ECDSA private key

[ghost]

FEATURE REQUEST

I was trying to deploy a new cluster with autogenerated EC CAs when I discovered that kubeadm waits for CA key to be in RSA format.
I thought maybe there is no capabilities to generate EC certificates in kubeadm, so I've generated whole chain: ca, frontproxy-ca, apiserver, apiserver-kubelet-client, front-proxy-client and sa private and public keys.
Now kubeadm stopped on private key to apiserver certificate (while accepting ECDSA certificate itself)

So the feature request: please add support for EC keys if underlying infrastructure is able to support it.

[neolit123]

i need to do some investigation for the stakes here, but for now my answer is that EC will not be supported any time soon (don't quote me on that).

[joejulian]

To repro:

ca-config.json

{"signing":{"default":{"expiry":"43800h"},"profiles":{"server":{"expiry":"43800h","usages":["signing","key encipherment","server auth","client auth"]},"client":{"expiry":"43800h","usages":["signing","key encipherment","client auth"]},"peer":{"expiry":"43800h","usages":["signing","key encipherment","server auth","client auth"]}}}}

ca-csr.json

{"CN":"etcd","key":{"algo":"ecdsa","size":256}}

Then use cfssl:

cfssl gencert -initca -config ca-config.json ca-csr.json | cfssljson -bare ca -
mv ca.pem ca.crt
mv ca-key.pem ca.key

Now try to use this CA cert:

kubeadm alpha phase certs all --cert-dir $PWD

failure loading ca certificate: the private key file /home/foo/test/ca.key isn't in RSA format

[joejulian]

@neolit123 What led you to your expectation that this would not be coming soon? Do you see some specific blocker?

[joejulian]

@andrewrynhard Your PR (kubernetes/kubernetes#41295) removed EC key support. I can't find any specific reasoning for that in the PR or the related issue. Is there any reason that you know of not to just re-add the EC support to pki_helpers?

After actually looking at that PR, there was no working code removed, just some placeholders.

[neolit123]

@joejulian

@neolit123 What led you to your expectation that this would not be coming soon? Do you see some specific blocker?

i think the biggest blocker is that this is a relatively low priority task and the kubeadm team is busy.

i did some investigation and it feels like the rest of kubernetes is ECDSA "ready".
PRs for kubeadm are welcome!

[timothysc]

/assign @liztio

[geoffgarside]

Looks like the certutil.NewSignedCert functions have been updated to use crypto.Signer as of kubernetes/client-go@30575d7

[rojkov]

I'd like to tackle this if nobody is working on it.

[fabriziopandini]

@rojkov great
/assign @rojkov
/lifecycle active

[k8s-ci-robot]

@fabriziopandini: GitHub didn't allow me to assign the following users: rojkov.

Note that only kubernetes members and repo collaborators can be assigned and that issues/PRs can only have 10 assignees at the same time.
For more information please see the contributor guide

In response to this:

@rojkov great
/assign @rojkov
/lifecycle active

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[rojkov]

/assign @rojkov

[rojkov]

The corresponding PR is kubernetes/kubernetes#76390.