chore: update rook to 1.16.6 (#333)

Author: nvanthao

cmd/ekco/cli/regen-cert.go

@@ -6,10 +6,10 @@ import (
 	"strings"
 
 	"github.com/pkg/errors"
+	"github.com/replicatedhq/ekco/pkg/util"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 	certutil "k8s.io/client-go/util/cert"
-	kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
 	certsphase "k8s.io/kubernetes/cmd/kubeadm/app/phases/certs"
 	"k8s.io/kubernetes/cmd/kubeadm/app/phases/certs/renewal"
 	"k8s.io/kubernetes/cmd/kubeadm/app/util/pkiutil"
@@ -37,15 +37,22 @@ func RegenCertCmd(v *viper.Viper) *cobra.Command {
 				return fmt.Errorf("Expected exactly 1 cert in %s, got %d", certPath, len(certs))
 			}
 			cert := certs[0]
+
+			// check if encryption algorithm is supported
+			encryptionAlgorithm, err := util.GetEncryptionAlgorithmType(cert)
+			if err != nil {
+				return errors.Wrapf(err, "get encryption algorithm type from %s", certPath)
+			}
+
 			cfg := &pkiutil.CertConfig{
 				Config: certutil.Config{
 					CommonName:   cert.Subject.CommonName,
 					Organization: cert.Subject.Organization,
 					AltNames:     certutil.AltNames{},
 					Usages:       cert.ExtKeyUsage,
 				},
-				NotAfter:            &cert.NotAfter,
-				EncryptionAlgorithm: kubeadmapi.EncryptionAlgorithmType(cert.PublicKeyAlgorithm.String()),
+				NotAfter:            cert.NotAfter,
+				EncryptionAlgorithm: encryptionAlgorithm,
 			}
 
 			newCertIPs := map[string]net.IP{}

go.mod

@@ -61,7 +61,10 @@ func (c *Controller) RotateRegistryCert(ctx context.Context) error {
 		return errors.Wrap(err, "load cluster CA")
 	}
 
-	config := certToConfig(cert)
+	config, err := certToConfig(cert)
+	if err != nil {
+		return errors.Wrap(err, "convert cert to config")
+	}
 
 	newCert, newKey, err := generateNewCertAndKey(caCert, caKey, config)
 	if err != nil {
@@ -131,9 +134,15 @@ func (c *Controller) updateRegistryCert(ctx context.Context, namespace, name str
 	return nil
 }
 
-func certToConfig(crt *x509.Certificate) *certConfig {
+func certToConfig(crt *x509.Certificate) (*certConfig, error) {
 	notBefore := time.Now().UTC()
-	notAfter := notBefore.Add(kubeadmconstants.CertificateValidity)
+	notAfter := notBefore.Add(kubeadmconstants.CertificateValidityPeriod)
+
+	encryptionAlgorithm, err := util.GetEncryptionAlgorithmType(crt)
+	if err != nil {
+		return nil, errors.Wrapf(err, "get encryption algorithm type from %s", crt.Subject.CommonName)
+	}
+
 	return &certConfig{
 		Config: cert.Config{
 			CommonName:   crt.Subject.CommonName,
@@ -146,8 +155,8 @@ func certToConfig(crt *x509.Certificate) *certConfig {
 		},
 		NotBefore:          &notBefore,
 		NotAfter:           &notAfter,
-		PublicKeyAlgorithm: kubeadmapi.EncryptionAlgorithmType(crt.PublicKeyAlgorithm.String()),
-	}
+		PublicKeyAlgorithm: encryptionAlgorithm,
+	}, nil
 }
 
 // Copied from pkiutil.NewCertAndKey
@@ -192,7 +201,7 @@ func newSignedCert(cfg *certConfig, key crypto.Signer, caCert *x509.Certificate,
 		notBefore = *cfg.NotBefore
 	}
 
-	notAfter := time.Now().Add(kubeadmconstants.CertificateValidity).UTC()
+	notAfter := time.Now().Add(kubeadmconstants.CertificateValidityPeriod).UTC()
 	if cfg.NotAfter != nil {
 		notAfter = *cfg.NotAfter
 	}

go.sum

@@ -49,7 +49,7 @@ func Test_generateNewCertAndKey(t *testing.T) {
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			caKey, err := rsa.GenerateKey(rand.Reader, 1024)
+			caKey, err := rsa.GenerateKey(rand.Reader, 2048)
 			assert.NoError(t, err)
 
 			caBytes, err := x509.CreateCertificate(rand.Reader, test.ca, test.ca, &caKey.PublicKey, caKey)
@@ -58,7 +58,8 @@ func Test_generateNewCertAndKey(t *testing.T) {
 			parsedCA, err := x509.ParseCertificate(caBytes)
 			assert.NoError(t, err)
 
-			cfg := certToConfig(parsedCA)
+			cfg, err := certToConfig(parsedCA)
+			assert.NoError(t, err)
 			newCert, _, err := generateNewCertAndKey(parsedCA, caKey, cfg)
 			assert.NoError(t, err)
 

pkg/cluster/registry_cert.go

@@ -1139,9 +1139,12 @@ func TestController_SetFilesystemReplication(t *testing.T) {
 						Namespace: "rook-ceph",
 					},
 					Spec: cephv1.FilesystemSpec{
-						MetadataPool: cephv1.PoolSpec{
-							Replicated: cephv1.ReplicatedSpec{
-								Size: 1,
+						MetadataPool: cephv1.NamedPoolSpec{
+							Name: "myfs-metadata",
+							PoolSpec: cephv1.PoolSpec{
+								Replicated: cephv1.ReplicatedSpec{
+									Size: 1,
+								},
 							},
 						},
 						DataPools: []cephv1.NamedPoolSpec{
@@ -1181,9 +1184,12 @@ func TestController_SetFilesystemReplication(t *testing.T) {
 						Namespace: "rook-ceph",
 					},
 					Spec: cephv1.FilesystemSpec{
-						MetadataPool: cephv1.PoolSpec{
-							Replicated: cephv1.ReplicatedSpec{
-								Size: 1,
+						MetadataPool: cephv1.NamedPoolSpec{
+							Name: "myfs-metadata",
+							PoolSpec: cephv1.PoolSpec{
+								Replicated: cephv1.ReplicatedSpec{
+									Size: 1,
+								},
 							},
 						},
 						DataPools: []cephv1.NamedPoolSpec{
@@ -1223,9 +1229,12 @@ func TestController_SetFilesystemReplication(t *testing.T) {
 						Namespace: "rook-ceph",
 					},
 					Spec: cephv1.FilesystemSpec{
-						MetadataPool: cephv1.PoolSpec{
-							Replicated: cephv1.ReplicatedSpec{
-								Size: 1,
+						MetadataPool: cephv1.NamedPoolSpec{
+							Name: "myfs-metadata",
+							PoolSpec: cephv1.PoolSpec{
+								Replicated: cephv1.ReplicatedSpec{
+									Size: 1,
+								},
 							},
 						},
 						DataPools: []cephv1.NamedPoolSpec{

pkg/cluster/registry_cert_test.go

@@ -133,7 +133,7 @@ func updateRegistryObjectStore(ctx context.Context, client kubernetes.Interface,
 			return fmt.Errorf("get registry-s3-secret secret in kurl namespace: %v", err)
 		}
 	}
-	if registryConfig != nil && registrySecret != nil {
+	if registryConfig != nil && registrySecret != nil && registryConfig.Data != nil && registrySecret.Data != nil {
 		logs("Updating Registry to use new object store")
 
 		existingConfig := registryConfig.Data["config.yml"]

pkg/cluster/rook_ceph_test.go

@@ -0,0 +1,38 @@
+package util
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rsa"
+	"crypto/x509"
+	"fmt"
+
+	kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
+)
+
+// GetEncryptionAlgorithmType returns the encryption algorithm type for a given certificate
+// https://kubernetes.io/docs/reference/config-api/kubeadm-config.v1beta4/#kubeadm-k8s-io-v1beta4-ClusterConfiguration
+// Can be one of "RSA-2048" (default), "RSA-3072", "RSA-4096" or "ECDSA-P256"
+func GetEncryptionAlgorithmType(cert *x509.Certificate) (kubeadmapi.EncryptionAlgorithmType, error) {
+	switch pubKey := cert.PublicKey.(type) {
+	case *rsa.PublicKey:
+		keySize := pubKey.Size() * 8 // Size() returns bytes, convert to bits
+		switch keySize {
+		case 2048:
+			return kubeadmapi.EncryptionAlgorithmRSA2048, nil
+		case 3072:
+			return kubeadmapi.EncryptionAlgorithmRSA3072, nil
+		case 4096:
+			return kubeadmapi.EncryptionAlgorithmRSA4096, nil
+		default:
+			return "", fmt.Errorf("unsupported RSA key size: %d bits", keySize)
+		}
+	case *ecdsa.PublicKey:
+		if pubKey.Curve == elliptic.P256() {
+			return kubeadmapi.EncryptionAlgorithmECDSAP256, nil
+		}
+		return "", fmt.Errorf("unsupported ECDSA curve: %s", pubKey.Curve.Params().Name)
+	default:
+		return "", fmt.Errorf("unsupported public key type: %T", pubKey)
+	}
+}