Allow to specify private key algorithm and size #168
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
gardener-robot-ci-1
added
the
reviewed/ok-to-test
|
/invite @timuthy |
gardener-robot-ci-1
added
needs/ok-to-test
gardener-robot
added
kind/api-change
|
@MartinWeindel Command "/invite @timuthy " failed with "Reviews may only be requested from collaborators. One or more of the users or teams you specified is not a collaborator of the gardener/cert-management repository.". Additional Information |
6 tasks
|
/assign |
gardener-robot-ci-3
added
the
reviewed/ok-to-test
gardener-robot-ci-1
removed
the
reviewed/ok-to-test
timuthy
suggested changes
Mar 21, 2024
README.md
Outdated
| @@ -352,6 +354,33 @@ spec: | |||
|
|
|||
| In this case the secret `my-secret` will contains the labels. | |||
|
|
|||
| ### Specifying private key algorithm and size | |||
|
|
|||
| By default, the certificate uses `RSA` with a key size of 2048 bits for the private key | |||
There was a problem hiding this comment.
Suggested change
| By default, the certificate uses `RSA` with a key size of 2048 bits for the private key | |
| By default, the certificate uses `RSA` with a key size of 2048 bits for the private key. |
pkg/apis/cert/v1alpha1/types.go
Outdated
| // key size of 2048 will be used for `RSA` key algorithm and | ||
| // key size of 256 will be used for `ECDSA` key algorithm. | ||
| // +optional | ||
| Algorithm PrivateKeyAlgorithm `json:"algorithm,omitempty"` |
There was a problem hiding this comment.
Suggested change
| Algorithm PrivateKeyAlgorithm `json:"algorithm,omitempty"` | |
| Algorithm *PrivateKeyAlgorithm `json:"algorithm,omitempty"` |
pkg/apis/cert/v1alpha1/types.go
Outdated
| // and will default to `256` if not specified. | ||
| // No other values are allowed. | ||
| // +optional | ||
| Size int `json:"size,omitempty"` |
There was a problem hiding this comment.
Suggested change
| Size int `json:"size,omitempty"` | |
| Size *int32 `json:"size,omitempty"` |
pkg/cert/legobridge/certificate.go
Outdated
| return keyType, nil | ||
| } | ||
|
|
||
| // FromKeyType converts key type back to |
pkg/cert/legobridge/certificate.go
Outdated
| } | ||
| return client.Certificate.Obtain(request) | ||
| } | ||
|
|
||
| func obtainForCSR(client *lego.Client, csr []byte, deactivateAuthz bool, preferredChain string) (*certificate.Resource, error) { | ||
| // ToKeyType extracts the key type from the |
Comment on lines
+121
to
+122
| // key size of 256 will be used for `ECDSA` key algorithm. | ||
| // +optional |
There was a problem hiding this comment.
Can we work with // +kubebuilder:validation:Enum=RSA;ECDSA here, maybe also for the size?
There was a problem hiding this comment.
Interestingly, you can really define an enumeration for numbers.🤩
gardener-robot-ci-2
added
reviewed/ok-to-test
gardener-robot-ci-3
added
the
reviewed/ok-to-test
gardener-robot-ci-2
removed
the
reviewed/ok-to-test
timuthy
reviewed
Mar 21, 2024
| } | ||
| newPrivateKey := createPrivateKey(info.PrivateKeyAlgorithm, info.PrivateKeySize) | ||
| if !reflect.DeepEqual(spec.PrivateKey, newPrivateKey) { | ||
| spec.PrivateKey = newPrivateKey |
There was a problem hiding this comment.
Not sure if I understand the code correctly: Does this mean that the controller writes back the defaulted values to the certificate.spec.privateKey if it's not set before? If yes, won't this cause all existing certificates to be re-generated when this feature is rolled out because the spec checksum changes?
There was a problem hiding this comment.
If the source object has no private key related annotations, the function createPrivateKey returns nil. Even if you would add these annotations with the default values, the generated certificate resource will be updated, but no new certificate would be requested, as the hash code is unchanged.
gardener-robot
added
reviewed/lgtm
gardener-robot
removed
the
needs/second-opinion
gardener-robot-ci-3
added
the
reviewed/ok-to-test
|
@timuthy Thanks for taking the time for a review! |
gardener-robot
added
the
status/closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What this PR does / why we need it:
The algorithm and size for the private key can now be specified in the certificate spec section to override the default algorithm
RSAwith key size 2048.Supported algorithms are
RSAandECDSA. ForRSAthe allowed key sizes are2048,3072, and4096with2048as default is not specified explicitly. ForECDSAthe allowed key sizes are256and384with256as default.These algorithms and key sizes are supported by Let's encrypt. For other ACME servers please check their documentation for information about supported combinations.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Release note: