support asymmetric encryption algorithms in ClusterConfigration (#11757)

Signed-off-by: bo.jiang <bo.jiang@daocloud.io>

support asymmetric encryption algorithms in ClusterConfigration (#11757)
70b75d35 · ERIK · GitHub · 280507ff · 70b75d35 · 70b75d35
Unverified Commit 70b75d35 authored 3 months ago by ERIK Committed by GitHub 3 months ago
--- a/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2
+++ b/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2
@@ -37,6 +37,7 @@ patches:
 apiVersion: kubeadm.k8s.io/v1beta4
 kind: ClusterConfiguration
 clusterName: {{ cluster_name }}
+encryptionAlgorithm: {{ kube_asymmetric_encryption_algorithm }}
 etcd:
 {% if etcd_deployment_type != "kubeadm" %}
  external:

--- a/roles/kubernetes/kubeadm/tasks/main.yml
+++ b/roles/kubernetes/kubeadm/tasks/main.yml
@@ -30,7 +30,10 @@
  run_once: true

 - name: Calculate kubeadm CA cert hash
-  shell: set -o pipefail && openssl x509 -pubkey -in {{ kube_cert_dir }}/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
+  shell: |
+    set -o pipefail && openssl x509 -pubkey -in {{ kube_cert_dir }}/ca.crt | \
+    openssl {% if 'RSA' in kube_asymmetric_encryption_algorithm %}rsa{% elif 'ECDSA' in kube_asymmetric_encryption_algorithm %}ec{% else %}rsa{% endif %} -pubin -outform der 2>/dev/null | \
+    openssl dgst -sha256 -hex | sed 's/^.* //'
  args:
    executable: /bin/bash
  register: kubeadm_ca_hash

--- a/roles/kubespray-defaults/defaults/main/main.yml
+++ b/roles/kubespray-defaults/defaults/main/main.yml
@@ -62,6 +62,11 @@ kubeadm_join_phases_skip: >-
 # Set to true to remove the role binding to anonymous users created by kubeadm
 remove_anonymous_access: false

+# Supported asymmetric encryption algorithm types for the cluster's keys and certificates.
+# can be one of RSA-2048(default), RSA-3072, RSA-4096, ECDSA-P256
+# ref: https://kubernetes.io/docs/reference/config-api/kubeadm-config.v1beta4/#kubeadm-k8s-io-v1beta4-ClusterConfiguration
+kube_asymmetric_encryption_algorithm: "RSA-2048"
+
 # A string slice of values which specify the addresses to use for NodePorts.
 # Values may be valid IP blocks (e.g. 1.2.3.0/24, 1.2.3.4/32).
 # The default empty string slice ([]) means to use all local addresses.

--- a/tests/files/packet_debian12-calico.yml
+++ b/tests/files/packet_debian12-calico.yml
@@ -6,3 +6,4 @@ mode: default
 # Kubespray settings

 dns_mode: coredns_dual
+kube_asymetric_encryption_algorithm: "RSA-3072"
--- a/tests/files/packet_rockylinux9-cilium.yml
+++ b/tests/files/packet_rockylinux9-cilium.yml
@@ -11,3 +11,4 @@ cilium_kube_proxy_replacement: strict

 # Node Feature Discovery
 node_feature_discovery_enabled: true
+kube_asymmetric_encryption_algorithm: "ECDSA-P256"
--- a/tests/files/packet_ubuntu20-flannel-ha.yml
+++ b/tests/files/packet_ubuntu20-flannel-ha.yml
@@ -8,3 +8,4 @@ kube_network_plugin: flannel
 etcd_deployment_type: kubeadm
 kubeadm_certificate_key: 3998c58db6497dd17d909394e62d515368c06ec617710d02edea31c06d741085
 skip_non_kubeadm_warning: true
+kube_asymmetric_encryption_algorithm: "RSA-4096"