Address review comme

Author: Karthik-K-N

api/bootstrap/kubeadm/v1beta2/kubeadm_types.go

@@ -219,7 +219,10 @@ type ClusterConfiguration struct {
 
 	// encryptionAlgorithm holds the type of asymmetric encryption algorithm used for keys and certificates.
 	// Can be one of "RSA-2048", "RSA-3072", "RSA-4096", "ECDSA-P256" or "ECDSA-P384".
+	// For Kubernetes 1.34 or above, "ECDSA-P384" is supported.
 	// If not specified, Cluster API will use RSA-2048 as default.
+	// When this field is modified every certificate generated afterward will use the new
+	// encryptionAlgorithm. Existing CA certificates and service account keys are not rotated.
 	// This field is only supported with Kubernetes v1.31 or above.
 	// +optional
 	EncryptionAlgorithm EncryptionAlgorithmType `json:"encryptionAlgorithm,omitempty"`

bootstrap/kubeadm/config/crd/bases/bootstrap.cluster.x-k8s.io_kubeadmconfigs.yaml

@@ -142,8 +142,6 @@ func (m *Management) GetWorkloadCluster(ctx context.Context, clusterKey client.O
 	var clientCert tls.Certificate
 	if keyData != nil {
 		// Get client cert from cache if possible, otherwise generate it and add it to the cache.
-		// TODO: When we implement ClusterConfiguration.EncryptionAlgorithm we should add it to
-		//       the ClientCertEntries and make it part of the key.
 		if entry, ok := m.ClientCertCache.Has(ClientCertEntry{Cluster: clusterKey, EncryptionAlgorithm: keyEncryptionAlgorithm}.Key()); ok {
 			clientCert = *entry.ClientCert
 		} else {

bootstrap/kubeadm/config/crd/bases/bootstrap.cluster.x-k8s.io_kubeadmconfigtemplates.yaml

@@ -99,6 +99,7 @@ spec:
           apiServer:
             # host.docker.internal is required by kubetest when running on MacOS because of the way ports are proxied.
             certSANs: [localhost, 127.0.0.1, 0.0.0.0, host.docker.internal]
+          encryptionAlgorithm: "RSA-4096"
 ---
 apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
 kind: DockerMachineTemplate

controlplane/kubeadm/config/crd/bases/controlplane.cluster.x-k8s.io_kubeadmcontrolplanes.yaml

@@ -131,8 +131,7 @@ func NewSigner(keyEncryptionAlgorithm bootstrapv1.EncryptionAlgorithmType) (cryp
 	if rsaKeySize == 0 {
 		return nil, errors.Errorf("cannot obtain key size from unknown RSA algorithm: %q", keyEncryptionAlgorithm)
 	}
-	pk, err := rsa.GenerateKey(rand.Reader, rsaKeySize)
-	return pk, errors.WithStack(err)
+	return rsa.GenerateKey(rand.Reader, rsaKeySize)
 }
 
 // EncodePrivateKeyPEMFromSigner converts a known private key type of RSA or ECDSA to
@@ -164,7 +163,7 @@ func EncodePrivateKeyPEMFromSigner(key crypto.PrivateKey) ([]byte, error) {
 func EncodePublicKeyPEMFromSigner(key crypto.PublicKey) ([]byte, error) {
 	der, err := x509.MarshalPKIXPublicKey(key)
 	if err != nil {
-		return []byte{}, errors.WithStack(err)
+		return []byte{}, err
 	}
 	block := pem.Block{
 		Type:  "PUBLIC KEY",
@@ -173,9 +172,9 @@ func EncodePublicKeyPEMFromSigner(key crypto.PublicKey) ([]byte, error) {
 	return pem.EncodeToMemory(&block), nil
 }
 
-// rsaKeySizeFromAlgorithmType takes a known RSA algorithm defined in the kubeadm API
-// and returns its key size. For unknown types it returns 0. For an empty type it returns
-// the default size of 2048.
+// rsaKeySizeFromAlgorithmType takes a known RSA algorithm defined in the kubeadm API and returns its key size.
+// For unknown types it returns 0.
+// For an empty type ("") which is the default (zero value) on the API field it returns the default size of 2048.
 func rsaKeySizeFromAlgorithmType(keyEncryptionAlgorithm bootstrapv1.EncryptionAlgorithmType) int {
 	switch keyEncryptionAlgorithm {
 	case bootstrapv1.EncryptionAlgorithmRSA2048, "":

controlplane/kubeadm/config/crd/bases/controlplane.cluster.x-k8s.io_kubeadmcontrolplanetemplates.yaml

@@ -20,11 +20,11 @@ import bootstrapv1 "sigs.k8s.io/cluster-api/api/bootstrap/kubeadm/v1beta2"
 
 // KubeConfigOption helps to modify KubeConfigOptions.
 type KubeConfigOption interface { //nolint:revive
-	// ApplyKubeConfigurationOption applies this options to the given kube configuration options.
-	ApplyKubeConfigurationOption(*KubeConfigOptions)
+	// ApplyKubeConfigOption applies this options to the given KubeConfigOptions options.
+	ApplyKubeConfigOption(*KubeConfigOptions)
 }
 
-// KubeConfigOptions allows to set options for generating kube configuration.
+// KubeConfigOptions allows to set options for generating a kubeconfig.
 type KubeConfigOptions struct { //nolint:revive
 	keyEncryptionAlgorithm bootstrapv1.EncryptionAlgorithmType
 }
@@ -33,14 +33,14 @@ type KubeConfigOptions struct { //nolint:revive
 // and then returns itself (for convenient chaining).
 func (o *KubeConfigOptions) ApplyOptions(opts []KubeConfigOption) {
 	for _, opt := range opts {
-		opt.ApplyKubeConfigurationOption(o)
+		opt.ApplyKubeConfigOption(o)
 	}
 }
 
 // KeyEncryptionAlgorithm allows to specify the key encryption algorithm type.
-type KeyEncryptionAlgorithm string
+type KeyEncryptionAlgorithm bootstrapv1.EncryptionAlgorithmType
 
-// ApplyKubeConfigurationOption applies this configuration to the given kube configuration options.
-func (t KeyEncryptionAlgorithm) ApplyKubeConfigurationOption(opts *KubeConfigOptions) {
+// ApplyKubeConfigOption applies this configuration to the given kube configuration options.
+func (t KeyEncryptionAlgorithm) ApplyKubeConfigOption(opts *KubeConfigOptions) {
 	opts.keyEncryptionAlgorithm = bootstrapv1.EncryptionAlgorithmType(t)
 }