CNTRLPLANE-2012: Add configurable PKI support for installer-generated signer certificates

cmd/openshift-install/testdata/agent/image/assets/tls_assets.txt

@@ -10,3 +10,12 @@ exists $WORK/tls/admin-kubeconfig-signer.key
 exists $WORK/tls/kube-apiserver-lb-signer.key 
 exists $WORK/tls/kube-apiserver-localhost-signer.key
 exists $WORK/tls/kube-apiserver-service-network-signer.key
+
+-- install-config.yaml --
+apiVersion: v1
+baseDomain: localhost
+metadata:
+  name: agent-certs
+platform:
+  none: {}
+pullSecret: '{"auths":{"unused":{"auth":"dW51c2VkCg=="}}}'

data/data/agent/files/usr/local/bin/set-node-zero.sh

@@ -52,7 +52,20 @@ if [ "${IS_NODE_ZERO}" = "true" ]; then
        # shellcheck disable=SC1091
        . /usr/local/bin/release-image.sh
        IMAGE=$(image_for installer)
+       # The installer's cert generation requires an install-config dependency
+       # even though signer certs don't use any cluster-specific data.
+       # Provide a minimal config to satisfy the dependency.
+       cat > /tmp/install-config.yaml <<'ICEOF'
+apiVersion: v1
+baseDomain: localhost
+metadata:
+  name: agent-certs
+platform:
+  none: {}
+pullSecret: '{"auths":{"unused":{"auth":"dW51c2VkCg=="}}}'
+ICEOF
        /usr/bin/podman run --privileged -v /tmp:/assets --rm "${IMAGE}" agent create certificates --dir=/assets
+       rm -f /tmp/install-config.yaml
        cp /tmp/tls/* $AGENT_TLS_DIR
     fi
 

data/data/install.openshift.io_installconfigs.yaml

@@ -5078,6 +5078,82 @@ spec:
             - rhel-9
             - rhel-10
             type: string
+          pki:
+            description: |-
+              PKI configures cryptographic parameters for installer-generated
+              signer certificates. When specified, all signer certificates use the
+              algorithm and parameters from signerCertificates.
+              Feature gated by ConfigurablePKI.
+            properties:
+              signerCertificates:
+                description: |-
+                  signerCertificates specifies key parameters for all installer-generated
+                  certificate authority (CA) certificates.
+                  When set, all signer certificates use the specified algorithm and parameters.
+                minProperties: 1
+                properties:
+                  key:
+                    description: key specifies the cryptographic parameters for the
+                      certificate's key pair.
+                    properties:
+                      algorithm:
+                        description: |-
+                          algorithm specifies the key generation algorithm.
+                          Valid values are "RSA" and "ECDSA".
+                        enum:
+                        - RSA
+                        - ECDSA
+                        type: string
+                      ecdsa:
+                        description: |-
+                          ecdsa specifies ECDSA key parameters.
+                          Required when algorithm is ECDSA, and forbidden otherwise.
+                        properties:
+                          curve:
+                            description: |-
+                              curve specifies the NIST elliptic curve for ECDSA keys.
+                              Valid values are "P256", "P384", and "P521".
+                            enum:
+                            - P256
+                            - P384
+                            - P521
+                            type: string
+                        required:
+                        - curve
+                        type: object
+                      rsa:
+                        description: |-
+                          rsa specifies RSA key parameters.
+                          Required when algorithm is RSA, and forbidden otherwise.
+                        properties:
+                          keySize:
+                            description: |-
+                              keySize specifies the size of RSA keys in bits.
+                              Valid values are multiples of 1024 from 2048 to 8192.
+                            format: int32
+                            maximum: 8192
+                            minimum: 2048
+                            multipleOf: 1024
+                            type: integer
+                        required:
+                        - keySize
+                        type: object
+                    required:
+                    - algorithm
+                    type: object
+                    x-kubernetes-validations:
+                    - message: rsa is required when algorithm is RSA, and forbidden
+                        otherwise
+                      rule: 'has(self.algorithm) && self.algorithm == ''RSA'' ?  has(self.rsa)
+                        : !has(self.rsa)'
+                    - message: ecdsa is required when algorithm is ECDSA, and forbidden
+                        otherwise
+                      rule: 'has(self.algorithm) && self.algorithm == ''ECDSA'' ?  has(self.ecdsa)
+                        : !has(self.ecdsa)'
+                type: object
+            required:
+            - signerCertificates
+            type: object
           platform:
             description: |-
               Platform is the configuration for the specific platform upon which to

docs/user/customization.md

@@ -54,6 +54,17 @@ feature set.
         The default is [OVNKubernetes][ovn-kubernetes].
     * `serviceNetwork` (optional array of [IP networks](#ip-networks)): The IP address pools for services.
         The default is 172.30.0.0/16.
+* `pki` (optional object): Configures cryptographic parameters for installer-generated signer certificates.
+    Requires the `ConfigurablePKI` feature gate (set `featureSet: TechPreviewNoUpgrade` or use `CustomNoUpgrade` with `featureGates`).
+    When omitted and the feature gate is enabled, signer certificates default to ECDSA P-384.
+    When omitted and the feature gate is disabled, signer certificates use RSA 2048 (existing default behavior).
+    * `signerCertificates` (required object): Key parameters for all signer certificates.
+        * `key` (required object): Key generation parameters.
+            * `algorithm` (required string): The key algorithm. Valid values are `RSA` and `ECDSA`.
+            * `rsa` (optional object): RSA-specific parameters. Required when `algorithm` is `RSA`.
+                * `keySize` (required integer): Key size in bits. Valid values are multiples of 1024 from 2048 to 8192.
+            * `ecdsa` (optional object): ECDSA-specific parameters. Required when `algorithm` is `ECDSA`.
+                * `curve` (required string): The elliptic curve. Valid values are `P256`, `P384`, and `P521`.
 * `platform` (required object): The configuration for the specific platform upon which to perform the installation.
     * `aws` (optional object): [AWS-specific properties](aws/customization.md#cluster-scoped-properties).
     * `baremetal` (optional object): [Baremetal IPI-specific properties](metal/customization_ipi.md).
@@ -251,6 +262,48 @@ sshKey: ssh-ed25519 AAAA...
 If your proxy certificate is signed by a certificate authority which RHCOS does not trust by default, you may also wish to configure [an additional trust bundle](#additional-trust-bundle).
 If `additionalTrustBundle` and at least one `proxy` setting are configured, the `cluster` [Proxy object][proxy] will be configured with [`trustedCA`][proxy-trusted-ca] referencing the additional trust bundle.
 
+### PKI (signer certificate configuration)
+
+An example install config with RSA 4096-bit signer certificates:
+
+```yaml
+apiVersion: v1
+baseDomain: example.com
+metadata:
+  name: test-cluster
+featureSet: TechPreviewNoUpgrade
+pki:
+  signerCertificates:
+    key:
+      algorithm: RSA
+      rsa:
+        keySize: 4096
+platform: ...
+pullSecret: '{"auths": ...}'
+sshKey: ssh-ed25519 AAAA...
+```
+
+An example install config with ECDSA P-384 signer certificates:
+
+```yaml
+apiVersion: v1
+baseDomain: example.com
+metadata:
+  name: test-cluster
+featureSet: TechPreviewNoUpgrade
+pki:
+  signerCertificates:
+    key:
+      algorithm: ECDSA
+      ecdsa:
+        curve: P384
+platform: ...
+pullSecret: '{"auths": ...}'
+sshKey: ssh-ed25519 AAAA...
+```
+
+The `pki` configuration applies only to the 11 signer (CA) certificates generated by the installer. Leaf certificates signed by these CAs continue to use RSA 2048. When `pki` is present, `signerCertificates` must be fully specified with algorithm and key parameters.
+
 ## Kubernetes Customization (unvalidated)
 
 In addition to customizing OpenShift and aspects of the underlying platform, the installer allows arbitrary modification to the Kubernetes objects that are injected into the cluster. Note that there is currently no validation on the modifications that are made, so it is possible that the changes will result in a non-functioning cluster. The Kubernetes manifests can be viewed and modified using the `manifests` and `manifest-templates` targets.

pkg/asset/ignition/machine/arbiter_ignition_customizations_test.go

@@ -85,8 +85,10 @@ func TestArbiterIgnitionCustomizationsGenerate(t *testing.T) {
 
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
+			rootCAParents := asset.Parents{}
+			rootCAParents.Add(tc.installConfig)
 			rootCA := &tls.RootCA{}
-			err := rootCA.Generate(context.Background(), nil)
+			err := rootCA.Generate(context.Background(), rootCAParents)
 			assert.NoError(t, err, "unexpected error generating root CA")
 
 			parents := asset.Parents{}

pkg/asset/ignition/machine/arbiter_test.go

@@ -70,8 +70,10 @@ func TestArbiterGenerate(t *testing.T) {
 	}
 	for _, tc := range testCases {
 		t.Run(tc.description, func(t *testing.T) {
+			rootCAParents := asset.Parents{}
+			rootCAParents.Add(tc.installConfig)
 			rootCA := &tls.RootCA{}
-			err := rootCA.Generate(context.Background(), nil)
+			err := rootCA.Generate(context.Background(), rootCAParents)
 			assert.NoError(t, err, "unexpected error generating root CA")
 
 			parents := asset.Parents{}

pkg/asset/ignition/machine/master_ignition_customizations_test.go

@@ -48,8 +48,10 @@ func TestMasterIgnitionCustomizationsGenerate(t *testing.T) {
 					},
 				})
 
+			rootCAParents := asset.Parents{}
+			rootCAParents.Add(installConfig)
 			rootCA := &tls.RootCA{}
-			err := rootCA.Generate(context.Background(), nil)
+			err := rootCA.Generate(context.Background(), rootCAParents)
 			assert.NoError(t, err, "unexpected error generating root CA")
 
 			parents := asset.Parents{}

pkg/asset/ignition/machine/master_test.go

@@ -38,8 +38,10 @@ func TestMasterGenerate(t *testing.T) {
 			},
 		})
 
+	rootCAParents := asset.Parents{}
+	rootCAParents.Add(installConfig)
 	rootCA := &tls.RootCA{}
-	err := rootCA.Generate(context.Background(), nil)
+	err := rootCA.Generate(context.Background(), rootCAParents)
 	assert.NoError(t, err, "unexpected error generating root CA")
 
 	parents := asset.Parents{}

pkg/asset/ignition/machine/worker_ignition_customizations_test.go

@@ -48,8 +48,10 @@ func TestWorkerIgnitionCustomizationsGenerate(t *testing.T) {
 					},
 				})
 
+			rootCAParents := asset.Parents{}
+			rootCAParents.Add(installConfig)
 			rootCA := &tls.RootCA{}
-			err := rootCA.Generate(context.Background(), nil)
+			err := rootCA.Generate(context.Background(), rootCAParents)
 			assert.NoError(t, err, "unexpected error generating root CA")
 
 			parents := asset.Parents{}

pkg/asset/ignition/machine/worker_test.go

@@ -28,8 +28,10 @@ func TestWorkerGenerate(t *testing.T) {
 			},
 		})
 
+	rootCAParents := asset.Parents{}
+	rootCAParents.Add(installConfig)
 	rootCA := &tls.RootCA{}
-	err := rootCA.Generate(context.Background(), nil)
+	err := rootCA.Generate(context.Background(), rootCAParents)
 	assert.NoError(t, err, "unexpected error generating root CA")
 
 	parents := asset.Parents{}

pkg/asset/imagebased/configimage/ingressoperatorsigner.go

@@ -59,7 +59,10 @@ func (a *IngressOperatorSignerCertKey) Generate(ctx context.Context, dependencie
 		return err
 	}
 
-	a.KeyRaw = tls.PrivateKeyToPem(key)
+	a.KeyRaw, err = tls.PrivateKeyToPem(key)
+	if err != nil {
+		return fmt.Errorf("failed to encode private key to PEM: %w", err)
+	}
 	a.CertRaw = tls.CertToPem(crt)
 
 	return nil

pkg/asset/manifests/operators.go

@@ -90,6 +90,7 @@ func (m *Manifests) Dependencies() []asset.Asset {
 		&bootkube.InternalReleaseImageTLSSecret{},
 		&bootkube.InternalReleaseImageRegistryAuthSecret{},
 		&BMCVerifyCAConfigMap{},
+		&PKIConfiguration{},
 	}
 }
 
@@ -107,8 +108,9 @@ func (m *Manifests) Generate(_ context.Context, dependencies asset.Parents) erro
 	imageDigestMirrorSet := &ImageDigestMirrorSet{}
 	mcoCfgTemplate := &manifests.MCO{}
 	bmcVerifyCAConfigMap := &BMCVerifyCAConfigMap{}
+	pkiConfig := &PKIConfiguration{}
 
-	dependencies.Get(installConfig, ingress, dns, network, infra, proxy, scheduler, imageContentSourcePolicy, imageDigestMirrorSet, clusterCSIDriverConfig, mcoCfgTemplate, bmcVerifyCAConfigMap)
+	dependencies.Get(installConfig, ingress, dns, network, infra, proxy, scheduler, imageContentSourcePolicy, imageDigestMirrorSet, clusterCSIDriverConfig, mcoCfgTemplate, bmcVerifyCAConfigMap, pkiConfig)
 
 	redactedConfig, err := redactedInstallConfig(*installConfig.Config)
 	if err != nil {
@@ -147,6 +149,7 @@ func (m *Manifests) Generate(_ context.Context, dependencies asset.Parents) erro
 	m.FileList = append(m.FileList, clusterCSIDriverConfig.Files()...)
 	m.FileList = append(m.FileList, imageDigestMirrorSet.Files()...)
 	m.FileList = append(m.FileList, bmcVerifyCAConfigMap.Files()...)
+	m.FileList = append(m.FileList, pkiConfig.Files()...)
 
 	asset.SortFiles(m.FileList)
 

pkg/asset/manifests/pki.go

@@ -0,0 +1,102 @@
+package manifests
+
+import (
+	"context"
+	"path"
+
+	"github.com/pkg/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/yaml"
+
+	configv1alpha1 "github.com/openshift/api/config/v1alpha1"
+	features "github.com/openshift/api/features"
+	"github.com/openshift/installer/pkg/asset"
+	"github.com/openshift/installer/pkg/asset/installconfig"
+	pkidefaults "github.com/openshift/installer/pkg/types/pki"
+)
+
+var pkiCfgFilename = path.Join(manifestDir, "cluster-pki-02-config.yaml")
+
+// PKIConfiguration generates the PKI custom resource manifest.
+type PKIConfiguration struct {
+	FileList []*asset.File
+}
+
+var _ asset.WritableAsset = (*PKIConfiguration)(nil)
+
+// Name returns a human friendly name for the asset.
+func (*PKIConfiguration) Name() string {
+	return "PKI Config"
+}
+
+// Dependencies returns all of the dependencies directly needed to generate
+// the asset.
+func (*PKIConfiguration) Dependencies() []asset.Asset {
+	return []asset.Asset{
+		&installconfig.InstallConfig{},
+	}
+}
+
+// Generate generates the PKI custom resource manifest.
+// The manifest is only generated when the ConfigurablePKI feature gate is enabled.
+func (p *PKIConfiguration) Generate(_ context.Context, dependencies asset.Parents) error {
+	installConfig := &installconfig.InstallConfig{}
+	dependencies.Get(installConfig)
+
+	if !installConfig.Config.Enabled(features.FeatureGateConfigurablePKI) {
+		return nil
+	}
+
+	certMgmt := configv1alpha1.PKICertificateManagement{
+		Mode: configv1alpha1.PKICertificateManagementModeDefault,
+	}
+
+	if installConfig.Config.PKI != nil {
+		profile := pkidefaults.DefaultPKIProfile()
+		profile.SignerCertificates = pkidefaults.CertificateConfigToUpstream(installConfig.Config.PKI.SignerCertificates)
+
+		certMgmt = configv1alpha1.PKICertificateManagement{
+			Mode: configv1alpha1.PKICertificateManagementModeCustom,
+			Custom: configv1alpha1.CustomPKIPolicy{
+				PKIProfile: profile,
+			},
+		}
+	}
+
+	config := &configv1alpha1.PKI{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: configv1alpha1.SchemeGroupVersion.String(),
+			Kind:       "PKI",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "cluster",
+		},
+		Spec: configv1alpha1.PKISpec{
+			CertificateManagement: certMgmt,
+		},
+	}
+
+	configData, err := yaml.Marshal(config)
+	if err != nil {
+		return errors.Wrapf(err, "failed to marshal PKI config")
+	}
+
+	p.FileList = []*asset.File{
+		{
+			Filename: pkiCfgFilename,
+			Data:     configData,
+		},
+	}
+
+	return nil
+}
+
+// Files returns the files generated by the asset.
+func (p *PKIConfiguration) Files() []*asset.File {
+	return p.FileList
+}
+
+// Load returns false since this asset is not written to disk by the installer.
+func (p *PKIConfiguration) Load(f asset.FileFetcher) (bool, error) {
+	return false, nil
+}