upgrade rsa key size from 2048 to 3072

Signed-off-by: chaosi-zju <chaosi@zju.edu.cn>

charts/karmada/templates/pre-install-job.yaml

@@ -388,12 +388,12 @@ spec:
           mkdir -p /opt/configs
           mkdir -p /opt/certs
           cp -r -L /opt/mount/* /opt/configs/
-          openssl req -x509 -sha256 -new -nodes -days 365 -newkey rsa:2048 -keyout "/opt/certs/server-ca.key" -out "/opt/certs/server-ca.crt" -subj "/C=xx/ST=x/L=x/O=x/OU=x/CN=ca/emailAddress=x/"
-          openssl req -x509 -sha256 -new -nodes -days 365 -newkey rsa:2048 -keyout "/opt/certs/front-proxy-ca.key" -out "/opt/certs/front-proxy-ca.crt" -subj "/C=xx/ST=x/L=x/O=x/OU=x/CN=ca/emailAddress=x/"
+          openssl req -x509 -sha256 -new -nodes -days 365 -newkey rsa:{{ .Values.certs.auto.rsaSize }} -keyout "/opt/certs/server-ca.key" -out "/opt/certs/server-ca.crt" -subj "/C=xx/ST=x/L=x/O=x/OU=x/CN=ca/emailAddress=x/"
+          openssl req -x509 -sha256 -new -nodes -days 365 -newkey rsa:{{ .Values.certs.auto.rsaSize }} -keyout "/opt/certs/front-proxy-ca.key" -out "/opt/certs/front-proxy-ca.crt" -subj "/C=xx/ST=x/L=x/O=x/OU=x/CN=ca/emailAddress=x/"
           echo '{"signing":{"default":{"expiry":{{ printf `"%s"` .Values.certs.auto.expiry }},"usages":["signing","key encipherment","client auth","server auth"]}}}' > "/opt/certs/server-ca-config.json"
-          echo '{"CN":"system:admin","hosts":{{ tpl (toJson .Values.certs.auto.hosts) . }},"names":[{"O":"system:masters"}],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=/opt/certs/server-ca.crt -ca-key=/opt/certs/server-ca.key -config=/opt/certs/server-ca-config.json - | cfssljson -bare /opt/certs/karmada
+          echo '{"CN":"system:admin","hosts":{{ tpl (toJson .Values.certs.auto.hosts) . }},"names":[{"O":"system:masters"}],"key":{"algo":"rsa","size":{{ .Values.certs.auto.rsaSize }}}}' | cfssl gencert -ca=/opt/certs/server-ca.crt -ca-key=/opt/certs/server-ca.key -config=/opt/certs/server-ca-config.json - | cfssljson -bare /opt/certs/karmada
           echo '{"signing":{"default":{"expiry":{{ printf `"%s"` .Values.certs.auto.expiry }},"usages":["signing","key encipherment","client auth","server auth"]}}}' > "/opt/certs/front-proxy-ca-config.json"
-          echo '{"CN":"front-proxy-client","hosts":{{ tpl (toJson .Values.certs.auto.hosts) . }},"names":[{"O":"system:masters"}],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=/opt/certs/front-proxy-ca.crt -ca-key=/opt/certs/front-proxy-ca.key -config=/opt/certs/front-proxy-ca-config.json - | cfssljson -bare /opt/certs/front-proxy-client
+          echo '{"CN":"front-proxy-client","hosts":{{ tpl (toJson .Values.certs.auto.hosts) . }},"names":[{"O":"system:masters"}],"key":{"algo":"rsa","size":{{ .Values.certs.auto.rsaSize }}}}' | cfssl gencert -ca=/opt/certs/front-proxy-ca.crt -ca-key=/opt/certs/front-proxy-ca.key -config=/opt/certs/front-proxy-ca-config.json - | cfssljson -bare /opt/certs/front-proxy-client
           karmada_ca=$(base64 /opt/certs/server-ca.crt | tr -d '\r\n')
           karmada_ca_key=$(base64 /opt/certs/server-ca.key | tr -d '\r\n')
           karmada_crt=$(base64 /opt/certs/karmada.pem | tr -d '\r\n')

charts/karmada/values.yaml

@@ -130,6 +130,8 @@ certs:
       "localhost",
       "127.0.0.1"
     ]
+    ## @param certs.auto.rsaSize rsa key size of the certificate
+    rsaSize: 3072
   custom:
     ## @param certs.custom.caCrt ca of the certificate
     caCrt: |

hack/util.sh

@@ -213,7 +213,7 @@ function util::create_signing_certkey {
     # Create ca
     ${sudo} /usr/bin/env bash -e <<EOF
     rm -f "${dest_dir}/${id}.crt" "${dest_dir}/${id}.key"
-    ${OPENSSL_BIN} req -x509 -sha256 -new -nodes -days 3650 -newkey rsa:2048 -keyout "${dest_dir}/${id}.key" -out "${dest_dir}/${id}.crt" -subj "/CN=${cn}/"
+    ${OPENSSL_BIN} req -x509 -sha256 -new -nodes -days 3650 -newkey rsa:3072 -keyout "${dest_dir}/${id}.key" -out "${dest_dir}/${id}.crt" -subj "/CN=${cn}/"
     echo '{"signing":{"default":{"expiry":"43800h","usages":["signing","key encipherment",${purpose}]}}}' > "${dest_dir}/${id}-config.json"
 EOF
 }
@@ -236,7 +236,7 @@ function util::create_certkey {
     done
     ${sudo} /usr/bin/env bash -e <<EOF
     cd ${dest_dir}
-    echo '{"CN":"${cn}","hosts":[${hosts}],"names":[{"O":"${og}"}],"key":{"algo":"rsa","size":2048}}' | ${CFSSL_BIN} gencert -ca=${ca}.crt -ca-key=${ca}.key -config=${ca}-config.json - | ${CFSSLJSON_BIN} -bare ${id}
+    echo '{"CN":"${cn}","hosts":[${hosts}],"names":[{"O":"${og}"}],"key":{"algo":"rsa","size":3072}}' | ${CFSSL_BIN} gencert -ca=${ca}.crt -ca-key=${ca}.key -config=${ca}-config.json - | ${CFSSLJSON_BIN} -bare ${id}
     mv "${id}-key.pem" "${id}.key"
     mv "${id}.pem" "${id}.crt"
     rm -f "${id}.csr"

operator/pkg/certs/certs.go

@@ -46,7 +46,7 @@ import (
 const (
 	// CertificateBlockType is a possible value for pem.Block.Type.
 	CertificateBlockType = "CERTIFICATE"
-	rsaKeySize           = 2048
+	rsaKeySize           = 3072
 	keyExtension         = ".key"
 	certExtension        = ".crt"
 )

pkg/karmadactl/cmdinit/cert/cert.go

@@ -45,7 +45,7 @@ import (
 const (
 	// certificateBlockType is a possible value for pem.Block.Type.
 	certificateBlockType = "CERTIFICATE"
-	rsaKeySize           = 2048
+	rsaKeySize           = 3072
 	// Duration365d Certificate validity period
 	Duration365d = time.Hour * 24 * 365
 )

pkg/karmadactl/register/register.go

@@ -761,7 +761,7 @@ func (o *CommandRegisterOption) makeKarmadaAgentDeployment() *appsv1.Deployment
 
 // generateKeyAndCSR generate private key and csr
 func generateKeyAndCSR(clusterName string) (*rsa.PrivateKey, []byte, error) {
-	pk, err := rsa.GenerateKey(rand.Reader, 2048)
+	pk, err := rsa.GenerateKey(rand.Reader, 3072)
 	if err != nil {
 		return nil, nil, err
 	}

pkg/util/lifted/pubkeypin/pubkeypin_test.go

@@ -24,57 +24,65 @@ import (
 )
 
 // testCertPEM is a simple self-signed test certificate issued with the openssl CLI:
-// openssl req -new -newkey rsa:2048 -days 36500 -nodes -x509 -keyout /dev/null -out test.crt
+// openssl req -new -newkey rsa:3072 -days 36500 -nodes -x509 -keyout /dev/null -out test.crt
 const testCertPEM = `
 -----BEGIN CERTIFICATE-----
-MIIDRDCCAiygAwIBAgIJAJgVaCXvC6HkMA0GCSqGSIb3DQEBBQUAMB8xHTAbBgNV
-BAMTFGt1YmVhZG0ta2V5cGlucy10ZXN0MCAXDTE3MDcwNTE3NDMxMFoYDzIxMTcw
-NjExMTc0MzEwWjAfMR0wGwYDVQQDExRrdWJlYWRtLWtleXBpbnMtdGVzdDCCASIw
-DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK0ba8mHU9UtYlzM1Own2Fk/XGjR
-J4uJQvSeGLtz1hID1IA0dLwruvgLCPadXEOw/f/IWIWcmT+ZmvIHZKa/woq2iHi5
-+HLhXs7aG4tjKGLYhag1hLjBI7icqV7ovkjdGAt9pWkxEzhIYClFMXDjKpMSynu+
-YX6nZ9tic1cOkHmx2yiZdMkuriRQnpTOa7bb03OC1VfGl7gHlOAIYaj4539WCOr8
-+ACTUMJUFEHcRZ2o8a/v6F9GMK+7SC8SJUI+GuroXqlMAdhEv4lX5Co52enYaClN
-+D9FJLRpBv2YfiCQdJRaiTvCBSxEFz6BN+PtP5l2Hs703ZWEkOqCByM6HV8CAwEA
-AaOBgDB+MB0GA1UdDgQWBBRQgUX8MhK2rWBWQiPHWcKzoWDH5DBPBgNVHSMESDBG
-gBRQgUX8MhK2rWBWQiPHWcKzoWDH5KEjpCEwHzEdMBsGA1UEAxMUa3ViZWFkbS1r
-ZXlwaW5zLXRlc3SCCQCYFWgl7wuh5DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
-BQUAA4IBAQCaAUif7Pfx3X0F08cxhx8/Hdx4jcJw6MCq6iq6rsXM32ge43t8OHKC
-pJW08dk58a3O1YQSMMvD6GJDAiAfXzfwcwY6j258b1ZlI9Ag0VokvhMl/XfdCsdh
-AWImnL1t4hvU5jLaImUUMlYxMcSfHBGAm7WJIZ2LdEfg6YWfZh+WGbg1W7uxLxk6
-y4h5rWdNnzBHWAGf7zJ0oEDV6W6RSwNXtC0JNnLaeIUm/6xdSddJlQPwUv8YH4jX
-c1vuFqTnJBPcb7W//R/GI2Paicm1cmns9NLnPR35exHxFTy+D1yxmGokpoPMdife
-aH+sfuxT8xeTPb3kjzF9eJTlnEquUDLM
+MIIEbTCCAtWgAwIBAgIULwXa4OSKT/GklPt0JMn2GUZYClMwDQYJKoZIhvcNAQEL
+BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAgFw0yNDA1MjAwMjIzNTdaGA8yMTI0
+MDQyNjAyMjM1N1owRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
+ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCAaIwDQYJKoZIhvcN
+AQEBBQADggGPADCCAYoCggGBAMXIMrjc7AKSa1Q/gmJzyXUwg0CNtmbWwz9cxWW3
+5DYxRsirnOc9EVMMI6hSl9k1dOh8DQ1uIZLM8EHtSol7o/CP3MCBT6SkaniXpFON
+UUZkKY3Yo7t8AOcuRoLRrnye2YrpQOEQ8eb+dXnzibFrJuSw6fXBoXdutmaWWMmN
+XPICC1s8l/GxT7jjvm7Y5iVFq+sZco/qxv1ZeBNmUcWWXEtT2KppCBRXk/23OcV2
+fvCDS/3bUIgeBxphUnASv8r5W5orbtl/HGgn/uv7LyYDVVWgYVxXuXaW6blc+oLB
+bFbiPlfg7EIrcbkV1qBl9SesMPrp8lQH3+PEMCxF6Q0kxDfJteiIUQsWhmyV6/VA
+t7XVIU0Dl99zN7WoZLsstjI9/7b+TjBqMRWVTtoAeHMzH9lLx75rTUfAXzcM2Zpy
+AsEmlNXzcysyTgqhZg1bQwbHZVzH3ctfMxw/DDzpvyhPfHM5eQp06HPSMhv0v4uZ
+pz3mNOxCffRxj4A1v9pWn0YyoQIDAQABo1MwUTAdBgNVHQ4EFgQUvBTsnQ7yih79
+Jz7d0VZmSvAnRWAwHwYDVR0jBBgwFoAUvBTsnQ7yih79Jz7d0VZmSvAnRWAwDwYD
+VR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAYEAoR0w2y1v4QlE4rQ+LPAi
+Am576mClL5gCpSEdBP32htSJOEz4VHeUn/zpGWoO6ezEeMOqosuax2LP2sv62zOj
+OyYXxZ6uBV6jz+hvpufgIqnFj9sRckS6wXsDb726fOaKvv1PCdQUQPMgF9sX3vQD
+YeWqg0ga1OGfeXdJMdS2AmTidR0m83EIE1PvX2nddhh1xOC0XCoUuwv/O8aSvfqg
+iBBDZt0FFMlkSsSkNwbYylmaY0MR11bMCx6OZTCQ43zkcxg9k8ItvxOvSkRjfTlh
+QaPa/qIkto4XQCrTHPcMRVSYfIFOi5hpiwXVuC1T/uFDKqvhGAijGX8xTi/FYJV6
+Bgm0D8TXpEBqhvS7Fkf9mUdOF8FenGhJrJtY8jqCCsietGC6tuabl0tFVgDV+6nu
+0sQVRzYWcvk/21vps+LiO/+EifDbq8KpmEALOWp59kZPYalLmFlyavXHNlpxd9Tm
+sOVrkbwM/dtdTqzqQ6YW2uRGfTfmb3pfOBN4H6kiu6RD
 -----END CERTIFICATE-----`
 
 // expectedHash can be verified using the openssl CLI.
-const expectedHash = `sha256:345959acb2c3b2feb87d281961c893f62a314207ef02599f1cc4a5fb255480b3`
+const expectedHash = `sha256:d597b45a039e09054649e094dc3da2997475827404cf67a886459724c4e35d38`
 
 // testCert2PEM is a second test cert generated the same way as testCertPEM
 const testCert2PEM = `
 -----BEGIN CERTIFICATE-----
-MIID9jCCAt6gAwIBAgIJAN5MXZDic7qYMA0GCSqGSIb3DQEBBQUAMFkxCzAJBgNV
-BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
-aWRnaXRzIFB0eSBMdGQxEjAQBgNVBAMTCXRlc3RDZXJ0MjAgFw0xNzA3MjQxNjA0
-MDFaGA8yMTE3MDYzMDE2MDQwMVowWTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNv
-bWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDESMBAG
-A1UEAxMJdGVzdENlcnQyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
-0brwpJYN2ytPWzRBtZSVc3dhkQlA59AzxzqeLLkano0Pxo9NIc3T/y58nnRI8uaS
-I1P7BzUfJTiUEvmAtX8NggqKK4ld/gPrU+IRww1CUYS4KCkA/0d0ctPy0JwBCjD+
-b57G3rmNE8c+0jns6J96ZzNtqmv6N+ZlFBAXm1p4S+k0kGi5+hoQ6H7SYXjk2lG+
-r/8jPQEjy/NSdw1dcCA0Nc6o+hPr32927dS6J9KOhBeXNYUNdbuDDmroM9/gN2e/
-YMSA1olLeDPQ7Xvhk0PIyEDnHh83AffPCx5yM3htVRGddjIsPAVUJEL3z5leJtxe
-fzyPghOhHJY0PXqznDQTcwIDAQABo4G+MIG7MB0GA1UdDgQWBBRP0IJqv/5rQ4Uf
-SByl77dJeEapRDCBiwYDVR0jBIGDMIGAgBRP0IJqv/5rQ4UfSByl77dJeEapRKFd
-pFswWTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoT
-GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDESMBAGA1UEAxMJdGVzdENlcnQyggkA
-3kxdkOJzupgwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEA0RIMHc10
-wHHPMh9UflqBgDMF7gfbOL0juJfGloAOcohWWfMZBBJ0CQKMy3xRyoK3HmbW1eeb
-iATjesw7t4VEAwf7mgKAd+eTfWYB952uq5qYJ2TI28mSofEq1Wz3RmrNkC1KCBs1
-u+YMFGwyl6necV9zKCeiju4jeovI1GA38TvH7MgYln6vMJ+FbgOXj7XCpek7dQiY
-KGaeSSH218mGNQaWRQw2Sm3W6cFdANoCJUph4w18s7gjtFpfV63s80hXRps+vEyv
-jEQMEQpG8Ss7HGJLGLBw/xAmG0e//XS/o2dDonbGbvzToFByz8OGxjMhk6yV6hdd
-+iyvsLAw/MYMSA==
+MIIEbTCCAtWgAwIBAgIULEFzXomJO9a0Tv+pC6/7L6voZjEwDQYJKoZIhvcNAQEL
+BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAgFw0yNDA1MjAwMjI1MzRaGA8yMTI0
+MDQyNjAyMjUzNFowRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
+ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCAaIwDQYJKoZIhvcN
+AQEBBQADggGPADCCAYoCggGBANJPAabiDP66oTZGPajoAtwbJKCpixekZdGX4xlO
+X+ymnVeKuawiX/pXQB0ZMg0imQ1KgUTNdHzVJzuPtkJDeGvAwGzgPBFrM3XjUs+1
+kl2KlG9WEqLViF/J0NjPDCAJRgQNor0ycjiHSr5dg9QlrCduuaro3SCNfT4xuci7
+k2UHxzFhguYXn+Ef+6ZqdtsM9x8aQhWa2Aw3I1yEuOSKT8HmcDkYyeI4XaI299Gz
+LFz4+lR72jkAJRA2Dk5pKBwYJz8i3Wmr6wyXUizlSly3796tUMfzgXxnNkCRXaLz
+4uiqUatnmCd1/pZ47I4oSUCCjj7Mq7EFfKFmXfCoaXAfNGxMdYtwjl299h2PtKKU
+wlBwv1BUJICWkJ+OyB3Tv9YuZqNWoYY2x4qPV3/QWaUgtv5/LKdYR6Ivzc4gwMJD
+PWjpb27KtnKrlw6VwrrjfyMEDVkVkibXJWAnoJv0KJ275rIre5vQH4DKFC0isfNR
+sLVOKfiyWudqIVFiVDUCufDnPQIDAQABo1MwUTAdBgNVHQ4EFgQU14xkgPnKLiqe
+gS/blBgvJTc8qO8wHwYDVR0jBBgwFoAU14xkgPnKLiqegS/blBgvJTc8qO8wDwYD
+VR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAYEAFf4Fc5ScyZMqkcoVuYvh
+1WISAbM6k+5aHX/KA+Br35Zxh4B3s+NGGG48RXVt4xMs/x9fCU1OpWKLiAzJwSBM
+hFidIBshCrrVnVKy+ws1tOAcw4f21k5n0S/Sw+uYWNpamcpD7X3kFpTMIzYGdO5c
+hffYHQ+oP3tQTD9GMuNVAlagrMqabk6JZXz36ow+aPASdnCjrA0WpuQ+XeldGc+N
+4hfU6rTKdFO8Uu9iaMgd5tFlZdIYEBP+wJ9APKtjjwuolsKcQKaHHLorMnNXO5Ct
+TA7YgpW7oic1AMtmD+Z+ucT9OpGHEXQa4TEtmr0fiEAUFjwcwyy7LO7x18buUPt4
+Rzq+T+QEdf3BmBL4p5ArKyLcOeZNK4MjPbbjKYnibJBGDYgtrz7GLgF//P4S4/lP
+0lmm5cBxIDEaeE6WjQZUrx+TvJFIQ8GTu0vG8h7JDKqO6UbBL8OAMZ2fO9iPXlYH
+0EZLIWXX1p8W8w7+dmr0CGpLdascEdxXkf/XYIsAP68K
 -----END CERTIFICATE-----
 `