Merge pull request #125388 from neolit123/1.31-fix-kubeconfig-ecdsa
kubeadm: fix the generation of ECDSA keys in kubeconfig files
										71
									
								
								cmd/kubeadm/app/apis/kubeadm/types_test.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
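--- a/cmd/kubeadm/app/apis/kubeadm/types_test.go
+++ b/cmd/kubeadm/app/apis/kubeadm/types_test.go
@@ -0,0 +1,71 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kubeadm
+
+import (
+	"testing"
+
+	"k8s.io/kubernetes/cmd/kubeadm/app/features"
+)
+
+func TestClusterConfigurationEncryptionAlgorithmType(t *testing.T) {
+	tests := []struct {
+		name           string
+		cfg            *ClusterConfiguration
+		expectedResult EncryptionAlgorithmType
+	}{
+		{
+			name: "feature gate is set to true, return ECDSA-P256",
+			cfg: &ClusterConfiguration{
+				FeatureGates: map[string]bool{
+					features.PublicKeysECDSA: true,
+				},
+				EncryptionAlgorithm: EncryptionAlgorithmRSA4096,
+			},
+			expectedResult: EncryptionAlgorithmECDSAP256,
+		},
+		{
+			name: "feature gate is set to false, return the default RSA-2048",
+			cfg: &ClusterConfiguration{
+				FeatureGates: map[string]bool{
+					features.PublicKeysECDSA: false,
+				},
+			},
+			expectedResult: EncryptionAlgorithmRSA2048,
+		},
+		{
+			name: "feature gate is not set, return the field value",
+			cfg: &ClusterConfiguration{
+				EncryptionAlgorithm: EncryptionAlgorithmRSA4096,
+			},
+			expectedResult: EncryptionAlgorithmRSA4096,
+		},
+		{
+			name:           "feature gate and field are not set, return empty string",
+			cfg:            &ClusterConfiguration{},
+			expectedResult: "",
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			if result := tc.cfg.EncryptionAlgorithmType(); result != tc.expectedResult {
+				t.Errorf("expected result: %s, got: %s", tc.expectedResult, result)
+			}
+		})
+	}
+}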
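Review bot: The table leaves the precedence between an explicit `features.PublicKeysECDSA: false` gate and a non-empty EncryptionAlgorithm field unpinned: the second case sets the gate to false with the field empty and expects RSA-2048, the third sets the field with no gate at all, so no case says whether an explicitly false gate overrides an explicitly configured RSA-4096. Since EncryptionAlgorithmType() now decides which key type is generated for every kubeconfig client certificate, that precedence deserves its own case. The method itself is not part of this diff, so the expected value below is left for confirmation rather than guessed.
```go
		{
			name: "feature gate is set to false and field is set, return the field value",
			cfg: &ClusterConfiguration{
				FeatureGates: map[string]bool{
					features.PublicKeysECDSA: false,
				},
				EncryptionAlgorithm: EncryptionAlgorithmRSA4096,
			},
			// TODO(review): confirm against EncryptionAlgorithmType(): RSA-4096 if the field wins,
			// EncryptionAlgorithmRSA2048 if an explicitly false gate forces the default.
			expectedResult: EncryptionAlgorithmRSA4096,
		},
```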
@@ -72,6 +72,7 @@ type kubeConfigSpec struct {
 | 
			
		||||
	ClientCertNotAfter  time.Time
 | 
			
		||||
	TokenAuth           *tokenAuth      `datapolicy:"token"`
 | 
			
		||||
	ClientCertAuth      *clientCertAuth `datapolicy:"security-key"`
 | 
			
		||||
	EncryptionAlgorithm kubeadmapi.EncryptionAlgorithmType
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
// CreateJoinControlPlaneKubeConfigFiles will create and write to disk the kubeconfig files required by kubeadm
 | 
			
		||||
@@ -213,6 +214,7 @@ func newClientCertConfigFromKubeConfigSpec(spec *kubeConfigSpec) pkiutil.CertCon
 | 
			
		||||
			Usages:       []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
 | 
			
		||||
		},
 | 
			
		||||
		NotAfter:            spec.ClientCertNotAfter,
 | 
			
		||||
		EncryptionAlgorithm: spec.EncryptionAlgorithm,
 | 
			
		||||
	}
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
@@ -325,6 +327,7 @@ func WriteKubeConfigWithClientCert(out io.Writer, cfg *kubeadmapi.InitConfigurat
 | 
			
		||||
			Organizations: organizations,
 | 
			
		||||
		},
 | 
			
		||||
		ClientCertNotAfter:  notAfter,
 | 
			
		||||
		EncryptionAlgorithm: cfg.ClusterConfiguration.EncryptionAlgorithmType(),
 | 
			
		||||
	}
 | 
			
		||||
 | 
			
		||||
	return writeKubeConfigFromSpec(out, spec, cfg.ClusterName)
 | 
			
		||||
@@ -354,6 +357,7 @@ func WriteKubeConfigWithToken(out io.Writer, cfg *kubeadmapi.InitConfiguration,
 | 
			
		||||
			Token: token,
 | 
			
		||||
		},
 | 
			
		||||
		ClientCertNotAfter:  notAfter,
 | 
			
		||||
		EncryptionAlgorithm: cfg.ClusterConfiguration.EncryptionAlgorithmType(),
 | 
			
		||||
	}
 | 
			
		||||
 | 
			
		||||
	return writeKubeConfigFromSpec(out, spec, cfg.ClusterName)
 | 
			
		||||
@@ -453,6 +457,7 @@ func getKubeConfigSpecsBase(cfg *kubeadmapi.InitConfiguration) (map[string]*kube
 | 
			
		||||
				Organizations: []string{kubeadmconstants.ClusterAdminsGroupAndClusterRoleBinding},
 | 
			
		||||
			},
 | 
			
		||||
			ClientCertNotAfter:  notAfter,
 | 
			
		||||
			EncryptionAlgorithm: cfg.ClusterConfiguration.EncryptionAlgorithmType(),
 | 
			
		||||
		},
 | 
			
		||||
		kubeadmconstants.SuperAdminKubeConfigFileName: {
 | 
			
		||||
			APIServer:  controlPlaneEndpoint,
 | 
			
		||||
@@ -461,6 +466,7 @@ func getKubeConfigSpecsBase(cfg *kubeadmapi.InitConfiguration) (map[string]*kube
 | 
			
		||||
				Organizations: []string{kubeadmconstants.SystemPrivilegedGroup},
 | 
			
		||||
			},
 | 
			
		||||
			ClientCertNotAfter:  notAfter,
 | 
			
		||||
			EncryptionAlgorithm: cfg.ClusterConfiguration.EncryptionAlgorithmType(),
 | 
			
		||||
		},
 | 
			
		||||
		kubeadmconstants.KubeletKubeConfigFileName: {
 | 
			
		||||
			APIServer:  controlPlaneEndpoint,
 | 
			
		||||
@@ -469,18 +475,21 @@ func getKubeConfigSpecsBase(cfg *kubeadmapi.InitConfiguration) (map[string]*kube
 | 
			
		||||
				Organizations: []string{kubeadmconstants.NodesGroup},
 | 
			
		||||
			},
 | 
			
		||||
			ClientCertNotAfter:  notAfter,
 | 
			
		||||
			EncryptionAlgorithm: cfg.ClusterConfiguration.EncryptionAlgorithmType(),
 | 
			
		||||
		},
 | 
			
		||||
		kubeadmconstants.ControllerManagerKubeConfigFileName: {
 | 
			
		||||
			APIServer:           localAPIEndpoint,
 | 
			
		||||
			ClientName:          kubeadmconstants.ControllerManagerUser,
 | 
			
		||||
			ClientCertAuth:      &clientCertAuth{},
 | 
			
		||||
			ClientCertNotAfter:  notAfter,
 | 
			
		||||
			EncryptionAlgorithm: cfg.ClusterConfiguration.EncryptionAlgorithmType(),
 | 
			
		||||
		},
 | 
			
		||||
		kubeadmconstants.SchedulerKubeConfigFileName: {
 | 
			
		||||
			APIServer:           localAPIEndpoint,
 | 
			
		||||
			ClientName:          kubeadmconstants.SchedulerUser,
 | 
			
		||||
			ClientCertAuth:      &clientCertAuth{},
 | 
			
		||||
			ClientCertNotAfter:  notAfter,
 | 
			
		||||
			EncryptionAlgorithm: cfg.ClusterConfiguration.EncryptionAlgorithmType(),
 | 
			
		||||
		},
 | 
			
		||||
	}, nil
 | 
			
		||||
}
 | 
			
		||||
 
 | 
			
		||||
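Review bot: `cfg.ClusterConfiguration.EncryptionAlgorithmType()` is called once per spec literal in getKubeConfigSpecsBase (five times across the hunks at -453, -461 and -469) and again in WriteKubeConfigWithClientCert and WriteKubeConfigWithToken; in getKubeConfigSpecsBase it can be evaluated once, `encryptionAlgorithm := cfg.ClusterConfiguration.EncryptionAlgorithmType()`, with each literal using `EncryptionAlgorithm: encryptionAlgorithm,` so the five kubeconfigs cannot drift apart. The new kubeConfigSpec field at -72 carries no doc comment; a one-liner such as `// EncryptionAlgorithm is the key type and size used when generating the client certificate key for this kubeconfig.` would state what it controls, given it is forwarded to pkiutil.CertConfig in newClientCertConfigFromKubeConfigSpec. The new types_test.go shows EncryptionAlgorithmType() returns an empty string when neither the field nor the feature gate is set, and what pkiutil does with an empty value is not visible here, so it is worth confirming the field is defaulted before it reaches key generation. getKubeConfigSpecsBase begins before the first of its hunks.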
@@ -85,6 +85,7 @@ func TestGetKubeConfigSpecs(t *testing.T) {
 | 
			
		||||
			LocalAPIEndpoint: kubeadmapi.APIEndpoint{AdvertiseAddress: "1.2.3.4", BindPort: 1234},
 | 
			
		||||
			ClusterConfiguration: kubeadmapi.ClusterConfiguration{
 | 
			
		||||
				CertificatesDir:     pkidir,
 | 
			
		||||
				EncryptionAlgorithm: kubeadmapi.EncryptionAlgorithmECDSAP256,
 | 
			
		||||
			},
 | 
			
		||||
			NodeRegistration: kubeadmapi.NodeRegistrationOptions{Name: "valid-node-name"},
 | 
			
		||||
		},
 | 
			
		||||
@@ -180,6 +181,11 @@ func TestGetKubeConfigSpecs(t *testing.T) {
 | 
			
		||||
					t.Errorf("getKubeConfigSpecs for %s Organizations is %v, expected %v", assertion.kubeConfigFile, spec.ClientCertAuth.Organizations, assertion.organizations)
 | 
			
		||||
				}
 | 
			
		||||
 | 
			
		||||
				// Assert EncryptionAlgorithm
 | 
			
		||||
				if spec.EncryptionAlgorithm != cfg.EncryptionAlgorithm {
 | 
			
		||||
					t.Errorf("getKubeConfigSpecs for %s EncryptionAlgorithm is %s, expected %s", assertion.kubeConfigFile, spec.EncryptionAlgorithm, cfg.EncryptionAlgorithm)
 | 
			
		||||
				}
 | 
			
		||||
 | 
			
		||||
				// Asserts InitConfiguration values injected into spec
 | 
			
		||||
				controlPlaneEndpoint, err := kubeadmutil.GetControlPlaneEndpoint(cfg.ControlPlaneEndpoint, &cfg.LocalAPIEndpoint)
 | 
			
		||||
				if err != nil {
 | 
			
		||||
 
 | 
			
		||||
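Review bot: The new assertion at -180 compares `spec.EncryptionAlgorithm` with the raw `cfg.EncryptionAlgorithm` field, whereas the code under test fills the spec from `cfg.ClusterConfiguration.EncryptionAlgorithmType()`, which the new types_test.go shows can differ from the field once the PublicKeysECDSA feature gate is set. The comparison only holds because the fixture at -85 sets no feature gates, so the override path of this fix is not exercised in this file. Comparing against the method, `if spec.EncryptionAlgorithm != cfg.ClusterConfiguration.EncryptionAlgorithmType() {`, keeps the assertion aligned with the production code, and a second fixture with the gate enabled would cover the override. TestGetKubeConfigSpecs starts and ends outside these hunks.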