException} is kept as the cause
 */
public static X509Certificate cert(Secret secret, String key) {
    String encoded = (secret == null || secret.getData() == null) ? null : secret.getData().get(key);
    if (encoded == null) {
        return null;
    }
    byte[] der = Base64.getDecoder().decode(encoded);
    try {
        return x509Certificate(der);
    } catch (CertificateException e) {
        // Dots in the key are escaped in the message, e.g. "data.ca\.crt" (constructed example)
        String escapedKey = key.replace(".", "\\.");
        throw new RuntimeException("Failed to decode certificate in data." + escapedKey + " of Secret " + secret.getMetadata().getName(), e);
    }
}
/**
 * In Strimzi 0.6.0 the Secrets and keys used a different convention.
 * Here we adapt the keys in the {@code *-clients-ca} Secret to match what
 * 0.7.0 expects: the value stored under {@code clients-ca.key} is copied to {@code ca.key}.
 * The Secret's data map is modified in place and the 0.6.0 entry is left as it is.
 * @param clientsCaKey The secret to adapt; may be null
 * @return The same Secret instance, or null if null was given.
 */
public static Secret adapt060ClientsCaSecret(Secret clientsCaKey) {
    if (clientsCaKey == null || clientsCaKey.getData() == null) {
        return clientsCaKey;
    }
    String legacyKey = clientsCaKey.getData().get("clients-ca.key");
    if (legacyKey == null) {
        return clientsCaKey;
    }
    clientsCaKey.getData().put("ca.key", legacyKey);
    return clientsCaKey;
}
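/**
 * Reads the certificate stored as {@code tls.crt} in the named Secret of this instance's namespace and returns
 * it decoded as UTF-8 text.
 *
 * @param secretName Name of the Secret holding the certificate
 * @return The decoded certificate text
 * @throws InternalServerErrorException if the Secret does not exist or has no {@code tls.crt} entry
 */
@Override
public String getCert(String secretName) {
    Secret secret = client.secrets().inNamespace(namespace).withName(secretName).get();
    if (secret == null) {
        throw new InternalServerErrorException("Cannot get secret " + secretName);
    }
    Map<String, String> caData = secret.getData();
    String encoded = caData == null ? null : caData.get("tls.crt");
    if (encoded == null) {
        // Report the missing entry by name instead of failing with an NPE inside the decoder;
        // the message never includes Secret values
        throw new InternalServerErrorException("Secret " + secretName + " has no tls.crt entry");
    }
    return new String(Base64.getDecoder().decode(encoded), StandardCharsets.UTF_8);
}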
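/**
 * Looks up the support-credentials Secret of the given address space (selected by its infra UUID and role
 * labels) and decodes its {@code username} and {@code password} entries.
 *
 * @param addressSpace Address space whose infra UUID labels the Secret
 * @return The decoded credentials
 * @throws IllegalStateException if no matching Secret exists or it lacks one of the two entries
 */
public static UserCredentials getSupportCredentials(AddressSpace addressSpace) {
    Map<String, String> secretLabels = new HashMap<>();
    secretLabels.put(LabelKeys.INFRA_UUID, AddressSpaceUtils.getAddressSpaceInfraUuid(addressSpace));
    secretLabels.put(LabelKeys.ROLE, "support-credentials");
    // The first match is used, as before; an empty result is reported explicitly instead of as an index error
    Secret supportSecret = Kubernetes.getInstance().listSecrets(secretLabels).stream()
            .findFirst()
            .orElseThrow(() -> new IllegalStateException("No support-credentials Secret found for labels " + secretLabels));
    Map<String, String> data = supportSecret.getData();
    String supportUser = decodeSupportEntry(data, "username");
    String supportPassword = decodeSupportEntry(data, "password");
    return new UserCredentials(supportUser, supportPassword);
}

/**
 * Decodes one Base64 entry of the support-credentials Secret as UTF-8 text.
 *
 * @param data The Secret's data section; may be null
 * @param entryKey The entry to decode
 * @return The decoded value
 * @throws IllegalStateException if the data section or the entry is absent; the message names the key only
 */
private static String decodeSupportEntry(Map<String, String> data, String entryKey) {
    String encoded = data == null ? null : data.get(entryKey);
    if (encoded == null) {
        throw new IllegalStateException("support-credentials Secret has no " + entryKey + " entry");
    }
    return new String(Base64.getDecoder().decode(encoded), StandardCharsets.UTF_8);
}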
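/**
 * Decodes every Base64 entry of the given Secret's data section and stores the trimmed plaintext under the
 * same key in {@code result}. A null Secret or a null data section contributes nothing.
 *
 * @param secret Secret whose data is decoded; may be null
 * @param result Map receiving the decoded values; existing keys are overwritten
 */
private static void putAll(Secret secret, Map<String, Object> result) {
    if (secret == null || secret.getData() == null) {
        return;
    }
    Base64.Decoder decoder = Base64.getDecoder();
    for (Map.Entry<String, String> entry : secret.getData().entrySet()) {
        // Decode with an explicit charset: the no-arg String constructor uses the platform default,
        // which silently corrupts non-ASCII values on hosts whose default is not UTF-8
        String decoded = new String(decoder.decode(entry.getValue()), java.nio.charset.StandardCharsets.UTF_8);
        result.put(entry.getKey(), decoded.trim());
    }
}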
/**
 * Checks that reconciling a CA whose configuration (100 days validity, 10 days renewal window) does not put the
 * existing certificates into their renewal period leaves all four CA Secrets as they were: the reconciled
 * cluster and clients CA cert/key Secrets must carry exactly the same keys and the same CA_CRT / CA_KEY values
 * as the initial Secrets, and the trust store must still hold the initial certificate.
 *
 * @param context Vert.x test context used for the asynchronous assertions and the completion checkpoint
 * @param generateCertificateAuthority Whether the CA under test is operator-generated; forwarded to the CA config
 * @throws IOException, CertificateException, KeyStoreException, NoSuchAlgorithmException propagated from the
 *         Secret/trust-store helpers
 */
private void assertNoCertsGetGeneratedOutsideRenewalPeriod(VertxTestContext context, boolean generateCertificateAuthority)
throws IOException, CertificateException, KeyStoreException, NoSuchAlgorithmException {
CertificateAuthority certificateAuthority = new CertificateAuthorityBuilder()
.withValidityDays(100)
.withRenewalDays(10)
.withGenerateCertificateAuthority(generateCertificateAuthority)
.build();
// Initial cluster CA: index 0 is the key Secret, index 1 the cert Secret
List<Secret> clusterCaSecrets = initialClusterCaSecrets(certificateAuthority);
Secret initialClusterCaKeySecret = clusterCaSecrets.get(0);
Secret initialClusterCaCertSecret = clusterCaSecrets.get(1);
// Sanity-check the fixture: the cert Secret holds exactly the cert, the trust store and its password
Map<String, String> clusterCaCertData = initialClusterCaCertSecret.getData();
assertThat(clusterCaCertData.keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
assertThat(clusterCaCertData.get(CA_CRT), is(notNullValue()));
assertThat(clusterCaCertData.get(CA_STORE), is(notNullValue()));
assertThat(clusterCaCertData.get(CA_STORE_PASSWORD), is(notNullValue()));
assertThat(isCertInTrustStore(CA_CRT, initialClusterCaCertSecret.getData()), is(true));
// ... and the key Secret holds only the private key
Map<String, String> clusterCaKeyData = initialClusterCaKeySecret.getData();
assertThat(clusterCaKeyData.keySet(), is(singleton(CA_KEY)));
assertThat(clusterCaKeyData.get(CA_KEY), is(notNullValue()));
// Same fixture checks for the clients CA
List<Secret> clientsCaSecrets = initialClientsCaSecrets(certificateAuthority);
Secret initialClientsCaKeySecret = clientsCaSecrets.get(0);
Secret initialClientsCaCertSecret = clientsCaSecrets.get(1);
Map<String, String> clientsCaCertData = initialClientsCaCertSecret.getData();
assertThat(clientsCaCertData.keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
assertThat(clientsCaCertData.get(CA_CRT), is(notNullValue()));
assertThat(clientsCaCertData.get(CA_STORE), is(notNullValue()));
assertThat(clientsCaCertData.get(CA_STORE_PASSWORD), is(notNullValue()));
assertThat(isCertInTrustStore(CA_CRT, initialClientsCaCertSecret.getData()), is(true));
Map<String, String> clientsCaKeyData = initialClientsCaKeySecret.getData();
assertThat(clientsCaKeyData.keySet(), is(singleton(CA_KEY)));
assertThat(clientsCaKeyData.get(CA_KEY), is(notNullValue()));
// NOTE(review): `secrets` appears to be the store the mocked client serves during reconciliation — confirm
secrets.add(initialClusterCaCertSecret);
secrets.add(initialClusterCaKeySecret);
secrets.add(initialClientsCaCertSecret);
secrets.add(initialClientsCaKeySecret);
Checkpoint async = context.checkpoint();
// Current and desired CA configuration are identical, so nothing should trigger a renewal
reconcileCa(context, certificateAuthority, certificateAuthority)
.onComplete(context.succeeding(c -> context.verify(() -> {
// `c` is presumably a captor of the Secrets written back; the expected order is cluster cert, cluster key,
// clients cert, clients key (indices 0-3) — verify against reconcileCa
assertThat(c.getAllValues().get(0).getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
// The core assertion: the written cluster CA cert is byte-for-byte the initial one
assertThat(c.getAllValues().get(0).getData().get(CA_CRT), is(initialClusterCaCertSecret.getData().get(CA_CRT)));
assertDoesNotThrow(() -> {
assertThat(x509Certificate(initialClusterCaCertSecret.getData().get(CA_CRT)),
is(getCertificateFromTrustStore(CA_CRT, c.getAllValues().get(0).getData())));
});
assertThat(c.getAllValues().get(1).getData().keySet(), is(set(CA_KEY)));
assertThat(c.getAllValues().get(1).getData().get(CA_KEY), is(initialClusterCaKeySecret.getData().get(CA_KEY)));
assertThat(c.getAllValues().get(2).getData().keySet(), is(set(CA_CRT, CA_STORE, CA_STORE_PASSWORD)));
// Same for the clients CA cert
assertThat(c.getAllValues().get(2).getData().get(CA_CRT), is(initialClientsCaCertSecret.getData().get(CA_CRT)));
assertDoesNotThrow(() -> {
assertThat(x509Certificate(initialClientsCaCertSecret.getData().get(CA_CRT)),
is(getCertificateFromTrustStore(CA_CRT, c.getAllValues().get(2).getData())));
});
assertThat(c.getAllValues().get(3).getData().keySet(), is(set(CA_KEY)));
assertThat(c.getAllValues().get(3).getData().get(CA_KEY), is(initialClientsCaKeySecret.getData().get(CA_KEY)));
// Marks the checkpoint so the test context can complete
async.flag();
})));
}
/**
 * Set the {@code ANNO_STRIMZI_IO_FORCE_REPLACE} annotation on the given {@code caKey} if its data section
 * contains the given {@code key}. Note that {@code caCert} only takes part in the null guard: a null
 * {@code caCert} disables the annotation even when the key is present, but {@code caCert} is never annotated.
 *
 * @param caCert The CA certificate Secret; only checked for null
 * @param caKey The CA key Secret to annotate; may be null
 * @param key The data key whose presence in {@code caKey} triggers the annotation
 * @return A rebuilt copy of {@code caKey} carrying the annotation when the key is present,
 *         otherwise {@code caKey} unchanged
 */
protected static Secret forceReplacement(Secret caCert, Secret caKey, String key) {
    boolean legacyKeyPresent = caKey != null && caKey.getData() != null && caKey.getData().containsKey(key);
    if (caCert == null || !legacyKeyPresent) {
        return caKey;
    }
    // The annotation is added to a rebuilt copy rather than to the caKey instance itself
    return new SecretBuilder(caKey)
            .editMetadata()
                .addToAnnotations(ANNO_STRIMZI_IO_FORCE_REPLACE, "true")
            .endMetadata()
            .build();
}