Merge pull request #12859 from Karthik-K-N/rsa-key

✨ Add EncryptionAlgorithm to Kubeadmconfig

Author: k8s-ci-robot

api/bootstrap/kubeadm/v1beta1/conversion.go

@@ -81,6 +81,9 @@ func RestoreKubeadmConfigSpec(restored *bootstrapv1.KubeadmConfigSpec, dst *boot
 			dst.ClusterConfiguration.CACertificateValidityPeriodDays = restored.ClusterConfiguration.CACertificateValidityPeriodDays
 		}
 	}
+	if restored.ClusterConfiguration.EncryptionAlgorithm != "" {
+		dst.ClusterConfiguration.EncryptionAlgorithm = restored.ClusterConfiguration.EncryptionAlgorithm
+	}
 }
 
 func RestoreBoolIntentKubeadmConfigSpec(src *KubeadmConfigSpec, dst *bootstrapv1.KubeadmConfigSpec, hasRestored bool, restored *bootstrapv1.KubeadmConfigSpec) error {

api/bootstrap/kubeadm/v1beta1/zz_generated.conversion.go

@@ -72,6 +72,23 @@ const (
 	KubeadmConfigDataSecretNotAvailableReason = clusterv1.NotAvailableReason
 )
 
+// EncryptionAlgorithmType can define an asymmetric encryption algorithm type.
+// +kubebuilder:validation:Enum=ECDSA-P256;ECDSA-P384;RSA-2048;RSA-3072;RSA-4096
+type EncryptionAlgorithmType string
+
+const (
+	// EncryptionAlgorithmECDSAP256 defines the ECDSA encryption algorithm type with curve P256.
+	EncryptionAlgorithmECDSAP256 EncryptionAlgorithmType = "ECDSA-P256"
+	// EncryptionAlgorithmECDSAP384 defines the ECDSA encryption algorithm type with curve P384.
+	EncryptionAlgorithmECDSAP384 EncryptionAlgorithmType = "ECDSA-P384"
+	// EncryptionAlgorithmRSA2048 defines the RSA encryption algorithm type with key size 2048 bits.
+	EncryptionAlgorithmRSA2048 EncryptionAlgorithmType = "RSA-2048"
+	// EncryptionAlgorithmRSA3072 defines the RSA encryption algorithm type with key size 3072 bits.
+	EncryptionAlgorithmRSA3072 EncryptionAlgorithmType = "RSA-3072"
+	// EncryptionAlgorithmRSA4096 defines the RSA encryption algorithm type with key size 4096 bits.
+	EncryptionAlgorithmRSA4096 EncryptionAlgorithmType = "RSA-4096"
+)
+
 // InitConfiguration contains a list of elements that is specific "kubeadm init"-only runtime
 // information.
 // +kubebuilder:validation:MinProperties=1
@@ -199,6 +216,16 @@ type ClusterConfiguration struct {
 	// +kubebuilder:validation:Minimum=1
 	// +kubebuilder:validation:Maximum=36500
 	CACertificateValidityPeriodDays int32 `json:"caCertificateValidityPeriodDays,omitempty"`
+
+	// encryptionAlgorithm holds the type of asymmetric encryption algorithm used for keys and certificates.
+	// Can be one of "RSA-2048", "RSA-3072", "RSA-4096", "ECDSA-P256" or "ECDSA-P384".
+	// For Kubernetes 1.34 or above, "ECDSA-P384" is supported.
+	// If not specified, Cluster API will use RSA-2048 as default.
+	// When this field is modified every certificate generated afterward will use the new
+	// encryptionAlgorithm. Existing CA certificates and service account keys are not rotated.
+	// This field is only supported with Kubernetes v1.31 or above.
+	// +optional
+	EncryptionAlgorithm EncryptionAlgorithmType `json:"encryptionAlgorithm,omitempty"`
 }
 
 // IsDefined returns true if the ClusterConfiguration is defined.

api/bootstrap/kubeadm/v1beta2/kubeadm_types.go

@@ -276,6 +276,7 @@ func hubClusterConfigurationFuzzer(obj *bootstrapv1.ClusterConfiguration, c rand
 
 	obj.CertificateValidityPeriodDays = 0
 	obj.CACertificateValidityPeriodDays = 0
+	obj.EncryptionAlgorithm = ""
 
 	for i, arg := range obj.APIServer.ExtraArgs {
 		if arg.Value == nil {

bootstrap/kubeadm/config/crd/bases/bootstrap.cluster.x-k8s.io_kubeadmconfigs.yaml

@@ -67,7 +67,6 @@ func (dst *JoinConfiguration) ConvertFrom(srcRaw conversion.Hub) error {
 func Convert_upstreamv1beta4_ClusterConfiguration_To_v1beta2_ClusterConfiguration(in *ClusterConfiguration, out *bootstrapv1.ClusterConfiguration, s apimachineryconversion.Scope) error {
 	// Following fields do not exist in CABPK v1beta1 version:
 	// - Proxy (Not supported yet)
-	// - EncryptionAlgorithm (Not supported yet)
 	if err := autoConvert_upstreamv1beta4_ClusterConfiguration_To_v1beta2_ClusterConfiguration(in, out, s); err != nil {
 		return err
 	}

bootstrap/kubeadm/config/crd/bases/bootstrap.cluster.x-k8s.io_kubeadmconfigtemplates.yaml

@@ -107,7 +107,6 @@ func spokeClusterConfigurationFuzzer(obj *ClusterConfiguration, c randfill.Conti
 	c.FillNoCustom(obj)
 
 	obj.Proxy = Proxy{}
-	obj.EncryptionAlgorithm = ""
 	obj.CertificateValidityPeriod = ptr.To[metav1.Duration](metav1.Duration{Duration: time.Duration(c.Int31n(3*365)+1) * time.Hour * 24})
 	obj.CACertificateValidityPeriod = ptr.To[metav1.Duration](metav1.Duration{Duration: time.Duration(c.Int31n(100*365)+1) * time.Hour * 24})