CNTRLPLANE-2903: Add configurable PKI profile support

[sanchezl]

Overview

Adds configurable PKI profile support for enhancement #1882, using the API from openshift/api#2645.

PROOF: cluster-kube-apiserver-operator#2051 demonstrates the integration of these APIs into CKAO's cert rotation controllers.

pkg/crypto — Parameterized key generation and certificate creation

• KeyConfig type supporting RSA (2048–8192 bit) and ECDSA (P-256/P-384/P-521)
• GenerateKeyPair(KeyConfig) and SubjectKeyIDFromPublicKey() for algorithm-agnostic key generation
• SubjectKeyIDFromPublicKey() uses truncated SHA-256 (first 160 bits per RFC 7093), consistent with Go 1.25+ (go.dev/issue/71746) and Let's Encrypt — FIPS-compatible, unlike the SHA-1 used by the legacy functions
• Functional options API for certificate creation:
  • NewSigningCertificate(name, keyConfig, ...opts) — self-signed root CA or intermediate CA via WithSigner
  • CA.NewServerCertificate(hostnames, keyConfig, ...opts)
  • CA.NewClientCertificate(userInfo, keyConfig, ...opts)
  • CA.NewPeerCertificate(hostnames, userInfo, keyConfig, ...opts) — both ServerAuth + ClientAuth EKU
• Options: WithLifetime, WithSubject, WithSigner, WithExtensions
• ECDSA certs use DigitalSignature only (no KeyEncipherment); signature algorithm auto-detected from signing key

pkg/pki — Profile resolution

• CertificateType enum: signer, serving, client, peer
• DefaultPKIProfile() — RSA-2048 default, RSA-4096 for signers
• PKIProfileProvider interface with StaticPKIProfileProvider (installer/tests) and ListerPKIProfileProvider (controllers)
• ResolveCertificateConfig(provider, certType, name) → CertificateConfig{Key} — resolves effective key config from profile with category overrides
• Peer type resolves to the stronger key using NIST security strength (GNFS formula for RSA, fixed for ECDSA)

pkg/operator/certrotation — Optional KeyConfig wiring

• Added KeyConfig *crypto.KeyConfig field to RotatedSigningCASecret, ClientRotation, ServingRotation, SignerRotation
• When KeyConfig is set, the new crypto.New*Certificate functions are used; when nil, existing behavior is preserved
• Zero breaking changes — all existing callers are unaffected

Design

• pkg/crypto has zero dependency on pkg/pki or configv1alpha1
• Existing functions untouched — no breaking changes
• Feature gate (ConfigurablePKI) checking is the caller's responsibility

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sanchezl
Once this PR has been reviewed and has the lgtm label, please assign bertinatto for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@sanchezl: This pull request references CNTRLPLANE-2903 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Overview

Adds configurable PKI profile support for enhancement #1882, using the API from openshift/api#2645.

pkg/crypto — Parameterized key generation and certificate creation

• KeyConfig type supporting RSA (2048–8192 bit) and ECDSA (P-256/P-384/P-521)
• GenerateKeyPair(KeyConfig) and SubjectKeyIDFromPublicKey() for algorithm-agnostic key generation
• Functional options API for certificate creation:
• NewSigningCertificate(name, keyConfig, ...opts) — self-signed root CA or intermediate CA via WithSigner
• CA.NewServerCertificate(hostnames, keyConfig, ...opts)
• CA.NewClientCertificate(userInfo, keyConfig, ...opts)
• CA.NewPeerCertificate(hostnames, userInfo, keyConfig, ...opts) — both ServerAuth + ClientAuth EKU
• Options: WithLifetime, WithSubject, WithSigner, WithExtensions
• ECDSA certs use DigitalSignature only (no KeyEncipherment); signature algorithm auto-detected from signing key

pkg/pki — Profile resolution

• CertificateType enum: signer, serving, client, peer
• DefaultPKIProfile() — RSA-2048 default, RSA-4096 for signers
• PKIProfileProvider interface with StaticPKIProfileProvider (installer/tests) and ListerPKIProfileProvider (controllers)
• ResolveCertificateConfig(provider, certType, name) → CertificateConfig{Key} — resolves effective key config from profile with category overrides
• Peer type resolves to the stronger key using NIST security strength (GNFS formula for RSA, fixed for ECDSA)

pkg/operator/certrotation — Optional KeyConfig wiring

• Added KeyConfig *crypto.KeyConfig field to RotatedSigningCASecret, ClientRotation, ServingRotation, SignerRotation
• When KeyConfig is set, the new crypto.New*Certificate functions are used; when nil, existing behavior is preserved
• Zero breaking changes — all existing callers are unaffected

Design

• pkg/crypto has zero dependency on pkg/pki or configv1alpha1
• Existing functions untouched — no breaking changes
• Feature gate (ConfigurablePKI) checking is the caller's responsibility

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@sanchezl: This pull request references CNTRLPLANE-2903 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Overview

Adds configurable PKI profile support for enhancement #1882, using the API from openshift/api#2645.

PROOF: cluster-kube-apiserver-operator#2051 demonstrates the integration of these APIs into CKAO's cert rotation controllers.

pkg/crypto — Parameterized key generation and certificate creation

• KeyConfig type supporting RSA (2048–8192 bit) and ECDSA (P-256/P-384/P-521)
• GenerateKeyPair(KeyConfig) and SubjectKeyIDFromPublicKey() for algorithm-agnostic key generation
• Functional options API for certificate creation:
• NewSigningCertificate(name, keyConfig, ...opts) — self-signed root CA or intermediate CA via WithSigner
• CA.NewServerCertificate(hostnames, keyConfig, ...opts)
• CA.NewClientCertificate(userInfo, keyConfig, ...opts)
• CA.NewPeerCertificate(hostnames, userInfo, keyConfig, ...opts) — both ServerAuth + ClientAuth EKU
• Options: WithLifetime, WithSubject, WithSigner, WithExtensions
• ECDSA certs use DigitalSignature only (no KeyEncipherment); signature algorithm auto-detected from signing key

pkg/pki — Profile resolution

• CertificateType enum: signer, serving, client, peer
• DefaultPKIProfile() — RSA-2048 default, RSA-4096 for signers
• PKIProfileProvider interface with StaticPKIProfileProvider (installer/tests) and ListerPKIProfileProvider (controllers)
• ResolveCertificateConfig(provider, certType, name) → CertificateConfig{Key} — resolves effective key config from profile with category overrides
• Peer type resolves to the stronger key using NIST security strength (GNFS formula for RSA, fixed for ECDSA)

pkg/operator/certrotation — Optional KeyConfig wiring

• Added KeyConfig *crypto.KeyConfig field to RotatedSigningCASecret, ClientRotation, ServingRotation, SignerRotation
• When KeyConfig is set, the new crypto.New*Certificate functions are used; when nil, existing behavior is preserved
• Zero breaking changes — all existing callers are unaffected

Design

• pkg/crypto has zero dependency on pkg/pki or configv1alpha1
• Existing functions untouched — no breaking changes
• Feature gate (ConfigurablePKI) checking is the caller's responsibility

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[hasbro17]

Since this wasn't in the enhancement, can we make these defaults more apparent/explicit? I'll have to align the installer to use these defaults as well.

So rather than defining it in two places, maybe the default key sizes and algo for signer/leaf certs can live in the API as a const as the source of truth and I can consume it from there (until I can get the installer to switch over to library-go's crypto pkg).
E.g:
https://github.com/openshift/api/blob/0608f61fdd6bd966ba0ded180a6f49005e30ae2f/config/v1alpha1/types_pki.go#L248-L256

[sanchezl]

For unblocking the installer now: since this PR is still in review, feel free to duplicate the default values directly in the installer for now.

[openshift-ci]

@sanchezl: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

@sanchezl: This pull request references CNTRLPLANE-2903 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Overview

Adds configurable PKI profile support for enhancement #1882, using the API from openshift/api#2645.

PROOF: cluster-kube-apiserver-operator#2051 demonstrates the integration of these APIs into CKAO's cert rotation controllers.

pkg/crypto — Parameterized key generation and certificate creation

• KeyConfig type supporting RSA (2048–8192 bit) and ECDSA (P-256/P-384/P-521)
• GenerateKeyPair(KeyConfig) and SubjectKeyIDFromPublicKey() for algorithm-agnostic key generation
• SubjectKeyIDFromPublicKey() uses truncated SHA-256 (first 160 bits per RFC 7093), consistent with Go 1.25+ (go.dev/issue/71746) and Let's Encrypt — FIPS-compatible, unlike the SHA-1 used by the legacy functions
• Functional options API for certificate creation:
• NewSigningCertificate(name, keyConfig, ...opts) — self-signed root CA or intermediate CA via WithSigner
• CA.NewServerCertificate(hostnames, keyConfig, ...opts)
• CA.NewClientCertificate(userInfo, keyConfig, ...opts)
• CA.NewPeerCertificate(hostnames, userInfo, keyConfig, ...opts) — both ServerAuth + ClientAuth EKU
• Options: WithLifetime, WithSubject, WithSigner, WithExtensions
• ECDSA certs use DigitalSignature only (no KeyEncipherment); signature algorithm auto-detected from signing key

pkg/pki — Profile resolution

• CertificateType enum: signer, serving, client, peer
• DefaultPKIProfile() — RSA-2048 default, RSA-4096 for signers
• PKIProfileProvider interface with StaticPKIProfileProvider (installer/tests) and ListerPKIProfileProvider (controllers)
• ResolveCertificateConfig(provider, certType, name) → CertificateConfig{Key} — resolves effective key config from profile with category overrides
• Peer type resolves to the stronger key using NIST security strength (GNFS formula for RSA, fixed for ECDSA)

pkg/operator/certrotation — Optional KeyConfig wiring

• Added KeyConfig *crypto.KeyConfig field to RotatedSigningCASecret, ClientRotation, ServingRotation, SignerRotation
• When KeyConfig is set, the new crypto.New*Certificate functions are used; when nil, existing behavior is preserved
• Zero breaking changes — all existing callers are unaffected

Design

• pkg/crypto has zero dependency on pkg/pki or configv1alpha1
• Existing functions untouched — no breaking changes
• Feature gate (ConfigurablePKI) checking is the caller's responsibility

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.