Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

kubeadm: enhance encryption algorithm support in v1beta4 #123054

Merged
merged 1 commit into from Feb 2, 2024
Merged

kubeadm: enhance encryption algorithm support in v1beta4 #123054

merged 1 commit into from Feb 2, 2024

Conversation

neolit123
Copy link
Member

@neolit123 neolit123 commented Jan 31, 2024
edited

What type of PR is this?

/kind feature

What this PR does / why we need it:

Previous v1beta4 work added support for
ClusterConfiguration.EncryptionAlgorithm, however the possible values were limited to just "RSA" (2048 key size) and "ECDSA" (P256).

Allow more arbitrary algorithm types, that can also include key size or curve type encoded in the name:
"RSA-2048" (default), "RSA-3072", "RSA-4096" or "ECDSA-P256".

Update the deprecation notice of the PublicKeysECDSA FeatureGate as ideally it should be removed only after v1beta3 is removed.

Which issue(s) this PR fixes:

Fixes kubernetes/kubeadm#3003
see kubernetes/kubeadm#3003 (comment)

Special notes for your reviewer:

NONE

Does this PR introduce a user-facing change?

NONE

(intentionally none)

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Jan 31, 2024
@neolit123
Copy link
Member Author

/hold for review
/triage accepted
/priority important-soon
(1.30)

@k8s-ci-robot k8s-ci-robot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. triage/accepted Indicates an issue or PR is ready to be actively worked on. approved Indicates a PR has been approved by an approver from all required OWNERS files. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. area/kubeadm sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jan 31, 2024
@neolit123
Copy link
Member Author

/cc @pacoxu @randomvariable
/assign @SataQiu

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Jan 31, 2024
This was referenced Jan 31, 2024
Closed
Open
Closed
@randomvariable
Copy link
Member

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 31, 2024
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: 9d9695fd56aa0faabfba46fd5fc8b33f06f8aaa3

@neolit123 neolit123 force-pushed the 1.30-v1beta4-encryption-enhance branch from d3810a6 to 9b401c8 Compare January 31, 2024 17:59
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 31, 2024
@neolit123 neolit123 force-pushed the 1.30-v1beta4-encryption-enhance branch from 9b401c8 to 7667221 Compare January 31, 2024 21:40
@neolit123
kubeadm: enhance encryption algorithm support in v1beta4
2cab797 
Previous v1beta4 work added support for
ClusterConfiguration.EncryptionAlgorithm, however the possible
values were limited to just "RSA" (2048 key size) and "ECDSA" (P256).

Allow more arbitrary algorithm types, that can also include key size
or curve type encoded in the name:
"RSA-2048" (default), "RSA-3072", "RSA-4096" or "ECDSA-P256".

Update the deprecation notice of the PublicKeysECDSA FeatureGate
as ideally it should be removed only after v1beta3 is removed.
@neolit123 neolit123 force-pushed the 1.30-v1beta4-encryption-enhance branch from 7667221 to 2cab797 Compare January 31, 2024 21:49
@randomvariable
Copy link
Member

/lgtm
/retest

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 1, 2024
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: 5d50ace707c57c9a3c2ee4886b9215441083afbf

SataQiu
SataQiu approved these changes Feb 2, 2024
View reviewed changes
Copy link
Member

@SataQiu SataQiu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: neolit123, SataQiu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

neolit123
neolit123 commented Feb 2, 2024
View reviewed changes
Copy link
Member Author

@neolit123 neolit123 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 2, 2024
@k8s-ci-robot k8s-ci-robot merged commit 2372837 into kubernetes:master Feb 2, 2024
15 checks passed
@k8s-ci-robot k8s-ci-robot added this to the v1.30 milestone Feb 2, 2024
@sftim
Copy link
Contributor

sftim commented Feb 9, 2024

Which PR has the changelog entry for this?

@neolit123
Copy link
Member Author

neolit123 commented Feb 9, 2024
edited

Which PR has the changelog entry for this?

none yet, when we are about to release v1beta4 we will push a PR with a bug release note that has all the new features in this API
https://github.com/kubernetes/kubernetes/pull/123054/files#diff-5c925db27fad81e7d11666a4fe0012055a00ebf625f2e7327b20f846ef54d586
target is 1.30 for now

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SataQiu SataQiu SataQiu approved these changes

@pacoxu pacoxu Awaiting requested review from pacoxu

@randomvariable randomvariable Awaiting requested review from randomvariable

@chendave chendave Awaiting requested review from chendave

Assignees

@randomvariable randomvariable

@SataQiu SataQiu

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/kubeadm cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note-none Denotes a PR that doesn't merit a release note. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Milestone
v1.30
Development

Successfully merging this pull request may close these issues.

Provide options to use at least 3072-bits RSA to meet German federal BSI Technical Guideline TR-02102-2
5 participants
@neolit123 @randomvariable @k8s-ci-robot @sftim @SataQiu