Merge pull request #168 from gardener/private-key-spec

Allow to specify private key algorithm and size

README.md

@@ -28,6 +28,8 @@ Currently, the `cert-controller-manager` supports certificate authorities via:
     - [Using `commonName` and optional `dnsNames`](#using-commonname-and-optional-dnsnames)
     - [Follow CNAME](#follow-cname)
     - [Preferred Chain](#preferred-chain)
+    - [Secret Labels](#secret-labels)
+    - [Specifying private key algorithm and size](#specifying-private-key-algorithm-and-size)
     - [Using a certificate signing request (CSR)](#using-a-certificate-signing-request-csr)
     - [Creating JKS or PKCS#12 keystores](#creating-jks-or-pkcs12-keystores)
   - [Requesting a Certificate for Ingress](#requesting-a-certificate-for-ingress)
@@ -352,6 +354,33 @@ spec:
 
 In this case the secret `my-secret` will contains the labels.
 
+### Specifying private key algorithm and size
+
+By default, the certificate uses `RSA` with a key size of 2048 bits for the private key.
+Add the `privateKey` section to specify private key algorithm and/or size.
+
+Example:
+
+```yaml
+apiVersion: cert.gardener.cloud/v1alpha1
+kind: Certificate
+metadata:
+  name: cert-ecdsa
+  namespace: default
+spec:
+  commonName: my-service.example-domain.com
+  secretName: my-secret
+  privateKey:
+    algorithm: ECDSA
+    size: 384
+```
+
+Allowed values for `spec.privateKey.algorithm` are `RSA` and `ECDSA`.
+For `RSA`, the allowed key sizes are `2048`, `3072`, and `4096`. If the size field is not specified,
+`2048` is used by default.
+For `ECDSA`, the allowed key sizes are `256` and `384`.  If the size field is not specified,
+`256` is used by default. 
+
 ### Using a certificate signing request (CSR)
 
 You can provide a complete CSR in PEM format (and encoded as Base64).
@@ -474,6 +503,8 @@ See also [examples/40-ingress-echoheaders.yaml](./examples/40-ingress-echoheader
         #cert.gardener.cloud/secret-labels: "key1=value1,key2=value2" # optional labels for the certificate secret
         #cert.gardener.cloud/issuer: issuer-name                      # optional to specify custom issuer (use namespace/name for shoot issuers)
         #cert.gardener.cloud/preferred-chain: "chain name"            # optional to specify preferred-chain (value is the Subject Common Name of the root issuer)
+        #cert.gardener.cloud/private-key-algorithm: ECDSA             # optional to specify algorithm for private key, allowed values are 'RSA' or 'ECDSA'
+        #cert.gardener.cloud/private-key-size: "384"                  # optional to specify size of private key, allowed values for RSA are "2048", "3072", "4096" and for ECDSA "256" and "384"
     spec:
       tls:
         - hosts:
@@ -526,6 +557,8 @@ metadata:
     #cert.gardener.cloud/secret-labels: "key1=value1,key2=value2" # optional labels for the certificate secret
     #cert.gardener.cloud/issuer: issuer-name                      # optional to specify custom issuer (use namespace/name for shoot issuers)
     #cert.gardener.cloud/preferred-chain: "chain name"            # optional to specify preferred-chain (value is the Subject Common Name of the root issuer)
+    #cert.gardener.cloud/private-key-algorithm: ECDSA             # optional to specify algorithm for private key, allowed values are 'RSA' or 'ECDSA'
+    #cert.gardener.cloud/private-key-size: "384"                  # optional to specify size of private key, allowed values for RSA are "2048", "3072", "4096" and for ECDSA "256" and "384"
     dns.gardener.cloud/ttl: "600"
   name: test-service
   namespace: default

VERSION

@@ -1 +1 @@
-v0.12.2-dev
+v0.13.0-dev

charts/cert-management/templates/cert.gardener.cloud_certificates.yaml

@@ -182,6 +182,37 @@ spec:
                   chain with an issuer matching this Subject Common Name. If no match,
                   the default offered chain will be used.'
                 type: string
+              privateKey:
+                description: Private key options. These include the key algorithm
+                  and size.
+                properties:
+                  algorithm:
+                    description: "Algorithm is the private key algorithm of the corresponding
+                      private key for this certificate. \n If provided, allowed values
+                      are either `RSA` or `ECDSA`. If `algorithm` is specified and
+                      `size` is not provided, key size of 2048 will be used for `RSA`
+                      key algorithm and key size of 256 will be used for `ECDSA` key
+                      algorithm."
+                    enum:
+                    - RSA
+                    - ECDSA
+                    type: string
+                  size:
+                    description: "Size is the key bit size of the corresponding private
+                      key for this certificate. \n If `algorithm` is set to `RSA`,
+                      valid values are `2048`, `3072` or `4096`, and will default
+                      to `2048` if not specified. If `algorithm` is set to `ECDSA`,
+                      valid values are `256` or `384`, and will default to `256` if
+                      not specified. No other values are allowed."
+                    enum:
+                    - 256
+                    - 384
+                    - 2048
+                    - 3072
+                    - 4096
+                    format: int32
+                    type: integer
+                type: object
               renew:
                 description: Renew triggers a renewal if set to true
                 type: boolean

charts/cert-management/values.yaml

@@ -9,7 +9,7 @@ replicaCount: 1
 
 image:
   repository: europe-docker.pkg.dev/gardener-project/public/cert-controller-manager
-  tag: v0.12.2-master
+  tag: v0.13.0-master
   pullPolicy: IfNotPresent
 
 resources:

examples/30-cert-simple.yaml

@@ -32,7 +32,12 @@ spec:
   # either '_acme-challenge.cert1.mydomain.com' or '_acme-challenge.cert1.my-other-domain.com'.
   # For example: If a CNAME record exists '_acme-challenge.cert1.mydomain.com' => '_acme-challenge.writable.domain.com',
   # the DNS challenge will be written to '_acme-challenge.writable.domain.com'.
-  #followCNAME: true
+  #  followCNAME: true
 
   # Optionally specify the preferred certificate chain: if the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used.
-  #preferredChain: "ISRG Root X1"
+  #  preferredChain: "ISRG Root X1"
+
+  # Optionally specify algorithm and key size for private key
+  #  privateKey:
+  #    algorithm: ECDSA
+  #    size: 384

examples/40-ingress-echoheaders.yaml

@@ -16,6 +16,8 @@ metadata:
     #cert.gardener.cloud/secret-labels: "key1=value1,key2=value2" # optional labels for the certificate secret
     #cert.gardener.cloud/issuer: issuer-name                      # optional to specify custom issuer (use namespace/name for shoot issuers)
     #cert.gardener.cloud/preferred-chain: "chain name"            # optional to specify preferred-chain (value is the Subject Common Name of the root issuer)
+    #cert.gardener.cloud/private-key-algorithm: ECDSA             # optional to specify algorithm for private key, allowed values are 'RSA' or 'ECDSA'
+    #cert.gardener.cloud/private-key-size: "384"                  # optional to specify size of private key, allowed values for RSA are "2048", "3072", "4096" and for ECDSA "256" and "384"
 spec:
   tls:
     - hosts:

examples/40-service-loadbalancer.yaml

@@ -16,6 +16,8 @@ metadata:
     #cert.gardener.cloud/secret-labels: "key1=value1,key2=value2" # optional labels for the certificate secret
     #cert.gardener.cloud/issuer: issuer-name                      # optional to specify custom issuer (use namespace/name for shoot issuers)
     #cert.gardener.cloud/preferred-chain: "chain name"            # optional to specify preferred-chain (value is the Subject Common Name of the root issuer)
+    #cert.gardener.cloud/private-key-algorithm: ECDSA             # optional to specify algorithm for private key, allowed values are 'RSA' or 'ECDSA'
+    #cert.gardener.cloud/private-key-size: "384"                  # optional to specify size of private key, allowed values for RSA are "2048", "3072", "4096" and for ECDSA "256" and "384"
   name: test-service
   namespace: default
 spec:

pkg/apis/cert/crds/cert.gardener.cloud_certificates.yaml

@@ -177,6 +177,37 @@ spec:
                   chain with an issuer matching this Subject Common Name. If no match,
                   the default offered chain will be used.'
                 type: string
+              privateKey:
+                description: Private key options. These include the key algorithm
+                  and size.
+                properties:
+                  algorithm:
+                    description: "Algorithm is the private key algorithm of the corresponding
+                      private key for this certificate. \n If provided, allowed values
+                      are either `RSA` or `ECDSA`. If `algorithm` is specified and
+                      `size` is not provided, key size of 2048 will be used for `RSA`
+                      key algorithm and key size of 256 will be used for `ECDSA` key
+                      algorithm."
+                    enum:
+                    - RSA
+                    - ECDSA
+                    type: string
+                  size:
+                    description: "Size is the key bit size of the corresponding private
+                      key for this certificate. \n If `algorithm` is set to `RSA`,
+                      valid values are `2048`, `3072` or `4096`, and will default
+                      to `2048` if not specified. If `algorithm` is set to `ECDSA`,
+                      valid values are `256` or `384`, and will default to `256` if
+                      not specified. No other values are allowed."
+                    enum:
+                    - 256
+                    - 384
+                    - 2048
+                    - 3072
+                    - 4096
+                    format: int32
+                    type: integer
+                type: object
               renew:
                 description: Renew triggers a renewal if set to true
                 type: boolean

pkg/apis/cert/crds/zz_generated_crds.go

@@ -477,6 +477,37 @@ spec:
                   chain with an issuer matching this Subject Common Name. If no match,
                   the default offered chain will be used.'
                 type: string
+              privateKey:
+                description: Private key options. These include the key algorithm
+                  and size.
+                properties:
+                  algorithm:
+                    description: "Algorithm is the private key algorithm of the corresponding
+                      private key for this certificate. \n If provided, allowed values
+                      are either ` + "`" + `RSA` + "`" + ` or ` + "`" + `ECDSA` + "`" + `. If ` + "`" + `algorithm` + "`" + ` is specified and
+                      ` + "`" + `size` + "`" + ` is not provided, key size of 2048 will be used for ` + "`" + `RSA` + "`" + `
+                      key algorithm and key size of 256 will be used for ` + "`" + `ECDSA` + "`" + ` key
+                      algorithm."
+                    enum:
+                    - RSA
+                    - ECDSA
+                    type: string
+                  size:
+                    description: "Size is the key bit size of the corresponding private
+                      key for this certificate. \n If ` + "`" + `algorithm` + "`" + ` is set to ` + "`" + `RSA` + "`" + `,
+                      valid values are ` + "`" + `2048` + "`" + `, ` + "`" + `3072` + "`" + ` or ` + "`" + `4096` + "`" + `, and will default
+                      to ` + "`" + `2048` + "`" + ` if not specified. If ` + "`" + `algorithm` + "`" + ` is set to ` + "`" + `ECDSA` + "`" + `,
+                      valid values are ` + "`" + `256` + "`" + ` or ` + "`" + `384` + "`" + `, and will default to ` + "`" + `256` + "`" + ` if
+                      not specified. No other values are allowed."
+                    enum:
+                    - 256
+                    - 384
+                    - 2048
+                    - 3072
+                    - 4096
+                    format: int32
+                    type: integer
+                type: object
               renew:
                 description: Renew triggers a renewal if set to true
                 type: boolean

pkg/apis/cert/v1alpha1/types.go

@@ -82,6 +82,9 @@ type CertificateSpec struct {
 	// PreferredChain allows to specify the preferred certificate chain: if the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used.
 	// +optional
 	PreferredChain *string `json:"preferredChain,omitempty"`
+	// Private key options. These include the key algorithm and size.
+	// +optional
+	PrivateKey *CertificatePrivateKey `json:"privateKey,omitempty"`
 }
 
 // IssuerRef is the reference of the issuer by name.
@@ -93,6 +96,47 @@ type IssuerRef struct {
 	Namespace string `json:"namespace,omitempty"`
 }
 
+// PrivateKeyAlgorithm is the type for the algorithm.
+// +kubebuilder:validation:Enum=RSA;ECDSA
+type PrivateKeyAlgorithm string
+
+const (
+	// RSAKeyAlgorithm is the value to use the RSA algorithm for the private key.
+	RSAKeyAlgorithm PrivateKeyAlgorithm = "RSA"
+
+	// ECDSAKeyAlgorithm is the value to use the ECDSA algorithm for the private key.
+	ECDSAKeyAlgorithm PrivateKeyAlgorithm = "ECDSA"
+)
+
+// PrivateKeySize is the size for the algorithm.
+// +kubebuilder:validation:Enum=256;384;2048;3072;4096
+type PrivateKeySize int32
+
+// CertificatePrivateKey contains configuration options for private keys
+// used by the Certificate controller.
+// These include the key algorithm and size.
+type CertificatePrivateKey struct {
+	// Algorithm is the private key algorithm of the corresponding private key
+	// for this certificate.
+	//
+	// If provided, allowed values are either `RSA` or `ECDSA`.
+	// If `algorithm` is specified and `size` is not provided,
+	// key size of 2048 will be used for `RSA` key algorithm and
+	// key size of 256 will be used for `ECDSA` key algorithm.
+	// +optional
+	Algorithm *PrivateKeyAlgorithm `json:"algorithm,omitempty"`
+
+	// Size is the key bit size of the corresponding private key for this certificate.
+	//
+	// If `algorithm` is set to `RSA`, valid values are `2048`, `3072` or `4096`,
+	// and will default to `2048` if not specified.
+	// If `algorithm` is set to `ECDSA`, valid values are `256` or `384`,
+	// and will default to `256` if not specified.
+	// No other values are allowed.
+	// +optional
+	Size *PrivateKeySize `json:"size,omitempty"`
+}
+
 // BackOffState stores the status for exponential back off on repeated cert request failure
 type BackOffState struct {
 	// ObservedGeneration is the observed generation the BackOffState is assigned to
@@ -158,7 +202,7 @@ type QualifiedIssuerRef struct {
 	Namespace string `json:"namespace"`
 }
 
-// IsDefaultCluster returns true if the reference is on the default cluster
+// IsDefaultCluster returns true if the reference is on the default cluster.
 func (r QualifiedIssuerRef) IsDefaultCluster() bool {
 	return r.Cluster == "default"
 }