mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-08-06 02:34:03 +00:00
kubeadm: fix the generation of ECDSA keys in kubeconfig files
When the PublicKeysECDSA feature gate is used or the new v1beta4.ClusterConfiguration.EncryptionAlgorithm field is used with "ECDSA-P256" as value, make sure that this is reflected in the "cert spec" used to generate private keys and they end up as "EC keys".
This commit is contained in:
Lubomir I. Ivanov
parent
51f89c3b2d
commit
02ed1aee71
@ -72,6 +72,7 @@ type kubeConfigSpec struct {
|
|||||||
ClientCertNotAfter time.Time
|
ClientCertNotAfter time.Time
|
||||||
TokenAuth *tokenAuth `datapolicy:"token"`
|
TokenAuth *tokenAuth `datapolicy:"token"`
|
||||||
ClientCertAuth *clientCertAuth `datapolicy:"security-key"`
|
ClientCertAuth *clientCertAuth `datapolicy:"security-key"`
|
||||||
|
EncryptionAlgorithm kubeadmapi.EncryptionAlgorithmType
|
||||||
}
|
}
|
||||||
|
|
||||||
// CreateJoinControlPlaneKubeConfigFiles will create and write to disk the kubeconfig files required by kubeadm
|
// CreateJoinControlPlaneKubeConfigFiles will create and write to disk the kubeconfig files required by kubeadm
|
||||||
@ -213,6 +214,7 @@ func newClientCertConfigFromKubeConfigSpec(spec *kubeConfigSpec) pkiutil.CertCon
|
|||||||
Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
|
Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
|
||||||
},
|
},
|
||||||
NotAfter: spec.ClientCertNotAfter,
|
NotAfter: spec.ClientCertNotAfter,
|
||||||
|
EncryptionAlgorithm: spec.EncryptionAlgorithm,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -325,6 +327,7 @@ func WriteKubeConfigWithClientCert(out io.Writer, cfg *kubeadmapi.InitConfigurat
|
|||||||
Organizations: organizations,
|
Organizations: organizations,
|
||||||
},
|
},
|
||||||
ClientCertNotAfter: notAfter,
|
ClientCertNotAfter: notAfter,
|
||||||
|
EncryptionAlgorithm: cfg.ClusterConfiguration.EncryptionAlgorithmType(),
|
||||||
}
|
}
|
||||||
|
|
||||||
return writeKubeConfigFromSpec(out, spec, cfg.ClusterName)
|
return writeKubeConfigFromSpec(out, spec, cfg.ClusterName)
|
||||||
@ -354,6 +357,7 @@ func WriteKubeConfigWithToken(out io.Writer, cfg *kubeadmapi.InitConfiguration,
|
|||||||
Token: token,
|
Token: token,
|
||||||
},
|
},
|
||||||
ClientCertNotAfter: notAfter,
|
ClientCertNotAfter: notAfter,
|
||||||
|
EncryptionAlgorithm: cfg.ClusterConfiguration.EncryptionAlgorithmType(),
|
||||||
}
|
}
|
||||||
|
|
||||||
return writeKubeConfigFromSpec(out, spec, cfg.ClusterName)
|
return writeKubeConfigFromSpec(out, spec, cfg.ClusterName)
|
||||||
@ -453,6 +457,7 @@ func getKubeConfigSpecsBase(cfg *kubeadmapi.InitConfiguration) (map[string]*kube
|
|||||||
Organizations: []string{kubeadmconstants.ClusterAdminsGroupAndClusterRoleBinding},
|
Organizations: []string{kubeadmconstants.ClusterAdminsGroupAndClusterRoleBinding},
|
||||||
},
|
},
|
||||||
ClientCertNotAfter: notAfter,
|
ClientCertNotAfter: notAfter,
|
||||||
|
EncryptionAlgorithm: cfg.ClusterConfiguration.EncryptionAlgorithmType(),
|
||||||
},
|
},
|
||||||
kubeadmconstants.SuperAdminKubeConfigFileName: {
|
kubeadmconstants.SuperAdminKubeConfigFileName: {
|
||||||
APIServer: controlPlaneEndpoint,
|
APIServer: controlPlaneEndpoint,
|
||||||
@ -461,6 +466,7 @@ func getKubeConfigSpecsBase(cfg *kubeadmapi.InitConfiguration) (map[string]*kube
|
|||||||
Organizations: []string{kubeadmconstants.SystemPrivilegedGroup},
|
Organizations: []string{kubeadmconstants.SystemPrivilegedGroup},
|
||||||
},
|
},
|
||||||
ClientCertNotAfter: notAfter,
|
ClientCertNotAfter: notAfter,
|
||||||
|
EncryptionAlgorithm: cfg.ClusterConfiguration.EncryptionAlgorithmType(),
|
||||||
},
|
},
|
||||||
kubeadmconstants.KubeletKubeConfigFileName: {
|
kubeadmconstants.KubeletKubeConfigFileName: {
|
||||||
APIServer: controlPlaneEndpoint,
|
APIServer: controlPlaneEndpoint,
|
||||||
@ -469,18 +475,21 @@ func getKubeConfigSpecsBase(cfg *kubeadmapi.InitConfiguration) (map[string]*kube
|
|||||||
Organizations: []string{kubeadmconstants.NodesGroup},
|
Organizations: []string{kubeadmconstants.NodesGroup},
|
||||||
},
|
},
|
||||||
ClientCertNotAfter: notAfter,
|
ClientCertNotAfter: notAfter,
|
||||||
|
EncryptionAlgorithm: cfg.ClusterConfiguration.EncryptionAlgorithmType(),
|
||||||
},
|
},
|
||||||
kubeadmconstants.ControllerManagerKubeConfigFileName: {
|
kubeadmconstants.ControllerManagerKubeConfigFileName: {
|
||||||
APIServer: localAPIEndpoint,
|
APIServer: localAPIEndpoint,
|
||||||
ClientName: kubeadmconstants.ControllerManagerUser,
|
ClientName: kubeadmconstants.ControllerManagerUser,
|
||||||
ClientCertAuth: &clientCertAuth{},
|
ClientCertAuth: &clientCertAuth{},
|
||||||
ClientCertNotAfter: notAfter,
|
ClientCertNotAfter: notAfter,
|
||||||
|
EncryptionAlgorithm: cfg.ClusterConfiguration.EncryptionAlgorithmType(),
|
||||||
},
|
},
|
||||||
kubeadmconstants.SchedulerKubeConfigFileName: {
|
kubeadmconstants.SchedulerKubeConfigFileName: {
|
||||||
APIServer: localAPIEndpoint,
|
APIServer: localAPIEndpoint,
|
||||||
ClientName: kubeadmconstants.SchedulerUser,
|
ClientName: kubeadmconstants.SchedulerUser,
|
||||||
ClientCertAuth: &clientCertAuth{},
|
ClientCertAuth: &clientCertAuth{},
|
||||||
ClientCertNotAfter: notAfter,
|
ClientCertNotAfter: notAfter,
|
||||||
|
EncryptionAlgorithm: cfg.ClusterConfiguration.EncryptionAlgorithmType(),
|
||||||
},
|
},
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|||||||
@ -85,6 +85,7 @@ func TestGetKubeConfigSpecs(t *testing.T) {
|
|||||||
LocalAPIEndpoint: kubeadmapi.APIEndpoint{AdvertiseAddress: "1.2.3.4", BindPort: 1234},
|
LocalAPIEndpoint: kubeadmapi.APIEndpoint{AdvertiseAddress: "1.2.3.4", BindPort: 1234},
|
||||||
ClusterConfiguration: kubeadmapi.ClusterConfiguration{
|
ClusterConfiguration: kubeadmapi.ClusterConfiguration{
|
||||||
CertificatesDir: pkidir,
|
CertificatesDir: pkidir,
|
||||||
|
EncryptionAlgorithm: kubeadmapi.EncryptionAlgorithmECDSAP256,
|
||||||
},
|
},
|
||||||
NodeRegistration: kubeadmapi.NodeRegistrationOptions{Name: "valid-node-name"},
|
NodeRegistration: kubeadmapi.NodeRegistrationOptions{Name: "valid-node-name"},
|
||||||
},
|
},
|
||||||
@ -180,6 +181,11 @@ func TestGetKubeConfigSpecs(t *testing.T) {
|
|||||||
t.Errorf("getKubeConfigSpecs for %s Organizations is %v, expected %v", assertion.kubeConfigFile, spec.ClientCertAuth.Organizations, assertion.organizations)
|
t.Errorf("getKubeConfigSpecs for %s Organizations is %v, expected %v", assertion.kubeConfigFile, spec.ClientCertAuth.Organizations, assertion.organizations)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Assert EncryptionAlgorithm
|
||||||
|
if spec.EncryptionAlgorithm != cfg.EncryptionAlgorithm {
|
||||||
|
t.Errorf("getKubeConfigSpecs for %s EncryptionAlgorithm is %s, expected %s", assertion.kubeConfigFile, spec.EncryptionAlgorithm, cfg.EncryptionAlgorithm)
|
||||||
|
}
|
||||||
|
|
||||||
// Asserts InitConfiguration values injected into spec
|
// Asserts InitConfiguration values injected into spec
|
||||||
controlPlaneEndpoint, err := kubeadmutil.GetControlPlaneEndpoint(cfg.ControlPlaneEndpoint, &cfg.LocalAPIEndpoint)
|
controlPlaneEndpoint, err := kubeadmutil.GetControlPlaneEndpoint(cfg.ControlPlaneEndpoint, &cfg.LocalAPIEndpoint)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user