Add configurable PKI support to InstallConfig behind the ConfigurablePKI
feature gate, allowing users to specify cryptographic parameters for
installer-generated signer certificates.
Key changes:
- Define custom PKIConfig type with only signerCertificates field
- Add PKI *PKIConfig field to InstallConfig
- Add ConfigurablePKI feature gate entry in GatedFeatures()
- Create pkg/types/pki/ with validation functions
- Wire PKI validation into ValidateInstallConfig()
- Require signerCertificates.key when pki is present (pki: {} is invalid)
Assisted-by: Claude Code (Opus 4.6)
Update pkg/asset/tls/ to generate signer certificates with either RSA or ECDSA keys based on the PKI config from InstallConfig. Leaf certificates continue to use RSA 2048.
Key changes:
- Add DefaultRSAKeySize/DefaultKeyAlgorithm constants
- Add RSA/ECDSA key generation functions and PEM encode/decode support
- Change SelfSignedCertificate to accept crypto.Signer
- Change SignedCertificate/GenerateSignedCertificate caKey to crypto.PrivateKey
- Add pkiConfig parameter to SelfSignedCertKey.Generate()
- Update PKIConfigToKeyParams to accept *types.PKIConfig
- Set algorithm-appropriate KeyUsage (ECDSA omits KeyEncipherment)
- All signer assets now depend on InstallConfig and pass PKI config
- Add type assertion in BoundSASigningKey.Load() for RSA requirement
Assisted-by: Claude Code (Opus 4.6)
Add tests covering PKI validation, feature gate enforcement, certificate generation with PKI configs, and cross-algorithm certificate signing.
Key additions:
- Test ValidatePKIConfig catches invalid configs and empty PKI
- Test ConfigurablePKI feature gate with TechPreview and CustomNoUpgrade
- Test ValidateInstallConfig catches invalid PKI with field paths
- Test SelfSignedCertKey.Generate() with non-nil PKI configs
- Test ECDSA CA signing RSA leaf certificate with chain verification
- Test RSA/ECDSA key generation, KeyUsage flags, signature algorithm detection
- Test PEM encode/decode roundtrip for RSA and ECDSA keys
Assisted-by: Claude Code (Opus 4.6)
Document the configurable PKI feature in docs/user/customization.md, following the existing inline documentation pattern for install-config properties.
Key additions:
- Add pki field entry with nested signerCertificates structure
- Add RSA 4096 and ECDSA P-384 install-config example fragments
- Document ConfigurablePKI feature gate requirement
- Note scope: signer certificates only, leaf certs unaffected
Assisted-by: Claude Code (Opus 4.6)
…abled
When the ConfigurablePKI feature gate is active, the installer now generates a config.openshift.io/v1alpha1 PKI custom resource manifest (manifests/cluster-pki-02-config.yaml) that is applied to the cluster during bootstrap. This CR provides day-2 operators with the certificate parameters to use when rotating certificates.
The PKI CR uses mode: Custom with DefaultPKIProfile as the base (defaults: ECDSA P-256, signerCertificates: ECDSA P-384). User overrides from install-config pki.signerCertificates are layered on top.
When the feature gate is enabled but pki is not specified in install-config, the installer also aligns its own signer cert generation to ECDSA P-384 (matching DefaultPKIProfile) instead of the legacy RSA-2048 default.
Assisted-by: Claude Code (Opus 4.6)
Skipping CI for Draft Pull Request.
/test |
|
/test all |
e9f8ba0 to a41ad19
Replace configv1alpha1.CertificateConfig embedding in types.PKIConfig with installer-local types (CertificateConfig, KeyConfig, RSAKeyConfig, ECDSAKeyConfig, KeyAlgorithm, ECDSACurve). This prevents accidentally picking up new fields from the upstream API type. The JSON serialization shape is unchanged, so install-config YAML parsing and the CRD remain compatible. Conversion to upstream API types happens at the boundary when building the PKI CR manifest.
Add SignerPKIConfig asset to the dependency graph that resolves the effective PKI profile for certificate generation. The profile is never nil: feature gate off returns explicit RSA 2048, feature gate on returns library-go's DefaultPKIProfile with user overrides. EffectiveSignerPKIProfile now returns configv1alpha1.PKIProfile (never nil) instead of *types.PKIConfig (nullable). The local DefaultPKIProfile copy is replaced by an import from library-go/pkg/pki. The deprecated EffectiveSignerPKIConfig shim is retained temporarily for callers not yet migrated.
SelfSignedCertKey.Generate() now accepts a libcrypto.KeyPairGenerator and delegates to library-go's NewSigningCertificate for CA certs. Non-CA self-signed certs (IronicTLSCert) fall back to the legacy path. All 11 signer assets now depend on SignerPKIConfig and resolve their KeyPairGenerator via libpki.ResolveCertificateConfig with the <component>.<purpose> certificate naming convention.
a41ad19 to f5e4533
/retest required
/test all
SignedCertKey.Generate() now uses library-go's GetCAFromBytes to reconstruct the CA, then dispatches to NewServerCertificate, NewClientCertificate, or NewPeerCertificate based on an explicit CertificateType field on CertCfg. Each leaf cert asset now depends on SignerPKIConfig and resolves its KeyPairGenerator via libpki.ResolveCertificateConfig. When ConfigurablePKI is enabled, leaves follow the profile defaults (ECDSA P-256). When disabled, they use RSA 2048. AppendParent is handled by selectively encoding only the leaf cert (DoNotAppendParent) or the full chain (AppendParent) from the library-go TLSCertificateConfig.
PrivateKeyToPem now delegates to libcrypto.EncodeKey and CertToPem delegates to libcrypto.EncodeCertificates. Both are marked as deprecated in favor of using library-go directly. PemToPrivateKey and PemToCertificate retain their implementations since library-go doesn't expose standalone PEM parsing functions, but are also marked deprecated.
PKIConfiguration now depends on tls.SignerPKIConfig instead of InstallConfig directly. It uses the pre-resolved Profile to build the PKI CR, and gates manifest emission on ConfigurablePKIEnabled. This eliminates duplicate config resolution logic and the local toAPICertificateConfig conversion function.
Replace the forked selfSignedCertificate, generateSelfSignedCertificate, generateSubjectKeyID, and rsaPublicKey with a single call to libcrypto.NewSigningCertificate. The forked code existed to allow empty OU in the Subject, which library-go handles natively. This removes ~80 lines of duplicated crypto code including a SHA-1 SubjectKeyId implementation.
fb0bf42 to b4808ea
…review
# Conflicts:
#	go.mod
#	go.sum
#	vendor/modules.txt
/test all
Files like .idea/, .envrc, dev-retest*.sh, CLAUDE-luis.md, and docs/design/ drafts were untracked local files that got swept up by git add -A during the merge conflict resolution.
/retest-required
/retest-required
/test all
The tls_assets testscript test runs "openshift-install agent create certificates" which now requires InstallConfig in the dependency chain (via SignerPKIConfig). Previously signer assets like KubeAPIServerLBSignerCertKey had no dependencies, but now they depend on SignerPKIConfig which depends on InstallConfig. Add a minimal install-config.yaml and agent-config.yaml to the test, matching the pattern used by other agent image asset tests.
/retest-required
The "agent create certificates" command generates signer certs at runtime on the bootstrap node (for the agent UI flow) without an install-config.yaml present. Before the library-go migration, these signers had zero dependencies and always generated RSA 2048 keys. The SignerPKIConfig asset now implements WritableAsset with a Load() method that checks for install-config on disk. When install-config is absent, Load() returns the default RSA 2048 profile, bypassing the Generate() dependency chain entirely. When install-config is present, Load() returns false and the normal Generate() path resolves the profile from InstallConfig. This also reverts the install-config addition to the tls_assets integration test, since the test should work without it.
/retest-required
/retest-required
eba946f to 88daf8f
/retest-required
/retest
/test all
/retest
/label do-not-merge/work-in-progress
/hold work-in-progress