From a34f569b88987cc3b373fd2a40e81efb09adbcbd Mon Sep 17 00:00:00 2001
From: David Kornel <kornys@outlook.com>
Date: Fri, 15 May 2026 10:29:45 +0200
Subject: [PATCH 1/3] Few updates of dependencies

Signed-off-by: David Kornel <kornys@outlook.com>
---
 pom.xml                                                   | 8 ++++----
 src/test/java/io/streams/e2e/flink/sql/SqlExampleST.java  | 4 ++--
 .../java/io/streams/e2e/flink/sql/SqlJobRunnerST.java     | 2 +-
 src/test/java/io/streams/e2e/flink/sql/SqlSecurityST.java | 2 +-
 src/test/java/io/streams/unit/SqlWithTest.java            | 2 +-
 5 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/pom.xml b/pom.xml
index a069ef7..39f1473 100644
--- a/pom.xml
+++ b/pom.xml
@@ -24,7 +24,7 @@
         <maven.compiler.release>21</maven.compiler.release>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 
-        <kubetest4j.version>1.0.0</kubetest4j.version>
+        <kubetest4j.version>1.1.0</kubetest4j.version>
         <skodjob-doc.version>0.6.0</skodjob-doc.version>
         <fabric8.version>7.6.1</fabric8.version>
         <log4j.version>2.25.3</log4j.version>
@@ -57,15 +57,15 @@
         <debezium.operator.files.destination>debezium</debezium.operator.files.destination>
         <keycloak.operator.files.destination>keycloak</keycloak.operator.files.destination>
         <!-- Operators versions -->
-        <strimzi.version>0.51.0</strimzi.version>
+        <strimzi.version>1.0.0</strimzi.version>
         <flink.version>1.12.1</flink.version>
         <cert.manager.version>1.18.2</cert.manager.version>
         <apicurio.registry.version>1.1.3-v2.6.4.final</apicurio.registry.version>
-        <apicurio.api.version>1.1.2</apicurio.api.version>
+        <apicurio.api.version>1.1.3</apicurio.api.version>
         <apicurio.lib.version>2.6.13.Final</apicurio.lib.version>
         <debezium.operator.version>3.1.1</debezium.operator.version>
         <kafka.version>4.2.0</kafka.version>
-        <keycloak.version>26.3.3</keycloak.version>
+        <keycloak.version>26.6.1</keycloak.version>
     </properties>
 
     <dependencyManagement>
diff --git a/src/test/java/io/streams/e2e/flink/sql/SqlExampleST.java b/src/test/java/io/streams/e2e/flink/sql/SqlExampleST.java
index c9535ce..bfb9ec8 100644
--- a/src/test/java/io/streams/e2e/flink/sql/SqlExampleST.java
+++ b/src/test/java/io/streams/e2e/flink/sql/SqlExampleST.java
@@ -62,7 +62,7 @@
         @Label(value = FLINK),
     }
 )
-public class SqlExampleST extends Abstract {
+class SqlExampleST extends Abstract {
 
     String namespace = "flink";
     Path exampleFiles = TestConstants.YAML_MANIFEST_PATH.resolve("examples").resolve("sql-example");
@@ -99,7 +99,7 @@ void prepareOperators() {
         }
     )
     @Test
-    void testRecommendationApp() throws IOException {
+    void testRecommendationApp() {
         Allure.step("Prepare " + namespace + " namespace", () -> {
             // Create namespace
             KubeResourceManager.get().createOrUpdateResourceWithWait(
diff --git a/src/test/java/io/streams/e2e/flink/sql/SqlJobRunnerST.java b/src/test/java/io/streams/e2e/flink/sql/SqlJobRunnerST.java
index 4af97dd..38bad38 100644
--- a/src/test/java/io/streams/e2e/flink/sql/SqlJobRunnerST.java
+++ b/src/test/java/io/streams/e2e/flink/sql/SqlJobRunnerST.java
@@ -72,7 +72,7 @@
         @Label(value = FLINK),
     }
 )
-public class SqlJobRunnerST extends Abstract {
+class SqlJobRunnerST extends Abstract {
     final String kafkaClusterName = "my-cluster";
 
     @BeforeAll
diff --git a/src/test/java/io/streams/e2e/flink/sql/SqlSecurityST.java b/src/test/java/io/streams/e2e/flink/sql/SqlSecurityST.java
index 6b8dbde..f84d450 100644
--- a/src/test/java/io/streams/e2e/flink/sql/SqlSecurityST.java
+++ b/src/test/java/io/streams/e2e/flink/sql/SqlSecurityST.java
@@ -79,7 +79,7 @@
         @Label(value = FLINK),
     }
 )
-public class SqlSecurityST extends Abstract {
+class SqlSecurityST extends Abstract {
     final String kafkaClusterName = "my-cluster";
 
     @BeforeAll
diff --git a/src/test/java/io/streams/unit/SqlWithTest.java b/src/test/java/io/streams/unit/SqlWithTest.java
index bebc6ee..eb11592 100644
--- a/src/test/java/io/streams/unit/SqlWithTest.java
+++ b/src/test/java/io/streams/unit/SqlWithTest.java
@@ -13,7 +13,7 @@
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 
-public class SqlWithTest {
+class SqlWithTest {
     @Test
     void testCreateTableWithFilesystemConnector() {
         String expectedSql = "CREATE TABLE ProductInventoryTable ( product_id STRING, category STRING, stock STRING, rating STRING ) " +

From 2c41a3e2bf301f03d056c332201cd1bed5363444 Mon Sep 17 00:00:00 2001
From: David Kornel <kornys@outlook.com>
Date: Fri, 15 May 2026 10:37:14 +0200
Subject: [PATCH 2/3] Update docker file

Signed-off-by: David Kornel <kornys@outlook.com>
---
 Containerfile | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/Containerfile b/Containerfile
index 4d525df..f610d42 100644
--- a/Containerfile
+++ b/Containerfile
@@ -10,28 +10,31 @@ LABEL name='streams-e2e' \
 ENV STREAMS_HOME=/opt/streams-e2e
 ENV KUBECONFIG=/opt/kubeconfig/config
 ENV OPERATOR_SDK_VERSION=1.41.1
+ENV HELM_VERSION=3.17.3
 
 COPY . /opt/streams-e2e
 
 USER root
-RUN microdnf --setopt=install_weak_deps=0 --setopt=tsflags=nodocs install -y unzip git && microdnf clean all
+RUN microdnf --setopt=install_weak_deps=0 --setopt=tsflags=nodocs install -y unzip git bsdtar && microdnf clean all
 
-# Install kubectl, oc, operator-sdk and helm3 clients
+# Install kubectl, oc, operator-sdk and helm clients
 RUN export ARCH=$(case $(uname -m) in x86_64) echo -n amd64 ;; aarch64) echo -n arm64 ;; *) echo -n $(uname -m) ;; esac) && \
     export OS=$(uname | awk '{print tolower($0)}') && \
     export OPERATOR_SDK_DL_URL=https://github.com/operator-framework/operator-sdk/releases/download/v${OPERATOR_SDK_VERSION} && \
     curl -L "https://mirror.openshift.com/pub/openshift-v4/clients/ocp/stable/openshift-client-linux-${ARCH}-rhel9.tar.gz" -o openshift-client-linux.tar.gz && \
-    tar -xzf openshift-client-linux.tar.gz && \
+    bsdtar -xzf openshift-client-linux.tar.gz && \
     chmod +x oc kubectl && \
     mv oc /usr/local/bin/ && \
     mv kubectl /usr/local/bin/ && \
     rm -f openshift-client-linux.tar.gz README.md && \
     curl -LO ${OPERATOR_SDK_DL_URL}/operator-sdk_${OS}_${ARCH} && \
     chmod +x operator-sdk_${OS}_${ARCH} && \
-    mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk  && \
-    curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 && \
-    chmod 700 get_helm.sh && \
-    ./get_helm.sh
+    mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk && \
+    curl -L "https://get.helm.sh/helm-v${HELM_VERSION}-${OS}-${ARCH}.tar.gz" -o helm.tar.gz && \
+    bsdtar -xzf helm.tar.gz && \
+    mv ${OS}-${ARCH}/helm /usr/local/bin/helm && \
+    chmod +x /usr/local/bin/helm && \
+    rm -rf helm.tar.gz ${OS}-${ARCH}
 
 
 RUN mkdir -p /opt/kubeconfig && chown 185:0 /opt/kubeconfig && \

From d927bee9174c5473b8c52df03c4457e8f21a4a00 Mon Sep 17 00:00:00 2001
From: David Kornel <kornys@outlook.com>
Date: Fri, 15 May 2026 11:52:33 +0200
Subject: [PATCH 3/3] fixes

Signed-off-by: David Kornel <kornys@outlook.com>
---
 Containerfile                                 | 20 +++++---
 .../streams/e2e/flink/sql/SqlSecurityST.java  | 47 ++++++++++++++-----
 2 files changed, 49 insertions(+), 18 deletions(-)

diff --git a/Containerfile b/Containerfile
index f610d42..1e0b076 100644
--- a/Containerfile
+++ b/Containerfile
@@ -12,8 +12,6 @@ ENV KUBECONFIG=/opt/kubeconfig/config
 ENV OPERATOR_SDK_VERSION=1.41.1
 ENV HELM_VERSION=3.17.3
 
-COPY . /opt/streams-e2e
-
 USER root
 RUN microdnf --setopt=install_weak_deps=0 --setopt=tsflags=nodocs install -y unzip git bsdtar && microdnf clean all
 
@@ -36,19 +34,27 @@ RUN export ARCH=$(case $(uname -m) in x86_64) echo -n amd64 ;; aarch64) echo -n
     chmod +x /usr/local/bin/helm && \
     rm -rf helm.tar.gz ${OS}-${ARCH}
 
-
 RUN mkdir -p /opt/kubeconfig && chown 185:0 /opt/kubeconfig && \
-    chown -R 185:0 /opt/streams-e2e && chmod +x /opt/streams-e2e/mvnw
+    mkdir -p /opt/streams-e2e && chown -R 185:0 /opt/streams-e2e
+
+# Copy only build definition files first to cache dependency resolution
+COPY --chown=185:0 pom.xml mvnw /opt/streams-e2e/
+COPY --chown=185:0 .mvn /opt/streams-e2e/.mvn
 
 USER 185
 
 WORKDIR $STREAMS_HOME
 
+# Cache dependencies - only re-runs when pom.xml or wrapper changes
+RUN ./mvnw dependency:go-offline -B -q
+
+# Copy full source
+COPY --chown=185:0 . /opt/streams-e2e
+
 VOLUME ["/opt/kubeconfig"]
 VOLUME ["${STREAMS_HOME}/operator-install-files"]
 
-RUN ./mvnw dependency:go-offline -B -q \
-    && ./mvnw install -Pget-operator-files \
-    && ./mvnw compile test-compile -B -q -Dcheckstyle.skip=true
+# Download operator files (generate-sources) + compile main and test in one pass
+RUN ./mvnw test-compile -Pget-operator-files -B -q -Dcheckstyle.skip=true
 
 CMD ["./mvnw", "verify", "-Ptest"]
diff --git a/src/test/java/io/streams/e2e/flink/sql/SqlSecurityST.java b/src/test/java/io/streams/e2e/flink/sql/SqlSecurityST.java
index f84d450..70211fa 100644
--- a/src/test/java/io/streams/e2e/flink/sql/SqlSecurityST.java
+++ b/src/test/java/io/streams/e2e/flink/sql/SqlSecurityST.java
@@ -9,6 +9,8 @@
 import io.fabric8.kubernetes.api.model.NamespaceBuilder;
 import io.fabric8.kubernetes.api.model.Secret;
 import io.fabric8.kubernetes.api.model.SecretBuilder;
+import io.fabric8.kubernetes.api.model.SecretVolumeSourceBuilder;
+import io.fabric8.kubernetes.api.model.VolumeMountBuilder;
 import io.qameta.allure.Allure;
 import io.skodjob.annotations.Desc;
 import io.skodjob.annotations.Label;
@@ -36,9 +38,8 @@
 import io.streams.sql.TestStatements;
 import io.streams.utils.StrimziClientUtils;
 import io.streams.utils.TestUtils;
-import io.strimzi.api.kafka.model.common.CertSecretSourceBuilder;
 import io.strimzi.api.kafka.model.kafka.listener.GenericKafkaListenerBuilder;
-import io.strimzi.api.kafka.model.kafka.listener.KafkaListenerAuthenticationOAuthBuilder;
+import io.strimzi.api.kafka.model.kafka.listener.KafkaListenerAuthenticationCustomBuilder;
 import io.strimzi.api.kafka.model.kafka.listener.KafkaListenerAuthenticationScramSha512;
 import io.strimzi.api.kafka.model.kafka.listener.KafkaListenerAuthenticationTls;
 import io.strimzi.api.kafka.model.kafka.listener.KafkaListenerType;
@@ -222,18 +223,42 @@ void testOauthWithTls() {
                             .withTls(true)
                             .withType(KafkaListenerType.INTERNAL)
                             .withPort((9093))
-                            .withAuth(new KafkaListenerAuthenticationOAuthBuilder()
-                                .withValidIssuerUri(keycloakUrl + "/realms/streams-e2e")
-                                .withJwksEndpointUri(keycloakUrl + "/realms/streams-e2e/protocol/openid-connect/certs")
-                                .withUserNameClaim("preferred_username")
-                                .withTlsTrustedCertificates(new CertSecretSourceBuilder()
-                                    .withSecretName("keycloak-tls-secret")
-                                    .withCertificate("tls.crt")
-                                    .build()
-                                )
+                            .withAuth(new KafkaListenerAuthenticationCustomBuilder()
+                                .withSasl(true)
+                                .addToListenerConfig("sasl.enabled.mechanisms", "OAUTHBEARER")
+                                .addToListenerConfig("oauthbearer.sasl.server.callback.handler.class",
+                                    "io.strimzi.kafka.oauth.server.JaasServerOauthValidatorCallbackHandler")
+                                .addToListenerConfig("oauthbearer.sasl.jaas.config",
+                                    "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required"
+                                        + " unsecuredLoginStringClaim_sub=\"thePrincipalName\""
+                                        + " oauth.valid.issuer.uri=\"" + keycloakUrl + "/realms/streams-e2e\""
+                                        + " oauth.jwks.endpoint.uri=\""
+                                        + keycloakUrl + "/realms/streams-e2e/protocol/openid-connect/certs\""
+                                        + " oauth.username.claim=\"preferred_username\""
+                                        + " oauth.ssl.truststore.location=\"/mnt/oauth-certs/tls.crt\""
+                                        + " oauth.ssl.truststore.type=\"PEM\";")
+                                .addToListenerConfig("connections.max.reauth.ms", 3600000)
                                 .build())
                             .build()
                     )
+                    .addToConfig("principal.builder.class",
+                        "io.strimzi.kafka.oauth.server.OAuthKafkaPrincipalBuilder")
+                    .editOrNewTemplate()
+                    .editOrNewPod()
+                    .addNewVolume()
+                    .withName("oauth-certs")
+                    .withSecret(new SecretVolumeSourceBuilder()
+                        .withSecretName("keycloak-tls-secret")
+                        .build())
+                    .endVolume()
+                    .endPod()
+                    .editOrNewKafkaContainer()
+                    .addToVolumeMounts(new VolumeMountBuilder()
+                        .withName("oauth-certs")
+                        .withMountPath("/mnt/oauth-certs")
+                        .build())
+                    .endKafkaContainer()
+                    .endTemplate()
                     .endKafka()
                     .endSpec()
                     .build());