Skip to content

Use ECDSA P-256 private keys for cert-manager certificates#1973

Open
fmount wants to merge 1 commit into
openstack-k8s-operators:mainfrom
fmount:crt-manager
Open

Use ECDSA P-256 private keys for cert-manager certificates#1973
fmount wants to merge 1 commit into
openstack-k8s-operators:mainfrom
fmount:crt-manager

Conversation

@fmount

@fmount fmount commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Switch all cert-manager Certificate resources from the default RSA algorithm to ECDSA P-256. This applies to webhook serving certs, metrics server certs, and all operator bindata certificates. The sync-bindata.sh script is updated accordingly (and it properly regenerates all the services files).

Jira: https://redhat.atlassian.net/browse/OSPRH-27314

Switch all cert-manager Certificate resources from the default RSA
algorithm to ECDSA P-256. This applies to webhook serving certs,
metrics server certs, and all operator bindata certificates. The
sync-bindata.sh script is updated accordingly.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Francesco Pantano <fpantano@redhat.com>
@openshift-ci openshift-ci Bot requested review from dprince and rabi July 7, 2026 08:20
@fmount fmount requested a review from mauricioharley July 7, 2026 08:20
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown

OpenStackControlPlane CRD Size Report

Metric Value
CRD JSON size 350002 bytes (342KB)
Base branch size 350002 bytes
Change +0.00%
Status yellow — growing
Threshold reference
Color Range Meaning
🟢 green < 300KB Comfortable
🟡 yellow 300–400KB Growing
🟠 orange 400–750KB Concerning
🔴 red > 750KB Approaching 1.5MB etcd limit (cut in half to allow space for update)

@fmount fmount requested review from vakwetu and removed request for rabi July 7, 2026 08:20
@centosinfra-prod-github-app

Copy link
Copy Markdown

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://gateway-cloud-softwarefactory.apps.ocp.cloud.ci.centos.org/zuul/t/rdoproject.org/buildset/d91800d9b448468ca01c8104cce1d670

openstack-k8s-operators-content-provider FAILURE in 4m 01s
⚠️ podified-multinode-edpm-deployment-crc SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
⚠️ cifmw-crc-podified-edpm-baremetal SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
⚠️ openstack-operator-tempest-multinode SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
⚠️ openstack-operator-edpm-baremetal-minor-update SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider

@fmount

fmount commented Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

/test openstack-operator-build-deploy-kuttl-4-18

@fmount

fmount commented Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

recheck

@fmount fmount requested review from abays and stuggi July 8, 2026 11:58
@stuggi

stuggi commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

I guess its ok to get this in 18 as well? for the 18/19 branching, we plan to branch one more from main. we'll discuss in our tomorrows meeting

@fmount

fmount commented Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

I guess its ok to get this in 18 as well? for the 18/19 branching, we plan to branch one more from main. we'll discuss in our tomorrows meeting

This is technically ok for 18 as well. The target is 19 of course, so we can also hold it until we branch a stable-18. We can discuss more sure.

@fmount

fmount commented Jul 9, 2026

Copy link
Copy Markdown
Contributor Author

I guess its ok to get this in 18 as well? for the 18/19 branching, we plan to branch one more from main. we'll discuss in our tomorrows meeting

This is technically ok for 18 as well. The target is 19 of course, so we can also hold it until we branch a stable-18. We can discuss more sure.

@stuggi as this is not a goal for 18, my proposal is to land this after we branch stable-18.

@openshift-ci

openshift-ci Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

@fmount: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/openstack-operator-build-deploy-kuttl-4-20 62715b2 link true /test openstack-operator-build-deploy-kuttl-4-20

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@fultonj fultonj self-requested a review July 14, 2026 15:08
name: infra-operator-selfsigned-issuer
privateKey:
algorithm: ECDSA
size: 256

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

256 is the default for ECDSA it seems:
https://github.com/cert-manager/cert-manager/blob/master/internal/apis/certmanager/types_certificate.go#L311-L319

Probably don't need to explicitly set the size. But, weird that they would default to RSA in 2026. I guess you could also set the size and not the algorithm too. But it's not a problem, just providing the feedback since I went to the trouble of looking up the defaults.

@openshift-ci

openshift-ci Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

@bshephar: changing LGTM is restricted to collaborators

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci

openshift-ci Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: bshephar, fmount
Once this PR has been reviewed and has the lgtm label, please assign fultonj for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants