kubeadm swallows errors when CA key isn't in RSA format

[juicemia]

What happened: When trying to deploy Kubernetes using kubeadm v1.12.1, kubeadm failed to generate certificates, causing it to fail at a later step.

After passing -v10 to get all the logs I could I found that it was expecting all the certificates to have been pre-made, even though I only added the certificate and key for the certificate authority. So I dug into the code, and in pkiutil.TryLoadKeyFromDisk I found this:

	// Allow RSA format only
	var key *rsa.PrivateKey
	switch k := privKey.(type) {
	case *rsa.PrivateKey:
		key = k
	default:
		return nil, fmt.Errorf("the private key file %s isn't in RSA format", privateKeyPath)
	}

It turns out all the PKI I've been generating for things like etcd has been ECDSA. So I found the issue I was having, but I still couldn't figure out why kubeadm wasn't failing right away. I took a look at the caller of that function:

			// Try and load a CA Key
			caKey, err = pkiutil.TryLoadKeyFromDisk(ic.CertificatesDir, ca.BaseName)
			if err != nil {
				// If there's no CA key, make sure every certificate exists.
				for _, leaf := range leaves {
					cl := certKeyLocation{
						pkiDir:   ic.CertificatesDir,
						baseName: leaf.BaseName,
						uxName:   leaf.Name,
					}
					if err := validateSignedCertWithCA(cl, caCert); err != nil {
						return fmt.Errorf("could not load expected certificate %q or validate the existence of key %q for it: %v", leaf.Name, ca.Name, err)
					}
				}
				// CACert exists and all clients exist, continue to next CA.
				continue
			}

It looks like that original error is swallowed.

What you expected to happen: Immediate failure when keys are in the wrong format.

How to reproduce it (as minimally and precisely as possible): Use an ECDSA cert/key pair and run kubeadm init.

Anything else we need to know?:

Environment:

• Kubernetes version (use kubectl version): v1.12.1
• Cloud provider or hardware configuration: OpenStack
• OS (e.g. from /etc/os-release): Ubuntu 18.04
• Kernel (e.g. uname -a): 4.15.0-34-generic discuss the meaning of kubeadm init --api-advertise-addresses #37-Ubuntu SMP Mon Aug 27 15:21:48 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
• Install tools: kubeadm
• Others:

/kind bug

[yagonobre]

@juicemia thanks for create the issue on the right repo, can you close the kubernetes/kubernetes#70594?

I'm working on a fix.

[yagonobre]

This was fixed on kubernetes/kubernetes#70331, but due to a wrong error wrap on pkihelper if you try to create a cluster with invalid ca it will result in a panic.
/priority important-soon

[neolit123]

the fix from @yagonobre seems good.

ECDSA isn't supported by kubeadm yet, here is the tracking issue:
#984