Make RSA key length configurable

CHANGELOG.md

@@ -8,6 +8,7 @@ All notable changes to this project will be documented in this file.
 
 - Active Directory's `samAccountName` generation can now be customized ([#454]).
 - Added experimental cert-manager backend ([#482]).
+- Make RSA key length configurable ([#506]).
 
 ### Fixed
 
@@ -25,6 +26,7 @@ All notable changes to this project will be documented in this file.
 [#495]: https://github.com/stackabletech/secret-operator/pull/495
 [#497]: https://github.com/stackabletech/secret-operator/pull/497
 [#505]: https://github.com/stackabletech/secret-operator/pull/505
+[#506]: https://github.com/stackabletech/secret-operator/pull/506
 
 ## [24.7.0] - 2024-07-24
 

deploy/helm/secret-operator/crds/crds.yaml

@@ -58,6 +58,28 @@ spec:
 
                                 If `autoGenerate: true` then the Secret Operator will prepare a new CA certificate the old CA approaches expiration. If `autoGenerate: false` then the Secret Operator will log a warning instead.
                               type: string
+                            keyGeneration:
+                              default:
+                                rsa:
+                                  length: 2048
+                              description: The algorithm used to generate a keypair and required configuration settings. Currently only RSA and a key length of 2048, 3072 or 4096 bits can be configured.
+                              oneOf:
+                                - required:
+                                    - rsa
+                              properties:
+                                rsa:
+                                  properties:
+                                    length:
+                                      description: The amount of bits used for key or certs. Currently, `2048`, `3072` and `4096` are supported. Defaults to `2048` bits.
+                                      enum:
+                                        - 2048
+                                        - 3072
+                                        - 4096
+                                      type: integer
+                                  required:
+                                    - length
+                                  type: object
+                              type: object
                             secret:
                               description: Reference (name and namespace) to a Kubernetes Secret object where the CA certificate and key is stored in the keys `ca.crt` and `ca.key` respectively.
                               properties:

docs/modules/secret-operator/examples/secretclass-tls-key-length.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: secrets.stackable.tech/v1alpha1
+kind: SecretClass
+metadata:
+  name: tls
+spec:
+  backend:
+    autoTls:
+      ca:
+        secret:
+          name: secret-provisioner-tls-ca
+          namespace: default
+        keyGeneration: # <1>
+          rsa: # <2>
+            length: 4096 # <3>

docs/modules/secret-operator/pages/secretclass.adoc

@@ -38,6 +38,26 @@ CAUTION: Attributes of the certificate (such as the expiration date, fingerprint
 
 xref:scope.adoc[Scopes] are used to populate the claims (such as `subjectAlternateName`) of the provisioned certificates.
 
+[#backend-tls-key-pair-generation]
+=== `TLS key pair generation`
+
+Currently, only RSA is supported in the `autoTls` backend.
+You can however configure the key length for generated private keys. If not specified it will default to `2048` bits.
+
+----
+include::example$secretclass-tls-key-length.yaml[]
+----
+<1> `autoTls.ca.keyGeneration` specifies which algorithm and additional parameters are used
+<2> `autoTls.ca.keyGeneration.rsa` specifies the RSA key pair algorithm (RSA currently is the only one supported)
+<3> `autoTls.ca.keyGeneration.rsa.length` specifies the amount of bits used for key or certs. Currently, `2048`, `3072` and `4096` are supported. Defaults to `2048` bits.
+
+CAUTION: Using a key length higher than `2048` will significantly increase the computation time to create new key-pairs.
+The SSL Labs https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices[SSL and TLS Deployment Best Practices] as of 2024-10-01 recommend
+
+>  For most websites, using RSA keys stronger than 2,048 bits and ECDSA keys stronger than 256 bits is a waste of CPU power and might impair user experience
+
+If options higher than `2048` are chosen, the CPU resources for the secret operator should be increased in order to avoid Pods being stuck in `Pending` waiting for the computation of their key-pair.
+
 ==== Certificate lifetime
 
 By default the Secret Operator will generally aim to use as short-lived certificates as possible.

rust/operator-binary/build.rs

@@ -6,7 +6,7 @@ fn main() {
     let out_dir = PathBuf::from(std::env::var("OUT_DIR").expect("OUT_DIR is required"));
     tonic_build::configure()
         .file_descriptor_set_path(out_dir.join("file_descriptor_set.bin"))
-        .compile(&["vendor/csi/csi.proto"], &["vendor/csi"])
+        .compile_protos(&["vendor/csi/csi.proto"], &["vendor/csi"])
         .unwrap();
     built::write_built_file().unwrap();
 }

rust/operator-binary/src/backend/tls/ca.rs

@@ -34,6 +34,7 @@ use tracing::{info, info_span, warn};
 
 use crate::{
     backend::SecretBackendError,
+    crd::TlsKeyGeneration,
     utils::{asn1time_to_offsetdatetime, Asn1TimeParseError, Unloggable},
 };
 
@@ -153,6 +154,9 @@ pub struct Config {
     /// Hence, this value _should_ be larger than the PKI's maximum certificate lifetime,
     /// and smaller than [`Self::ca_certificate_lifetime`].
     pub rotate_if_ca_expires_before: Option<Duration>,
+
+    /// Configuration how TLS private keys should be created.
+    pub key_generation: TlsKeyGeneration,
 }
 
 /// A single certificate authority certificate.
@@ -188,7 +192,12 @@ impl CertificateAuthority {
         let not_before = now - Duration::from_minutes_unchecked(5);
         let not_after = now + config.ca_certificate_lifetime;
         let conf = Conf::new(ConfMethod::default()).unwrap();
-        let private_key = Rsa::generate(2048)
+
+        let private_key_length = match config.key_generation {
+            TlsKeyGeneration::Rsa { length } => length,
+        };
+
+        let private_key = Rsa::generate(private_key_length)
             .and_then(PKey::try_from)
             .context(GenerateKeySnafu)?;
         let certificate = X509Builder::new()

rust/operator-binary/src/backend/tls/mod.rs

@@ -28,7 +28,7 @@ use stackable_operator::{
 use time::OffsetDateTime;
 
 use crate::{
-    crd,
+    crd::{self, TlsKeyGeneration},
     format::{well_known, SecretData, WellKnownSecretData},
     utils::iterator_try_concat_bytes,
 };
@@ -132,6 +132,7 @@ impl SecretBackendError for Error {
 pub struct TlsGenerate {
     ca_manager: ca::Manager,
     max_cert_lifetime: Duration,
+    key_generation: TlsKeyGeneration,
 }
 
 impl TlsGenerate {
@@ -147,6 +148,7 @@ impl TlsGenerate {
             secret: ca_secret,
             auto_generate: auto_generate_ca,
             ca_certificate_lifetime,
+            key_generation,
         }: &crd::AutoTlsCa,
         max_cert_lifetime: Duration,
     ) -> Result<Self> {
@@ -158,11 +160,13 @@ impl TlsGenerate {
                     manage_ca: *auto_generate_ca,
                     ca_certificate_lifetime: *ca_certificate_lifetime,
                     rotate_if_ca_expires_before: Some(*ca_certificate_lifetime / 2),
+                    key_generation: key_generation.clone(),
                 },
             )
             .await
             .context(LoadCaSnafu)?,
             max_cert_lifetime,
+            key_generation: key_generation.clone(),
         })
     }
 }
@@ -233,7 +237,12 @@ impl SecretBackend for TlsGenerate {
         }
 
         let conf = Conf::new(ConfMethod::default()).unwrap();
-        let pod_key = Rsa::generate(2048)
+
+        let pod_key_length = match self.key_generation {
+            TlsKeyGeneration::Rsa { length } => length,
+        };
+
+        let pod_key = Rsa::generate(pod_key_length)
             .and_then(PKey::try_from)
             .context(GenerateKeySnafu)?;
         let mut addresses = Vec::new();

rust/operator-binary/src/crd.rs

@@ -4,7 +4,7 @@ use serde::{Deserialize, Serialize};
 use snafu::Snafu;
 use stackable_operator::{
     kube::CustomResource,
-    schemars::{self, JsonSchema},
+    schemars::{self, schema::Schema, JsonSchema},
     time::Duration,
 };
 use stackable_secret_operator_crd_utils::SecretReference;
@@ -123,6 +123,11 @@ pub struct AutoTlsCa {
     /// If `autoGenerate: false` then the Secret Operator will log a warning instead.
     #[serde(default = "AutoTlsCa::default_ca_certificate_lifetime")]
     pub ca_certificate_lifetime: Duration,
+
+    /// The algorithm used to generate a keypair and required configuration settings.
+    /// Currently only RSA and a key length of 2048, 3072 or 4096 bits can be configured.
+    #[serde(default)]
+    pub key_generation: TlsKeyGeneration,
 }
 
 impl AutoTlsCa {
@@ -131,6 +136,61 @@ impl AutoTlsCa {
     }
 }
 
+#[derive(Serialize, Deserialize, Clone, Debug, PartialEq, JsonSchema)]
+#[serde(rename_all = "camelCase")]
+pub enum TlsKeyGeneration {
+    Rsa {
+        /// The amount of bits used for key or certs. Currently, `2048`, `3072` and `4096` are
+        /// supported. Defaults to `2048` bits.
+        #[schemars(schema_with = "TlsKeyGeneration::tls_key_length_schema")]
+        length: u32,
+    },
+}
+
+impl TlsKeyGeneration {
+    pub const TLS_RSA_KEY_LENGTH_2048: u32 = 2048;
+    pub const TLS_RSA_KEY_LENGTH_3072: u32 = 3072;
+    pub const TLS_RSA_KEY_LENGTH_4096: u32 = 4096;
+
+    // Could not get a "standard" enum with assigned values/discriminants to work as integers in the schema
+    // The following was generated and requires the length to be provided as string (we want an integer)
+    // keyGeneration:
+    //   default:
+    //     rsa:
+    //       length: '2048'
+    //   oneOf:
+    //     - required:
+    //         - rsa
+    //   properties:
+    //     rsa:
+    //       properties:
+    //         length:
+    //           enum:
+    //             - '2048'
+    //             - '3072'
+    //             - '4096'
+    //           type: string
+    pub fn tls_key_length_schema(_: &mut schemars::gen::SchemaGenerator) -> Schema {
+        serde_json::from_value(serde_json::json!({
+            "type": "integer",
+            "enum": [
+                Self::TLS_RSA_KEY_LENGTH_2048,
+                Self::TLS_RSA_KEY_LENGTH_3072,
+                Self::TLS_RSA_KEY_LENGTH_4096
+            ]
+        }))
+        .expect("Failed to parse JSON of custom tls key length schema")
+    }
+}
+
+impl Default for TlsKeyGeneration {
+    fn default() -> Self {
+        Self::Rsa {
+            length: Self::TLS_RSA_KEY_LENGTH_2048,
+        }
+    }
+}
+
 #[derive(Serialize, Deserialize, Clone, Debug, PartialEq, JsonSchema)]
 #[serde(rename_all = "camelCase")]
 pub struct CertManagerBackend {
@@ -368,6 +428,9 @@ mod test {
                 secret:
                   name: secret-provisioner-tls-ca
                   namespace: default
+                keyGeneration:
+                  rsa:
+                    length: 3072
         "#;
         let deserializer = serde_yaml::Deserializer::from_str(input);
         let secret_class: SecretClass =
@@ -383,6 +446,9 @@ mod test {
                         },
                         auto_generate: false,
                         ca_certificate_lifetime: DEFAULT_CA_CERT_LIFETIME,
+                        key_generation: TlsKeyGeneration::Rsa {
+                            length: TlsKeyGeneration::TLS_RSA_KEY_LENGTH_3072
+                        }
                     },
                     max_certificate_lifetime: DEFAULT_MAX_CERT_LIFETIME,
                 })
@@ -418,7 +484,8 @@ mod test {
                             namespace: "default".to_string(),
                         },
                         auto_generate: true,
-                        ca_certificate_lifetime: Duration::from_days_unchecked(100)
+                        ca_certificate_lifetime: Duration::from_days_unchecked(100),
+                        key_generation: TlsKeyGeneration::default()
                     },
                     max_certificate_lifetime: Duration::from_days_unchecked(31),
                 })