strimzi
diff --git a/‎CHANGELOG.md‎
Lines changed: 1 addition & 9 deletions b/‎CHANGELOG.md‎
Lines changed: 1 addition & 9 deletions
diff --git a/‎api/src/main/java/io/strimzi/api/kafka/model/user/KafkaUserAuthentication.java‎
Lines changed: 7 additions & 0 deletions b/‎api/src/main/java/io/strimzi/api/kafka/model/user/KafkaUserAuthentication.java‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎api/src/main/java/io/strimzi/api/kafka/model/user/KafkaUserTlsClientAuthentication.java‎
Lines changed: 44 additions & 1 deletion b/‎api/src/main/java/io/strimzi/api/kafka/model/user/KafkaUserTlsClientAuthentication.java‎
Lines changed: 44 additions & 1 deletion
diff --git a/‎api/src/test/resources/crds/v1/044-Crd-kafkauser.yaml‎
Lines changed: 15 additions & 0 deletions b/‎api/src/test/resources/crds/v1/044-Crd-kafkauser.yaml‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎api/src/test/resources/crds/v1beta2/044-Crd-kafkauser.yaml‎
Lines changed: 54 additions & 0 deletions b/‎api/src/test/resources/crds/v1beta2/044-Crd-kafkauser.yaml‎
Lines changed: 54 additions & 0 deletions
diff --git a/‎development-docs/systemtests/io.strimzi.systemtest.operators.user.UserST.md‎
Lines changed: 22 additions & 0 deletions b/‎development-docs/systemtests/io.strimzi.systemtest.operators.user.UserST.md‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎development-docs/systemtests/labels/user-operator.md‎
Lines changed: 1 addition & 0 deletions b/‎development-docs/systemtests/labels/user-operator.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎documentation/modules/appendix_crds.adoc‎
Lines changed: 6 additions & 0 deletions b/‎documentation/modules/appendix_crds.adoc‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎operator-common/src/main/java/io/strimzi/operator/common/model/Ca.java‎
Lines changed: 35 additions & 0 deletions b/‎operator-common/src/main/java/io/strimzi/operator/common/model/Ca.java‎
Lines changed: 35 additions & 0 deletions
@@ -2,7 +2,7 @@
 
 ## 1.1.0
 
-* _Nothing here yet, but we will surely develop something new pretty soon_ 😉
+* Add possibility to configure mTLS `validityDays` and `renewalDays` for each `KafkaUser`
 
 ### Major changes, deprecations, and removals
 
@@ -42,14 +42,6 @@
 * Update HTTP bridge to 1.0.0.
   * `/metrics` endpoint is no longer available on the regular HTTP interface (port 8080 by default). It is now available on the HTTP management interface, 8081.
     Users upgrading to Strimzi 1.0.0+ should check all monitoring configurations that scrape Kafka Bridge metrics and update them to use port 8081 instead of 8080 or any other non-default port before or immediately after the upgrade to avoid metrics collection failures.
-* Standalone Topic Operator now reads certificates directly from the Kubernetes Secrets in PEM format instead of using JKS/P12 keystore and truststore files.
-  If you use the standalone Topic Operator and you have any custom configuration related to TLS certificates, you might need to update it during the upgrade to Strimzi 1.0.0.
-  * Make sure the Topic Operator has the Kubernetes RBAC rights to read the certificate Secrets
-  * Use the environment variable `STRIMZI_TLS_TRUSTED_CERTS_SECRET_NAME` to configure the CA certificates for TLS encryption when connecting to the Apache Kafka cluster.
-  * Use the environment variables `STRIMZI_TLS_SECRET_NAME`, `STRIMZI_TLS_KEY_NAME`, and `STRIMZI_TLS_CERT_NAME` to configure client certificate for the mTLS authentication when connecting to the Apache Kafka cluster.
-  * Use the environment variable `STRIMZI_CLUSTER_NAMESPACE` to define the namespace where the TLS Secrets are.
-  * If you want to use TLS encryption with an Apache Kafka cluster using server certificates signed by a public CA, you just need to use the `STRIMZI_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM` variable and set it to `TLS`.
-  * The `STRIMZI_TLS_ENABLED`, `STRIMZI_TLS_AUTH_ENABLED`, `STRIMZI_PUBLIC_CA`, `STRIMZI_TRUSTSTORE_LOCATION`, `STRIMZI_TRUSTSTORE_PASSWORD`, `STRIMZI_KEYSTORE_LOCATION`, and `STRIMZI_KEYSTORE_PASSWORD` environment variables are not used anymore and will be ignored if set.
 
 ## 0.51.0
 
 
@@ -8,13 +8,20 @@
 import com.fasterxml.jackson.annotation.JsonSubTypes;
 import com.fasterxml.jackson.annotation.JsonTypeInfo;
 import io.strimzi.api.kafka.model.common.UnknownPropertyPreserving;
+import io.strimzi.crdgenerator.annotations.CelValidation;
 import io.strimzi.crdgenerator.annotations.Description;
 import lombok.EqualsAndHashCode;
 import lombok.ToString;
 
 import java.util.HashMap;
 import java.util.Map;
 
+@CelValidation(rules = {
+    @CelValidation.CelValidationRule(
+        rule = "self.type == 'tls' || (!has(self.validityDays) && !has(self.renewalDays))",
+        message = "'validityDays' and 'renewalDays' can be configured only with 'type: tls'"
+        )
+})
 @JsonTypeInfo(use = JsonTypeInfo.Id.NAME,
         include = JsonTypeInfo.As.EXISTING_PROPERTY,
         property = "type")
 
@@ -7,6 +7,7 @@
 import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.annotation.JsonPropertyOrder;
 import io.strimzi.api.kafka.model.common.Constants;
+import io.strimzi.crdgenerator.annotations.CelValidation;
 import io.strimzi.crdgenerator.annotations.Description;
 import io.sundr.builder.annotations.Buildable;
 import lombok.EqualsAndHashCode;
@@ -17,18 +18,60 @@
         builderPackage = Constants.FABRIC8_KUBERNETES_API
 )
 @JsonInclude(JsonInclude.Include.NON_NULL)
-@JsonPropertyOrder({"type"})
+@JsonPropertyOrder({"type", "validityDays", "renewalDays"})
 @EqualsAndHashCode(callSuper = true)
 @ToString(callSuper = true)
 public class KafkaUserTlsClientAuthentication extends KafkaUserAuthentication {
     public static final String TYPE_TLS = "tls";
 
+    private Integer validityDays;
+    private Integer renewalDays;
+
     @Description("Must be `" + TYPE_TLS + "`")
     @JsonInclude(JsonInclude.Include.NON_NULL)
     @Override
     public String getType() {
         return TYPE_TLS;
     }
 
+    @CelValidation(rules = {
+        @CelValidation.CelValidationRule(
+            rule = "self > 0",
+            message = "'validityDays' has to be higher than 0."
+            )
+    })
+    @Description(
+        "Number of days for which the user certificate should be valid. " +
+        "If not configured, default User Operator value is used. " +
+        "If new validity policy would make the current certificate expired or current certificate's validity period would exceed new policy, " +
+        "the certificate is immediately renewed, without waiting for maintenance window. "
+    )
+    @JsonInclude(value = JsonInclude.Include.NON_NULL)
+    public Integer getValidityDays() {
+        return this.validityDays;
+    }
+
+    public void setValidityDays(Integer validityDays) {
+        this.validityDays = validityDays;
+    }
+
+    @CelValidation(rules = {
+        @CelValidation.CelValidationRule(
+            rule = "self > 0",
+            message = "'renewalDays' has to be higher than 0."
+            )
+    })
+    @Description(
+        "Configures how many days before the certificate expiration should be the user certificate renewed. " +
+        "If not configured, default User Operator value is used."
+    )
+    @JsonInclude(value = JsonInclude.Include.NON_NULL)
+    public Integer getRenewalDays() {
+        return renewalDays;
+    }
+
+    public void setRenewalDays(Integer renewalDays) {
+        this.renewalDays = renewalDays;
+    }
 
 }
@@ -80,16 +80,31 @@ spec:
                     required:
                     - valueFrom
                     description: "Specify the password for the user. If not set, a new password is generated by the User Operator."
+                  renewalDays:
+                    type: integer
+                    description: "Configures how many days before the certificate expiration should be the user certificate renewed. If not configured, default User Operator value is used."
+                    x-kubernetes-validations:
+                    - rule: self > 0
+                      message: '''renewalDays'' has to be higher than 0.'
                   type:
                     type: string
                     enum:
                     - tls
                     - tls-external
                     - scram-sha-512
                     description: Authentication type.
+                  validityDays:
+                    type: integer
+                    description: "Number of days for which the user certificate should be valid. If not configured, default User Operator value is used. If new validity policy would make the current certificate expired or current certificate's validity period would exceed new policy, the certificate is immediately renewed, without waiting for maintenance window. "
+                    x-kubernetes-validations:
+                    - rule: self > 0
+                      message: '''validityDays'' has to be higher than 0.'
                 required:
                 - type
                 description: "Authentication mechanism enabled for this Kafka user. The supported authentication mechanisms are `scram-sha-512`, `tls`, and `tls-external`. \n\n* `scram-sha-512` generates a secret with SASL SCRAM-SHA-512 credentials.\n* `tls` generates a secret with user certificate for mutual TLS authentication.\n* `tls-external` does not generate a user certificate.   But prepares the user for using mutual TLS authentication using a user certificate generated outside the User Operator.\n  ACLs and quotas set for this user are configured in the `CN=<username>` format.\n\nAuthentication is optional. If authentication is not configured, no credentials are generated. ACLs and quotas set for the user are configured in the `<username>` format suitable for SASL authentication."
+                x-kubernetes-validations:
+                - rule: self.type == 'tls' || (!has(self.validityDays) && !has(self.renewalDays))
+                  message: "'validityDays' and 'renewalDays' can be configured only with 'type: tls'"
               authorization:
                 type: object
                 properties:
 
@@ -80,16 +80,31 @@ spec:
                     required:
                     - valueFrom
                     description: "Specify the password for the user. If not set, a new password is generated by the User Operator."
+                  renewalDays:
+                    type: integer
+                    description: "Configures how many days before the certificate expiration should be the user certificate renewed. If not configured, default User Operator value is used."
+                    x-kubernetes-validations:
+                    - rule: self > 0
+                      message: '''renewalDays'' has to be higher than 0.'
                   type:
                     type: string
                     enum:
                     - tls
                     - tls-external
                     - scram-sha-512
                     description: Authentication type.
+                  validityDays:
+                    type: integer
+                    description: "Number of days for which the user certificate should be valid. If not configured, default User Operator value is used. If new validity policy would make the current certificate expired or current certificate's validity period would exceed new policy, the certificate is immediately renewed, without waiting for maintenance window. "
+                    x-kubernetes-validations:
+                    - rule: self > 0
+                      message: '''validityDays'' has to be higher than 0.'
                 required:
                 - type
                 description: "Authentication mechanism enabled for this Kafka user. The supported authentication mechanisms are `scram-sha-512`, `tls`, and `tls-external`. \n\n* `scram-sha-512` generates a secret with SASL SCRAM-SHA-512 credentials.\n* `tls` generates a secret with user certificate for mutual TLS authentication.\n* `tls-external` does not generate a user certificate.   But prepares the user for using mutual TLS authentication using a user certificate generated outside the User Operator.\n  ACLs and quotas set for this user are configured in the `CN=<username>` format.\n\nAuthentication is optional. If authentication is not configured, no credentials are generated. ACLs and quotas set for the user are configured in the `<username>` format suitable for SASL authentication."
+                x-kubernetes-validations:
+                - rule: self.type == 'tls' || (!has(self.validityDays) && !has(self.renewalDays))
+                  message: "'validityDays' and 'renewalDays' can be configured only with 'type: tls'"
               authorization:
                 type: object
                 properties:
@@ -298,14 +313,27 @@ spec:
                                 type: boolean
                     required:
                     - valueFrom
+                  renewalDays:
+                    type: integer
+                    x-kubernetes-validations:
+                    - rule: self > 0
+                      message: '''renewalDays'' has to be higher than 0.'
                   type:
                     type: string
                     enum:
                     - tls
                     - tls-external
                     - scram-sha-512
+                  validityDays:
+                    type: integer
+                    x-kubernetes-validations:
+                    - rule: self > 0
+                      message: '''validityDays'' has to be higher than 0.'
                 required:
                 - type
+                x-kubernetes-validations:
+                - rule: self.type == 'tls' || (!has(self.validityDays) && !has(self.renewalDays))
+                  message: "'validityDays' and 'renewalDays' can be configured only with 'type: tls'"
               authorization:
                 type: object
                 properties:
@@ -494,14 +522,27 @@ spec:
                                 type: boolean
                     required:
                     - valueFrom
+                  renewalDays:
+                    type: integer
+                    x-kubernetes-validations:
+                    - rule: self > 0
+                      message: '''renewalDays'' has to be higher than 0.'
                   type:
                     type: string
                     enum:
                     - tls
                     - tls-external
                     - scram-sha-512
+                  validityDays:
+                    type: integer
+                    x-kubernetes-validations:
+                    - rule: self > 0
+                      message: '''validityDays'' has to be higher than 0.'
                 required:
                 - type
+                x-kubernetes-validations:
+                - rule: self.type == 'tls' || (!has(self.validityDays) && !has(self.renewalDays))
+                  message: "'validityDays' and 'renewalDays' can be configured only with 'type: tls'"
               authorization:
                 type: object
                 properties:
@@ -690,14 +731,27 @@ spec:
                                 type: boolean
                     required:
                     - valueFrom
+                  renewalDays:
+                    type: integer
+                    x-kubernetes-validations:
+                    - rule: self > 0
+                      message: '''renewalDays'' has to be higher than 0.'
                   type:
                     type: string
                     enum:
                     - tls
                     - tls-external
                     - scram-sha-512
+                  validityDays:
+                    type: integer
+                    x-kubernetes-validations:
+                    - rule: self > 0
+                      message: '''validityDays'' has to be higher than 0.'
                 required:
                 - type
+                x-kubernetes-validations:
+                - rule: self.type == 'tls' || (!has(self.validityDays) && !has(self.renewalDays))
+                  message: "'validityDays' and 'renewalDays' can be configured only with 'type: tls'"
               authorization:
                 type: object
                 properties:
 
@@ -97,6 +97,28 @@
 * [user-operator](labels/user-operator.md)
 
 
+## testTlsValidityDays
+
+**Description:** Verifies functionality of the mTLS `validityDays` and `renewalDays` configured inside each KafkaUser.
+
+**Steps:**
+
+| Step | Action | Result |
+| - | - | - |
+| 1. | Create `KafkaTopic` to which we will send (and from which we will receive) messages - created in existing Kafka cluster. | `KafkaTopic` is created. |
+| 2. | Create `KafkaUser` with TLS authentication; together with default `validityDays` (200 days) and `renewalDays` (20 days) - configured in User operator. | `KafkaUser` is created with defaults. |
+| 3. | Obtain the `KafkaUser`'s `Secret` and check validity period of the user certificate. | Validity period should be default - 200 days. |
+| 4. | Do message transmission to verify, that we are able to connect to Kafka cluster with the TLS `KafkaUser`. | Messages are successfully sent and received. |
+| 5. | Change the `validityDays` and `renewalDays` in the `KafkaUser` `.spec.authentication` to 60 and 10. | The `validityDays` and `renewalDays` should be changed in the `KafkaUser`. |
+| 6. | Because the current certificate would exceed the new validity period, `KafkaUser`'s `Secret` and user certificate should be renewed - we are waiting for the certificate change. | The user certificate was changed. |
+| 7. | Obtain the `KafkaUser`'s `Secret` again and check the validity period of the user certificate. | Validity period should be 60 days. |
+| 8. | Do message transmission again to verify, that we are able to connect to Kafka cluster with the new user's certificate. | Messages are successfully sent and received using new certificate. |
+
+**Labels:**
+
+* [user-operator](labels/user-operator.md)
+
+
 ## testUpdateUser
 
 **Description:** Verifies updating a Kafka user from TLS to SCRAM-SHA-512 authentication and validates user secret contents.
 
@@ -15,6 +15,7 @@ They verify user authentication mechanisms (TLS, SCRAM-SHA-512, external TLS), a
 - [testTlsExternalUser](../io.strimzi.systemtest.operators.user.UserST.md)
 - [testTlsExternalUserWithQuotas](../io.strimzi.systemtest.operators.user.UserST.md)
 - [testTlsUserWithQuotas](../io.strimzi.systemtest.operators.user.UserST.md)
+- [testTlsValidityDays](../io.strimzi.systemtest.operators.user.UserST.md)
 - [testUpdateUser](../io.strimzi.systemtest.operators.user.UserST.md)
 - [testUserWithNameMoreThan64Chars](../io.strimzi.systemtest.operators.user.UserST.md)
 - [testUserWithQuotas](../io.strimzi.systemtest.operators.user.UserST.md)
@@ -2675,6 +2675,12 @@ It must have the value `tls` for the type `KafkaUserTlsClientAuthentication`.
 |type
 |string
 |Must be `tls`.
+|validityDays
+|integer
+|Number of days for which the user certificate should be valid. If not configured, default User Operator value is used. If new validity policy would make the current certificate expired or current certificate's validity period would exceed new policy, the certificate is immediately renewed, without waiting for maintenance window. 
+|renewalDays
+|integer
+|Configures how many days before the certificate expiration should be the user certificate renewed. If not configured, default User Operator value is used.
 |====
 
 [id='type-KafkaUserTlsExternalClientAuthentication-{context}']
 
@@ -542,6 +542,41 @@ public boolean isExpiring(Secret secret, String certKey)  {
         return certNeedsRenewal(currentCert);
     }
 
+    /**
+     * Checks if the validityDays configuration is different from previous state.
+     * If yes, the method checks if the new configuration of validityDays would make the certificate expired
+     * or if the current Certificate's validity period exceeds the new policy.
+     *
+     * @param secret    Secret with the certificate
+     * @param certKey   Key under which is the certificate stored
+     *
+     * @return  True if the certificate should be renewed due to new validity period. False otherwise.
+     */
+    public boolean requiresImmediateRenewalDueToValidityChange(Secret secret, String certKey) {
+        X509Certificate currentCert = cert(secret, certKey);
+
+        Instant notBefore = currentCert.getNotBefore().toInstant();
+        Instant notAfter = currentCert.getNotAfter().toInstant();
+        int currentValidityDays = (int) ChronoUnit.DAYS.between(notBefore, notAfter);
+
+        if (currentValidityDays != validityDays) {
+            Instant wouldExpireUnderNewPolicy = notBefore.plus(validityDays, ChronoUnit.DAYS);
+
+            if (!this.clock.instant().isBefore(wouldExpireUnderNewPolicy)) {
+                LOGGER.infoCr(reconciliation, "Certificate of Secret {}/{} would be expired under new validity policy, it will be renewed",
+                    secret.getMetadata().getNamespace(), secret.getMetadata().getName());
+                return true;
+            }
+            if (currentValidityDays > validityDays) {
+                LOGGER.infoCr(reconciliation, "Certificate's current validity period of Secret {}/{} exceeds new policy, it will be renewed",
+                    secret.getMetadata().getNamespace(), secret.getMetadata().getName());
+                return true;
+            }
+        }
+
+        return false;
+    }
+
     /**
      * Returns whether the certificate is expiring or not
      *