Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support Configuring EncryptionAlgorithm in Kubeadm v1beta4 #11757

Merged
merged 1 commit into from
Nov 29, 2024
Merged

Support Configuring EncryptionAlgorithm in Kubeadm v1beta4 #11757

merged 1 commit into from
Nov 29, 2024

Conversation

ErikJiang
Copy link
Member

@ErikJiang ErikJiang commented Nov 28, 2024
edited by k8s-ci-robot
Loading

What type of PR is this?

/kind feature

What this PR does / why we need it:

add ClusterConfiguration.encryptionAlgorithm to specify an asymmetric encryption algorithm for the cluster's certificates and keys.

Which issue(s) this PR fixes:

Fixes #11749

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

Support Configuring EncryptionAlgorithm in Kubeadm v1beta4

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/feature Categorizes issue or PR as related to a new feature. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Nov 28, 2024
@k8s-ci-robot k8s-ci-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Nov 28, 2024
@ErikJiang ErikJiang force-pushed the add_kube_encryption_algorithm branch from 2f2a242 to af28739 Compare November 28, 2024 14:45
@ErikJiang ErikJiang changed the title support asymmetric encryption algorithms in ClusterConfigration Support Configuring EncryptionAlgorithm in Kubeadm v1beta4 Nov 28, 2024
@VannTen
Copy link
Contributor

VannTen commented Nov 28, 2024

/ok-to-test

@k8s-ci-robot k8s-ci-robot added the ok-to-test Indicates a non-member PR verified by an org member that is safe to test. label Nov 28, 2024
@ErikJiang ErikJiang force-pushed the add_kube_encryption_algorithm branch from af28739 to 02f6985 Compare November 28, 2024 15:27
@yankay
Copy link
Member

yankay commented Nov 29, 2024

/test all

@k8s-ci-robot
Copy link
Contributor

@ErikJiang: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

  • /test pull-kubespray-yamllint

Use /test all to run all jobs.

In response to this:

/test packet_ubuntu20-flannel-ha

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@yankay
Copy link
Member

yankay commented Nov 29, 2024

Thanks @ErikJiang
/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 29, 2024
@tico88612
Copy link
Member

/release-note-edit

Support Configuring EncryptionAlgorithm in Kubeadm v1beta4

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-none Denotes a PR that doesn't merit a release note. labels Nov 29, 2024
@tico88612
Copy link
Member

Because #11751 has been reverted. Release note re-add this.

VannTen
VannTen reviewed Nov 29, 2024
View reviewed changes
Copy link
Contributor

@VannTen VannTen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

roles/kubernetes/kubeadm/tasks/main.yml
Comment on lines -33 to +36
shell: set -o pipefail && openssl x509 -pubkey -in {{ kube_cert_dir }}/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
shell: |
set -o pipefail && openssl x509 -pubkey -in {{ kube_cert_dir }}/ca.crt | \
openssl {% if 'RSA' in kube_asymmetric_encryption_algorithm %}rsa{% elif 'ECDSA' in kube_asymmetric_encryption_algorithm %}ec{% else %}rsa{% endif %} -pubin -outform der 2>/dev/null | \
openssl dgst -sha256 -hex | sed 's/^.* //'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ouch. We really need to switch to community.crypto at some point ^.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

😊 I tried to optimize this hash calculation logic. #11758

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ErikJiang, VannTen

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 29, 2024
@k8s-ci-robot k8s-ci-robot merged commit 70b75d3 into kubernetes-sigs:master Nov 29, 2024
42 checks passed
@tico88612 tico88612 mentioned this pull request Nov 30, 2024
Closed
kpoxo6op pushed a commit to kpoxo6op/kubespray that referenced this pull request Dec 27, 2024
@ErikJiang @kpoxo6op
support asymmetric encryption algorithms in ClusterConfigration (kube…
41dc822 
…rnetes-sigs#11757)

Signed-off-by: bo.jiang <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@VannTen VannTen VannTen left review comments

@yankay yankay Awaiting requested review from yankay

Assignees

@yankay yankay

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support Configuring EncryptionAlgorithm in Kubeadm v1beta4
5 participants
@ErikJiang @VannTen @yankay @k8s-ci-robot @tico88612