support asymmetric encryption algorithms in ClusterConfigration (#11757)

Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
2025-12-14 13:54:37 +03:00 · 2024-11-29 16:06:58 +08:00
parent 280507ff70
commit 70b75d35b6
6 changed files with 13 additions and 1 deletions
--- a/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2
+++ b/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2
@@ -37,6 +37,7 @@ patches:
 apiVersion: kubeadm.k8s.io/v1beta4
 kind: ClusterConfiguration
 clusterName: {{ cluster_name }}
 encryptionAlgorithm: {{ kube_asymmetric_encryption_algorithm }}
 etcd:
 {% if etcd_deployment_type != "kubeadm" %}
  external:
--- a/roles/kubernetes/kubeadm/tasks/main.yml
+++ b/roles/kubernetes/kubeadm/tasks/main.yml
@@ -30,7 +30,10 @@
  run_once: true
 - name: Calculate kubeadm CA cert hash
-  shell: set -o pipefail && openssl x509 -pubkey -in {{ kube_cert_dir }}/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
+  shell: |
    set -o pipefail && openssl x509 -pubkey -in {{ kube_cert_dir }}/ca.crt | \
    openssl {% if 'RSA' in kube_asymmetric_encryption_algorithm %}rsa{% elif 'ECDSA' in kube_asymmetric_encryption_algorithm %}ec{% else %}rsa{% endif %} -pubin -outform der 2>/dev/null | \
    openssl dgst -sha256 -hex | sed 's/^.* //'
  args:
    executable: /bin/bash
  register: kubeadm_ca_hash
--- a/roles/kubespray-defaults/defaults/main/main.yml
+++ b/roles/kubespray-defaults/defaults/main/main.yml
@@ -62,6 +62,11 @@ kubeadm_join_phases_skip: >-
 # Set to true to remove the role binding to anonymous users created by kubeadm
 remove_anonymous_access: false
 # Supported asymmetric encryption algorithm types for the cluster's keys and certificates.
 # can be one of RSA-2048(default), RSA-3072, RSA-4096, ECDSA-P256
 # ref: https://kubernetes.io/docs/reference/config-api/kubeadm-config.v1beta4/#kubeadm-k8s-io-v1beta4-ClusterConfiguration
 kube_asymmetric_encryption_algorithm: "RSA-2048"
 # A string slice of values which specify the addresses to use for NodePorts.
 # Values may be valid IP blocks (e.g. 1.2.3.0/24, 1.2.3.4/32).
 # The default empty string slice ([]) means to use all local addresses.
--- a/tests/files/packet_debian12-calico.yml
+++ b/tests/files/packet_debian12-calico.yml
@@ -6,3 +6,4 @@ mode: default
 # Kubespray settings
 dns_mode: coredns_dual
 kube_asymetric_encryption_algorithm: "RSA-3072"
--- a/tests/files/packet_rockylinux9-cilium.yml
+++ b/tests/files/packet_rockylinux9-cilium.yml
@@ -11,3 +11,4 @@ cilium_kube_proxy_replacement: strict
 # Node Feature Discovery
 node_feature_discovery_enabled: true
 kube_asymmetric_encryption_algorithm: "ECDSA-P256"
--- a/tests/files/packet_ubuntu20-flannel-ha.yml
+++ b/tests/files/packet_ubuntu20-flannel-ha.yml
@@ -8,3 +8,4 @@ kube_network_plugin: flannel
 etcd_deployment_type: kubeadm
 kubeadm_certificate_key: 3998c58db6497dd17d909394e62d515368c06ec617710d02edea31c06d741085
 skip_non_kubeadm_warning: true
 kube_asymmetric_encryption_algorithm: "RSA-4096"