Story
Resolution: Unresolved
Critical
Product / Portfolio Work
In order to support RSA (2048, 3072, 4096) and ECDSA (P-256, P-384, P-521), the library-go certrotation and crypto packages (and any other package that generates keys) must be updated to accept the key algorithm together with the RSA key size or the ECDSA curve, rather than assuming a single fixed type.
Currently, the OpenShift cluster operators generate certificates with keys hardcoded to RSA 2048-bit.
The operators using library-go rely on primitives like RotatedSigningCASecret (pkg/operator/certrotation).
Key operators that use these primitives:
- cluster-kube-apiserver-operator - API server serving and client certificates
- cluster-etcd-operator - etcd peer and client certificates
- cluster-kube-controller-manager-operator - Controller manager client certificates
- service-ca-operator - Service CA and service serving certificates (see special note below)
- machine-config-operator - Kubelet certificates
- cluster-authentication-operator - OAuth server certificates
For example:
- The etcd-operator uses certrotation.RotatedSigningCASecret here: https://github.com/openshift/cluster-etcd-operator/blob/af150da84801ba0a1b4b0d94644da02d717ec7c6/pkg/tlshelpers/tlshelpers.go#L122
- The cluster-kube-apiserver-operator uses it here: https://github.com/openshift/cluster-kube-apiserver-operator/blob/57b8b8705fdaab6aa4a45a0353cbfd0217fc57f9/pkg/operator/certrotationcontroller/certrotationcontroller.go#L155
Where the call chain in library-go is:
- RotatedSigningCASecret.EnsureSigningCertKeyPair() calls setSigningCertKeyPairSecret()
- setSigningCertKeyPairSecret() calls crypto.MakeSelfSignedCAConfigForDuration()
- That delegates to makeSelfSignedCAConfigForSubjectAndDuration() which calls newKeyPairWithHash()
- newKeyPairWithHash() explicitly calls newRSAKeyPair()
There is an existing PR https://github.com/openshift/library-go/pull/2116 that extends the crypto package to generate ECDSA P-256 key pairs and certificates in addition to existing RSA support.
But that does not cover the full use case from the PKI enhancement, which requires all of the listed key sizes and curves.
Our goal is to build on top of that PR to allow us to support full key customization.
This change would then unblock the post-installation PKI configuration (Day-2) for cluster-operators.
https://github.com/sanchezl/enhancements/blob/8b54be1e2588fd28ba4e85ec0358996f6117744c/enhancements/security/internal-pki-config.md#post-installation-configuration-day-2
Linked issue:
1. Migrate controllercmd dev server certs to configurable PKI (To Do, Unassigned)