Use ECDSA P-256 private keys for cert-manager certificates#1973
Conversation
Switch all cert-manager Certificate resources from the default RSA algorithm to ECDSA P-256. This applies to webhook serving certs, metrics server certs, and all operator bindata certificates. The sync-bindata.sh script is updated accordingly. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Francesco Pantano <fpantano@redhat.com>
OpenStackControlPlane CRD Size Report
Threshold reference
|
|
Build failed (check pipeline). Post ❌ openstack-k8s-operators-content-provider FAILURE in 4m 01s |
|
/test openstack-operator-build-deploy-kuttl-4-18 |
|
recheck |
|
I guess its ok to get this in 18 as well? for the 18/19 branching, we plan to branch one more from main. we'll discuss in our tomorrows meeting |
This is technically ok for 18 as well. The target is 19 of course, so we can also hold it until we branch a |
@stuggi as this is not a goal for 18, my proposal is to land this after we branch |
|
@fmount: The following test failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
| name: infra-operator-selfsigned-issuer | ||
| privateKey: | ||
| algorithm: ECDSA | ||
| size: 256 |
There was a problem hiding this comment.
256 is the default for ECDSA it seems:
https://github.com/cert-manager/cert-manager/blob/master/internal/apis/certmanager/types_certificate.go#L311-L319
Probably don't need to explicitly set the size. But, weird that they would default to RSA in 2026. I guess you could also set the size and not the algorithm too. But it's not a problem, just providing the feedback since I went to the trouble of looking up the defaults.
|
@bshephar: changing LGTM is restricted to collaborators DetailsIn response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: bshephar, fmount The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
Switch all
cert-managerCertificateresources from the defaultRSAalgorithm toECDSAP-256. This applies towebhookserving certs,metricsserver certs, and all operatorbindatacertificates. Thesync-bindata.shscript is updated accordingly (and it properly regenerates all the services files).Jira: https://redhat.atlassian.net/browse/OSPRH-27314