Kubeadm: ECDSA private key

Created on 11 Jul 2018 · 12 Comments · Source: kubernetes/kubeadm

FEATURE REQUEST

I was trying to deploy a new cluster with autogenerated EC CAs when I discovered that kubeadm expects the CA key to be in RSA format.
I thought maybe there is no capability to generate EC certificates in kubeadm, so I generated the whole chain myself: ca, front-proxy-ca, apiserver, apiserver-kubelet-client, front-proxy-client and the sa private and public keys.
Now kubeadm stops on the private key for the apiserver certificate (while accepting the ECDSA certificate itself).

So the feature request: please add support for EC keys if the underlying infrastructure is able to support it.

Labels: area/security, help wanted, lifecycle/active, priority/important-longterm

All 12 comments

I need to do some investigation for the stakes here, but for now my answer is that EC will not be supported any time soon (don't quote me on that).

To repro:

ca-config.json

{
  "signing": {
    "default": {"expiry": "43800h"},
    "profiles": {
      "server": {"expiry": "43800h", "usages": ["signing", "key encipherment", "server auth", "client auth"]},
      "client": {"expiry": "43800h", "usages": ["signing", "key encipherment", "client auth"]},
      "peer": {"expiry": "43800h", "usages": ["signing", "key encipherment", "server auth", "client auth"]}
    }
  }
}

ca-csr.json

{"CN":"etcd","key":{"algo":"ecdsa","size":256}}

Then use cfssl:

cfssl gencert -initca -config ca-config.json ca-csr.json | cfssljson -bare ca -
mv ca.pem ca.crt
mv ca-key.pem ca.key

Now try to use this CA cert:

kubeadm alpha phase certs all --cert-dir $PWD
failure loading ca certificate: the private key file /home/foo/test/ca.key isn't in RSA format

@neolit123 What led you to your expectation that this would not be coming soon? Do you see some specific blocker?

~@andrewrynhard Your PR (kubernetes/kubernetes#41295) removed EC key support. I can't find any specific reasoning for that in the PR or the related issue. Is there any reason that you know of not to just re-add the EC support to pki_helpers?~

After _actually looking_ at that PR, there was no working code removed, just some placeholders.

@joejulian

@neolit123 What led you to your expectation that this would not be coming soon? Do you see some specific blocker?

I think the biggest blocker is that this is a relatively low priority task and the kubeadm team is busy.

I did some investigation and it feels like the rest of kubernetes is ECDSA "ready".
PRs for kubeadm are welcome!

/assign @liztio

Looks like the certutil.NewSignedCert functions have been updated to use crypto.Signer as of https://github.com/kubernetes/client-go/commit/30575d7a9fdb0e1f9014cf1b6c453f34d2cfe87f
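
The repro above (a cfssl-generated P-256 CA key rejected with "isn't in RSA format") and the comment about certutil moving to crypto.Signer describe the same design point: a loader that pattern-matches on the PKCS#1 "RSA PRIVATE KEY" block type can never accept an EC key, whereas code that only asks for a crypto.Signer works with RSA, ECDSA and PKCS#8 keys alike. The following is an added example written for this page; it is not kubeadm's or client-go's code. The function names (loadPrivateKeyRSAOnly, loadSigner, buildChain) and the certificate templates are assumptions made for illustration. It encodes an EC key exactly as cfssl does for {"algo":"ecdsa","size":256}, shows the RSA-only loader rejecting it, then builds and verifies a CA plus leaf chain through the algorithm-agnostic path.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// generateECKeyPEM makes a P-256 key and encodes it the way cfssl does for
// {"algo":"ecdsa","size":256}: a SEC 1 "EC PRIVATE KEY" PEM block.
func generateECKeyPEM() ([]byte, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalECPrivateKey(k)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der}), nil
}

// generateRSAKeyPEM makes an RSA key as a PKCS#1 "RSA PRIVATE KEY" PEM block.
func generateRSAKeyPEM(bits int) ([]byte, error) {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k)}), nil
}

// loadPrivateKeyRSAOnly is a hypothetical stand-in for the behaviour reported
// in the issue: any block that is not PKCS#1 RSA is rejected outright.
func loadPrivateKeyRSAOnly(pemBytes []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, fmt.Errorf("no PEM block found")
	}
	if block.Type != "RSA PRIVATE KEY" {
		return nil, fmt.Errorf("the private key isn't in RSA format (PEM type %q)", block.Type)
	}
	return x509.ParsePKCS1PrivateKey(block.Bytes)
}

// loadSigner is the algorithm-agnostic alternative: every supported key type is
// returned as crypto.Signer, which is all x509.CreateCertificate requires.
func loadSigner(pemBytes []byte) (crypto.Signer, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, fmt.Errorf("no PEM block found")
	}
	switch block.Type {
	case "RSA PRIVATE KEY":
		return x509.ParsePKCS1PrivateKey(block.Bytes)
	case "EC PRIVATE KEY":
		return x509.ParseECPrivateKey(block.Bytes)
	case "PRIVATE KEY":
		k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		if s, ok := k.(crypto.Signer); ok {
			return s, nil
		}
		return nil, fmt.Errorf("PKCS#8 key of type %T is not a signer", k)
	}
	return nil, fmt.Errorf("unsupported PEM block type %q", block.Type)
}

// certTemplate builds a CA or leaf template; expiry matches ca-config.json above.
func certTemplate(cn string, serial int64, ca bool) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(43800 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.KeyUsage |= x509.KeyUsageCertSign
		t.IsCA = true
		t.BasicConstraintsValid = true
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	return t
}

// buildChain loads a CA key of any supported algorithm, self-signs a CA, issues
// an EC leaf under it and verifies the chain. It returns the leaf's signature
// algorithm, which Go derives from the CA key type.
func buildChain(caKeyPEM []byte) (x509.SignatureAlgorithm, error) {
	caKey, err := loadSigner(caKeyPEM)
	if err != nil {
		return x509.UnknownSignatureAlgorithm, err
	}
	caTmpl := certTemplate("kubernetes", 1, true)
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caKey.Public(), caKey)
	if err != nil {
		return x509.UnknownSignatureAlgorithm, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return x509.UnknownSignatureAlgorithm, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // leaf is always EC here
	if err != nil {
		return x509.UnknownSignatureAlgorithm, err
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, certTemplate("kube-apiserver", 2, false), caCert, leafKey.Public(), caKey)
	if err != nil {
		return x509.UnknownSignatureAlgorithm, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return x509.UnknownSignatureAlgorithm, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return x509.UnknownSignatureAlgorithm, err
	}
	return leaf.SignatureAlgorithm, nil
}

func main() {
	ecPEM, err := generateECKeyPEM()
	if err != nil {
		panic(err)
	}
	// The RSA-only loader reproduces the kubeadm error; the signer path does not.
	if _, err := loadPrivateKeyRSAOnly(ecPEM); err != nil {
		fmt.Println("rsa-only loader:", err)
	}
	alg, err := buildChain(ecPEM)
	if err != nil {
		panic(err)
	}
	fmt.Println("leaf signed with", alg)
}
```

The practical check for anyone hitting the error in the repro is the PEM header of ca.key: cfssl writes "EC PRIVATE KEY" for ECDSA keys, and a loader keyed on "RSA PRIVATE KEY" will refuse that file regardless of the certificate beside it. Note also that mixing algorithms within a chain (an RSA CA signing an EC leaf, or the reverse) is legal X.509 and verifies fine in Go; only the loader's key-type assumption is in the way.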

I'd like to tackle this if nobody is working on it.

@rojkov great
/assign @rojkov
/lifecycle active

@fabriziopandini: GitHub didn't allow me to assign the following users: rojkov.

Note that only kubernetes members and repo collaborators can be assigned and that issues/PRs can only have 10 assignees at the same time.
For more information please see the contributor guide

In response to this:

@rojkov great
/assign @rojkov
/lifecycle active

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

/assign @rojkov
