From 09dad084ac3e792a43d326b2c2136f9dbf2bed83 Mon Sep 17 00:00:00 2001
From: Martin Weindel Alerting contains configuration for alerting of certificate expiration. PrivateKeyDefaults default algorithm and sizes for certificate private keys.
+(Appears on:
+CertConfig)
+
+ PrivateKeyDefaults default algorithm and sizes for certificate private keys.
+
+
+privateKeyDefaults
+
+
+PrivateKeyDefaults
+
+
+
+(Optional)
+
+ACMEExternalAccountBinding
@@ -409,6 +423,61 @@ Format
host
or host:port
, e.g. “8.8.8.8” s
+PrivateKeyDefaults
+
+
Field | +Description | +
---|---|
+algorithm
+
+string
+
+ |
+
+(Optional)
+ Algorithm is the default algorithm (‘RSA’ or ‘ECDSA’) + |
+
+sizeRSA
+
+int
+
+ |
+
+(Optional)
+ SizeRSA is the default size for RSA algorithm. + |
+
+sizeECDSA
+
+int
+
+ |
+
+(Optional)
+ SizeECDSA is the default size for ECDSA algorithm. + |
+
diff --git a/pkg/apis/service/types.go b/pkg/apis/service/types.go
index 3228dd948..c77f7b866 100644
--- a/pkg/apis/service/types.go
+++ b/pkg/apis/service/types.go
@@ -31,6 +31,19 @@ type CertConfig struct {
 	// Alerting contains configuration for alerting of certificate expiration.
 	Alerting *Alerting
+
+	// PrivateKeyDefaults default algorithm and sizes for certificate private keys.
+	PrivateKeyDefaults *PrivateKeyDefaults
+}
+
+// PrivateKeyDefaults default algorithm and sizes for certificate private keys.
+type PrivateKeyDefaults struct {
+	// Algorithm is the default algorithm ('RSA' or 'ECDSA')
+	Algorithm *string
+	// SizeRSA is the default size for RSA algorithm.
+	SizeRSA *int
+	// SizeECDSA is the default size for ECDSA algorithm.
+	SizeECDSA *int
 }
 
 // Alerting contains configuration for alerting of certificate expiration.
diff --git a/pkg/apis/service/v1alpha1/types.go b/pkg/apis/service/v1alpha1/types.go
index e3bb85a8f..f1862d01f 100644
--- a/pkg/apis/service/v1alpha1/types.go
+++ b/pkg/apis/service/v1alpha1/types.go
@@ -57,6 +57,23 @@ type CertConfig struct {
 	// Alerting contains configuration for alerting of certificate expiration.
 	// +optional
 	Alerting *Alerting `json:"alerting,omitempty"`
+
+	// PrivateKeyDefaults default algorithm and sizes for certificate private keys.
+	// +optional
+	PrivateKeyDefaults *PrivateKeyDefaults `json:"privateKeyDefaults,omitempty"`
+}
+
+// PrivateKeyDefaults default algorithm and sizes for certificate private keys.
+type PrivateKeyDefaults struct {
+	// Algorithm is the default algorithm ('RSA' or 'ECDSA')
+	// +optional
+	Algorithm *string `json:"algorithm,omitempty"`
+	// SizeRSA is the default size for RSA algorithm.
+	// +optional
+	SizeRSA *int `json:"sizeRSA,omitempty"`
+	// SizeECDSA is the default size for ECDSA algorithm.
+	// +optional
+	SizeECDSA *int `json:"sizeECDSA,omitempty"`
 }
 
 // Alerting contains configuration for alerting of certificate expiration.
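Review bot: The new `PrivateKeyDefaults` fields in both `types.go` hunks here take free-form values — `Algorithm *string` and unbounded `SizeRSA`/`SizeECDSA` ints — and nothing in this commit validates them, so a misspelt algorithm or an undersized key (say RSA below 2048 bits) is accepted by the API and only fails, or may weaken issued certificates, downstream in the cert-management component. Unless the extension's validation package already covers `CertConfig` (not in this diff), the admission-side validation should reject algorithms other than `RSA`/`ECDSA` and sizes outside the set the deployed component supports, since the v1alpha1-to-internal conversion is an unchecked pointer cast. The doc comments should also state the accepted values rather than just naming the field, e.g. `// SizeRSA is the default key size in bits for the RSA algorithm; only sizes accepted by cert-management are valid.` and likewise for `SizeECDSA`. If the project generates CRD schemas from markers, the `v1alpha1` hunk could additionally carry `// +kubebuilder:validation:Enum=RSA;ECDSA` on `Algorithm`.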
diff --git a/pkg/apis/service/v1alpha1/zz_generated.conversion.go b/pkg/apis/service/v1alpha1/zz_generated.conversion.go index 5607c241f..04afbe7d4 100644 --- a/pkg/apis/service/v1alpha1/zz_generated.conversion.go +++ b/pkg/apis/service/v1alpha1/zz_generated.conversion.go @@ -84,6 +84,16 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } + if err := s.AddGeneratedConversionFunc((*PrivateKeyDefaults)(nil), (*service.PrivateKeyDefaults)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_PrivateKeyDefaults_To_service_PrivateKeyDefaults(a.(*PrivateKeyDefaults), b.(*service.PrivateKeyDefaults), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*service.PrivateKeyDefaults)(nil), (*PrivateKeyDefaults)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_service_PrivateKeyDefaults_To_v1alpha1_PrivateKeyDefaults(a.(*service.PrivateKeyDefaults), b.(*PrivateKeyDefaults), scope) + }); err != nil { + return err + } if err := s.AddGeneratedConversionFunc((*ShootIssuers)(nil), (*service.ShootIssuers)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_v1alpha1_ShootIssuers_To_service_ShootIssuers(a.(*ShootIssuers), b.(*service.ShootIssuers), scope) }); err != nil { @@ -145,6 +155,7 @@ func autoConvert_v1alpha1_CertConfig_To_service_CertConfig(in *CertConfig, out * out.ShootIssuers = (*service.ShootIssuers)(unsafe.Pointer(in.ShootIssuers)) out.PrecheckNameservers = (*string)(unsafe.Pointer(in.PrecheckNameservers)) out.Alerting = (*service.Alerting)(unsafe.Pointer(in.Alerting)) + out.PrivateKeyDefaults = (*service.PrivateKeyDefaults)(unsafe.Pointer(in.PrivateKeyDefaults)) return nil } 
@@ -159,6 +170,7 @@ func autoConvert_service_CertConfig_To_v1alpha1_CertConfig(in *service.CertConfi out.ShootIssuers = (*ShootIssuers)(unsafe.Pointer(in.ShootIssuers)) out.PrecheckNameservers = (*string)(unsafe.Pointer(in.PrecheckNameservers)) out.Alerting = (*Alerting)(unsafe.Pointer(in.Alerting)) + out.PrivateKeyDefaults = (*PrivateKeyDefaults)(unsafe.Pointer(in.PrivateKeyDefaults)) return nil } 
@@ -249,6 +261,30 @@ func Convert_service_IssuerConfig_To_v1alpha1_IssuerConfig(in *service.IssuerCon return autoConvert_service_IssuerConfig_To_v1alpha1_IssuerConfig(in, out, s) } +func autoConvert_v1alpha1_PrivateKeyDefaults_To_service_PrivateKeyDefaults(in *PrivateKeyDefaults, out *service.PrivateKeyDefaults, s conversion.Scope) error { + out.Algorithm = (*string)(unsafe.Pointer(in.Algorithm)) + out.SizeRSA = (*int)(unsafe.Pointer(in.SizeRSA)) + out.SizeECDSA = (*int)(unsafe.Pointer(in.SizeECDSA)) + return nil +} + +// Convert_v1alpha1_PrivateKeyDefaults_To_service_PrivateKeyDefaults is an autogenerated conversion function. +func Convert_v1alpha1_PrivateKeyDefaults_To_service_PrivateKeyDefaults(in *PrivateKeyDefaults, out *service.PrivateKeyDefaults, s conversion.Scope) error { + return autoConvert_v1alpha1_PrivateKeyDefaults_To_service_PrivateKeyDefaults(in, out, s) +} + +func autoConvert_service_PrivateKeyDefaults_To_v1alpha1_PrivateKeyDefaults(in *service.PrivateKeyDefaults, out *PrivateKeyDefaults, s conversion.Scope) error { + out.Algorithm = (*string)(unsafe.Pointer(in.Algorithm)) + out.SizeRSA = (*int)(unsafe.Pointer(in.SizeRSA)) + out.SizeECDSA = (*int)(unsafe.Pointer(in.SizeECDSA)) + return nil +} + +// Convert_service_PrivateKeyDefaults_To_v1alpha1_PrivateKeyDefaults is an autogenerated conversion function. +func Convert_service_PrivateKeyDefaults_To_v1alpha1_PrivateKeyDefaults(in *service.PrivateKeyDefaults, out *PrivateKeyDefaults, s conversion.Scope) error { + return autoConvert_service_PrivateKeyDefaults_To_v1alpha1_PrivateKeyDefaults(in, out, s) +} + func autoConvert_v1alpha1_ShootIssuers_To_service_ShootIssuers(in *ShootIssuers, out *service.ShootIssuers, s conversion.Scope) error { out.Enabled = in.Enabled return nil diff --git a/pkg/apis/service/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/service/v1alpha1/zz_generated.deepcopy.go index 89e0d7146..ac5ab86bf 100644 --- a/pkg/apis/service/v1alpha1/zz_generated.deepcopy.go 
+++ b/pkg/apis/service/v1alpha1/zz_generated.deepcopy.go @@ -81,6 +81,11 @@ func (in *CertConfig) DeepCopyInto(out *CertConfig) { *out = new(Alerting) (*in).DeepCopyInto(*out) } + if in.PrivateKeyDefaults != nil { + in, out := &in.PrivateKeyDefaults, &out.PrivateKeyDefaults + *out = new(PrivateKeyDefaults) + (*in).DeepCopyInto(*out) + } return } @@ -195,6 +200,37 @@ func (in *IssuerConfig) DeepCopy() *IssuerConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PrivateKeyDefaults) DeepCopyInto(out *PrivateKeyDefaults) { + *out = *in + if in.Algorithm != nil { + in, out := &in.Algorithm, &out.Algorithm + *out = new(string) + **out = **in + } + if in.SizeRSA != nil { + in, out := &in.SizeRSA, &out.SizeRSA + *out = new(int) + **out = **in + } + if in.SizeECDSA != nil { + in, out := &in.SizeECDSA, &out.SizeECDSA + *out = new(int) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PrivateKeyDefaults. +func (in *PrivateKeyDefaults) DeepCopy() *PrivateKeyDefaults { + if in == nil { + return nil + } + out := new(PrivateKeyDefaults) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ShootIssuers) DeepCopyInto(out *ShootIssuers) { *out = *in diff --git a/pkg/apis/service/zz_generated.deepcopy.go b/pkg/apis/service/zz_generated.deepcopy.go index ea2190aac..2f4d88231 100644 --- a/pkg/apis/service/zz_generated.deepcopy.go +++ b/pkg/apis/service/zz_generated.deepcopy.go @@ -81,6 +81,11 @@ func (in *CertConfig) DeepCopyInto(out *CertConfig) { *out = new(Alerting) (*in).DeepCopyInto(*out) } + if in.PrivateKeyDefaults != nil { + in, out := &in.PrivateKeyDefaults, &out.PrivateKeyDefaults + *out = new(PrivateKeyDefaults) + (*in).DeepCopyInto(*out) + } return } 
@@ -195,6 +200,37 @@ func (in *IssuerConfig) DeepCopy() *IssuerConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PrivateKeyDefaults) DeepCopyInto(out *PrivateKeyDefaults) { + *out = *in + if in.Algorithm != nil { + in, out := &in.Algorithm, &out.Algorithm + *out = new(string) + **out = **in + } + if in.SizeRSA != nil { + in, out := &in.SizeRSA, &out.SizeRSA + *out = new(int) + **out = **in + } + if in.SizeECDSA != nil { + in, out := &in.SizeECDSA, &out.SizeECDSA + *out = new(int) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PrivateKeyDefaults. +func (in *PrivateKeyDefaults) DeepCopy() *PrivateKeyDefaults { + if in == nil { + return nil + } + out := new(PrivateKeyDefaults) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ShootIssuers) DeepCopyInto(out *ShootIssuers) { *out = *in diff --git a/pkg/controller/actuator.go b/pkg/controller/actuator.go index b24f9b1f2..00c8dafc8 100644 --- a/pkg/controller/actuator.go +++ b/pkg/controller/actuator.go 
@@ -302,6 +302,20 @@ func (a *actuator) createSeedResources(ctx context.Context, certConfig *service.
 		cfg["certExpirationAlertDays"] = *certConfig.Alerting.CertExpirationAlertDays
 	}
 
+	if certConfig.PrivateKeyDefaults != nil {
+		defaults := map[string]interface{}{}
+		if certConfig.PrivateKeyDefaults.Algorithm != nil {
+			defaults["algorithm"] = *certConfig.PrivateKeyDefaults.Algorithm
+		}
+		if certConfig.PrivateKeyDefaults.SizeRSA != nil {
+			defaults["sizeRSA"] = *certConfig.PrivateKeyDefaults.SizeRSA
+		}
+		if certConfig.PrivateKeyDefaults.SizeECDSA != nil {
+			defaults["sizeECDSA"] = *certConfig.PrivateKeyDefaults.SizeECDSA
+		}
+		cfg["privateKeyDefaults"] = defaults
+	}
+
 	certManagementConfig, err = chart.InjectImages(certManagementConfig, imagevector.ImageVector(), []string{v1alpha1.CertManagementImageName})
 	if err != nil {
 		return fmt.Errorf("failed to find image version for %s: %v", v1alpha1.CertManagementImageName, err)
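Review bot: The values copied into `cfg["privateKeyDefaults"]` are passed straight through to the chart without any check, so an unsupported `Algorithm` (for example lower-case `rsa`) or a key size the deployed component does not accept is only detected after the seed resources are applied, and the failure surfaces far from the configuration that caused it. Unless the API validation layer rejects these first (not part of this diff), the actuator should validate here and return a `fmt.Errorf`, matching the function's existing error style; a lower bound on `SizeRSA` (2048 bits is the usual floor) belongs in the same place. A smaller point: when `PrivateKeyDefaults` is set but every field is nil, an empty map is still emitted under `privateKeyDefaults`, which is probably harmless but deserves either a comment or a `len(defaults) > 0` guard. `createSeedResources` begins before this hunk.
```go
	if certConfig.PrivateKeyDefaults != nil {
		defaults := map[string]interface{}{}
		if alg := certConfig.PrivateKeyDefaults.Algorithm; alg != nil {
			// Reject unknown algorithms at reconcile time instead of letting the deployed chart fail later.
			if *alg != "RSA" && *alg != "ECDSA" {
				return fmt.Errorf("unsupported private key algorithm %q (expected RSA or ECDSA)", *alg)
			}
			defaults["algorithm"] = *alg
		}
		// … unchanged: sizeRSA / sizeECDSA handling …
		if len(defaults) > 0 {
			cfg["privateKeyDefaults"] = defaults
		}
	}
```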