strimzi
diff --git a/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎api/src/main/java/io/strimzi/api/kafka/model/user/KafkaUserAuthentication.java‎
Lines changed: 15 additions & 0 deletions b/‎api/src/main/java/io/strimzi/api/kafka/model/user/KafkaUserAuthentication.java‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎api/src/main/java/io/strimzi/api/kafka/model/user/KafkaUserTlsClientAuthentication.java‎
Lines changed: 36 additions & 1 deletion b/‎api/src/main/java/io/strimzi/api/kafka/model/user/KafkaUserTlsClientAuthentication.java‎
Lines changed: 36 additions & 1 deletion
diff --git a/‎api/src/test/java/io/strimzi/api/kafka/model/CelValidationIT.java‎
Lines changed: 11 additions & 1 deletion b/‎api/src/test/java/io/strimzi/api/kafka/model/CelValidationIT.java‎
Lines changed: 11 additions & 1 deletion
diff --git a/‎api/src/test/resources/io/strimzi/api/kafka/model/user/KafkaUser-cel-missing-renewal-days.yaml‎
Lines changed: 9 additions & 0 deletions b/‎api/src/test/resources/io/strimzi/api/kafka/model/user/KafkaUser-cel-missing-renewal-days.yaml‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎api/src/test/resources/io/strimzi/api/kafka/model/user/KafkaUser-cel-missing-validity-days.yaml‎
Lines changed: 9 additions & 0 deletions b/‎api/src/test/resources/io/strimzi/api/kafka/model/user/KafkaUser-cel-missing-validity-days.yaml‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎api/src/test/resources/io/strimzi/api/kafka/model/user/KafkaUser-cel-renewal-higher-than-validity.yaml‎
Lines changed: 10 additions & 0 deletions b/‎api/src/test/resources/io/strimzi/api/kafka/model/user/KafkaUser-cel-renewal-higher-than-validity.yaml‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎api/src/test/resources/io/strimzi/api/kafka/model/user/KafkaUser-cel-validity-renewal-configured-outside-tls.yaml‎
Lines changed: 10 additions & 0 deletions b/‎api/src/test/resources/io/strimzi/api/kafka/model/user/KafkaUser-cel-validity-renewal-configured-outside-tls.yaml‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎development-docs/systemtests/io.strimzi.systemtest.operators.user.UserST.md‎
Lines changed: 22 additions & 0 deletions b/‎development-docs/systemtests/io.strimzi.systemtest.operators.user.UserST.md‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎development-docs/systemtests/labels/user-operator.md‎
Lines changed: 1 addition & 0 deletions b/‎development-docs/systemtests/labels/user-operator.md‎
Lines changed: 1 addition & 0 deletions
@@ -12,6 +12,7 @@
 * Add `UseBackgroundPodDeletion` feature gate (alpha, disabled by default) to use background deletion propagation when deleting pods during rolling updates. 
 * Strimzi Drain Cleaner updated to 1.6.0 (included in the Strimzi installation files)
 * Strimzi Access Operator updated to 0.3.0 - included in Strimzi installation files, examples, and documentation
+* It's now possible to configure mTLS `validityDays` and `renewalDays` for each `KafkaUser`
 
 ### Major changes, deprecations, and removals
 
 
@@ -8,13 +8,28 @@
 import com.fasterxml.jackson.annotation.JsonSubTypes;
 import com.fasterxml.jackson.annotation.JsonTypeInfo;
 import io.strimzi.api.kafka.model.common.UnknownPropertyPreserving;
+import io.strimzi.crdgenerator.annotations.CelValidation;
 import io.strimzi.crdgenerator.annotations.Description;
 import lombok.EqualsAndHashCode;
 import lombok.ToString;
 
 import java.util.HashMap;
 import java.util.Map;
 
+@CelValidation(rules = {
+    @CelValidation.CelValidationRule(
+        rule = "self.type == 'tls' || (!has(self.validityDays) && !has(self.renewalDays))",
+        message = "'validityDays' and 'renewalDays' can be configured only with 'type: tls'"
+        ),
+    @CelValidation.CelValidationRule(
+        rule = "self.type != 'tls' || (has(self.renewalDays) == has(self.validityDays))",
+        message = "Both 'validityDays' and 'renewalDays' must be set together, or both must be unset."
+        ),
+    @CelValidation.CelValidationRule(
+        rule = "self.type != 'tls' || !has(self.renewalDays) || !has(self.validityDays) || self.renewalDays < self.validityDays",
+        message = "'renewalDays' must be less than 'validityDays'."
+        )
+})
 @JsonTypeInfo(use = JsonTypeInfo.Id.NAME,
         include = JsonTypeInfo.As.EXISTING_PROPERTY,
         property = "type")
 
@@ -8,6 +8,7 @@
 import com.fasterxml.jackson.annotation.JsonPropertyOrder;
 import io.strimzi.api.kafka.model.common.Constants;
 import io.strimzi.crdgenerator.annotations.Description;
+import io.strimzi.crdgenerator.annotations.Minimum;
 import io.sundr.builder.annotations.Buildable;
 import lombok.EqualsAndHashCode;
 import lombok.ToString;
@@ -17,18 +18,52 @@
         builderPackage = Constants.FABRIC8_KUBERNETES_API
 )
 @JsonInclude(JsonInclude.Include.NON_NULL)
-@JsonPropertyOrder({"type"})
+@JsonPropertyOrder({"type", "validityDays", "renewalDays"})
 @EqualsAndHashCode(callSuper = true)
 @ToString(callSuper = true)
 public class KafkaUserTlsClientAuthentication extends KafkaUserAuthentication {
     public static final String TYPE_TLS = "tls";
 
+    private Integer validityDays;
+    private Integer renewalDays;
+
     @Description("Must be `" + TYPE_TLS + "`")
     @JsonInclude(JsonInclude.Include.NON_NULL)
     @Override
     public String getType() {
         return TYPE_TLS;
     }
 
+    @Description(
+        "Number of days for which the user certificate is valid. " +
+        "Both this property and `renewalDays` must be configured together." +
+        "The value must be greater than 0 and greater than `renewalDays`." +
+        "If not configured, the Clients CA configuration is used."
+    )
+    @Minimum(1)
+    @JsonInclude(value = JsonInclude.Include.NON_NULL)
+    public Integer getValidityDays() {
+        return this.validityDays;
+    }
+
+    public void setValidityDays(Integer validityDays) {
+        this.validityDays = validityDays;
+    }
+
+    @Description(
+        "Number of days before certificate expiration when the user certificate is renewed. " +
+        "Both this property and `validityDays` must be configured together." +
+        "The value must be greater than 0 and less than `validityDays`." +
+        "If not configured, the Clients CA configuration is used."
+    )
+    @Minimum(1)
+    @JsonInclude(value = JsonInclude.Include.NON_NULL)
+    public Integer getRenewalDays() {
+        return renewalDays;
+    }
+
+    public void setRenewalDays(Integer renewalDays) {
+        this.renewalDays = renewalDays;
+    }
 
 }
@@ -13,6 +13,7 @@
 import io.strimzi.api.kafka.model.connect.KafkaConnect;
 import io.strimzi.api.kafka.model.kafka.Kafka;
 import io.strimzi.api.kafka.model.mirrormaker2.KafkaMirrorMaker2;
+import io.strimzi.api.kafka.model.user.KafkaUser;
 import io.strimzi.test.CrdUtils;
 import io.strimzi.test.ReadWriteUtils;
 import io.strimzi.test.TestUtils;
@@ -61,6 +62,10 @@ static Stream<Arguments> celRules() {
         final String valueFromRequired = "valueFrom property is required";
         final String ccStrimziTypeNotSupported = "value type not supported";
 
+        final String validityRenewalDaysSetTogether = "Both 'validityDays' and 'renewalDays' must be set together, or both must be unset.";
+        final String renewalMustBeLessThanValidity = "'renewalDays' must be less than 'validityDays'.";
+        final String validityRenewalMustBeSetUnderTls = "'validityDays' and 'renewalDays' can be configured only with 'type: tls'";
+
         return Stream.of(
                 Arguments.of(Kafka.class, "Kafka-cel-rack-topology-label-missing-key.yaml", topologyKeyRequired),
                 Arguments.of(Kafka.class, "Kafka-cel-rack-environment-variable-missing-name.yaml", envVarNameRequired),
@@ -78,7 +83,12 @@ static Stream<Arguments> celRules() {
 
                 Arguments.of(KafkaMirrorMaker2.class, "KafkaMirrorMaker2-cel-rack-topology-label-missing-key.yaml", topologyKeyRequired),
                 Arguments.of(KafkaMirrorMaker2.class, "KafkaMirrorMaker2-cel-rack-environment-variable-missing-name.yaml", envVarNameRequired),
-                Arguments.of(KafkaMirrorMaker2.class, "KafkaMirrorMaker2-cel-metrics-jmx-missing-valueFrom.yaml", valueFromRequired)
+                Arguments.of(KafkaMirrorMaker2.class, "KafkaMirrorMaker2-cel-metrics-jmx-missing-valueFrom.yaml", valueFromRequired),
+
+                Arguments.of(KafkaUser.class, "KafkaUser-cel-missing-renewal-days.yaml", validityRenewalDaysSetTogether),
+                Arguments.of(KafkaUser.class, "KafkaUser-cel-missing-validity-days.yaml", validityRenewalDaysSetTogether),
+                Arguments.of(KafkaUser.class, "KafkaUser-cel-renewal-higher-than-validity.yaml", renewalMustBeLessThanValidity),
+                Arguments.of(KafkaUser.class, "KafkaUser-cel-validity-renewal-configured-outside-tls.yaml", validityRenewalMustBeSetUnderTls)
         );
     }
 
 
@@ -0,0 +1,9 @@
+---
+apiVersion: "kafka.strimzi.io/v1"
+kind: "KafkaUser"
+metadata:
+  name: my-user
+spec:
+  authentication:
+    type: tls
+    validityDays: 10
@@ -0,0 +1,9 @@
+---
+apiVersion: "kafka.strimzi.io/v1"
+kind: "KafkaUser"
+metadata:
+  name: my-user
+spec:
+  authentication:
+    type: tls
+    renewalDays: 10
@@ -0,0 +1,10 @@
+---
+apiVersion: "kafka.strimzi.io/v1"
+kind: "KafkaUser"
+metadata:
+  name: my-user
+spec:
+  authentication:
+    type: tls
+    renewalDays: 10
+    validityDays: 9
@@ -0,0 +1,10 @@
+---
+apiVersion: "kafka.strimzi.io/v1"
+kind: "KafkaUser"
+metadata:
+  name: my-user
+spec:
+  authentication:
+    type: scram-sha-512
+    renewalDays: 10
+    validityDays: 20
@@ -97,6 +97,28 @@
 * [user-operator](labels/user-operator.md)
 
 
+## testTlsValidityDays
+
+**Description:** Verifies functionality of the mTLS `validityDays` and `renewalDays` configured inside each KafkaUser.
+
+**Steps:**
+
+| Step | Action | Result |
+| - | - | - |
+| 1. | Create a `KafkaTopic` in the existing Kafka cluster to send and receive messages. | `KafkaTopic` is created. |
+| 2. | Create a `KafkaUser` with TLS authentication without configuring `validityDays` and `renewalDays`. The values from the User Operator are used. | `KafkaUser` is created with values from the User Operator. |
+| 3. | Obtain the `KafkaUser`'s `Secret` and check the validity period of the user certificate. | The default validity period is 200 days. |
+| 4. | Send and receive messages to verify connection to the Kafka cluster using the TLS `KafkaUser`. | Messages are successfully sent and received. |
+| 5. | Change the `validityDays` and `renewalDays` in `KafkaUser` `.spec.authentication` to 40 and 20. | The `validityDays` and `renewalDays` are updated in the `KafkaUser`. |
+| 6. | The certificate is renewed automatically after the `validityDays` and `renewalDays` values are updated. | The user certificate is renewed. |
+| 7. | Obtain the `KafkaUser` `Secret` again and check the validity period of the user certificate. | Validity period is 40 days. |
+| 8. | Send and receive messages again to verify connection to the Kafka cluster using the new user certificate. | Messages are successfully sent and received using the new certificate. |
+
+**Labels:**
+
+* [user-operator](labels/user-operator.md)
+
+
 ## testUpdateUser
 
 **Description:** Verifies updating a Kafka user from TLS to SCRAM-SHA-512 authentication and validates user secret contents.
 
@@ -15,6 +15,7 @@ They verify user authentication mechanisms (TLS, SCRAM-SHA-512, external TLS), a
 - [testTlsExternalUser](../io.strimzi.systemtest.operators.user.UserST.md)
 - [testTlsExternalUserWithQuotas](../io.strimzi.systemtest.operators.user.UserST.md)
 - [testTlsUserWithQuotas](../io.strimzi.systemtest.operators.user.UserST.md)
+- [testTlsValidityDays](../io.strimzi.systemtest.operators.user.UserST.md)
 - [testUpdateUser](../io.strimzi.systemtest.operators.user.UserST.md)
 - [testUserWithNameMoreThan64Chars](../io.strimzi.systemtest.operators.user.UserST.md)
 - [testUserWithQuotas](../io.strimzi.systemtest.operators.user.UserST.md)