Util changes

Author: Karthik-K-N

util/certs/certs.go

@@ -19,18 +19,33 @@ package certs
 
 import (
 	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
+	"fmt"
 
 	"github.com/pkg/errors"
 	kerrors "k8s.io/apimachinery/pkg/util/errors"
+
+	bootstrapv1 "sigs.k8s.io/cluster-api/api/bootstrap/kubeadm/v1beta2"
 )
 
-// NewPrivateKey creates an RSA private key.
-func NewPrivateKey() (*rsa.PrivateKey, error) {
-	pk, err := rsa.GenerateKey(rand.Reader, DefaultRSAKeySize)
+// NewPrivateKey creates a private key based on the provided keyAlgorithm.
+func NewPrivateKey(keyEncryptionAlgorithm bootstrapv1.EncryptionAlgorithmType) (crypto.Signer, error) {
+	switch keyEncryptionAlgorithm {
+	case bootstrapv1.EncryptionAlgorithmECDSAP256:
+		return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	case bootstrapv1.EncryptionAlgorithmECDSAP384:
+		return ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
+	}
+	rsaKeySize := rsaKeySizeFromAlgorithmType(keyEncryptionAlgorithm)
+	if rsaKeySize == 0 {
+		return nil, errors.Errorf("cannot obtain key size from unknown RSA algorithm: %q", keyEncryptionAlgorithm)
+	}
+	pk, err := rsa.GenerateKey(rand.Reader, rsaKeySize)
 	return pk, errors.WithStack(err)
 }
 
@@ -44,18 +59,23 @@ func EncodeCertPEM(cert *x509.Certificate) []byte {
 }
 
 // EncodePrivateKeyPEM returns PEM-encoded private key data.
-func EncodePrivateKeyPEM(key *rsa.PrivateKey) []byte {
+func EncodePrivateKeyPEM(key crypto.Signer) ([]byte, error) {
+	privateBytes, err := x509.MarshalPKCS8PrivateKey(key)
+	if err != nil {
+		return nil, fmt.Errorf("unable to marshal private key: %v", err)
+	}
+
 	block := pem.Block{
 		Type:  "RSA PRIVATE KEY",
-		Bytes: x509.MarshalPKCS1PrivateKey(key),
+		Bytes: privateBytes,
 	}
 
-	return pem.EncodeToMemory(&block)
+	return pem.EncodeToMemory(&block), nil
 }
 
 // EncodePublicKeyPEM returns PEM-encoded public key data.
-func EncodePublicKeyPEM(key *rsa.PublicKey) ([]byte, error) {
-	der, err := x509.MarshalPKIXPublicKey(key)
+func EncodePublicKeyPEM(key crypto.Signer) ([]byte, error) {
+	der, err := x509.MarshalPKIXPublicKey(key.Public())
 	if err != nil {
 		return []byte{}, errors.WithStack(err)
 	}
@@ -113,3 +133,19 @@ func DecodePrivateKeyPEM(encoded []byte) (crypto.Signer, error) {
 
 	return nil, kerrors.NewAggregate(errs)
 }
+
+// rsaKeySizeFromAlgorithmType takes a known RSA algorithm defined in the kubeadm API
+// and returns its key size. For unknown types it returns 0. For an empty type it returns
+// the default size of 2048.
+func rsaKeySizeFromAlgorithmType(keyEncryptionAlgorithm bootstrapv1.EncryptionAlgorithmType) int {
+	switch keyEncryptionAlgorithm {
+	case bootstrapv1.EncryptionAlgorithmRSA2048, "":
+		return 2048
+	case bootstrapv1.EncryptionAlgorithmRSA3072:
+		return 3072
+	case bootstrapv1.EncryptionAlgorithmRSA4096:
+		return 4096
+	default:
+		return 0
+	}
+}

util/certs/types.go

@@ -19,7 +19,6 @@ package certs
 import (
 	"crypto"
 	"crypto/rand"
-	"crypto/rsa"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"math"
@@ -49,7 +48,7 @@ type Config struct {
 }
 
 // NewSignedCert creates a signed certificate using the given CA certificate and key.
-func (cfg *Config) NewSignedCert(key *rsa.PrivateKey, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
+func (cfg *Config) NewSignedCert(key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
 	serial, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64))
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to generate random integer for signed cerficate")

util/kubeconfig/kubeconfig.go

@@ -33,6 +33,7 @@ import (
 	"k8s.io/client-go/tools/clientcmd/api"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
+	bootstrapv1 "sigs.k8s.io/cluster-api/api/bootstrap/kubeadm/v1beta2"
 	clusterv1 "sigs.k8s.io/cluster-api/api/core/v1beta2"
 	"sigs.k8s.io/cluster-api/util"
 	"sigs.k8s.io/cluster-api/util/certs"
@@ -54,14 +55,14 @@ func FromSecret(ctx context.Context, c client.Reader, cluster client.ObjectKey)
 }
 
 // New creates a new Kubeconfig using the cluster name and specified endpoint.
-func New(clusterName, endpoint string, caCert *x509.Certificate, caKey crypto.Signer) (*api.Config, error) {
+func New(clusterName, endpoint string, caCert *x509.Certificate, caKey crypto.Signer, keyEncryptionAlgorithm bootstrapv1.EncryptionAlgorithmType) (*api.Config, error) {
 	cfg := &certs.Config{
 		CommonName:   "kubernetes-admin",
 		Organization: []string{"system:masters"},
 		Usages:       []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
 	}
 
-	clientKey, err := certs.NewPrivateKey()
+	clientKey, err := certs.NewPrivateKey(keyEncryptionAlgorithm)
 	if err != nil {
 		return nil, errors.Wrap(err, "unable to create private key")
 	}
@@ -74,6 +75,11 @@ func New(clusterName, endpoint string, caCert *x509.Certificate, caKey crypto.Si
 	userName := fmt.Sprintf("%s-admin", clusterName)
 	contextName := fmt.Sprintf("%s@%s", userName, clusterName)
 
+	encodedClientKey, err := certs.EncodePrivateKeyPEM(clientKey)
+	if err != nil {
+		return nil, errors.Wrap(err, "unable to encode private key")
+	}
+
 	return &api.Config{
 		Clusters: map[string]*api.Cluster{
 			clusterName: {
@@ -89,7 +95,7 @@ func New(clusterName, endpoint string, caCert *x509.Certificate, caKey crypto.Si
 		},
 		AuthInfos: map[string]*api.AuthInfo{
 			userName: {
-				ClientKeyData:         certs.EncodePrivateKeyPEM(clientKey),
+				ClientKeyData:         encodedClientKey,
 				ClientCertificateData: certs.EncodeCertPEM(clientCert),
 			},
 		},
@@ -98,23 +104,23 @@ func New(clusterName, endpoint string, caCert *x509.Certificate, caKey crypto.Si
 }
 
 // CreateSecret creates the Kubeconfig secret for the given cluster.
-func CreateSecret(ctx context.Context, c client.Client, cluster *clusterv1.Cluster) error {
+func CreateSecret(ctx context.Context, c client.Client, cluster *clusterv1.Cluster, keyEncryptionAlgorithm bootstrapv1.EncryptionAlgorithmType) error {
 	name := util.ObjectKey(cluster)
 	return CreateSecretWithOwner(ctx, c, name, cluster.Spec.ControlPlaneEndpoint.String(), metav1.OwnerReference{
 		APIVersion: clusterv1.GroupVersion.String(),
 		Kind:       "Cluster",
 		Name:       cluster.Name,
 		UID:        cluster.UID,
-	})
+	}, keyEncryptionAlgorithm)
 }
 
 // CreateSecretWithOwner creates the Kubeconfig secret for the given cluster name, namespace, endpoint, and owner reference.
-func CreateSecretWithOwner(ctx context.Context, c client.Client, clusterName client.ObjectKey, endpoint string, owner metav1.OwnerReference) error {
+func CreateSecretWithOwner(ctx context.Context, c client.Client, clusterName client.ObjectKey, endpoint string, owner metav1.OwnerReference, keyEncryptionAlgorithm bootstrapv1.EncryptionAlgorithmType) error {
 	server, err := url.JoinPath("https://", endpoint)
 	if err != nil {
 		return err
 	}
-	out, err := generateKubeconfig(ctx, c, clusterName, server)
+	out, err := generateKubeconfig(ctx, c, clusterName, server, keyEncryptionAlgorithm)
 	if err != nil {
 		return err
 	}
@@ -181,7 +187,7 @@ func NeedsClientCertRotation(configSecret *corev1.Secret, threshold time.Duratio
 }
 
 // RegenerateSecret creates and stores a new Kubeconfig in the given secret.
-func RegenerateSecret(ctx context.Context, c client.Client, configSecret *corev1.Secret) error {
+func RegenerateSecret(ctx context.Context, c client.Client, configSecret *corev1.Secret, keyEncryptionAlgorithm bootstrapv1.EncryptionAlgorithmType) error {
 	clusterName, _, err := secret.ParseSecretName(configSecret.Name)
 	if err != nil {
 		return errors.Wrap(err, "failed to parse secret name")
@@ -197,15 +203,15 @@ func RegenerateSecret(ctx context.Context, c client.Client, configSecret *corev1
 	}
 	endpoint := config.Clusters[clusterName].Server
 	key := client.ObjectKey{Name: clusterName, Namespace: configSecret.Namespace}
-	out, err := generateKubeconfig(ctx, c, key, endpoint)
+	out, err := generateKubeconfig(ctx, c, key, endpoint, keyEncryptionAlgorithm)
 	if err != nil {
 		return err
 	}
 	configSecret.Data[secret.KubeconfigDataName] = out
 	return c.Update(ctx, configSecret)
 }
 
-func generateKubeconfig(ctx context.Context, c client.Client, clusterName client.ObjectKey, endpoint string) ([]byte, error) {
+func generateKubeconfig(ctx context.Context, c client.Client, clusterName client.ObjectKey, endpoint string, keyEncryptionAlgorithm bootstrapv1.EncryptionAlgorithmType) ([]byte, error) {
 	clusterCA, err := secret.GetFromNamespacedName(ctx, c, clusterName, secret.ClusterCA)
 	if err != nil {
 		if apierrors.IsNotFound(err) {
@@ -228,7 +234,7 @@ func generateKubeconfig(ctx context.Context, c client.Client, clusterName client
 		return nil, errors.New("CA private key not found")
 	}
 
-	cfg, err := New(clusterName.Name, endpoint, cert, key)
+	cfg, err := New(clusterName.Name, endpoint, cert, key, keyEncryptionAlgorithm)
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to generate a kubeconfig")
 	}