Unverified Commit 70b75d35 authored by ERIK's avatar ERIK Committed by GitHub

support asymmetric encryption algorithms in ClusterConfiguration (#11757)


Signed-off-by: default avatarbo.jiang <bo.jiang@daocloud.io>
parent 280507ff
...@@ -37,6 +37,7 @@ patches: ...@@ -37,6 +37,7 @@ patches:
apiVersion: kubeadm.k8s.io/v1beta4 apiVersion: kubeadm.k8s.io/v1beta4
kind: ClusterConfiguration kind: ClusterConfiguration
clusterName: {{ cluster_name }} clusterName: {{ cluster_name }}
encryptionAlgorithm: {{ kube_asymmetric_encryption_algorithm }}
etcd: etcd:
{% if etcd_deployment_type != "kubeadm" %} {% if etcd_deployment_type != "kubeadm" %}
external: external:
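Review bot: The new `encryptionAlgorithm` value is emitted as an unquoted Jinja expansion, so an empty or whitespace-only `kube_asymmetric_encryption_algorithm` would render as a YAML null instead of an obviously invalid string, and kubeadm's resulting error would not point at the variable; the defensive form is `encryptionAlgorithm: "{{ kube_asymmetric_encryption_algorithm }}"`. The `clusterName` line above follows the unquoted convention, so if the template is meant to stay consistent, the alternative is to validate the variable against the four documented values before this template is rendered. The ClusterConfiguration document continues outside the hunk.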
...@@ -30,7 +30,10 @@ ...@@ -30,7 +30,10 @@
run_once: true run_once: true
- name: Calculate kubeadm CA cert hash - name: Calculate kubeadm CA cert hash
shell: set -o pipefail && openssl x509 -pubkey -in {{ kube_cert_dir }}/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //' shell: |
set -o pipefail && openssl x509 -pubkey -in {{ kube_cert_dir }}/ca.crt | \
openssl {% if 'RSA' in kube_asymmetric_encryption_algorithm %}rsa{% elif 'ECDSA' in kube_asymmetric_encryption_algorithm %}ec{% else %}rsa{% endif %} -pubin -outform der 2>/dev/null | \
openssl dgst -sha256 -hex | sed 's/^.* //'
args: args:
executable: /bin/bash executable: /bin/bash
register: kubeadm_ca_hash register: kubeadm_ca_hash
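Review bot: The Jinja `else` branch on the second pipeline line silently falls back to `openssl rsa` for any value of `kube_asymmetric_encryption_algorithm` that contains neither `RSA` nor `ECDSA`, so a misconfigured variable still yields a hash (or fails behind `2>/dev/null` with no message) and the problem only surfaces as a join failure later. `openssl pkey -pubin -outform der` emits the same DER SubjectPublicKeyInfo for both RSA and EC public keys, which is the encoding kubeadm hashes for `discovery-token-ca-cert-hash`, so the conditional can be dropped and the line becomes `openssl pkey -pubin -outform der 2>/dev/null | \`. With `set -o pipefail` already in place, an unexpected key type then fails the task instead of being hashed with the wrong tool. The task definition may continue past the end of the hunk.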
...@@ -62,6 +62,11 @@ kubeadm_join_phases_skip: >- ...@@ -62,6 +62,11 @@ kubeadm_join_phases_skip: >-
# Set to true to remove the role binding to anonymous users created by kubeadm # Set to true to remove the role binding to anonymous users created by kubeadm
remove_anonymous_access: false remove_anonymous_access: false
# Supported asymmetric encryption algorithm types for the cluster's keys and certificates.
# can be one of RSA-2048(default), RSA-3072, RSA-4096, ECDSA-P256
# ref: https://kubernetes.io/docs/reference/config-api/kubeadm-config.v1beta4/#kubeadm-k8s-io-v1beta4-ClusterConfiguration
kube_asymmetric_encryption_algorithm: "RSA-2048"
# A string slice of values which specify the addresses to use for NodePorts. # A string slice of values which specify the addresses to use for NodePorts.
# Values may be valid IP blocks (e.g. 1.2.3.0/24, 1.2.3.4/32). # Values may be valid IP blocks (e.g. 1.2.3.0/24, 1.2.3.4/32).
# The default empty string slice ([]) means to use all local addresses. # The default empty string slice ([]) means to use all local addresses.
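Review bot: The new variable documents four accepted values, but nothing in this commit validates them, and the CA-hash task in the same change falls back to RSA handling for any unrecognised string, so a wrong value is only caught when kubeadm rejects the ClusterConfiguration. A preflight assertion such as `kube_asymmetric_encryption_algorithm in ['RSA-2048', 'RSA-3072', 'RSA-4096', 'ECDSA-P256']` would catch it early; that check belongs in the preinstall assertions, outside this hunk. In the comment, `# can be one of` should be capitalised to match the surrounding comments, and it is worth stating whether changing the value on an already-deployed cluster re-keys anything — presumably it does not, since kubeadm only generates the CA at init, but that should be confirmed before documenting it.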
...@@ -6,3 +6,4 @@ mode: default ...@@ -6,3 +6,4 @@ mode: default
# Kubespray settings # Kubespray settings
dns_mode: coredns_dual dns_mode: coredns_dual
kube_asymetric_encryption_algorithm: "RSA-3072"
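Review bot: The key on the added line is misspelled (`kube_asymetric_encryption_algorithm`, one `m`), so it never overrides the default and this test case runs with RSA-2048 rather than the intended RSA-3072; it should read `kube_asymmetric_encryption_algorithm: "RSA-3072"`. Ansible does not flag unused variables, so the typo is silent; the other two test configs on the page spell the name correctly.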
...@@ -11,3 +11,4 @@ cilium_kube_proxy_replacement: strict ...@@ -11,3 +11,4 @@ cilium_kube_proxy_replacement: strict
# Node Feature Discovery # Node Feature Discovery
node_feature_discovery_enabled: true node_feature_discovery_enabled: true
kube_asymmetric_encryption_algorithm: "ECDSA-P256"
...@@ -8,3 +8,4 @@ kube_network_plugin: flannel ...@@ -8,3 +8,4 @@ kube_network_plugin: flannel
etcd_deployment_type: kubeadm etcd_deployment_type: kubeadm
kubeadm_certificate_key: 3998c58db6497dd17d909394e62d515368c06ec617710d02edea31c06d741085 kubeadm_certificate_key: 3998c58db6497dd17d909394e62d515368c06ec617710d02edea31c06d741085
skip_non_kubeadm_warning: true skip_non_kubeadm_warning: true
kube_asymmetric_encryption_algorithm: "RSA-4096"