Test changes

Karthik-K-N · Karthik-K-N · commit 1a13048c9ee1 · 2025-10-15T13:00:16.000+05:30
diff --git a/controlplane/kubeadm/internal/cluster_test.go b/controlplane/kubeadm/internal/cluster_test.go
@@ -18,8 +18,8 @@ package internal
 
 import (
 	"context"
+	"crypto"
 	"crypto/rand"
-	"crypto/rsa"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"fmt"
@@ -90,10 +90,15 @@ func TestGetWorkloadCluster(t *testing.T) {
 	}()
 
 	// Create an etcd secret with valid certs
-	key, err := certs.NewPrivateKey()
+	key, err := certs.NewPrivateKey("")
 	g.Expect(err).ToNot(HaveOccurred())
+
 	cert, err := getTestCACert(key)
 	g.Expect(err).ToNot(HaveOccurred())
+
+	encodedKey, err := certs.EncodePrivateKeyPEM(key)
+	g.Expect(err).ToNot(HaveOccurred())
+
 	etcdSecret := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "my-cluster-etcd",
@@ -104,7 +109,7 @@ func TestGetWorkloadCluster(t *testing.T) {
 		},
 		Data: map[string][]byte{
 			secret.TLSCrtDataName: certs.EncodeCertPEM(cert),
-			secret.TLSKeyDataName: certs.EncodePrivateKeyPEM(key),
+			secret.TLSKeyDataName: encodedKey,
 		},
 	}
 	emptyCrtEtcdSecret := etcdSecret.DeepCopy()
@@ -249,7 +254,7 @@ func TestGetWorkloadCluster(t *testing.T) {
 			})
 			g.Expect(err).ToNot(HaveOccurred())
 
-			workloadCluster, err := m.GetWorkloadCluster(ctx, tt.clusterKey)
+			workloadCluster, err := m.GetWorkloadCluster(ctx, tt.clusterKey, "")
 			if tt.expectErr {
 				g.Expect(err).To(HaveOccurred())
 				g.Expect(workloadCluster).To(BeNil())
@@ -261,7 +266,7 @@ func TestGetWorkloadCluster(t *testing.T) {
 	}
 }
 
-func getTestCACert(key *rsa.PrivateKey) (*x509.Certificate, error) {
+func getTestCACert(key crypto.Signer) (*x509.Certificate, error) {
 	cfg := certs.Config{
 		CommonName: "kubernetes",
 	}
diff --git a/controlplane/kubeadm/internal/controllers/controller_test.go b/controlplane/kubeadm/internal/controllers/controller_test.go
@@ -18,8 +18,8 @@ package controllers
 
 import (
 	"context"
+	"crypto"
 	"crypto/rand"
-	"crypto/rsa"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"fmt"
@@ -813,11 +813,16 @@ func TestKubeadmControlPlaneReconciler_ensureOwnerReferences(t *testing.T) {
 	cluster.Spec.ControlPlaneEndpoint.Port = 6443
 	cluster.Status.Initialization.InfrastructureProvisioned = ptr.To(true)
 	kcp.Spec.Version = "v1.21.0"
-	key, err := certs.NewPrivateKey()
+
+	key, err := certs.NewPrivateKey("")
 	g.Expect(err).ToNot(HaveOccurred())
+
 	crt, err := getTestCACert(key)
 	g.Expect(err).ToNot(HaveOccurred())
 
+	encodedKey, err := certs.EncodePrivateKeyPEM(key)
+	g.Expect(err).ToNot(HaveOccurred())
+
 	clusterSecret := &corev1.Secret{
 		// The Secret's Type is used by KCP to determine whether it is user-provided.
 		// clusterv1.ClusterSecretType signals that the Secret is CAPI-provided.
@@ -831,7 +836,7 @@ func TestKubeadmControlPlaneReconciler_ensureOwnerReferences(t *testing.T) {
 		},
 		Data: map[string][]byte{
 			secret.TLSCrtDataName: certs.EncodeCertPEM(crt),
-			secret.TLSKeyDataName: certs.EncodePrivateKeyPEM(key),
+			secret.TLSKeyDataName: encodedKey,
 		},
 	}
 
@@ -4108,7 +4113,7 @@ func newCluster(namespacedName *types.NamespacedName) *clusterv1.Cluster {
 	}
 }
 
-func getTestCACert(key *rsa.PrivateKey) (*x509.Certificate, error) {
+func getTestCACert(key crypto.Signer) (*x509.Certificate, error) {
 	cfg := certs.Config{
 		CommonName: "kubernetes",
 	}
diff --git a/controlplane/kubeadm/internal/controllers/fakes_test.go b/controlplane/kubeadm/internal/controllers/fakes_test.go
@@ -49,7 +49,7 @@ func (f *fakeManagementCluster) List(ctx context.Context, list client.ObjectList
 	return f.Reader.List(ctx, list, opts...)
 }
 
-func (f *fakeManagementCluster) GetWorkloadCluster(_ context.Context, _ client.ObjectKey) (internal.WorkloadCluster, error) {
+func (f *fakeManagementCluster) GetWorkloadCluster(_ context.Context, _ client.ObjectKey, _ bootstrapv1.EncryptionAlgorithmType) (internal.WorkloadCluster, error) {
 	return f.Workload, f.WorkloadErr
 }
 
diff --git a/test/infrastructure/docker/internal/controllers/backends/inmemory/inmemorymachine_controller_test.go b/test/infrastructure/docker/internal/controllers/backends/inmemory/inmemorymachine_controller_test.go
@@ -18,8 +18,8 @@ package inmemory
 
 import (
 	"context"
+	"crypto"
 	cryptorand "crypto/rand"
-	"crypto/rsa"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"fmt"
@@ -763,6 +763,9 @@ func createCASecret(t *testing.T, cluster *clusterv1.Cluster, purpose secretutil
 	cert, key, err := newCertificateAuthority()
 	g.Expect(err).ToNot(HaveOccurred())
 
+	encodedKey, err := certs.EncodePrivateKeyPEM(key)
+	g.Expect(err).ToNot(HaveOccurred())
+
 	return &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: cluster.Namespace,
@@ -772,7 +775,7 @@ func createCASecret(t *testing.T, cluster *clusterv1.Cluster, purpose secretutil
 			},
 		},
 		Data: map[string][]byte{
-			secretutil.TLSKeyDataName: certs.EncodePrivateKeyPEM(key),
+			secretutil.TLSKeyDataName: encodedKey,
 			secretutil.TLSCrtDataName: certs.EncodeCertPEM(cert),
 		},
 		Type: clusterv1.ClusterSecretType,
@@ -782,8 +785,8 @@ func createCASecret(t *testing.T, cluster *clusterv1.Cluster, purpose secretutil
 // TODO: make this public functions in server/certs.go or in a new util package.
 
 // newCertificateAuthority creates new certificate and private key for the certificate authority.
-func newCertificateAuthority() (*x509.Certificate, *rsa.PrivateKey, error) {
-	key, err := certs.NewPrivateKey()
+func newCertificateAuthority() (*x509.Certificate, crypto.Signer, error) {
+	key, err := certs.NewPrivateKey("")
 	if err != nil {
 		return nil, nil, err
 	}
@@ -797,7 +800,7 @@ func newCertificateAuthority() (*x509.Certificate, *rsa.PrivateKey, error) {
 }
 
 // newSelfSignedCACert creates a CA certificate.
-func newSelfSignedCACert(key *rsa.PrivateKey) (*x509.Certificate, error) {
+func newSelfSignedCACert(key crypto.Signer) (*x509.Certificate, error) {
 	cfg := certs.Config{
 		CommonName: "kubernetes",
 	}
diff --git a/test/infrastructure/inmemory/pkg/server/certs.go b/test/infrastructure/inmemory/pkg/server/certs.go
@@ -17,7 +17,7 @@ limitations under the License.
 package server
 
 import (
-	"crypto/rsa"
+	"crypto"
 	"crypto/x509"
 	"net"
 
@@ -26,19 +26,19 @@ import (
 	"sigs.k8s.io/cluster-api/util/certs"
 )
 
-var key *rsa.PrivateKey
+var key crypto.Signer
 
 func init() {
 	// Create a private key only once, since this is a slow operation and it is ok
 	// to reuse it for all the certificates in a test provider.
 	var err error
-	key, err = certs.NewPrivateKey()
+	key, err = certs.NewPrivateKey("")
 	if err != nil {
 		panic(errors.Wrap(err, "unable to create private key").Error())
 	}
 }
 
-func newCertAndKey(caCert *x509.Certificate, caKey *rsa.PrivateKey, config *certs.Config) (*x509.Certificate, *rsa.PrivateKey, error) {
+func newCertAndKey(caCert *x509.Certificate, caKey crypto.Signer, config *certs.Config) (*x509.Certificate, crypto.Signer, error) {
 	cert, err := config.NewSignedCert(key, caCert, caKey)
 	if err != nil {
 		return nil, nil, errors.Wrap(err, "unable to create certificate")
diff --git a/test/infrastructure/inmemory/pkg/server/listener.go b/test/infrastructure/inmemory/pkg/server/listener.go
@@ -17,7 +17,7 @@ limitations under the License.
 package server
 
 import (
-	"crypto/rsa"
+	"crypto"
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
@@ -45,11 +45,11 @@ type WorkloadClusterListener struct {
 
 	apiServers                  sets.Set[string]
 	apiServerCaCertificate      *x509.Certificate
-	apiServerCaKey              *rsa.PrivateKey
+	apiServerCaKey              crypto.Signer
 	apiServerServingCertificate *tls.Certificate
 
 	adminCertificate *x509.Certificate
-	adminKey         *rsa.PrivateKey
+	adminKey         crypto.Signer
 
 	etcdMembers             sets.Set[string]
 	etcdServingCertificates map[string]*tls.Certificate
@@ -84,6 +84,11 @@ func (s *WorkloadClusterListener) HostPort() string {
 
 // RESTConfig returns the rest config for a WorkloadClusterListener.
 func (s *WorkloadClusterListener) RESTConfig() (*rest.Config, error) {
+	encodedKey, err := certs.EncodePrivateKeyPEM(s.adminKey)
+	if err != nil {
+		return nil, err
+	}
+
 	kubeConfig := clientcmdapi.Config{
 		Clusters: map[string]*clientcmdapi.Cluster{
 			"in-memory": {
@@ -95,7 +100,7 @@ func (s *WorkloadClusterListener) RESTConfig() (*rest.Config, error) {
 			"in-memory": {
 				Username:              "in-memory",
 				ClientCertificateData: certs.EncodeCertPEM(s.adminCertificate), // TODO: convert to PEM
-				ClientKeyData:         certs.EncodePrivateKeyPEM(s.adminKey),   // TODO: convert to PEM
+				ClientKeyData:         encodedKey,                              // TODO: convert to PEM
 			},
 		},
 		Contexts: map[string]*clientcmdapi.Context{
diff --git a/test/infrastructure/inmemory/pkg/server/mux.go b/test/infrastructure/inmemory/pkg/server/mux.go
@@ -18,7 +18,7 @@ package server
 
 import (
 	"context"
-	"crypto/rsa"
+	"crypto"
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
@@ -387,7 +387,7 @@ func (m *WorkloadClustersMux) WorkloadClusterByResourceGroup(resouceGroup string
 // AddAPIServer mimics adding an API server instance behind the WorkloadClusterListener.
 // When the first API server instance is added the serving certificates and the admin certificate
 // for tests are generated, and the listener is started.
-func (m *WorkloadClustersMux) AddAPIServer(wclName, podName string, caCert *x509.Certificate, caKey *rsa.PrivateKey) error {
+func (m *WorkloadClustersMux) AddAPIServer(wclName, podName string, caCert *x509.Certificate, caKey crypto.Signer) error {
 	// Start server
 	// Note: It is important that we unlock once the server is started. Because otherwise the server
 	// doesn't work yet as GetCertificate (which is required for the tls handshake) also requires the lock.
@@ -420,7 +420,12 @@ func (m *WorkloadClustersMux) AddAPIServer(wclName, podName string, caCert *x509
 				return errors.Wrapf(err, "failed to create serving certificate for API server %s", podName)
 			}
 
-			certificate, err := tls.X509KeyPair(certs.EncodeCertPEM(cert), certs.EncodePrivateKeyPEM(key))
+			encodedKey, err := certs.EncodePrivateKeyPEM(key)
+			if err != nil {
+				return errors.Wrapf(err, "failed to encode private key for API server %s", podName)
+			}
+
+			certificate, err := tls.X509KeyPair(certs.EncodeCertPEM(cert), encodedKey)
 			if err != nil {
 				return errors.Wrapf(err, "failed to create X509KeyPair for API server %s", podName)
 			}
@@ -533,7 +538,7 @@ func (m *WorkloadClustersMux) HasAPIServer(wclName, podName string) bool {
 // AddEtcdMember mimics adding an etcd Member behind the WorkloadClusterListener;
 // every etcd member gets a dedicated serving certificate, so it will be possible to serve port forward requests
 // to a specific etcd pod/member.
-func (m *WorkloadClustersMux) AddEtcdMember(wclName, podName string, caCert *x509.Certificate, caKey *rsa.PrivateKey) error {
+func (m *WorkloadClustersMux) AddEtcdMember(wclName, podName string, caCert *x509.Certificate, caKey crypto.Signer) error {
 	m.lock.Lock()
 	defer m.lock.Unlock()
 
@@ -552,7 +557,12 @@ func (m *WorkloadClustersMux) AddEtcdMember(wclName, podName string, caCert *x50
 			return errors.Wrapf(err, "failed to create serving certificate for etcd member %s", podName)
 		}
 
-		certificate, err := tls.X509KeyPair(certs.EncodeCertPEM(cert), certs.EncodePrivateKeyPEM(key))
+		encodedKey, err := certs.EncodePrivateKeyPEM(key)
+		if err != nil {
+			return err
+		}
+
+		certificate, err := tls.X509KeyPair(certs.EncodeCertPEM(cert), encodedKey)
 		if err != nil {
 			return errors.Wrapf(err, "failed to create X509KeyPair for etcd member %s", podName)
 		}
diff --git a/test/infrastructure/inmemory/pkg/server/mux_test.go b/test/infrastructure/inmemory/pkg/server/mux_test.go
@@ -18,8 +18,8 @@ package server
 
 import (
 	"context"
+	"crypto"
 	cryptorand "crypto/rand"
-	"crypto/rsa"
 	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
@@ -351,7 +351,10 @@ func TestAPI_PortForward(t *testing.T) {
 	cert, key, err := newCertAndKey(etcdCert, etcdKey, config)
 	g.Expect(err).ToNot(HaveOccurred())
 
-	clientCert, err := tls.X509KeyPair(certs.EncodeCertPEM(cert), certs.EncodePrivateKeyPEM(key))
+	encodedKey, err := certs.EncodePrivateKeyPEM(key)
+	g.Expect(err).ToNot(HaveOccurred())
+
+	clientCert, err := tls.X509KeyPair(certs.EncodeCertPEM(cert), encodedKey)
 	g.Expect(err).ToNot(HaveOccurred())
 
 	p2 := inmemoryproxy.Proxy{
@@ -533,8 +536,8 @@ func setupWorkloadClusterListener(g Gomega, ports CustomPorts) (*WorkloadCluster
 }
 
 // newCertificateAuthority creates new certificate and private key for the certificate authority.
-func newCertificateAuthority() (*x509.Certificate, *rsa.PrivateKey, error) {
-	key, err := certs.NewPrivateKey()
+func newCertificateAuthority() (*x509.Certificate, crypto.Signer, error) {
+	key, err := certs.NewPrivateKey("")
 	if err != nil {
 		return nil, nil, err
 	}
@@ -548,7 +551,7 @@ func newCertificateAuthority() (*x509.Certificate, *rsa.PrivateKey, error) {
 }
 
 // newSelfSignedCACert creates a CA certificate.
-func newSelfSignedCACert(key *rsa.PrivateKey) (*x509.Certificate, error) {
+func newSelfSignedCACert(key crypto.Signer) (*x509.Certificate, error) {
 	cfg := certs.Config{
 		CommonName: "kubernetes",
 	}
diff --git a/util/kubeconfig/kubeconfig_test.go b/util/kubeconfig/kubeconfig_test.go

Original file line number	Diff line number	Diff line change
`@@ -49,7 +49,7 @@ func (f *fakeManagementCluster) List(ctx context.Context, list client.ObjectList`
`49`	`49`	`return f.Reader.List(ctx, list, opts...)`
`50`	`50`	`}`
`51`	`51`
`52`		`-func (f *fakeManagementCluster) GetWorkloadCluster(_ context.Context, _ client.ObjectKey) (internal.WorkloadCluster, error) {`
	`52`	`+func (f *fakeManagementCluster) GetWorkloadCluster(_ context.Context, _ client.ObjectKey, _ bootstrapv1.EncryptionAlgorithmType) (internal.WorkloadCluster, error) {`
`53`	`53`	`return f.Workload, f.WorkloadErr`
`54`	`54`	`}`
`55`	`55`