Merge pull request #125388 from neolit123/1.31-fix-kubeconfig-ecdsa

kubeadm: fix the generation of ECDSA keys in kubeconfig files
2025-07-29 22:46:12 +00:00 · 2024-06-11 09:18:35 -07:00 · 2024-06-11 09:18:35 -07:00 · c77d954273
commit c77d954273
parent 39f7fe0f4c 40d185637c
3 changed files with 107 additions and 21 deletions
--- a/cmd/kubeadm/app/apis/kubeadm/types_test.go
+++ b/cmd/kubeadm/app/apis/kubeadm/types_test.go
@ -0,0 +1,71 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kubeadm
+
+import (
+	"testing"
+
+	"k8s.io/kubernetes/cmd/kubeadm/app/features"
+)
+
+func TestClusterConfigurationEncryptionAlgorithmType(t *testing.T) {
+	tests := []struct {
+		name           string
+		cfg            *ClusterConfiguration
+		expectedResult EncryptionAlgorithmType
+	}{
+		{
+			name: "feature gate is set to true, return ECDSA-P256",
+			cfg: &ClusterConfiguration{
+				FeatureGates: map[string]bool{
+					features.PublicKeysECDSA: true,
+				},
+				EncryptionAlgorithm: EncryptionAlgorithmRSA4096,
+			},
+			expectedResult: EncryptionAlgorithmECDSAP256,
+		},
+		{
+			name: "feature gate is set to false, return the default RSA-2048",
+			cfg: &ClusterConfiguration{
+				FeatureGates: map[string]bool{
+					features.PublicKeysECDSA: false,
+				},
+			},
+			expectedResult: EncryptionAlgorithmRSA2048,
+		},
+		{
+			name: "feature gate is not set, return the field value",
+			cfg: &ClusterConfiguration{
+				EncryptionAlgorithm: EncryptionAlgorithmRSA4096,
+			},
+			expectedResult: EncryptionAlgorithmRSA4096,
+		},
+		{
+			name:           "feature gate and field are not set, return empty string",
+			cfg:            &ClusterConfiguration{},
+			expectedResult: "",
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			if result := tc.cfg.EncryptionAlgorithmType(); result != tc.expectedResult {
+				t.Errorf("expected result: %s, got: %s", tc.expectedResult, result)
+			}
+		})
+	}
+}
--- a/cmd/kubeadm/app/phases/kubeconfig/kubeconfig.go
+++ b/cmd/kubeadm/app/phases/kubeconfig/kubeconfig.go
@ -66,12 +66,13 @@ type tokenAuth struct {

 // kubeConfigSpec struct holds info required to build a KubeConfig object
 type kubeConfigSpec struct {
-	CACert             *x509.Certificate
-	APIServer          string
-	ClientName         string
-	ClientCertNotAfter time.Time
-	TokenAuth          *tokenAuth      `datapolicy:"token"`
-	ClientCertAuth     *clientCertAuth `datapolicy:"security-key"`
+	CACert              *x509.Certificate
+	APIServer           string
+	ClientName          string
+	ClientCertNotAfter  time.Time
+	TokenAuth           *tokenAuth      `datapolicy:"token"`
+	ClientCertAuth      *clientCertAuth `datapolicy:"security-key"`
+	EncryptionAlgorithm kubeadmapi.EncryptionAlgorithmType
 }

 // CreateJoinControlPlaneKubeConfigFiles will create and write to disk the kubeconfig files required by kubeadm
@ -212,7 +213,8 @@ func newClientCertConfigFromKubeConfigSpec(spec *kubeConfigSpec) pkiutil.CertCon
 			Organization: spec.ClientCertAuth.Organizations,
 			Usages:       []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
 		},
-		NotAfter: spec.ClientCertNotAfter,
+		NotAfter:            spec.ClientCertNotAfter,
+		EncryptionAlgorithm: spec.EncryptionAlgorithm,
 	}
 }

@ -324,7 +326,8 @@ func WriteKubeConfigWithClientCert(out io.Writer, cfg *kubeadmapi.InitConfigurat
 			CAKey:         caKey,
 			Organizations: organizations,
 		},
-		ClientCertNotAfter: notAfter,
+		ClientCertNotAfter:  notAfter,
+		EncryptionAlgorithm: cfg.ClusterConfiguration.EncryptionAlgorithmType(),
 	}

 	return writeKubeConfigFromSpec(out, spec, cfg.ClusterName)
@ -353,7 +356,8 @@ func WriteKubeConfigWithToken(out io.Writer, cfg *kubeadmapi.InitConfiguration,
 		TokenAuth: &tokenAuth{
 			Token: token,
 		},
-		ClientCertNotAfter: notAfter,
+		ClientCertNotAfter:  notAfter,
+		EncryptionAlgorithm: cfg.ClusterConfiguration.EncryptionAlgorithmType(),
 	}

 	return writeKubeConfigFromSpec(out, spec, cfg.ClusterName)
@ -452,7 +456,8 @@ func getKubeConfigSpecsBase(cfg *kubeadmapi.InitConfiguration) (map[string]*kube
 			ClientCertAuth: &clientCertAuth{
 				Organizations: []string{kubeadmconstants.ClusterAdminsGroupAndClusterRoleBinding},
 			},
-			ClientCertNotAfter: notAfter,
+			ClientCertNotAfter:  notAfter,
+			EncryptionAlgorithm: cfg.ClusterConfiguration.EncryptionAlgorithmType(),
 		},
 		kubeadmconstants.SuperAdminKubeConfigFileName: {
 			APIServer:  controlPlaneEndpoint,
@ -460,7 +465,8 @@ func getKubeConfigSpecsBase(cfg *kubeadmapi.InitConfiguration) (map[string]*kube
 			ClientCertAuth: &clientCertAuth{
 				Organizations: []string{kubeadmconstants.SystemPrivilegedGroup},
 			},
-			ClientCertNotAfter: notAfter,
+			ClientCertNotAfter:  notAfter,
+			EncryptionAlgorithm: cfg.ClusterConfiguration.EncryptionAlgorithmType(),
 		},
 		kubeadmconstants.KubeletKubeConfigFileName: {
 			APIServer:  controlPlaneEndpoint,
@ -468,19 +474,22 @@ func getKubeConfigSpecsBase(cfg *kubeadmapi.InitConfiguration) (map[string]*kube
 			ClientCertAuth: &clientCertAuth{
 				Organizations: []string{kubeadmconstants.NodesGroup},
 			},
-			ClientCertNotAfter: notAfter,
+			ClientCertNotAfter:  notAfter,
+			EncryptionAlgorithm: cfg.ClusterConfiguration.EncryptionAlgorithmType(),
 		},
 		kubeadmconstants.ControllerManagerKubeConfigFileName: {
-			APIServer:          localAPIEndpoint,
-			ClientName:         kubeadmconstants.ControllerManagerUser,
-			ClientCertAuth:     &clientCertAuth{},
-			ClientCertNotAfter: notAfter,
+			APIServer:           localAPIEndpoint,
+			ClientName:          kubeadmconstants.ControllerManagerUser,
+			ClientCertAuth:      &clientCertAuth{},
+			ClientCertNotAfter:  notAfter,
+			EncryptionAlgorithm: cfg.ClusterConfiguration.EncryptionAlgorithmType(),
 		},
 		kubeadmconstants.SchedulerKubeConfigFileName: {
-			APIServer:          localAPIEndpoint,
-			ClientName:         kubeadmconstants.SchedulerUser,
-			ClientCertAuth:     &clientCertAuth{},
-			ClientCertNotAfter: notAfter,
+			APIServer:           localAPIEndpoint,
+			ClientName:          kubeadmconstants.SchedulerUser,
+			ClientCertAuth:      &clientCertAuth{},
+			ClientCertNotAfter:  notAfter,
+			EncryptionAlgorithm: cfg.ClusterConfiguration.EncryptionAlgorithmType(),
 		},
 	}, nil
 }
--- a/cmd/kubeadm/app/phases/kubeconfig/kubeconfig_test.go
+++ b/cmd/kubeadm/app/phases/kubeconfig/kubeconfig_test.go
@ -84,7 +84,8 @@ func TestGetKubeConfigSpecs(t *testing.T) {
 		{
 			LocalAPIEndpoint: kubeadmapi.APIEndpoint{AdvertiseAddress: "1.2.3.4", BindPort: 1234},
 			ClusterConfiguration: kubeadmapi.ClusterConfiguration{
-				CertificatesDir: pkidir,
+				CertificatesDir:     pkidir,
+				EncryptionAlgorithm: kubeadmapi.EncryptionAlgorithmECDSAP256,
 			},
 			NodeRegistration: kubeadmapi.NodeRegistrationOptions{Name: "valid-node-name"},
 		},
@ -180,6 +181,11 @@ func TestGetKubeConfigSpecs(t *testing.T) {
 					t.Errorf("getKubeConfigSpecs for %s Organizations is %v, expected %v", assertion.kubeConfigFile, spec.ClientCertAuth.Organizations, assertion.organizations)
 				}

+				// Assert EncryptionAlgorithm
+				if spec.EncryptionAlgorithm != cfg.EncryptionAlgorithm {
+					t.Errorf("getKubeConfigSpecs for %s EncryptionAlgorithm is %s, expected %s", assertion.kubeConfigFile, spec.EncryptionAlgorithm, cfg.EncryptionAlgorithm)
+				}
+
 				// Asserts InitConfiguration values injected into spec
 				controlPlaneEndpoint, err := kubeadmutil.GetControlPlaneEndpoint(cfg.ControlPlaneEndpoint, &cfg.LocalAPIEndpoint)
 				if err != nil {