-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use ECDSA instead of RSA #9127
Use ECDSA instead of RSA #9127
Conversation
Skipping CI for Draft Pull Request. |
/test all |
63a425a
to
da8c73e
Compare
/test pull-kubevirt-e2e-k8s-1.25-sig-compute-migrations-root |
/test pull-kubevirt-e2e-k8s-1.25-sig-compute-migrations-root |
/retest-required |
/retest |
Currently, kubevirt generates certificates with RSA signature. ECDSA, in general, create signatures faster than RSA. Also, OLM already uses ECDSA[1], and it would be right to conform. The elliptic curve used is the NIST P-256 (FIPS 186-3, section D.2.3), also known as secp256r1 or prime256v1: this is supported by TLS1.3[2]. [1] https://github.com/operator-framework/operator-lifecycle-manager/blob/master/pkg/controller/certs/certs.go#L31:L34 [2] https://www.rfc-editor.org/rfc/rfc8446#section-4.2.7 Signed-off-by: fossedihelm <ffossemo@redhat.com>
da8c73e
to
448748c
Compare
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: acardace The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest-required |
/cherrypick release-0.59 |
@fossedihelm: once the present PR merges, I will cherry-pick it on top of release-0.59 in a new PR and assign it to you. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/retest-required |
@fossedihelm: The following test failed, say
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/retest-required |
/retest-required |
@fossedihelm: new pull request created: #9345 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/cherrypick release-0.58 |
@fossedihelm: #9127 failed to apply on top of branch "release-0.58":
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
What this PR does / why we need it:
Currently, kubevirt generates certificates with RSA signature. ECDSA, in general, create signatures faster than RSA. Also, OLM already uses ECDSA[1], and it would be right to conform. The elliptic curve used is the NIST P-256 (FIPS 186-3, section D.2.3), also known as secp256r1 or prime256v1: this is supported by TLS1.3[2].
[1] https://github.com/operator-framework/operator-lifecycle-manager/blob/master/pkg/controller/certs/certs.go#L31:L34
[2] https://www.rfc-editor.org/rfc/rfc8446#section-4.2.7
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)
format, will close the issue(s) when PR gets merged):Fixes #
Special notes for your reviewer:
Release note: