CNTRLPLANE-2014: Enable configurable PKI for managed certificate rotation

sanchezl · sanchezl · commit dd6209dd562b · 2026-04-10T00:35:59.000-04:00
Wire up the ConfigurablePKI feature gate to the PKI controller's cert
rotation, enabling cluster admins to configure certificate key algorithms
via the PKI CRD when the gate is enabled.

Changes:
- Set CertificateName and PKIProfileProvider on RotatedSigningCASecret and
  RotatedSelfSignedCertKeySecret to enable PKI profile resolution
- Switch from ServingRotation+toClientCert to PeerRotation for target
  certificates that need both client and server authentication
- Create a config informer factory in the PKI reconciler to provide the
  PKI lister when ConfigurablePKI is enabled
- Make the signer controller algorithm-agnostic: remove hardcoded
  SHA512WithRSA signature algorithm (auto-detected from signing key) and
  support PKCS#8/EC private key formats alongside legacy PKCS#1 RSA

When ConfigurablePKI is disabled (the default), behavior is identical to
before — nil PKIProfileProvider preserves legacy RSA-2048 behavior.
diff --git a/pkg/controller/pki/pki_controller.go b/pkg/controller/pki/pki_controller.go
@@ -8,7 +8,6 @@ package pki
 
 import (
 	"context"
-	"crypto/x509"
 	"fmt"
 	"log"
 	"reflect"
@@ -22,15 +21,18 @@ import (
 	"github.com/openshift/cluster-network-operator/pkg/names"
 
 	"github.com/openshift/library-go/pkg/controller/factory"
-	"github.com/openshift/library-go/pkg/crypto"
 	"github.com/openshift/library-go/pkg/operator/certrotation"
+	"github.com/openshift/library-go/pkg/pki"
 	"github.com/pkg/errors"
 
 	features "github.com/openshift/api/features"
+	configclient "github.com/openshift/client-go/config/clientset/versioned"
+	configinformers "github.com/openshift/client-go/config/informers/externalversions"
 	"github.com/openshift/library-go/pkg/operator/configobserver/featuregates"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/types"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes"
 	crclient "sigs.k8s.io/controller-runtime/pkg/client"
@@ -76,11 +78,15 @@ type PKIReconciler struct {
 	status    *statusmanager.StatusManager
 
 	// one PKI per CA
-	pkis map[types.NamespacedName]*pki
+	pkis map[types.NamespacedName]*operatorPKI
 	// For computing status
 	pkiErrs map[types.NamespacedName]error
 
 	certDuration time.Duration
+
+	// pkiProfileProvider is non-nil when the ConfigurablePKI feature gate is
+	// enabled. It provides the PKI profile for certificate key configuration.
+	pkiProfileProvider pki.PKIProfileProvider
 }
 
 // The periodic resync interval.
@@ -101,14 +107,29 @@ func newPKIReconciler(mgr manager.Manager, status *statusmanager.StatusManager,
 		certDuration = 2 * time.Hour
 	}
 
+	var pkiProfileProvider pki.PKIProfileProvider
+	if featureGates.Enabled(features.FeatureGateConfigurablePKI) {
+		cfgClient, err := configclient.NewForConfig(mgr.GetConfig())
+		if err != nil {
+			return nil, fmt.Errorf("failed to create config client for PKI informer: %w", err)
+		}
+		cfgInformers := configinformers.NewSharedInformerFactory(cfgClient, 10*time.Minute)
+		pkiProfileProvider = pki.NewClusterPKIProfileProvider(cfgInformers.Config().V1alpha1().PKIs().Lister())
+
+		stopCh := make(chan struct{})
+		cfgInformers.Start(stopCh)
+		cfgInformers.WaitForCacheSync(stopCh)
+	}
+
 	return &PKIReconciler{
 		mgr:       mgr,
 		status:    status,
 		clientset: clientset,
 
-		pkis:         map[types.NamespacedName]*pki{},
-		pkiErrs:      map[types.NamespacedName]error{},
-		certDuration: certDuration,
+		pkis:               map[types.NamespacedName]*operatorPKI{},
+		pkiErrs:            map[types.NamespacedName]error{},
+		certDuration:       certDuration,
+		pkiProfileProvider: pkiProfileProvider,
 	}, nil
 }
 
@@ -139,7 +160,7 @@ func (r *PKIReconciler) Reconcile(ctx context.Context, request reconcile.Request
 		}
 	}
 	if existing == nil {
-		existing, err = newPKI(obj, r.clientset, r.mgr, r.certDuration)
+		existing, err = newPKI(obj, r.clientset, r.mgr, r.certDuration, r.pkiProfileProvider)
 		if err != nil {
 			log.Println(err)
 			r.pkiErrs[request.NamespacedName] =
@@ -179,15 +200,15 @@ func (r *PKIReconciler) setStatus() {
 	}
 }
 
-// pki is the internal type that represents a single PKI CRD. It manages the
+// operatorPKI is the internal type that represents a single PKI CRD. It manages the
 // business of reconciling the certificate objects
-type pki struct {
+type operatorPKI struct {
 	spec       netopv1.OperatorPKISpec
 	controller factory.Controller
 }
 
 // newPKI creates a CertRotationController for the supplied configuration
-func newPKI(config *netopv1.OperatorPKI, clientset *kubernetes.Clientset, mgr manager.Manager, certDuration time.Duration) (*pki, error) {
+func newPKI(config *netopv1.OperatorPKI, clientset *kubernetes.Clientset, mgr manager.Manager, certDuration time.Duration, pkiProfileProvider pki.PKIProfileProvider) (*operatorPKI, error) {
 	spec := config.Spec
 
 	// Ugly: the existing cache + informers used as part of the controller-manager
@@ -209,12 +230,14 @@ func newPKI(config *netopv1.OperatorPKI, clientset *kubernetes.Clientset, mgr ma
 			AdditionalAnnotations: certrotation.AdditionalAnnotations{
 				JiraComponent: names.ClusterNetworkOperatorJiraComponent,
 			},
-			Validity:      10 * OneYear,
-			Refresh:       9 * OneYear,
-			Informer:      inf.Core().V1().Secrets(),
-			Lister:        inf.Core().V1().Secrets().Lister(),
-			Client:        clientset.CoreV1(),
-			EventRecorder: &eventrecorder.LoggingRecorder{},
+			CertificateName:    fmt.Sprintf("network.%s-signer", config.Name),
+			PKIProfileProvider: pkiProfileProvider,
+			Validity:           10 * OneYear,
+			Refresh:            9 * OneYear,
+			Informer:           inf.Core().V1().Secrets(),
+			Lister:             inf.Core().V1().Secrets().Lister(),
+			Client:             clientset.CoreV1(),
+			EventRecorder:      &eventrecorder.LoggingRecorder{},
 		},
 		certrotation.CABundleConfigMap{
 			Namespace: config.Namespace,
@@ -233,15 +256,13 @@ func newPKI(config *netopv1.OperatorPKI, clientset *kubernetes.Clientset, mgr ma
 			AdditionalAnnotations: certrotation.AdditionalAnnotations{
 				JiraComponent: names.ClusterNetworkOperatorJiraComponent,
 			},
-			Validity: certDuration,
-			Refresh:  certDuration / 2,
-			CertCreator: &certrotation.ServingRotation{
+			CertificateName:    fmt.Sprintf("network.%s-peer", config.Name),
+			PKIProfileProvider: pkiProfileProvider,
+			Validity:           certDuration,
+			Refresh:            certDuration / 2,
+			CertCreator: &certrotation.PeerRotation{
 				Hostnames: func() []string { return []string{spec.TargetCert.CommonName} },
-
-				// Force the certificate to also be client
-				CertificateExtensionFn: []crypto.CertificateExtensionFunc{
-					toClientCert,
-				},
+				UserInfo:  &user.DefaultInfo{Name: spec.TargetCert.CommonName},
 			},
 			Lister:        inf.Core().V1().Secrets().Lister(),
 			Informer:      inf.Core().V1().Secrets(),
@@ -252,7 +273,7 @@ func newPKI(config *netopv1.OperatorPKI, clientset *kubernetes.Clientset, mgr ma
 		nil,
 	)
 
-	out := &pki{
+	out := &operatorPKI{
 		controller: cont,
 	}
 	config.Spec.DeepCopyInto(&out.spec)
@@ -265,29 +286,7 @@ func newPKI(config *netopv1.OperatorPKI, clientset *kubernetes.Clientset, mgr ma
 }
 
 // sync causes the underlying cert controller to try and reconcile
-func (p *pki) sync() error {
+func (p *operatorPKI) sync() error {
 	runOnceCtx := context.WithValue(context.Background(), certrotation.RunOnceContextKey, true) //nolint:staticcheck
 	return p.controller.Sync(runOnceCtx, nil)
 }
-
-// toClientCert is a certificate "decorator" that adds ClientAuth to the
-// list of ExtendedKeyUsages. This allows the generated certificate to be
-// used for both client and server auth.
-func toClientCert(cert *x509.Certificate) error {
-	if len(cert.ExtKeyUsage) == 0 {
-		return nil
-	}
-
-	found := false
-	for _, u := range cert.ExtKeyUsage {
-		if u == x509.ExtKeyUsageClientAuth {
-			found = true
-			break
-		}
-	}
-
-	if !found {
-		cert.ExtKeyUsage = append(cert.ExtKeyUsage, x509.ExtKeyUsageClientAuth)
-	}
-	return nil
-}
diff --git a/pkg/controller/signer/signer.go b/pkg/controller/signer/signer.go
@@ -3,7 +3,6 @@ package signer
 import (
 	c "crypto"
 	"crypto/rand"
-	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
 	"errors"
@@ -21,8 +20,6 @@ func newCertificateTemplate(certReq *x509.CertificateRequest, certDuration time.
 	template := &x509.Certificate{
 		Subject: certReq.Subject,
 
-		SignatureAlgorithm: x509.SHA512WithRSA,
-
 		NotBefore:    time.Now().Add(-1 * time.Second),
 		NotAfter:     time.Now().Add(certDuration),
 		SerialNumber: big.NewInt(serialNumber),
@@ -69,13 +66,28 @@ func decodeCertificate(pemBytes []byte) (*x509.Certificate, error) {
 	return x509.ParseCertificate(block.Bytes)
 }
 
-func decodePrivateKey(pemBytes []byte) (*rsa.PrivateKey, error) {
+func decodePrivateKey(pemBytes []byte) (c.Signer, error) {
 	block, _ := pem.Decode(pemBytes)
-	if block == nil || block.Type != "RSA PRIVATE KEY" {
-		fmt.Println(block.Type)
-		err := errors.New("PEM block type must be RSA PRIVATE KEY")
-		return nil, err
+	if block == nil {
+		return nil, errors.New("no PEM block found in private key data")
 	}
 
-	return x509.ParsePKCS1PrivateKey(block.Bytes)
+	switch block.Type {
+	case "RSA PRIVATE KEY":
+		return x509.ParsePKCS1PrivateKey(block.Bytes)
+	case "PRIVATE KEY":
+		key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse PKCS8 private key: %w", err)
+		}
+		signer, ok := key.(c.Signer)
+		if !ok {
+			return nil, fmt.Errorf("parsed private key does not implement crypto.Signer")
+		}
+		return signer, nil
+	case "EC PRIVATE KEY":
+		return x509.ParseECPrivateKey(block.Bytes)
+	default:
+		return nil, fmt.Errorf("unsupported PEM block type: %s", block.Type)
+	}
 }
