
Optimize CA cert hash calculation with community.crypto #11758

Conversation

ErikJiang
Member

@ErikJiang ErikJiang commented Nov 29, 2024

What type of PR is this?

/kind feature

What this PR does / why we need it:

This PR optimizes the CA certificate hash calculation by using the community.crypto module.
Additionally, I've moved the default value of kube_asymmetric_encryption_algorithm back to the Kubernetes/control-plane role, as this variable is currently only used within that role.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

Optimize CA cert hash calculation with community.crypto

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Nov 29, 2024
Comment on lines 32 to 36

```yaml
- name: Extract public key from CA certificate
  community.crypto.openssl_publickey_info:
    path: "{{ kube_cert_dir }}/ca.crt"
    type: x509
  register: publickey_info
```
Contributor

@VannTen VannTen Nov 29, 2024


The problem with that is that the community.crypto module requires installing python cryptography on the managed host, which is not that easy to do -> see #11158
An alternative to that, I think, is to fetch either the public key or the whole cert (but not the private key, ofc) and use the community.crypto filters (for instance the x509_info filter).
Since filters run on the ansible control node, this only requires installing cryptography on the control node, which is much easier.

Member Author


This issue seems more complex than I expected. I'll update the PR later.
Thanks for your suggestions.

@ErikJiang ErikJiang force-pushed the optimize-ca-cert-hash-calculation branch from b5d703b to 2a53439 Compare November 29, 2024 10:14
@ErikJiang ErikJiang marked this pull request as draft November 29, 2024 10:15
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 29, 2024
@ErikJiang ErikJiang force-pushed the optimize-ca-cert-hash-calculation branch from 2a53439 to f691d63 Compare November 30, 2024 12:10
@ErikJiang
Member Author

/ok-to-test

@k8s-ci-robot k8s-ci-robot added the ok-to-test Indicates a non-member PR verified by an org member that is safe to test. label Nov 30, 2024
@ErikJiang ErikJiang force-pushed the optimize-ca-cert-hash-calculation branch 5 times, most recently from bc0ccc1 to 33503a7 Compare December 1, 2024 15:28
@ErikJiang ErikJiang marked this pull request as ready for review December 1, 2024 15:29
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 1, 2024
@k8s-ci-robot k8s-ci-robot requested a review from mzaian December 1, 2024 15:29
@ErikJiang ErikJiang force-pushed the optimize-ca-cert-hash-calculation branch from 33503a7 to 4e9a111 Compare December 2, 2024 02:31
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Dec 2, 2024
@yankay
Member

yankay commented Dec 2, 2024

Great work 🎉

Contributor

@VannTen VannTen left a comment


Some nitpicks, otherwise that's pretty good 👍

Comment on lines 41 to 47

```yaml
- name: Calculate kubeadm CA cert hash
  set_fact:
    kubeadm_ca_hash: "{{ (ca_cert_content.content | b64decode | community.crypto.x509_certificate_info).public_key_fingerprints.sha256 }}"
  when: ca_cert_content.content | length > 0
  delegate_to: localhost
  run_once: true
```
Contributor


This is pretty good, great work!

Just a thought though: do we need to use set_fact? I think it should be possible to simply have that expression directly in the jinja template in kubeadm-client.conf.j2, wdyt? (adjusting the conditionals).

The only downside I could see is that it would compute it for each host, but I don't think the difference is noticeable.

Member Author


Directly placing the expression in the kubeadm-client.conf.j2 template is indeed more concise.
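The expression discussed in this thread takes `public_key_fingerprints.sha256` from community.crypto's `x509_certificate_info` filter as the kubeadm CA cert hash. The following script is an added example, not kubespray or community.crypto code, showing what that value actually is: the SHA-256 of the certificate's DER-encoded SubjectPublicKeyInfo (SPKI), which is what kubeadm compares against `caCertHashes` / `--discovery-token-ca-cert-hash`, and not a hash of the whole certificate. It walks the DER with a minimal TLV parser so it needs no `cryptography` package on the machine running it. The certificate it hashes is constructed inline with dummy key bits and a dummy signature (it is not a real CA), and community.crypto's colon-separated fingerprint form is reproduced beside the `sha256:`-prefixed form kubeadm expects; the function and constant names are this example's own.

```python
import base64
import hashlib
import re


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def der(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV (definite-length form); used to build the sample cert."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def read_tlv(data: bytes, pos: int):
    """Decode the TLV header at pos; return (tag, value_start, element_end)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("DER element runs past end of data")
    return tag, pos, pos + length


def children(data: bytes, start: int, end: int):
    """Yield (tag, element_start, element_end) for each sibling in [start, end)."""
    pos = start
    while pos < end:
        tag, _, elem_end = read_tlv(data, pos)
        yield tag, pos, elem_end
        pos = elem_end


def extract_spki_der(cert_der: bytes) -> bytes:
    """Return the raw DER subjectPublicKeyInfo element of an X.509 certificate."""
    tag, cert_start, _ = read_tlv(cert_der, 0)                 # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tag, tbs_start, tbs_end = read_tlv(cert_der, cert_start)   # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = list(children(cert_der, tbs_start, tbs_end))
    if fields and fields[0][0] == 0xA0:                        # optional EXPLICIT [0] version
        fields = fields[1:]
    # RFC 5280 order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    if len(fields) < 6 or fields[5][0] != 0x30:
        raise ValueError("subjectPublicKeyInfo not found at its RFC 5280 position")
    _, start, end = fields[5]
    return cert_der[start:end]


def pem_to_der(pem: str) -> bytes:
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def spki_sha256_hex(cert_pem: str) -> str:
    return sha256_hex(extract_spki_der(pem_to_der(cert_pem)))


def kubeadm_ca_cert_hash(cert_pem: str) -> str:
    """The form kubeadm expects in caCertHashes / --discovery-token-ca-cert-hash."""
    return "sha256:" + spki_sha256_hex(cert_pem)


def community_crypto_style_fingerprint(cert_pem: str) -> str:
    """Same digest in the colon-separated form community.crypto's filters report."""
    h = spki_sha256_hex(cert_pem)
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


# --- Constructed sample certificate: dummy key bits and signature, NOT a real CA ---
OID_SHA256_RSA = der(0x06, bytes.fromhex("2a864886f70d01010b"))   # 1.2.840.113549.1.1.11
OID_RSA = der(0x06, bytes.fromhex("2a864886f70d010101"))          # 1.2.840.113549.1.1.1
OID_CN = der(0x06, bytes.fromhex("550403"))                        # 2.5.4.3
NULL = der(0x05, b"")
SIG_ALG = der(0x30, OID_SHA256_RSA + NULL)
NAME = der(0x30, der(0x31, der(0x30, OID_CN + der(0x0C, b"kubernetes"))))
VALIDITY = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))
SAMPLE_SPKI_DER = der(0x30, der(0x30, OID_RSA + NULL) + der(0x03, b"\x00" + bytes(range(1, 33))))
TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + SIG_ALG + NAME
          + VALIDITY + NAME + SAMPLE_SPKI_DER)
SAMPLE_CERT_DER = der(0x30, TBS + SIG_ALG + der(0x03, b"\x00" + b"\xAA" * 32))
_b64 = base64.b64encode(SAMPLE_CERT_DER).decode()
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + "\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
                   + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print("kubeadm form:         ", kubeadm_ca_cert_hash(SAMPLE_CERT_PEM))
    print("community.crypto form:", community_crypto_style_fingerprint(SAMPLE_CERT_PEM))
    print("whole-cert sha256:    ", sha256_hex(SAMPLE_CERT_DER), "(not what kubeadm checks)")
```

To check the result on a real `ca.crt`, the value of `kubeadm_ca_cert_hash()` with the `sha256:` prefix removed should equal the digest produced by the classic `openssl x509 -pubkey -noout -in ca.crt | openssl rsa -pubin -outform der | openssl dgst -sha256` pipeline that the filter-based expression replaces. When the fingerprint is taken from community.crypto, the colons have to be stripped before the value is usable by kubeadm.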

Comment on lines -65 to -69

```yaml
# Supported asymmetric encryption algorithm types for the cluster's keys and certificates.
# can be one of RSA-2048(default), RSA-3072, RSA-4096, ECDSA-P256
# ref: https://kubernetes.io/docs/reference/config-api/kubeadm-config.v1beta4/#kubeadm-k8s-io-v1beta4-ClusterConfiguration
kube_asymmetric_encryption_algorithm: "RSA-2048"
```

Contributor


You should probably mention in the commit message why we can do that (== since the switch makes it used only in one role), otherwise it can appear a bit random to the uninitiated ^.

Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
@ErikJiang ErikJiang force-pushed the optimize-ca-cert-hash-calculation branch from 4e9a111 to 00e4964 Compare December 2, 2024 09:59
@VannTen
Contributor

VannTen commented Dec 2, 2024

Thanks for the great work! First step to replace our usage of dubious openssl pipelines with community.crypto o/

/approve
/lgtm

I don't think we need a release-note though, this should not change anything for the users.

/release-note-edit release-note NONE
/remove-kind feature
/kind cleanup

@k8s-ci-robot k8s-ci-robot added kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. and removed kind/feature Categorizes issue or PR as related to a new feature. labels Dec 2, 2024
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 2, 2024
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ErikJiang, VannTen

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 2, 2024
@k8s-ci-robot k8s-ci-robot merged commit 98807ff into kubernetes-sigs:master Dec 2, 2024
41 checks passed
kpoxo6op pushed a commit to kpoxo6op/kubespray that referenced this pull request Dec 27, 2024