diff --git a/go.mod b/go.mod index a9ee08457c..11d6bb57ef 100644 --- a/go.mod +++ b/go.mod @@ -98,7 +98,7 @@ require ( github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect github.com/nxadm/tail v1.4.11 // indirect github.com/openshift/api v0.0.1 - github.com/openshift/library-go v0.0.0-20260326200317-12d8376369b7 + github.com/openshift/library-go v0.0.0-20260515113423-dff948b31ae9 github.com/openshift/machine-config-operator v0.0.1-0.20260410020757-449e78f7ec94 github.com/pborman/uuid v1.2.1 github.com/pkg/errors v0.9.1 diff --git a/go.sum b/go.sum index fdfda79f06..d1985db9d4 100644 --- a/go.sum +++ b/go.sum @@ -278,8 +278,8 @@ github.com/openshift/api v0.0.0-20260331162130-f7b3bd900c75 h1:BcNL7bI9rxRQdDVsb github.com/openshift/api v0.0.0-20260331162130-f7b3bd900c75/go.mod h1:pyVjK0nZ4sRs4fuQVQ4rubsJdahI1PB94LnQ8sGdvxo= github.com/openshift/client-go v0.0.0-20260330134249-7e1499aaacd7 h1:5GSoQlywIwYsRCw3qN+ZDmN6HrXTMZfI33bdRNm2jRQ= github.com/openshift/client-go v0.0.0-20260330134249-7e1499aaacd7/go.mod h1:HhXTUIMhgzxR3Ln/zEkr4QjTL0NN7A+t9Py/we9j2ug= -github.com/openshift/library-go v0.0.0-20260326200317-12d8376369b7 h1:GRQO8uAHckyv3vG02M1AkA+b7RNnMxFqaKGxgwgN1Mw= -github.com/openshift/library-go v0.0.0-20260326200317-12d8376369b7/go.mod h1:3bi4pLpYRdVd1aEhsHfRTJkwxwPLfRZ+ZePn3RmJd2k= +github.com/openshift/library-go v0.0.0-20260515113423-dff948b31ae9 h1:/iQeiiRXLm36MxffTZsFbIhS+fkcu3ZoQuYsLhF6oaA= +github.com/openshift/library-go v0.0.0-20260515113423-dff948b31ae9/go.mod h1:gKG9lctU0yEftSoT3DUyeIWz1oAgF0EHUpwI4pnCo4o= github.com/openshift/machine-config-operator v0.0.1-0.20260410020757-449e78f7ec94 h1:yOOrCtGX3QZ8EOjhwjFrR7fOKoFO9CQhT+iOEvzrbrA= github.com/openshift/machine-config-operator v0.0.1-0.20260410020757-449e78f7ec94/go.mod h1:Yw5V0UkMteEhSKJXzCEiyUwOGJ5944HpEX7W9EECV3g= github.com/pborman/uuid v1.2.1 h1:+ZZIw58t/ozdjRaXh/3awHfmWRbzYxJoAdNJxe/3pvw= diff --git a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/client_cert_rotation_controller.go b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/client_cert_rotation_controller.go index f9ad1fc14b..dbacb066e9 100644 --- a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/client_cert_rotation_controller.go +++ b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/client_cert_rotation_controller.go @@ -6,13 +6,12 @@ import ( "time" operatorv1 "github.com/openshift/api/operator/v1" - corev1 "k8s.io/api/core/v1" - "k8s.io/apimachinery/pkg/util/wait" - "github.com/openshift/library-go/pkg/controller/factory" "github.com/openshift/library-go/pkg/operator/condition" "github.com/openshift/library-go/pkg/operator/events" "github.com/openshift/library-go/pkg/operator/v1helpers" + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/util/wait" ) const ( @@ -80,6 +79,7 @@ func NewCertRotationController( RotatedSelfSignedCertKeySecret: rotatedSelfSignedCertKeySecret, StatusReporter: reporter, } + return factory.New(). ResyncEvery(time.Minute). WithSync(c.Sync). diff --git a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/signer.go b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/signer.go index c2c8b8368f..019cce7d5a 100644 --- a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/signer.go +++ b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/signer.go @@ -9,6 +9,7 @@ import ( "github.com/openshift/library-go/pkg/crypto" "github.com/openshift/library-go/pkg/operator/events" "github.com/openshift/library-go/pkg/operator/resource/resourcehelper" + "github.com/openshift/library-go/pkg/pki" corev1 "k8s.io/api/core/v1" apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -48,6 +49,13 @@ type RotatedSigningCASecret struct { // AdditionalAnnotations is a collection of annotations set for the secret AdditionalAnnotations AdditionalAnnotations + // CertificateName is the logical name of this certificate for PKI profile resolution. + CertificateName string + + // PKIProfileProvider, when non-nil, enables ConfigurablePKI certificate + // key algorithm resolution. When nil, legacy certificate generation is used. + PKIProfileProvider pki.PKIProfileProvider + // Plumbing: Informer corev1informers.SecretInformer Lister corev1listers.SecretLister @@ -87,12 +95,12 @@ func (c RotatedSigningCASecret) EnsureSigningCertKeyPair(ctx context.Context) (* // run Update if signer content needs changing signerUpdated := false - if needed, reason := needNewSigningCertKeyPair(signingCertKeyPairSecret, c.Refresh, c.RefreshOnlyWhenExpired); needed || creationRequired { + if needed, reason := c.needNewSigningCertKeyPair(signingCertKeyPairSecret); needed || creationRequired { if creationRequired { reason = "secret doesn't exist" } c.EventRecorder.Eventf("SignerUpdateRequired", "%q in %q requires a new signing cert/key pair: %v", c.Name, c.Namespace, reason) - if err = setSigningCertKeyPairSecretAndTLSAnnotations(signingCertKeyPairSecret, c.Validity, c.Refresh, c.AdditionalAnnotations); err != nil { + if err = c.setSigningCertKeyPairSecretAndTLSAnnotations(signingCertKeyPairSecret); err != nil { return nil, false, err } @@ -149,7 +157,7 @@ func ensureOwnerReference(meta *metav1.ObjectMeta, owner *metav1.OwnerReference) return false } -func needNewSigningCertKeyPair(secret *corev1.Secret, refresh time.Duration, refreshOnlyWhenExpired bool) (bool, string) { +func (c RotatedSigningCASecret) needNewSigningCertKeyPair(secret *corev1.Secret) (bool, string) { annotations := secret.Annotations notBefore, notAfter, reason := getValidityFromAnnotations(annotations) if len(reason) > 0 { @@ -160,7 +168,7 @@ func needNewSigningCertKeyPair(secret *corev1.Secret, refresh time.Duration, ref return true, "already expired" } - if refreshOnlyWhenExpired { + if c.RefreshOnlyWhenExpired { return false, "" } @@ -170,7 +178,7 @@ func needNewSigningCertKeyPair(secret *corev1.Secret, refresh time.Duration, ref return true, fmt.Sprintf("past refresh time (80%% of validity): %v", at80Percent) } - developerSpecifiedRefresh := notBefore.Add(refresh) + developerSpecifiedRefresh := notBefore.Add(c.Refresh) if time.Now().After(developerSpecifiedRefresh) { return true, fmt.Sprintf("past its refresh time %v", developerSpecifiedRefresh) } @@ -199,22 +207,67 @@ func getValidityFromAnnotations(annotations map[string]string) (notBefore time.T return notBefore, notAfter, "" } +func (c RotatedSigningCASecret) resolveKeyPairGenerator() (crypto.KeyPairGenerator, error) { + return resolveKeyPairGeneratorWithFallback(c.PKIProfileProvider, pki.CertificateTypeSigner, c.CertificateName) +} + +// resolveKeyPairGeneratorWithFallback resolves the key pair generator from the +// PKI profile provider. Returns nil for Unmanaged mode (no key override). +// +// TODO(sanchezl): Remove the fallback to DefaultPKIProfile() once installer +// support for the PKI resource is in place. Until then, the PKI resource may +// not exist in TechPreview clusters. Once removed, callers can use +// pki.ResolveCertificateConfig directly. +func resolveKeyPairGeneratorWithFallback(provider pki.PKIProfileProvider, certType pki.CertificateType, name string) (crypto.KeyPairGenerator, error) { + cfg, err := pki.ResolveCertificateConfig(provider, certType, name) + if err != nil { + klog.Warningf("Failed to resolve PKI config for %s %q, falling back to default profile: %v", certType, name, err) + defaultProfile := pki.DefaultPKIProfile() + cfg, err = pki.ResolveCertificateConfig(pki.NewStaticPKIProfileProvider(&defaultProfile), certType, name) + if err != nil { + return nil, err + } + } + if cfg == nil { + return nil, nil + } + return cfg.Key, nil +} + // setSigningCertKeyPairSecretAndTLSAnnotations generates a new signing certificate and key pair, // stores them in the specified secret, and adds predefined TLS annotations to that secret. -func setSigningCertKeyPairSecretAndTLSAnnotations(signingCertKeyPairSecret *corev1.Secret, validity, refresh time.Duration, tlsAnnotations AdditionalAnnotations) error { - ca, err := setSigningCertKeyPairSecret(signingCertKeyPairSecret, validity) +func (c RotatedSigningCASecret) setSigningCertKeyPairSecretAndTLSAnnotations(signingCertKeyPairSecret *corev1.Secret) error { + ca, err := c.setSigningCertKeyPairSecret(signingCertKeyPairSecret) if err != nil { return err } - setTLSAnnotationsOnSigningCertKeyPairSecret(signingCertKeyPairSecret, ca, refresh, tlsAnnotations) + c.setTLSAnnotationsOnSigningCertKeyPairSecret(signingCertKeyPairSecret, ca) return nil } -// setSigningCertKeyPairSecret creates a new signing cert/key pair and sets them in the secret -func setSigningCertKeyPairSecret(signingCertKeyPairSecret *corev1.Secret, validity time.Duration) (*crypto.TLSCertificateConfig, error) { +// setSigningCertKeyPairSecret creates a new signing cert/key pair and sets them in the secret. +func (c RotatedSigningCASecret) setSigningCertKeyPairSecret(signingCertKeyPairSecret *corev1.Secret) (*crypto.TLSCertificateConfig, error) { signerName := fmt.Sprintf("%s_%s@%d", signingCertKeyPairSecret.Namespace, signingCertKeyPairSecret.Name, time.Now().Unix()) - ca, err := crypto.MakeSelfSignedCAConfigForDuration(signerName, validity) + + var ca *crypto.TLSCertificateConfig + var err error + if c.PKIProfileProvider != nil { + keyGen, err := c.resolveKeyPairGenerator() + if err != nil { + return nil, err + } + if keyGen != nil { + ca, err = crypto.NewSigningCertificate(signerName, keyGen, crypto.WithLifetime(c.Validity)) + if err != nil { + return nil, err + } + } + // nil keyGen means Unmanaged: fall through to legacy cert generation + } + if ca == nil { + ca, err = crypto.MakeSelfSignedCAConfigForDuration(signerName, c.Validity) + } if err != nil { return nil, err } @@ -243,11 +296,12 @@ func setSigningCertKeyPairSecret(signingCertKeyPairSecret *corev1.Secret, validi // // These assumptions are safe because this function is only called after the secret // has been initialized in setSigningCertKeyPairSecret. -func setTLSAnnotationsOnSigningCertKeyPairSecret(signingCertKeyPairSecret *corev1.Secret, ca *crypto.TLSCertificateConfig, refresh time.Duration, tlsAnnotations AdditionalAnnotations) { +func (c RotatedSigningCASecret) setTLSAnnotationsOnSigningCertKeyPairSecret(signingCertKeyPairSecret *corev1.Secret, ca *crypto.TLSCertificateConfig) { signingCertKeyPairSecret.Annotations[CertificateIssuer] = ca.Certs[0].Issuer.CommonName + tlsAnnotations := c.AdditionalAnnotations tlsAnnotations.NotBefore = ca.Certs[0].NotBefore.Format(time.RFC3339) tlsAnnotations.NotAfter = ca.Certs[0].NotAfter.Format(time.RFC3339) - tlsAnnotations.RefreshPeriod = refresh.String() + tlsAnnotations.RefreshPeriod = c.Refresh.String() _ = tlsAnnotations.EnsureTLSMetadataUpdate(&signingCertKeyPairSecret.ObjectMeta) } diff --git a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go index 88cd41189e..b76c494402 100644 --- a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go +++ b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go @@ -18,6 +18,7 @@ import ( "github.com/openshift/library-go/pkg/crypto" "github.com/openshift/library-go/pkg/operator/events" "github.com/openshift/library-go/pkg/operator/resource/resourcehelper" + "github.com/openshift/library-go/pkg/pki" corev1informers "k8s.io/client-go/informers/core/v1" corev1client "k8s.io/client-go/kubernetes/typed/core/v1" corev1listers "k8s.io/client-go/listers/core/v1" @@ -64,6 +65,13 @@ type RotatedSelfSignedCertKeySecret struct { // CertCreator does the actual cert generation. CertCreator TargetCertCreator + // CertificateName is the logical name of this certificate for PKI profile resolution. + CertificateName string + + // PKIProfileProvider, when non-nil, enables ConfigurablePKI certificate + // key algorithm resolution. When nil, legacy certificate generation is used. + PKIProfileProvider pki.PKIProfileProvider + // Plumbing: Informer corev1informers.SecretInformer Lister corev1listers.SecretLister @@ -72,12 +80,15 @@ type RotatedSelfSignedCertKeySecret struct { } type TargetCertCreator interface { - // NewCertificate creates a new key-cert pair with the given signer. - NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error) + // NewCertificate creates a new key-cert pair with the given signer. If keyGen + // is non-nil, it is used to generate the key pair; otherwise legacy defaults are used. + NewCertificate(signer *crypto.CA, validity time.Duration, keyGen crypto.KeyPairGenerator) (*crypto.TLSCertificateConfig, error) // NeedNewTargetCertKeyPair decides whether a new cert-key pair is needed. It returns a non-empty reason if it is the case. NeedNewTargetCertKeyPair(currentCertSecret *corev1.Secret, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration, refreshOnlyWhenExpired, creationRequired bool) string // SetAnnotations gives an option to override or set additional annotations SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string + // CertificateType returns the category of certificate this creator produces. + CertificateType() pki.CertificateType } // TargetCertRechecker is an optional interface to be implemented by the TargetCertCreator to enforce @@ -121,7 +132,7 @@ func (c RotatedSelfSignedCertKeySecret) EnsureTargetCertKeyPair(ctx context.Cont if reason := c.CertCreator.NeedNewTargetCertKeyPair(targetCertKeyPairSecret, signingCertKeyPair, caBundleCerts, c.Refresh, c.RefreshOnlyWhenExpired, creationRequired); len(reason) > 0 { c.EventRecorder.Eventf("TargetUpdateRequired", "%q in %q requires a new target cert/key pair: %v", c.Name, c.Namespace, reason) - if err = setTargetCertKeyPairSecretAndTLSAnnotations(targetCertKeyPairSecret, c.Validity, c.Refresh, signingCertKeyPair, c.CertCreator, c.AdditionalAnnotations); err != nil { + if err = c.setTargetCertKeyPairSecretAndTLSAnnotations(targetCertKeyPairSecret, signingCertKeyPair); err != nil { return nil, err } @@ -239,19 +250,19 @@ func needNewTargetCertKeyPairForTime(annotations map[string]string, signer *cryp // setTargetCertKeyPairSecretAndTLSAnnotations generates a new cert/key pair, // stores them in the specified secret, and adds predefined TLS annotations to that secret. -func setTargetCertKeyPairSecretAndTLSAnnotations(targetCertKeyPairSecret *corev1.Secret, validity, refresh time.Duration, signer *crypto.CA, certCreator TargetCertCreator, tlsAnnotations AdditionalAnnotations) error { - certKeyPair, err := setTargetCertKeyPairSecret(targetCertKeyPairSecret, validity, signer, certCreator) +func (c RotatedSelfSignedCertKeySecret) setTargetCertKeyPairSecretAndTLSAnnotations(targetCertKeyPairSecret *corev1.Secret, signer *crypto.CA) error { + certKeyPair, err := c.setTargetCertKeyPairSecret(targetCertKeyPairSecret, signer) if err != nil { return err } - setTLSAnnotationsOnTargetCertKeyPairSecret(targetCertKeyPairSecret, certKeyPair, certCreator, refresh, tlsAnnotations) + c.setTLSAnnotationsOnTargetCertKeyPairSecret(targetCertKeyPairSecret, certKeyPair) return nil } // setTargetCertKeyPairSecret creates a new cert/key pair and sets them in the secret. Only one of client, serving, or signer rotation may be specified. // TODO refactor with an interface for actually signing and move the one-of check higher in the stack. -func setTargetCertKeyPairSecret(targetCertKeyPairSecret *corev1.Secret, validity time.Duration, signer *crypto.CA, certCreator TargetCertCreator) (*crypto.TLSCertificateConfig, error) { +func (c RotatedSelfSignedCertKeySecret) setTargetCertKeyPairSecret(targetCertKeyPairSecret *corev1.Secret, signer *crypto.CA) (*crypto.TLSCertificateConfig, error) { if targetCertKeyPairSecret.Annotations == nil { targetCertKeyPairSecret.Annotations = map[string]string{} } @@ -260,13 +271,22 @@ func setTargetCertKeyPairSecret(targetCertKeyPairSecret *corev1.Secret, validity } // our annotation is based on our cert validity, so we want to make sure that we don't specify something past our signer - targetValidity := validity + targetValidity := c.Validity remainingSignerValidity := signer.Config.Certs[0].NotAfter.Sub(time.Now()) - if remainingSignerValidity < validity { + if remainingSignerValidity < targetValidity { targetValidity = remainingSignerValidity } - certKeyPair, err := certCreator.NewCertificate(signer, targetValidity) + var keyGen crypto.KeyPairGenerator + if c.PKIProfileProvider != nil { + var err error + keyGen, err = c.resolveKeyPairGenerator() + if err != nil { + return nil, err + } + } + + certKeyPair, err := c.CertCreator.NewCertificate(signer, targetValidity, keyGen) if err != nil { return nil, err } @@ -282,22 +302,34 @@ func setTargetCertKeyPairSecret(targetCertKeyPairSecret *corev1.Secret, validity // // These assumptions are safe because this function is only called after the secret // has been initialized in setTargetCertKeyPairSecret. -func setTLSAnnotationsOnTargetCertKeyPairSecret(targetCertKeyPairSecret *corev1.Secret, certKeyPair *crypto.TLSCertificateConfig, certCreator TargetCertCreator, refresh time.Duration, tlsAnnotations AdditionalAnnotations) { +func (c RotatedSelfSignedCertKeySecret) setTLSAnnotationsOnTargetCertKeyPairSecret(targetCertKeyPairSecret *corev1.Secret, certKeyPair *crypto.TLSCertificateConfig) { targetCertKeyPairSecret.Annotations[CertificateIssuer] = certKeyPair.Certs[0].Issuer.CommonName + tlsAnnotations := c.AdditionalAnnotations tlsAnnotations.NotBefore = certKeyPair.Certs[0].NotBefore.Format(time.RFC3339) tlsAnnotations.NotAfter = certKeyPair.Certs[0].NotAfter.Format(time.RFC3339) - tlsAnnotations.RefreshPeriod = refresh.String() + tlsAnnotations.RefreshPeriod = c.Refresh.String() _ = tlsAnnotations.EnsureTLSMetadataUpdate(&targetCertKeyPairSecret.ObjectMeta) - certCreator.SetAnnotations(certKeyPair, targetCertKeyPairSecret.Annotations) + c.CertCreator.SetAnnotations(certKeyPair, targetCertKeyPairSecret.Annotations) +} + +func (c RotatedSelfSignedCertKeySecret) resolveKeyPairGenerator() (crypto.KeyPairGenerator, error) { + return resolveKeyPairGeneratorWithFallback(c.PKIProfileProvider, c.CertCreator.CertificateType(), c.CertificateName) } type ClientRotation struct { UserInfo user.Info } -func (r *ClientRotation) NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error) { +func (r *ClientRotation) CertificateType() pki.CertificateType { + return pki.CertificateTypeClient +} + +func (r *ClientRotation) NewCertificate(signer *crypto.CA, validity time.Duration, keyGen crypto.KeyPairGenerator) (*crypto.TLSCertificateConfig, error) { + if keyGen != nil { + return signer.NewClientCertificate(r.UserInfo, keyGen, crypto.WithLifetime(validity)) + } return signer.MakeClientCertificateForDuration(r.UserInfo, validity) } @@ -315,11 +347,23 @@ type ServingRotation struct { HostnamesChanged <-chan struct{} } -func (r *ServingRotation) NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error) { - if len(r.Hostnames()) == 0 { +func (r *ServingRotation) CertificateType() pki.CertificateType { + return pki.CertificateTypeServing +} + +func (r *ServingRotation) NewCertificate(signer *crypto.CA, validity time.Duration, keyGen crypto.KeyPairGenerator) (*crypto.TLSCertificateConfig, error) { + hostnames := r.Hostnames() + if len(hostnames) == 0 { return nil, fmt.Errorf("no hostnames set") } - return signer.MakeServerCertForDuration(sets.New(r.Hostnames()...), validity, r.CertificateExtensionFn...) + if keyGen != nil { + return signer.NewServerCertificate( + sets.New(hostnames...), keyGen, + crypto.WithLifetime(validity), + crypto.WithExtensions(r.CertificateExtensionFn...), + ) + } + return signer.MakeServerCertForDuration(sets.New(hostnames...), validity, r.CertificateExtensionFn...) } func (r *ServingRotation) RecheckChannel() <-chan struct{} { @@ -336,18 +380,25 @@ func (r *ServingRotation) NeedNewTargetCertKeyPair(currentCertSecret *corev1.Sec } func (r *ServingRotation) missingHostnames(annotations map[string]string) string { + return missingHostnames(annotations, r.Hostnames()) +} + +func (r *ServingRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string { + return setHostnameAnnotations(cert, annotations) +} + +func missingHostnames(annotations map[string]string, hostnames []string) string { existingHostnames := sets.New(strings.Split(annotations[CertificateHostnames], ",")...) - requiredHostnames := sets.New(r.Hostnames()...) + requiredHostnames := sets.New(hostnames...) if !existingHostnames.Equal(requiredHostnames) { existingNotRequired := existingHostnames.Difference(requiredHostnames) requiredNotExisting := requiredHostnames.Difference(existingHostnames) return fmt.Sprintf("%q are existing and not required, %q are required and not existing", strings.Join(sets.List(existingNotRequired), ","), strings.Join(sets.List(requiredNotExisting), ",")) } - return "" } -func (r *ServingRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string { +func setHostnameAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string { hostnames := sets.Set[string]{} for _, ip := range cert.Certs[0].IPAddresses { hostnames.Insert(ip.String()) @@ -355,7 +406,6 @@ func (r *ServingRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, anno for _, dnsName := range cert.Certs[0].DNSNames { hostnames.Insert(dnsName) } - // List does a sort so that we have a consistent representation annotations[CertificateHostnames] = strings.Join(sets.List(hostnames), ",") return annotations @@ -367,11 +417,81 @@ type SignerRotation struct { SignerName string } -func (r *SignerRotation) NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error) { +func (r *SignerRotation) CertificateType() pki.CertificateType { + return pki.CertificateTypeSigner +} + +func (r *SignerRotation) NewCertificate(signer *crypto.CA, validity time.Duration, keyGen crypto.KeyPairGenerator) (*crypto.TLSCertificateConfig, error) { signerName := fmt.Sprintf("%s_@%d", r.SignerName, time.Now().Unix()) + if keyGen != nil { + return crypto.NewSigningCertificate(signerName, keyGen, + crypto.WithSigner(signer), + crypto.WithLifetime(validity), + ) + } return crypto.MakeCAConfigForDuration(signerName, validity, signer) } +// PeerRotation creates certificates used for both server and client authentication +// (e.g., etcd peer certificates). It uses CertificateTypePeer for PKI profile +// resolution, which selects the stronger of the serving and client key configurations. +// +// When keyGen is non-nil (ConfigurablePKI enabled), it calls NewPeerCertificate +// which requires UserInfo for the client identity. When keyGen is nil (legacy), +// it falls back to MakeServerCertForDuration with an extension function that +// sets both ClientAuth and ServerAuth ExtKeyUsages. +type PeerRotation struct { + Hostnames ServingHostnameFunc + UserInfo user.Info + CertificateExtensionFn []crypto.CertificateExtensionFunc + HostnamesChanged <-chan struct{} +} + +func (r *PeerRotation) CertificateType() pki.CertificateType { + return pki.CertificateTypePeer +} + +func (r *PeerRotation) NewCertificate(signer *crypto.CA, validity time.Duration, keyGen crypto.KeyPairGenerator) (*crypto.TLSCertificateConfig, error) { + hostnames := r.Hostnames() + if len(hostnames) == 0 { + return nil, fmt.Errorf("no hostnames set") + } + if keyGen != nil { + if r.UserInfo == nil { + return nil, fmt.Errorf("PeerRotation requires UserInfo for configurable PKI certificates") + } + return signer.NewPeerCertificate( + sets.New(hostnames...), r.UserInfo, keyGen, + crypto.WithLifetime(validity), + crypto.WithExtensions(r.CertificateExtensionFn...), + ) + } + // Legacy path: use server cert template with extension fn to add both ExtKeyUsages. + // The subject CN comes from the first hostname (preserves current behavior). + peerExtFn := func(cert *x509.Certificate) error { + cert.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth} + return nil + } + extensions := append(append([]crypto.CertificateExtensionFunc{}, r.CertificateExtensionFn...), peerExtFn) + return signer.MakeServerCertForDuration(sets.New(hostnames...), validity, extensions...) +} + +func (r *PeerRotation) RecheckChannel() <-chan struct{} { + return r.HostnamesChanged +} + +func (r *PeerRotation) NeedNewTargetCertKeyPair(currentCertSecret *corev1.Secret, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration, refreshOnlyWhenExpired, creationRequired bool) string { + reason := needNewTargetCertKeyPair(currentCertSecret, signer, caBundleCerts, refresh, refreshOnlyWhenExpired, creationRequired) + if len(reason) > 0 { + return reason + } + return missingHostnames(currentCertSecret.Annotations, r.Hostnames()) +} + +func (r *PeerRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string { + return setHostnameAnnotations(cert, annotations) +} + func (r *SignerRotation) NeedNewTargetCertKeyPair(currentCertSecret *corev1.Secret, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration, refreshOnlyWhenExpired, exists bool) string { return needNewTargetCertKeyPair(currentCertSecret, signer, caBundleCerts, refresh, refreshOnlyWhenExpired, exists) } diff --git a/vendor/github.com/openshift/library-go/pkg/pki/profile.go b/vendor/github.com/openshift/library-go/pkg/pki/profile.go new file mode 100644 index 0000000000..6f534c94f0 --- /dev/null +++ b/vendor/github.com/openshift/library-go/pkg/pki/profile.go @@ -0,0 +1,114 @@ +package pki + +import ( + "fmt" + + configv1alpha1 "github.com/openshift/api/config/v1alpha1" + "github.com/openshift/library-go/pkg/crypto" +) + +// DefaultPKIProfile returns the default PKIProfile for OpenShift. +func DefaultPKIProfile() configv1alpha1.PKIProfile { + return configv1alpha1.PKIProfile{ + Defaults: configv1alpha1.DefaultCertificateConfig{ + Key: configv1alpha1.KeyConfig{ + Algorithm: configv1alpha1.KeyAlgorithmECDSA, + ECDSA: configv1alpha1.ECDSAKeyConfig{Curve: configv1alpha1.ECDSACurveP256}, + }, + }, + SignerCertificates: configv1alpha1.CertificateConfig{ + Key: configv1alpha1.KeyConfig{ + Algorithm: configv1alpha1.KeyAlgorithmECDSA, + ECDSA: configv1alpha1.ECDSAKeyConfig{Curve: configv1alpha1.ECDSACurveP384}, + }, + }, + } +} + +// KeyPairGeneratorFromAPI converts a configv1alpha1.KeyConfig to a +// crypto.KeyPairGenerator. +func KeyPairGeneratorFromAPI(apiKey configv1alpha1.KeyConfig) (crypto.KeyPairGenerator, error) { + switch apiKey.Algorithm { + case configv1alpha1.KeyAlgorithmRSA: + return crypto.RSAKeyPairGenerator{ + Bits: int(apiKey.RSA.KeySize), + }, nil + case configv1alpha1.KeyAlgorithmECDSA: + curve, err := ecdsaCurveFromAPI(apiKey.ECDSA.Curve) + if err != nil { + return nil, err + } + return crypto.ECDSAKeyPairGenerator{ + Curve: curve, + }, nil + default: + return nil, fmt.Errorf("unknown key algorithm: %q", apiKey.Algorithm) + } +} + +// ecdsaCurveFromAPI converts an API ECDSA curve name to the crypto package's ECDSACurve. +func ecdsaCurveFromAPI(c configv1alpha1.ECDSACurve) (crypto.ECDSACurve, error) { + switch c { + case configv1alpha1.ECDSACurveP256: + return crypto.P256, nil + case configv1alpha1.ECDSACurveP384: + return crypto.P384, nil + case configv1alpha1.ECDSACurveP521: + return crypto.P521, nil + default: + return "", fmt.Errorf("unknown ECDSA curve: %q", c) + } +} + +// securityBits returns the NIST security strength in bits for a given +// KeyPairGenerator. For RSA, values come from the rsaSecurityStrength table. +// For ECDSA, security strength is half the key size (fixed per curve). +func securityBits(g crypto.KeyPairGenerator) int { + switch g := g.(type) { + case crypto.RSAKeyPairGenerator: + return rsaSecurityStrength[g.Bits] + case crypto.ECDSAKeyPairGenerator: + switch g.Curve { + case crypto.P256: + return 128 + case crypto.P384: + return 192 + case crypto.P521: + return 256 + } + } + return 0 +} + +// rsaSecurityStrength maps RSA key sizes (2048-8192 in 1024-bit increments) +// to their security strengths from NIST SP 800-56B Rev 2 Table 2 or +// pre-calculated from the GNFS complexity estimate. +var rsaSecurityStrength = map[int]int{ + 2048: 112, + 3072: 128, + 4096: 152, + 5120: 168, + 6144: 176, + 7168: 192, + 8192: 200, +} + +// strongerKeyPairGenerator returns whichever of a or b provides higher NIST +// security strength. In case of a tie, ECDSA is preferred over RSA. +func strongerKeyPairGenerator(a, b crypto.KeyPairGenerator) crypto.KeyPairGenerator { + sa, sb := securityBits(a), securityBits(b) + if sb > sa { + return b + } + if sa > sb { + return a + } + // Equal strength: prefer ECDSA over RSA. + if _, ok := a.(crypto.ECDSAKeyPairGenerator); ok { + return a + } + if _, ok := b.(crypto.ECDSAKeyPairGenerator); ok { + return b + } + return a +} diff --git a/vendor/github.com/openshift/library-go/pkg/pki/provider.go b/vendor/github.com/openshift/library-go/pkg/pki/provider.go new file mode 100644 index 0000000000..2007aa890e --- /dev/null +++ b/vendor/github.com/openshift/library-go/pkg/pki/provider.go @@ -0,0 +1,75 @@ +package pki + +import ( + "fmt" + + configv1alpha1 "github.com/openshift/api/config/v1alpha1" + configv1alpha1listers "github.com/openshift/client-go/config/listers/config/v1alpha1" +) + +// PKIProfileProvider provides the PKIProfile that determines certificate key +// configuration. A nil profile indicates Unmanaged mode where the caller +// should use its own defaults. +type PKIProfileProvider interface { + PKIProfile() (*configv1alpha1.PKIProfile, error) +} + +// StaticPKIProfileProvider is a PKIProfileProvider backed by a fixed PKIProfile. +type StaticPKIProfileProvider struct { + profile *configv1alpha1.PKIProfile +} + +// NewStaticPKIProfileProvider returns a PKIProfileProvider backed by the given +// profile. A nil profile signals Unmanaged mode. +func NewStaticPKIProfileProvider(profile *configv1alpha1.PKIProfile) *StaticPKIProfileProvider { + return &StaticPKIProfileProvider{profile: profile} +} + +// PKIProfile returns the static PKIProfile. +func (s *StaticPKIProfileProvider) PKIProfile() (*configv1alpha1.PKIProfile, error) { + return s.profile, nil +} + +// ListerPKIProfileProvider is a PKIProfileProvider that reads a named +// cluster-scoped PKI resource via a lister. +type ListerPKIProfileProvider struct { + lister configv1alpha1listers.PKILister + resourceName string +} + +// NewClusterPKIProfileProvider creates a PKIProfileProvider that resolves the +// PKIProfile from the OpenShift cluster configuration PKI resource. +func NewClusterPKIProfileProvider(lister configv1alpha1listers.PKILister) *ListerPKIProfileProvider { + return NewListerPKIProfileProvider(lister, "cluster") +} + +// NewListerPKIProfileProvider returns a PKIProfileProvider that reads the +// named cluster-scoped PKI resource via a lister. +func NewListerPKIProfileProvider(lister configv1alpha1listers.PKILister, resourceName string) *ListerPKIProfileProvider { + return &ListerPKIProfileProvider{ + lister: lister, + resourceName: resourceName, + } +} + +// PKIProfile reads the PKI resource and returns the profile based on its +// certificate management mode. Returns nil for Unmanaged mode. +func (l *ListerPKIProfileProvider) PKIProfile() (*configv1alpha1.PKIProfile, error) { + pki, err := l.lister.Get(l.resourceName) + if err != nil { + return nil, fmt.Errorf("failed to get PKI resource %q: %w", l.resourceName, err) + } + + switch pki.Spec.CertificateManagement.Mode { + case configv1alpha1.PKICertificateManagementModeUnmanaged: + return nil, nil + case configv1alpha1.PKICertificateManagementModeDefault: + profile := DefaultPKIProfile() + return &profile, nil + case configv1alpha1.PKICertificateManagementModeCustom: + profile := pki.Spec.CertificateManagement.Custom.PKIProfile + return &profile, nil + default: + return nil, fmt.Errorf("unknown PKI certificate management mode: %q", pki.Spec.CertificateManagement.Mode) + } +} diff --git a/vendor/github.com/openshift/library-go/pkg/pki/resolve.go b/vendor/github.com/openshift/library-go/pkg/pki/resolve.go new file mode 100644 index 0000000000..1154fd48ea --- /dev/null +++ b/vendor/github.com/openshift/library-go/pkg/pki/resolve.go @@ -0,0 +1,77 @@ +package pki + +import ( + "fmt" + + configv1alpha1 "github.com/openshift/api/config/v1alpha1" + "github.com/openshift/library-go/pkg/crypto" +) + +// CertificateConfig holds the resolved configuration for a specific certificate. +// Currently contains key configuration; will grow as the PKI API expands to +// include additional certificate properties. +type CertificateConfig struct { + // Key is the resolved key pair generator. + Key crypto.KeyPairGenerator +} + +// ResolveCertificateConfig resolves the effective certificate configuration +// for a given certificate type and name from the PKI profile. +// +// Returns nil if the provider returns a nil profile (Unmanaged mode), +// indicating that the caller should use its own default behavior. +// +// The name parameter is reserved for future per-certificate overrides and +// can be used for metrics and logging. +func ResolveCertificateConfig(provider PKIProfileProvider, certType CertificateType, name string) (*CertificateConfig, error) { + profile, err := provider.PKIProfile() + if err != nil { + return nil, fmt.Errorf("resolving PKI profile for %s certificate %q: %w", certType, name, err) + } + if profile == nil { + return nil, nil + } + + switch certType { + case CertificateTypeSigner: + return resolveKeyConfig(profile.Defaults, profile.SignerCertificates) + case CertificateTypeServing: + return resolveKeyConfig(profile.Defaults, profile.ServingCertificates) + case CertificateTypeClient: + return resolveKeyConfig(profile.Defaults, profile.ClientCertificates) + case CertificateTypePeer: + return resolvePeerKeyConfig(profile) + default: + return nil, fmt.Errorf("unknown certificate type: %q", certType) + } +} + +// resolveKeyConfig returns the override KeyConfig if its Algorithm is set, +// otherwise falls back to the default. +func resolveKeyConfig(defaults configv1alpha1.DefaultCertificateConfig, override configv1alpha1.CertificateConfig) (*CertificateConfig, error) { + apiKey := defaults.Key + if override.Key.Algorithm != "" { + apiKey = override.Key + } + g, err := KeyPairGeneratorFromAPI(apiKey) + if err != nil { + return nil, err + } + return &CertificateConfig{Key: g}, nil +} + +// resolvePeerKeyConfig resolves both the serving and client configs and +// returns whichever has higher NIST security strength. +func resolvePeerKeyConfig(profile *configv1alpha1.PKIProfile) (*CertificateConfig, error) { + servingCfg, err := resolveKeyConfig(profile.Defaults, profile.ServingCertificates) + if err != nil { + return nil, fmt.Errorf("resolving serving config for peer: %w", err) + } + clientCfg, err := resolveKeyConfig(profile.Defaults, profile.ClientCertificates) + if err != nil { + return nil, fmt.Errorf("resolving client config for peer: %w", err) + } + return &CertificateConfig{ + Key: strongerKeyPairGenerator(servingCfg.Key, clientCfg.Key), + }, nil +} diff --git a/vendor/github.com/openshift/library-go/pkg/pki/types.go b/vendor/github.com/openshift/library-go/pkg/pki/types.go new file mode 100644 index 0000000000..2cf8282255 --- /dev/null +++ b/vendor/github.com/openshift/library-go/pkg/pki/types.go @@ -0,0 +1,23 @@ +package pki + +// CertificateType identifies the category of a certificate for profile resolution. +type CertificateType string + +const ( + // CertificateTypeSigner identifies certificate authority (CA) certificates + // that sign other certificates. + CertificateTypeSigner CertificateType = "signer" + + // CertificateTypeServing identifies TLS server certificates used to serve + // HTTPS endpoints. + CertificateTypeServing CertificateType = "serving" + + // CertificateTypeClient identifies client authentication certificates used + // to authenticate to servers. + CertificateTypeClient CertificateType = "client" + + // CertificateTypePeer identifies certificates used for both server and client + // authentication. The resolved key configuration is the stronger of the + // serving and client configurations. + CertificateTypePeer CertificateType = "peer" +) diff --git a/vendor/modules.txt b/vendor/modules.txt index 9376b5a739..b9f2a1a280 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -677,7 +677,7 @@ github.com/openshift/client-go/route/informers/externalversions/internalinterfac github.com/openshift/client-go/route/informers/externalversions/route github.com/openshift/client-go/route/informers/externalversions/route/v1 github.com/openshift/client-go/route/listers/route/v1 -# github.com/openshift/library-go v0.0.0-20260326200317-12d8376369b7 +# github.com/openshift/library-go v0.0.0-20260515113423-dff948b31ae9 ## explicit; go 1.25.0 github.com/openshift/library-go/pkg/apiserver/jsonpatch github.com/openshift/library-go/pkg/certs @@ -700,6 +700,7 @@ github.com/openshift/library-go/pkg/operator/resource/resourcemerge github.com/openshift/library-go/pkg/operator/resource/resourceread github.com/openshift/library-go/pkg/operator/resourcesynccontroller github.com/openshift/library-go/pkg/operator/v1helpers +github.com/openshift/library-go/pkg/pki # github.com/openshift/machine-config-operator v0.0.1-0.20260410020757-449e78f7ec94 ## explicit; go 1.25.3 github.com/openshift/machine-config-operator/internal/clients