From fc20eb79c80edbca380556a99be8c718ec7afca3 Mon Sep 17 00:00:00 2001
From: see-quick
Date: Wed, 26 Oct 2022 14:25:31 +0200
Subject: [PATCH 1/5] [system test] -> internal Kafka clients should do TLS hostname verification except Nodeports
Signed-off-by: see-quick
---
 .../kafkaclients/internalClients/KafkaClients.java | 2 --
 .../bridge/HttpBridgeKafkaExternalListenersST.java | 6 ++++++
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/systemtest/src/main/java/io/strimzi/systemtest/kafkaclients/internalClients/KafkaClients.java b/systemtest/src/main/java/io/strimzi/systemtest/kafkaclients/internalClients/KafkaClients.java
index 8c8a453b430..177efef2d12 100644
--- a/systemtest/src/main/java/io/strimzi/systemtest/kafkaclients/internalClients/KafkaClients.java
+++ b/systemtest/src/main/java/io/strimzi/systemtest/kafkaclients/internalClients/KafkaClients.java
@@ -419,7 +419,6 @@ final protected void configureScramSha(SecurityProtocol securityProtocol) {
 this.setAdditionalConfig(this.getAdditionalConfig() +
 // scram-sha
- "ssl.endpoint.identification.algorithm=\n" +
 "sasl.mechanism=SCRAM-SHA-512\n" +
 "security.protocol=" + securityProtocol + "\n" +
 "sasl.jaas.config=" + saslJaasConfigDecrypted);
@@ -427,7 +426,6 @@ final protected void configureScramSha(SecurityProtocol securityProtocol) {
 final protected void configureTls() {
 this.setAdditionalConfig(this.getAdditionalConfig() +
- "ssl.endpoint.identification.algorithm=\n" +
 "sasl.mechanism=GSSAPI\n" +
 "security.protocol=" + SecurityProtocol.SSL + "\n");
 }
diff --git a/systemtest/src/test/java/io/strimzi/systemtest/bridge/HttpBridgeKafkaExternalListenersST.java b/systemtest/src/test/java/io/strimzi/systemtest/bridge/HttpBridgeKafkaExternalListenersST.java
index f9a7e03b187..d2b9e312c8d 100644
--- a/systemtest/src/test/java/io/strimzi/systemtest/bridge/HttpBridgeKafkaExternalListenersST.java
+++ b/systemtest/src/test/java/io/strimzi/systemtest/bridge/HttpBridgeKafkaExternalListenersST.java
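Review bot: Dropping the `ssl.endpoint.identification.algorithm=` line from configureScramSha() and configureTls() re-enables hostname verification (the Kafka client default for that key is `https`), but neither method records that this is now deliberate, and the surviving `// scram-sha` comment reads as if the removed line were still there. I would replace that comment with `// hostname verification is left at the Kafka client default; NodePort-facing callers opt out via withAdditionalConfig(...)` and add the same one-liner at the top of configureTls(). Because the key is no longer set in these defaults, whatever the caller passes through withAdditionalConfig() is the only setting that reaches the client, which is worth a sentence in the method Javadoc so test authors know where to put the override. Both method bodies continue outside the hunks.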
@@ -155,6 +155,9 @@ private void testWeirdUsername(ExtensionContext extensionContext, String weirdUs
 .withMessageCount(MESSAGE_COUNT)
 .withPort(Constants.HTTP_BRIDGE_DEFAULT_PORT)
 .withNamespaceName(namespace)
+ // we disable ssl.endpoint.identification.algorithm for external listener (i.e., Nodeport),
+ // because TLS hostname verification is not supported on such listener type.
+ .withAdditionalConfig("ssl.endpoint.identification.algorithm=\n")
 .build();
 // Create topic
@@ -213,6 +216,9 @@ private void testWeirdUsername(ExtensionContext extensionContext, String weirdUs
 .withTopicName(topicName)
 .withMessageCount(MESSAGE_COUNT)
 .withUserName(weirdUserName)
+ // we disable ssl.endpoint.identification.algorithm for external listener (i.e., Nodeport),
+ // because TLS hostname verification is not supported on such listener type.
+ .withAdditionalConfig("ssl.endpoint.identification.algorithm=\n")
 .build();
 if (auth.getType().equals(Constants.TLS_LISTENER_DEFAULT_NAME)) {
From 6a0ee254b60c9c014cb545d3a45b674cd88c180b Mon Sep 17 00:00:00 2001
From: see-quick
Date: Thu, 27 Oct 2022 14:32:50 +0200
Subject: [PATCH 2/5] add SANs Kafka brokers in ListenersST test suite to fix problem
Signed-off-by: see-quick
---
 .../security/SystemTestCertManager.java | 17 +++++++
 .../HttpBridgeKafkaExternalListenersST.java | 5 +-
 .../kafka/listeners/ListenersST.java | 47 +++++++++++++++++--
 3 files changed, 60 insertions(+), 9 deletions(-)
diff --git a/systemtest/src/main/java/io/strimzi/systemtest/security/SystemTestCertManager.java b/systemtest/src/main/java/io/strimzi/systemtest/security/SystemTestCertManager.java
index a0511d01c33..2fcf3937d15 100644
--- a/systemtest/src/main/java/io/strimzi/systemtest/security/SystemTestCertManager.java
+++ b/systemtest/src/main/java/io/strimzi/systemtest/security/SystemTestCertManager.java
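Review bot: The added comment on the second builder (the one kept by PATCH 2/5) says hostname verification "is not supported" on a NodePort listener, which misstates what the line does: an empty `ssl.endpoint.identification.algorithm=` turns off the client-side name check, so this client then accepts any certificate that chains to its trusted CA regardless of the host it dialled. I would reword it to say exactly that and why it is tolerable here, e.g. `// NodePort is reached through a node address that is presumably absent from the broker certificate's SANs, so the client-side hostname check is switched off for this test client only`. Stating the trade-off makes it obvious that the override is test-scoped rather than a property of the listener type. The enclosing testWeirdUsername() method continues outside both hunks.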
@@ -100,12 +100,29 @@ public static SystemTestCertAndKey generateIntermediateCaCertAndKey(SystemTestCe
 .withSubjectDn(STRIMZI_INTERMEDIATE_CA)
 .build();
 }
+
+ public static SystemTestCertAndKey generateIntermediateCaCertAndKey(final SystemTestCertAndKey rootCert, final ASN1Encodable[] sanDnsNames) {
+ return intermediateCaCertBuilder(rootCert)
+ .withSubjectDn(STRIMZI_INTERMEDIATE_CA)
+ .withSanDnsNames(sanDnsNames)
+ .build();
+ }
+
 public static SystemTestCertAndKey generateStrimziCaCertAndKey(SystemTestCertAndKey rootCert, String subjectDn) {
 return strimziCaCertBuilder(rootCert)
 .withSubjectDn(subjectDn)
 .build();
 }
+ public static SystemTestCertAndKey generateEndEntityCertAndKey(final SystemTestCertAndKey intermediateCert, final ASN1Encodable[] sansNames) {
+ return endEntityCertBuilder(intermediateCert)
+ .withSubjectDn(STRIMZI_END_SUBJECT)
+ .withSanDnsNames(sansNames)
+ .build();
+ }
+
 public static SystemTestCertAndKey generateEndEntityCertAndKey(SystemTestCertAndKey intermediateCert) {
 return endEntityCertBuilder(intermediateCert)
 .withSubjectDn(STRIMZI_END_SUBJECT)
diff --git a/systemtest/src/test/java/io/strimzi/systemtest/bridge/HttpBridgeKafkaExternalListenersST.java b/systemtest/src/test/java/io/strimzi/systemtest/bridge/HttpBridgeKafkaExternalListenersST.java
index d2b9e312c8d..9d8a9d95799 100644
--- a/systemtest/src/test/java/io/strimzi/systemtest/bridge/HttpBridgeKafkaExternalListenersST.java
+++ b/systemtest/src/test/java/io/strimzi/systemtest/bridge/HttpBridgeKafkaExternalListenersST.java
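Review bot: The new SAN-taking overloads name the same parameter differently (`sanDnsNames` in generateIntermediateCaCertAndKey, `sansNames` in generateEndEntityCertAndKey) and neither validates it, so a null array only fails somewhere inside `withSanDnsNames`; I would use `sanDnsNames` in both and open each with `Objects.requireNonNull(sanDnsNames, "sanDnsNames");` (adding `java.util.Objects` if the file does not already import it). The intermediate overload is removed again in PATCH 5/5, which leaves only the end-entity one to tidy up. That one also needs a Javadoc saying that the names become dNSName SANs on the leaf certificate and that every name a client will connect to must be listed, since that is the set hostname verification is checked against. The class continues past both ends of the hunk.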
@@ -155,9 +155,6 @@ private void testWeirdUsername(ExtensionContext extensionContext, String weirdUs
 .withMessageCount(MESSAGE_COUNT)
 .withPort(Constants.HTTP_BRIDGE_DEFAULT_PORT)
 .withNamespaceName(namespace)
- // we disable ssl.endpoint.identification.algorithm for external listener (i.e., Nodeport),
- // because TLS hostname verification is not supported on such listener type.
- .withAdditionalConfig("ssl.endpoint.identification.algorithm=\n")
 .build();
 // Create topic
@@ -216,7 +213,7 @@ private void testWeirdUsername(ExtensionContext extensionContext, String weirdUs
 .withTopicName(topicName)
 .withMessageCount(MESSAGE_COUNT)
 .withUserName(weirdUserName)
- // we disable ssl.endpoint.identification.algorithm for external listener (i.e., Nodeport),
+ // we disable ssl.endpoint.identification.algorithm for external listener (i.e., NodePort),
 // because TLS hostname verification is not supported on such listener type.
 .withAdditionalConfig("ssl.endpoint.identification.algorithm=\n")
 .build();
diff --git a/systemtest/src/test/java/io/strimzi/systemtest/kafka/listeners/ListenersST.java b/systemtest/src/test/java/io/strimzi/systemtest/kafka/listeners/ListenersST.java
index 531807e9ec4..8a818737212 100644
--- a/systemtest/src/test/java/io/strimzi/systemtest/kafka/listeners/ListenersST.java
+++ b/systemtest/src/test/java/io/strimzi/systemtest/kafka/listeners/ListenersST.java
@@ -48,6 +48,8 @@
 import org.apache.kafka.common.security.auth.SecurityProtocol;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.bouncycastle.asn1.ASN1Encodable;
+import org.bouncycastle.asn1.x509.GeneralName;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.Tag;
 import org.junit.jupiter.api.extension.ExtensionContext;
@@ -680,7 +682,13 @@ void testCustomSoloCertificatesForNodePort(ExtensionContext extensionContext) {
 final TestStorage testStorage = new TestStorage(extensionContext);
 final String clusterCustomCertServer1 = testStorage.getClusterName() + "-" + customCertServer1;
- SecretUtils.createCustomSecret(clusterCustomCertServer1, testStorage.getClusterName(), testStorage.getNamespaceName(), STRIMZI_CERT_AND_KEY_1);
+ final SystemTestCertAndKey root1 = generateRootCaCertAndKey();
+ final SystemTestCertAndKey intermediate1 = generateIntermediateCaCertAndKey(root1);
+ final SystemTestCertAndKey strimzi1 = generateEndEntityCertAndKey(intermediate1, this.retrieveKafkaBrokerSANs(testStorage));
+
+ final CertAndKeyFiles strimziCertAndKey1 = exportToPemFiles(strimzi1);
+
+ SecretUtils.createCustomSecret(clusterCustomCertServer1, testStorage.getClusterName(), testStorage.getNamespaceName(), strimziCertAndKey1);
 resourceManager.createResource(extensionContext, KafkaTemplates.kafkaEphemeral(testStorage.getClusterName(), 3, 3)
 .editSpec()
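Review bot: The root → intermediate → end-entity sequence with `this.retrieveKafkaBrokerSANs(testStorage)` followed by `exportToPemFiles` is written out here and repeated in testCustomChainCertificatesForNodePort and twice in testCustomCertNodePortAndTlsRollingUpdate; a private helper (one method returning a small three-field holder, or one returning the leaf and one the chain) would keep the four copies in step, which matters because every copy must carry the same SAN list or the hostname check re-enabled by PATCH 1/5 fails in only some tests. In this hunk only the leaf is exported (`exportToPemFiles(strimzi1)`), so the secret carries no intermediate; whether the external client's truststore is built from the leaf or from `root1` is decided outside the hunk and deserves a one-line comment at the `exportToPemFiles` call. The enclosing test methods continue past each of these hunks.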
@@ -765,8 +773,15 @@ void testCustomChainCertificatesForNodePort(ExtensionContext extensionContext) {
 final String clusterCustomCertChain1 = testStorage.getClusterName() + "-" + customCertChain1;
 final String clusterCustomRootCA1 = testStorage.getClusterName() + "-" + customRootCA1;
- SecretUtils.createCustomSecret(clusterCustomCertChain1, testStorage.getClusterName(), testStorage.getNamespaceName(), CHAIN_CERT_AND_KEY_1);
- SecretUtils.createCustomSecret(clusterCustomRootCA1, testStorage.getClusterName(), testStorage.getNamespaceName(), ROOT_CA_CERT_AND_KEY_1);
+ final SystemTestCertAndKey root1 = generateRootCaCertAndKey();
+ final SystemTestCertAndKey intermediate1 = generateIntermediateCaCertAndKey(root1);
+ final SystemTestCertAndKey strimzi1 = generateEndEntityCertAndKey(intermediate1, this.retrieveKafkaBrokerSANs(testStorage));
+
+ final CertAndKeyFiles rootCertAndKey1 = exportToPemFiles(root1);
+ final CertAndKeyFiles chainCertAndKey1 = exportToPemFiles(strimzi1, intermediate1, root1);
+
+ SecretUtils.createCustomSecret(clusterCustomCertChain1, testStorage.getClusterName(), testStorage.getNamespaceName(), chainCertAndKey1);
+ SecretUtils.createCustomSecret(clusterCustomRootCA1, testStorage.getClusterName(), testStorage.getNamespaceName(), rootCertAndKey1);
 resourceManager.createResource(extensionContext, KafkaTemplates.kafkaEphemeral(testStorage.getClusterName(), 1, 1)
 .editSpec()
@@ -1451,8 +1466,20 @@ void testCustomCertNodePortAndTlsRollingUpdate(ExtensionContext extensionContext
 final String clusterCustomCertServer1 = testStorage.getClusterName() + "-" + customCertServer1;
 final String clusterCustomCertServer2 = testStorage.getClusterName() + "-" + customCertServer2;
- SecretUtils.createCustomSecret(clusterCustomCertServer1, testStorage.getClusterName(), testStorage.getNamespaceName(), STRIMZI_CERT_AND_KEY_1);
- SecretUtils.createCustomSecret(clusterCustomCertServer2, testStorage.getClusterName(), testStorage.getNamespaceName(), STRIMZI_CERT_AND_KEY_2);
+ final SystemTestCertAndKey root1 = generateRootCaCertAndKey();
+ final SystemTestCertAndKey intermediate1 = generateIntermediateCaCertAndKey(root1);
+ final SystemTestCertAndKey strimzi1 = generateEndEntityCertAndKey(intermediate1, this.retrieveKafkaBrokerSANs(testStorage));
+
+ final CertAndKeyFiles strimziCertAndKey1 = exportToPemFiles(strimzi1);
+
+ final SystemTestCertAndKey root2 = generateRootCaCertAndKey();
+ final SystemTestCertAndKey intermediate2 = generateIntermediateCaCertAndKey(root2);
+ final SystemTestCertAndKey strimzi2 = generateEndEntityCertAndKey(intermediate2, this.retrieveKafkaBrokerSANs(testStorage));
+
+ final CertAndKeyFiles strimziCertAndKey2 = exportToPemFiles(strimzi2);
+
+ SecretUtils.createCustomSecret(clusterCustomCertServer1, testStorage.getClusterName(), testStorage.getNamespaceName(), strimziCertAndKey1);
+ SecretUtils.createCustomSecret(clusterCustomCertServer2, testStorage.getClusterName(), testStorage.getNamespaceName(), strimziCertAndKey2);
 resourceManager.createResource(extensionContext, KafkaTemplates.kafkaPersistent(testStorage.getClusterName(), 3)
 .editSpec()
@@ -2242,4 +2269,14 @@ void afterEach(ExtensionContext extensionContext) {
 final String namespaceName = StUtils.getNamespaceBasedOnRbac(clusterOperator.getDeploymentNamespace(), extensionContext);
 kubeClient(namespaceName).getClient().persistentVolumeClaims().inNamespace(namespaceName).delete();
 }
+
+ private ASN1Encodable[] retrieveKafkaBrokerSANs(final TestStorage testStorage) {
+ return new ASN1Encodable[] {
+ new GeneralName(GeneralName.dNSName, "*.127.0.0.1.nip.io"),
+ new GeneralName(GeneralName.dNSName, "*." + testStorage.getClusterName() + "-kafka-brokers"),
+ new GeneralName(GeneralName.dNSName, "*." + testStorage.getClusterName() + "-kafka-brokers." + testStorage.getNamespaceName() + ".svc"),
+ new GeneralName(GeneralName.dNSName, testStorage.getClusterName() + "-kafka-bootstrap"),
+ new GeneralName(GeneralName.dNSName, testStorage.getClusterName() + "-kafka-bootstrap." + testStorage.getNamespaceName() + ".svc")
+ };
+ }
 }
From de80b471af9a6369b680447ea3d6e2acbe3e1269 Mon Sep 17 00:00:00 2001
From: see-quick
Date: Fri, 4 Nov 2022 12:38:55 +0100
Subject: [PATCH 3/5] fix testCustomCertNodePortAndTlsRollingUpdate test case
Signed-off-by: see-quick
---
 .../strimzi/systemtest/kafka/listeners/ListenersST.java | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/systemtest/src/test/java/io/strimzi/systemtest/kafka/listeners/ListenersST.java b/systemtest/src/test/java/io/strimzi/systemtest/kafka/listeners/ListenersST.java
index 8a818737212..a1244ef3c34 100644
--- a/systemtest/src/test/java/io/strimzi/systemtest/kafka/listeners/ListenersST.java
+++ b/systemtest/src/test/java/io/strimzi/systemtest/kafka/listeners/ListenersST.java
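Review bot: retrieveKafkaBrokerSANs hard-codes `"*.127.0.0.1.nip.io"`, which silently ties every NodePort test that calls it to a cluster whose node address is 127.0.0.1 and to the public nip.io wildcard DNS; on any other cluster the hostname check re-enabled by PATCH 1/5 fails with nothing in the code explaining why. I would lift the literal into a named constant with the comment `// NodePort is dialled through a nip.io name so the node IP is covered by a wildcard DNS SAN; assumes the node address is 127.0.0.1 (minikube-style)`, or derive the name from the node address the test actually connects to. The method also has no Javadoc; one sentence stating that it returns the dNSName SANs for the bootstrap and per-broker service names (short and `.svc`-qualified) plus the NodePort alias would save the next reader from reverse-engineering the five entries, and the repeated `-kafka-brokers`/`-kafka-bootstrap` suffixes would read better as constants than as inline concatenation.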
@@ -1587,7 +1587,7 @@ void testCustomCertNodePortAndTlsRollingUpdate(ExtensionContext extensionContext
 externalKafkaClient.receiveMessagesTls()
 );
- int expectedMessageCountForNewGroup = testStorage.getMessageCount() * 3;
+ int expectedMessageCountForNewGroup = testStorage.getMessageCount();
 KafkaClients kafkaClients = new KafkaClientsBuilder()
 .withNamespaceName(testStorage.getNamespaceName())
@@ -1611,10 +1611,10 @@ void testCustomCertNodePortAndTlsRollingUpdate(ExtensionContext extensionContext
 .build();
 resourceManager.createResource(extensionContext, kafkaClients.consumerTlsStrimzi(testStorage.getClusterName()));
- ClientUtils.waitForClientSuccess(testStorage.getConsumerName(), testStorage.getNamespaceName(), testStorage.getMessageCount() * 3);
+ ClientUtils.waitForClientSuccess(testStorage.getConsumerName(), testStorage.getNamespaceName(), testStorage.getMessageCount());
- SecretUtils.createCustomSecret(clusterCustomCertServer1, testStorage.getClusterName(), testStorage.getNamespaceName(), STRIMZI_CERT_AND_KEY_2);
- SecretUtils.createCustomSecret(clusterCustomCertServer2, testStorage.getClusterName(), testStorage.getNamespaceName(), STRIMZI_CERT_AND_KEY_1);
+ SecretUtils.createCustomSecret(clusterCustomCertServer1, testStorage.getClusterName(), testStorage.getNamespaceName(), strimziCertAndKey2);
+ SecretUtils.createCustomSecret(clusterCustomCertServer2, testStorage.getClusterName(), testStorage.getNamespaceName(), strimziCertAndKey1);
 kafkaSnapshot = RollingUpdateUtils.waitTillComponentHasRolled(testStorage.getNamespaceName(), testStorage.getKafkaSelector(), 3, kafkaSnapshot);
From 08904ef33d64c8552cfbbcab0029c7d846e79967 Mon Sep 17 00:00:00 2001
From: see-quick
Date: Fri, 4 Nov 2022 12:40:19 +0100
Subject: [PATCH 4/5] let messages count
Signed-off-by: see-quick
---
 .../io/strimzi/systemtest/kafka/listeners/ListenersST.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/systemtest/src/test/java/io/strimzi/systemtest/kafka/listeners/ListenersST.java b/systemtest/src/test/java/io/strimzi/systemtest/kafka/listeners/ListenersST.java
index a1244ef3c34..81adb2aa1fb 100644
--- a/systemtest/src/test/java/io/strimzi/systemtest/kafka/listeners/ListenersST.java
+++ b/systemtest/src/test/java/io/strimzi/systemtest/kafka/listeners/ListenersST.java
@@ -1587,7 +1587,7 @@ void testCustomCertNodePortAndTlsRollingUpdate(ExtensionContext extensionContext
 externalKafkaClient.receiveMessagesTls()
 );
- int expectedMessageCountForNewGroup = testStorage.getMessageCount();
+ int expectedMessageCountForNewGroup = testStorage.getMessageCount() * 3;
 KafkaClients kafkaClients = new KafkaClientsBuilder()
 .withNamespaceName(testStorage.getNamespaceName())
@@ -1611,7 +1611,7 @@ void testCustomCertNodePortAndTlsRollingUpdate(ExtensionContext extensionContext
 .build();
 resourceManager.createResource(extensionContext, kafkaClients.consumerTlsStrimzi(testStorage.getClusterName()));
- ClientUtils.waitForClientSuccess(testStorage.getConsumerName(), testStorage.getNamespaceName(), testStorage.getMessageCount());
+ ClientUtils.waitForClientSuccess(testStorage.getConsumerName(), testStorage.getNamespaceName(), testStorage.getMessageCount() * 3);
 SecretUtils.createCustomSecret(clusterCustomCertServer1, testStorage.getClusterName(), testStorage.getNamespaceName(), strimziCertAndKey2);
 SecretUtils.createCustomSecret(clusterCustomCertServer2, testStorage.getClusterName(), testStorage.getNamespaceName(), strimziCertAndKey1);
From df449a8df0002f795bebcc992f8bb31b6d5ef015 Mon Sep 17 00:00:00 2001
From: see-quick
Date: Thu, 10 Nov 2022 10:43:11 +0100
Subject: [PATCH 5/5] remove sans from inter
Signed-off-by: see-quick
---
 .../systemtest/security/SystemTestCertManager.java | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/systemtest/src/main/java/io/strimzi/systemtest/security/SystemTestCertManager.java b/systemtest/src/main/java/io/strimzi/systemtest/security/SystemTestCertManager.java
index 2fcf3937d15..b51c779b376 100644
--- a/systemtest/src/main/java/io/strimzi/systemtest/security/SystemTestCertManager.java
+++ b/systemtest/src/main/java/io/strimzi/systemtest/security/SystemTestCertManager.java
@@ -101,14 +101,6 @@ public static SystemTestCertAndKey generateIntermediateCaCertAndKey(SystemTestCe
 .build();
 }
- public static SystemTestCertAndKey generateIntermediateCaCertAndKey(final SystemTestCertAndKey rootCert,
- final ASN1Encodable[] sanDnsNames) {
- return intermediateCaCertBuilder(rootCert)
- .withSubjectDn(STRIMZI_INTERMEDIATE_CA)
- .withSanDnsNames(sanDnsNames)
- .build();
- }
-
 public static SystemTestCertAndKey generateStrimziCaCertAndKey(SystemTestCertAndKey rootCert, String subjectDn) {
 return strimziCaCertBuilder(rootCert)
 .withSubjectDn(subjectDn)