From 70b75d35b669c320b0897a0293828058584ace0f Mon Sep 17 00:00:00 2001
From: ERIK <bo.jiang@daocloud.io>
Date: Fri, 29 Nov 2024 16:06:58 +0800
Subject: [PATCH] support asymmetric encryption algorithms in
 ClusterConfigration (#11757)

Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
---
 .../control-plane/templates/kubeadm-config.v1beta4.yaml.j2   | 1 +
 roles/kubernetes/kubeadm/tasks/main.yml                      | 5 ++++-
 roles/kubespray-defaults/defaults/main/main.yml              | 5 +++++
 tests/files/packet_debian12-calico.yml                       | 1 +
 tests/files/packet_rockylinux9-cilium.yml                    | 1 +
 tests/files/packet_ubuntu20-flannel-ha.yml                   | 1 +
 6 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2 b/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2
index 1d5ac1d8f..be03b489f 100644
--- a/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2
+++ b/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2
@@ -37,6 +37,7 @@ patches:
 apiVersion: kubeadm.k8s.io/v1beta4
 kind: ClusterConfiguration
 clusterName: {{ cluster_name }}
+encryptionAlgorithm: {{ kube_asymmetric_encryption_algorithm }}
 etcd:
 {% if etcd_deployment_type != "kubeadm" %}
   external:
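Review bot: The new `encryptionAlgorithm` line renders the variable as a plain, unquoted scalar; the documented values such as RSA-2048 or ECDSA-P256 parse as strings, but an empty or accidentally retyped override would land in the manifest as `null` or another type before kubeadm validates it. Quoting the templated value, `encryptionAlgorithm: "{{ kube_asymmetric_encryption_algorithm }}"`, keeps the rendered ClusterConfiguration a string in every case and matches how the default is quoted in roles/kubespray-defaults. The ClusterConfiguration document continues outside the hunk.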
diff --git a/roles/kubernetes/kubeadm/tasks/main.yml b/roles/kubernetes/kubeadm/tasks/main.yml
index bc69d7824..a65d34eea 100644
--- a/roles/kubernetes/kubeadm/tasks/main.yml
+++ b/roles/kubernetes/kubeadm/tasks/main.yml
@@ -30,7 +30,10 @@
   run_once: true
 
 - name: Calculate kubeadm CA cert hash
-  shell: set -o pipefail && openssl x509 -pubkey -in {{ kube_cert_dir }}/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
+  shell: |
+    set -o pipefail && openssl x509 -pubkey -in {{ kube_cert_dir }}/ca.crt | \
+    openssl {% if 'RSA' in kube_asymmetric_encryption_algorithm %}rsa{% elif 'ECDSA' in kube_asymmetric_encryption_algorithm %}ec{% else %}rsa{% endif %} -pubin -outform der 2>/dev/null | \
+    openssl dgst -sha256 -hex | sed 's/^.* //'
   args:
     executable: /bin/bash
   register: kubeadm_ca_hash
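Review bot: The Jinja conditional in the second line of the new shell block falls back to `rsa` for any value that is neither RSA nor ECDSA, so a mistyped algorithm name yields a failed (or wrong-decoder) pipeline rather than a clear error, and the `2>/dev/null` on that stage hides why. `openssl pkey -pubin -outform der` reads any public key type, so the branch can be replaced by the single line `openssl pkey -pubin -outform der 2>/dev/null | \`. Since this hash is what joining nodes pin as the CA trust anchor via the discovery hash, deriving it without a substring match on the algorithm name is the safer shape; if an OpenSSL build without `pkey` must be supported, keep the branch but make the `else` case fail explicitly instead of silently defaulting to rsa. The task definition may continue outside the hunk.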
diff --git a/roles/kubespray-defaults/defaults/main/main.yml b/roles/kubespray-defaults/defaults/main/main.yml
index 32a78545a..1210287c8 100644
--- a/roles/kubespray-defaults/defaults/main/main.yml
+++ b/roles/kubespray-defaults/defaults/main/main.yml
@@ -62,6 +62,11 @@ kubeadm_join_phases_skip: >-
 # Set to true to remove the role binding to anonymous users created by kubeadm
 remove_anonymous_access: false
 
+# Supported asymmetric encryption algorithm types for the cluster's keys and certificates.
+# can be one of RSA-2048(default), RSA-3072, RSA-4096, ECDSA-P256
+# ref: https://kubernetes.io/docs/reference/config-api/kubeadm-config.v1beta4/#kubeadm-k8s-io-v1beta4-ClusterConfiguration
+kube_asymmetric_encryption_algorithm: "RSA-2048"
+
 # A string slice of values which specify the addresses to use for NodePorts.
 # Values may be valid IP blocks (e.g. 1.2.3.0/24, 1.2.3.4/32).
 # The default empty string slice ([]) means to use all local addresses.
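Review bot: The new comment lists the accepted values but does not say where the option takes effect; this commit wires it only into the v1beta4 kubeadm template, so if an older ClusterConfiguration template is still selected for some Kubernetes versions the setting would be silently ignored there, which is worth stating, e.g. `# Only applied when the kubeadm v1beta4 ClusterConfiguration template is used.`. Nothing validates the value before it reaches kubeadm, so a typo is only caught at `kubeadm init` time; a preflight assert against the four documented values would fail earlier and more clearly. Minor wording: `# Can be one of RSA-2048 (default), RSA-3072, RSA-4096, ECDSA-P256` to match the capitalisation of the surrounding comments.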
diff --git a/tests/files/packet_debian12-calico.yml b/tests/files/packet_debian12-calico.yml
index 4896d3ba3..20e3f239f 100644
--- a/tests/files/packet_debian12-calico.yml
+++ b/tests/files/packet_debian12-calico.yml
@@ -6,3 +6,4 @@ mode: default
 # Kubespray settings
 
 dns_mode: coredns_dual
+kube_asymetric_encryption_algorithm: "RSA-3072"
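Review bot: The variable name added here is misspelled — `kube_asymetric_encryption_algorithm` (single `m`) — while the default and the other two test files use `kube_asymmetric_encryption_algorithm`, so this test silently keeps the RSA-2048 default and the RSA-3072 path is never exercised. Change the line to `kube_asymmetric_encryption_algorithm: "RSA-3072"`.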
diff --git a/tests/files/packet_rockylinux9-cilium.yml b/tests/files/packet_rockylinux9-cilium.yml
index 2f759f0f5..69d4c7377 100644
--- a/tests/files/packet_rockylinux9-cilium.yml
+++ b/tests/files/packet_rockylinux9-cilium.yml
@@ -11,3 +11,4 @@ cilium_kube_proxy_replacement: strict
 
 # Node Feature Discovery
 node_feature_discovery_enabled: true
+kube_asymmetric_encryption_algorithm: "ECDSA-P256"
diff --git a/tests/files/packet_ubuntu20-flannel-ha.yml b/tests/files/packet_ubuntu20-flannel-ha.yml
index 06a9ffb24..cec99f934 100644
--- a/tests/files/packet_ubuntu20-flannel-ha.yml
+++ b/tests/files/packet_ubuntu20-flannel-ha.yml
@@ -8,3 +8,4 @@ kube_network_plugin: flannel
 etcd_deployment_type: kubeadm
 kubeadm_certificate_key: 3998c58db6497dd17d909394e62d515368c06ec617710d02edea31c06d741085
 skip_non_kubeadm_warning: true
+kube_asymmetric_encryption_algorithm: "RSA-4096"
-- 
GitLab