Add support for ed25519 keys in AWS

[aclevername]

AWS EC2 supports ed25519 keys from the start of this year (blog), updating the ComputeAWSKeyFingerprint func to match this.

Implementation notes

I trimmed the "SHA256" prefix that the ssh.FingerprintSHA256 call adds to keep it consistent with the fingerprint format presented both in the console and the API. Happy to undo this if folks think this is incorrect 😄

$ aws ec2 describe-key-pairs --key-names jake-test-ed25519
{
    "KeyPairs": [
        {
            ...
            "KeyFingerprint": "HvE7+gmH78VS53+iPuRDh/gKjVo26OzYU/qOnJWAgyk=",
            "KeyName": "jake-test-ed25519",
            "KeyType": "ed25519",
        }
    ]
}

This issue was originally discovered here eksctl-io/eksctl#4779

[linux-foundation-easycla]

The committers are authorized under a signed CLA.

• ✅ Jake Klein (9e78234)

[k8s-ci-robot]

Welcome @aclevername!

It looks like this is your first PR to kubernetes/kops 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/kops has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @aclevername. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[hakman]

/ok-to-test

[olemarkus]

Is there a reason for using SHA256 for ed keys, but MD5 for RSA?
Perhaps use MD5 for both, optionally add a flag for hash type (like ssh-add -l does).

[aclevername]

Just following the same method the AWS API use to calculate the fingerprint. I added an example in the PR description 😃

[olemarkus]

Fair enough. I think we should keep the prefix so we know what hash algo is actually used.

[aclevername]

Done 😄

[olemarkus]

Awesome. Thanks for this. Feel free to cherry-pick this to the 1.23 branch.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: olemarkus

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [olemarkus]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[olemarkus]

/hold
Looks like you may need a rebase or something.

[aclevername]

/hold Looks like you may need a rebase or something.

already have @olemarkus 🤔

-> % git pull origin master
From github.com:kubernetes/kops
 * branch                  master     -> FETCH_HEAD
Already up to date.

-> % git co ed25519
Switched to branch 'ed25519'
Your branch is up to date with 'aclevername/ed25519'.

-> % git rebase origin/master
Successfully rebased and updated refs/heads/ed25519.

-> % git push --force
Everything up-to-date

-> % git remote -v
aclevername     git@github.com:aclevername/kops.git (fetch)
aclevername     git@github.com:aclevername/kops.git (push)
origin  git@github.com:kubernetes/kops.git (fetch)
origin  git@github.com:kubernetes/kops.git (push)

[olemarkus]

/retest

[aclevername]

Awesome. Thanks for this. Feel free to cherry-pick this to the 1.23 branch.

Thanks, just to clarify you mean open an identical PR to merge into the release-1.23 branch? Are older versions also open for back patching? We currently use 1.21 which would be great to have it in

[olemarkus]

Awesome. Thanks for this. Feel free to cherry-pick this to the 1.23 branch.

Thanks, just to clarify you mean open an identical PR to merge into the release-1.23 branch? Are older versions also open for back patching? We currently use 1.21 which would be great to have it in

You can always cherry-pick back to 1.21, but not sure if we will do another release.
See https://kops.sigs.k8s.io/contributing/proposing-a-cherry-pick/ and https://github.com/kubernetes/community/blob/master/contributors/devel/sig-release/cherry-picks.md

[olemarkus]

/hold cancel

flake it seems