update API docs and add ST for this change

im-konge · im-konge · commit 16e3c12fb1f4 · 2026-04-21T13:09:15.000+02:00
Signed-off-by: Lukas Kral &lt;lukywill16@gmail.com&gt;
diff --git a/api/src/main/java/io/strimzi/api/kafka/model/user/KafkaUserTlsClientAuthentication.java b/api/src/main/java/io/strimzi/api/kafka/model/user/KafkaUserTlsClientAuthentication.java
@@ -42,7 +42,9 @@ public String getType() {
     })
     @Description(
         "Number of days for which the user certificate should be valid. " +
-            "If not configured, default User Operator value is used."
+        "If not configured, default User Operator value is used. " +
+        "If new validity policy would make the current certificate expired or current certificate's validity period would exceed new policy, " +
+        "the certificate is immediately renewed, without waiting for maintenance window. "
     )
     @JsonInclude(value = JsonInclude.Include.NON_NULL)
     public Integer getValidityDays() {
@@ -61,7 +63,7 @@ public void setValidityDays(Integer validityDays) {
     })
     @Description(
         "Configures how many days before the certificate expiration should be the user certificate renewed. " +
-            "If not configured, default User Operator value is used."
+        "If not configured, default User Operator value is used."
     )
     @JsonInclude(value = JsonInclude.Include.NON_NULL)
     public Integer getRenewalDays() {
diff --git a/api/src/test/resources/crds/v1/044-Crd-kafkauser.yaml b/api/src/test/resources/crds/v1/044-Crd-kafkauser.yaml
@@ -95,7 +95,7 @@ spec:
                     description: Authentication type.
                   validityDays:
                     type: integer
-                    description: "Number of days for which the user certificate should be valid. If not configured, default User Operator value is used."
+                    description: "Number of days for which the user certificate should be valid. If not configured, default User Operator value is used. If new validity policy would make the current certificate expired or current certificate's validity period would exceed new policy, the certificate is immediately renewed, without waiting for maintenance window. "
                     x-kubernetes-validations:
                     - rule: self > 0
                       message: '''validityDays'' has to be higher than 0.'
diff --git a/api/src/test/resources/crds/v1beta2/044-Crd-kafkauser.yaml b/api/src/test/resources/crds/v1beta2/044-Crd-kafkauser.yaml
@@ -95,7 +95,7 @@ spec:
                     description: Authentication type.
                   validityDays:
                     type: integer
-                    description: "Number of days for which the user certificate should be valid. If not configured, default User Operator value is used."
+                    description: "Number of days for which the user certificate should be valid. If not configured, default User Operator value is used. If new validity policy would make the current certificate expired or current certificate's validity period would exceed new policy, the certificate is immediately renewed, without waiting for maintenance window. "
                     x-kubernetes-validations:
                     - rule: self > 0
                       message: '''validityDays'' has to be higher than 0.'
diff --git a/development-docs/systemtests/io.strimzi.systemtest.operators.user.UserST.md b/development-docs/systemtests/io.strimzi.systemtest.operators.user.UserST.md
@@ -97,6 +97,28 @@
 * [user-operator](labels/user-operator.md)
 
 
+## testTlsValidityDays
+
+**Description:** Verifies functionality of the mTLS `validityDays` and `renewalDays` configured inside each KafkaUser.
+
+**Steps:**
+
+| Step | Action | Result |
+| - | - | - |
+| 1. | Create `KafkaTopic` to which we will send (and from which we will receive) messages - created in existing Kafka cluster. | `KafkaTopic` is created. |
+| 2. | Create `KafkaUser` with TLS authentication; together with default `validityDays` (200 days) and `renewalDays` (20 days) - configured in User operator. | `KafkaUser` is created with defaults. |
+| 3. | Obtain the `KafkaUser`'s `Secret` and check validity period of the user certificate. | Validity period should be default - 200 days. |
+| 4. | Do message transmission to verify, that we are able to connect to Kafka cluster with the TLS `KafkaUser`. | Messages are successfully sent and received. |
+| 5. | Change the `validityDays` and `renewalDays` in the `KafkaUser` `.spec.authentication` to 60 and 10. | The `validityDays` and `renewalDays` should be changed in the `KafkaUser`. |
+| 6. | Because the current certificate would exceed the new validity period, `KafkaUser`'s `Secret` and user certificate should be renewed - we are waiting for the certificate change. | The user certificate was changed. |
+| 7. | Obtain the `KafkaUser`'s `Secret` again and check the validity period of the user certificate. | Validity period should be 60 days. |
+| 8. | Do message transmission again to verify, that we are able to connect to Kafka cluster with the new user's certificate. | Messages are successfully sent and received using new certificate. |
+
+**Labels:**
+
+* [user-operator](labels/user-operator.md)
+
+
 ## testUpdateUser
 
 **Description:** Verifies updating a Kafka user from TLS to SCRAM-SHA-512 authentication and validates user secret contents.
diff --git a/development-docs/systemtests/labels/user-operator.md b/development-docs/systemtests/labels/user-operator.md
@@ -15,6 +15,7 @@ They verify user authentication mechanisms (TLS, SCRAM-SHA-512, external TLS), a
 - [testTlsExternalUser](../io.strimzi.systemtest.operators.user.UserST.md)
 - [testTlsExternalUserWithQuotas](../io.strimzi.systemtest.operators.user.UserST.md)
 - [testTlsUserWithQuotas](../io.strimzi.systemtest.operators.user.UserST.md)
+- [testTlsValidityDays](../io.strimzi.systemtest.operators.user.UserST.md)
 - [testUpdateUser](../io.strimzi.systemtest.operators.user.UserST.md)
 - [testUserWithNameMoreThan64Chars](../io.strimzi.systemtest.operators.user.UserST.md)
 - [testUserWithQuotas](../io.strimzi.systemtest.operators.user.UserST.md)
diff --git a/documentation/modules/appendix_crds.adoc b/documentation/modules/appendix_crds.adoc
@@ -2677,7 +2677,7 @@ It must have the value `tls` for the type `KafkaUserTlsClientAuthentication`.
 |Must be `tls`.
 |validityDays
 |integer
-|Number of days for which the user certificate should be valid. If not configured, default User Operator value is used.
+|Number of days for which the user certificate should be valid. If not configured, default User Operator value is used. If new validity policy would make the current certificate expired or current certificate's validity period would exceed new policy, the certificate is immediately renewed, without waiting for maintenance window. 
 |renewalDays
 |integer
 |Configures how many days before the certificate expiration should be the user certificate renewed. If not configured, default User Operator value is used.
diff --git a/packaging/helm-charts/helm3/strimzi-kafka-operator/crds/044-Crd-kafkauser.yaml b/packaging/helm-charts/helm3/strimzi-kafka-operator/crds/044-Crd-kafkauser.yaml
@@ -96,7 +96,7 @@ spec:
                       description: Authentication type.
                     validityDays:
                       type: integer
-                      description: "Number of days for which the user certificate should be valid. If not configured, default User Operator value is used."
+                      description: "Number of days for which the user certificate should be valid. If not configured, default User Operator value is used. If new validity policy would make the current certificate expired or current certificate's validity period would exceed new policy, the certificate is immediately renewed, without waiting for maintenance window. "
                       x-kubernetes-validations:
                         - rule: self > 0
                           message: '''validityDays'' has to be higher than 0.'
diff --git a/packaging/install/cluster-operator/044-Crd-kafkauser.yaml b/packaging/install/cluster-operator/044-Crd-kafkauser.yaml
@@ -95,7 +95,7 @@ spec:
                     description: Authentication type.
                   validityDays:
                     type: integer
-                    description: "Number of days for which the user certificate should be valid. If not configured, default User Operator value is used."
+                    description: "Number of days for which the user certificate should be valid. If not configured, default User Operator value is used. If new validity policy would make the current certificate expired or current certificate's validity period would exceed new policy, the certificate is immediately renewed, without waiting for maintenance window. "
                     x-kubernetes-validations:
                     - rule: self > 0
                       message: '''validityDays'' has to be higher than 0.'
diff --git a/packaging/install/user-operator/04-Crd-kafkauser.yaml b/packaging/install/user-operator/04-Crd-kafkauser.yaml
@@ -95,7 +95,7 @@ spec:
                     description: Authentication type.
                   validityDays:
                     type: integer
-                    description: "Number of days for which the user certificate should be valid. If not configured, default User Operator value is used."
+                    description: "Number of days for which the user certificate should be valid. If not configured, default User Operator value is used. If new validity policy would make the current certificate expired or current certificate's validity period would exceed new policy, the certificate is immediately renewed, without waiting for maintenance window. "
                     x-kubernetes-validations:
                     - rule: self > 0
                       message: '''validityDays'' has to be higher than 0.'
diff --git a/systemtest/src/main/java/io/strimzi/systemtest/utils/kafkaUtils/KafkaUserUtils.java b/systemtest/src/main/java/io/strimzi/systemtest/utils/kafkaUtils/KafkaUserUtils.java
@@ -15,6 +15,7 @@
 import io.strimzi.api.kafka.model.user.KafkaUser;
 import io.strimzi.api.kafka.model.user.KafkaUserScramSha512ClientAuthenticationBuilder;
 import io.strimzi.api.kafka.model.user.KafkaUserSpec;
+import io.strimzi.operator.common.Util;
 import io.strimzi.systemtest.TestConstants;
 import io.strimzi.systemtest.resources.ResourceConditions;
 import io.strimzi.systemtest.resources.ResourceOperation;
@@ -23,8 +24,13 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
+import java.io.ByteArrayInputStream;
 import java.io.File;
 import java.io.IOException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.time.temporal.ChronoUnit;
 import java.util.List;
 import java.util.Random;
 import java.util.function.Consumer;
@@ -255,4 +261,17 @@ public static void waitForUserWithPrefixDeletion(String namespaceName, String us
                 }
             });
     }
+
+    public static int getValidityDaysOfCertificate(String certificate) {
+        try {
+            byte[] certBytes = Util.decodeFromBase64(certificate).getBytes();
+            CertificateFactory cf = CertificateFactory.getInstance("X.509");
+            X509Certificate cert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(certBytes));
+
+            return (int) ChronoUnit.DAYS.between(cert.getNotBefore().toInstant(), cert.getNotAfter().toInstant());
+        } catch (CertificateException e) {
+            LOGGER.error("Failed to parse certificate due to: {}", e.getMessage());
+            throw new RuntimeException(e);
+        }
+    }
 }
diff --git a/systemtest/src/main/java/io/strimzi/systemtest/utils/kubeUtils/objects/SecretUtils.java b/systemtest/src/main/java/io/strimzi/systemtest/utils/kubeUtils/objects/SecretUtils.java
@@ -170,12 +170,12 @@ public static void updateCustomCertSecret(String namespaceName, String clusterNa
         waitForSecretReady(namespaceName, name, () -> { });
     }
 
-    public static void waitForCertToChange(String namespaceName, String originalCert, String secretName) {
+    public static void waitForCertToChange(String namespaceName, String originalCert, String secretName, String fieldName) {
         LOGGER.info("Waiting for Secret: {}/{} certificate to be replaced", namespaceName, secretName);
         TestUtils.waitFor("cert to be replaced", TestConstants.GLOBAL_POLL_INTERVAL, TestConstants.TIMEOUT_FOR_CLUSTER_STABLE, () -> {
             Secret secret = KubeResourceManager.get().kubeClient().getClient().secrets().inNamespace(namespaceName).withName(secretName).get();
-            if (secret != null && secret.getData() != null && secret.getData().containsKey("ca.crt")) {
-                String currentCert = Util.decodeFromBase64((secret.getData().get("ca.crt")));
+            if (secret != null && secret.getData() != null && secret.getData().containsKey(fieldName)) {
+                String currentCert = Util.decodeFromBase64((secret.getData().get(fieldName)));
                 boolean changed = !originalCert.equals(currentCert);
                 if (changed) {
                     LOGGER.info("Certificate in Secret: {}/{} changed, was: {}, is now: {}", namespaceName, secretName, originalCert, currentCert);
diff --git a/systemtest/src/test/java/io/strimzi/systemtest/operators/user/UserST.java b/systemtest/src/test/java/io/strimzi/systemtest/operators/user/UserST.java
diff --git a/systemtest/src/test/java/io/strimzi/systemtest/security/SecurityST.java b/systemtest/src/test/java/io/strimzi/systemtest/security/SecurityST.java
