Address review comments

Author: Karthik-K-N

util/certs/certs.go

@@ -135,24 +135,34 @@ func NewSigner(keyEncryptionAlgorithm bootstrapv1.EncryptionAlgorithmType) (cryp
 	return pk, errors.WithStack(err)
 }
 
-// EncodePrivateKeyPEMFromSigner returns PEM-encoded private key data.
-func EncodePrivateKeyPEMFromSigner(key crypto.Signer) ([]byte, error) {
-	privateBytes, err := x509.MarshalPKCS8PrivateKey(key)
-	if err != nil {
-		return nil, fmt.Errorf("unable to marshal private key: %v", err)
-	}
-
-	block := pem.Block{
-		Type:  "RSA PRIVATE KEY",
-		Bytes: privateBytes,
+// EncodePrivateKeyPEMFromSigner converts a known private key type of RSA or ECDSA to
+// a PEM encoded block or returns an error.
+func EncodePrivateKeyPEMFromSigner(key crypto.PrivateKey) ([]byte, error) {
+	switch t := key.(type) {
+	case *ecdsa.PrivateKey:
+		derBytes, err := x509.MarshalECPrivateKey(t)
+		if err != nil {
+			return nil, err
+		}
+		block := &pem.Block{
+			Type:  "EC PRIVATE KEY",
+			Bytes: derBytes,
+		}
+		return pem.EncodeToMemory(block), nil
+	case *rsa.PrivateKey:
+		block := &pem.Block{
+			Type:  "RSA PRIVATE KEY",
+			Bytes: x509.MarshalPKCS1PrivateKey(t),
+		}
+		return pem.EncodeToMemory(block), nil
+	default:
+		return nil, fmt.Errorf("private key is not a recognized type: %T", key)
 	}
-
-	return pem.EncodeToMemory(&block), nil
 }
 
 // EncodePublicKeyPEMFromSigner returns PEM-encoded public key data.
-func EncodePublicKeyPEMFromSigner(key crypto.Signer) ([]byte, error) {
-	der, err := x509.MarshalPKIXPublicKey(key.Public())
+func EncodePublicKeyPEMFromSigner(key crypto.PublicKey) ([]byte, error) {
+	der, err := x509.MarshalPKIXPublicKey(key)
 	if err != nil {
 		return []byte{}, errors.WithStack(err)
 	}

util/kubeconfig/kubeconfig.go

@@ -54,17 +54,14 @@ func FromSecret(ctx context.Context, c client.Reader, cluster client.ObjectKey)
 }
 
 // New creates a new Kubeconfig using the cluster name and specified endpoint.
-func New(clusterName, endpoint string, caCert *x509.Certificate, caKey crypto.Signer, options ...KubeConfigurationOption) (*api.Config, error) {
+func New(clusterName, endpoint string, caCert *x509.Certificate, caKey crypto.Signer, options ...KubeConfigOption) (*api.Config, error) {
 	cfg := &certs.Config{
 		CommonName:   "kubernetes-admin",
 		Organization: []string{"system:masters"},
 		Usages:       []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
 	}
 
-	userName := fmt.Sprintf("%s-admin", clusterName)
-	contextName := fmt.Sprintf("%s@%s", userName, clusterName)
-
-	kubeConfigOptions := &KubeConfigurationOptions{}
+	kubeConfigOptions := &KubeConfigOptions{}
 	kubeConfigOptions.ApplyOptions(options)
 
 	clientKey, err := certs.NewSigner(kubeConfigOptions.keyEncryptionAlgorithm)
@@ -82,6 +79,9 @@ func New(clusterName, endpoint string, caCert *x509.Certificate, caKey crypto.Si
 		return nil, errors.Wrap(err, "unable to encode private key")
 	}
 
+	userName := fmt.Sprintf("%s-admin", clusterName)
+	contextName := fmt.Sprintf("%s@%s", userName, clusterName)
+
 	return &api.Config{
 		Clusters: map[string]*api.Cluster{
 			clusterName: {
@@ -106,7 +106,7 @@ func New(clusterName, endpoint string, caCert *x509.Certificate, caKey crypto.Si
 }
 
 // CreateSecret creates the Kubeconfig secret for the given cluster.
-func CreateSecret(ctx context.Context, c client.Client, cluster *clusterv1.Cluster, options ...KubeConfigurationOption) error {
+func CreateSecret(ctx context.Context, c client.Client, cluster *clusterv1.Cluster, options ...KubeConfigOption) error {
 	name := util.ObjectKey(cluster)
 	return CreateSecretWithOwner(ctx, c, name, cluster.Spec.ControlPlaneEndpoint.String(), metav1.OwnerReference{
 		APIVersion: clusterv1.GroupVersion.String(),
@@ -117,7 +117,7 @@ func CreateSecret(ctx context.Context, c client.Client, cluster *clusterv1.Clust
 }
 
 // CreateSecretWithOwner creates the Kubeconfig secret for the given cluster name, namespace, endpoint, and owner reference.
-func CreateSecretWithOwner(ctx context.Context, c client.Client, clusterName client.ObjectKey, endpoint string, owner metav1.OwnerReference, options ...KubeConfigurationOption) error {
+func CreateSecretWithOwner(ctx context.Context, c client.Client, clusterName client.ObjectKey, endpoint string, owner metav1.OwnerReference, options ...KubeConfigOption) error {
 	server, err := url.JoinPath("https://", endpoint)
 	if err != nil {
 		return err
@@ -189,7 +189,7 @@ func NeedsClientCertRotation(configSecret *corev1.Secret, threshold time.Duratio
 }
 
 // RegenerateSecret creates and stores a new Kubeconfig in the given secret.
-func RegenerateSecret(ctx context.Context, c client.Client, configSecret *corev1.Secret, options ...KubeConfigurationOption) error {
+func RegenerateSecret(ctx context.Context, c client.Client, configSecret *corev1.Secret, options ...KubeConfigOption) error {
 	clusterName, _, err := secret.ParseSecretName(configSecret.Name)
 	if err != nil {
 		return errors.Wrap(err, "failed to parse secret name")
@@ -213,7 +213,7 @@ func RegenerateSecret(ctx context.Context, c client.Client, configSecret *corev1
 	return c.Update(ctx, configSecret)
 }
 
-func generateKubeconfig(ctx context.Context, c client.Client, clusterName client.ObjectKey, endpoint string, options ...KubeConfigurationOption) ([]byte, error) {
+func generateKubeconfig(ctx context.Context, c client.Client, clusterName client.ObjectKey, endpoint string, options ...KubeConfigOption) ([]byte, error) {
 	clusterCA, err := secret.GetFromNamespacedName(ctx, c, clusterName, secret.ClusterCA)
 	if err != nil {
 		if apierrors.IsNotFound(err) {

util/kubeconfig/options.go

@@ -18,20 +18,20 @@ package kubeconfig
 
 import bootstrapv1 "sigs.k8s.io/cluster-api/api/bootstrap/kubeadm/v1beta2"
 
-// KubeConfigurationOption helps to modify KubeConfigurationOptions.
-type KubeConfigurationOption interface {
+// KubeConfigOption helps to modify KubeConfigOptions.
+type KubeConfigOption interface { //nolint:revive
 	// ApplyKubeConfigurationOption applies this options to the given kube configuration options.
-	ApplyKubeConfigurationOption(*KubeConfigurationOptions)
+	ApplyKubeConfigurationOption(*KubeConfigOptions)
 }
 
-// KubeConfigurationOptions allows to set options for generating kube configuration.
-type KubeConfigurationOptions struct {
+// KubeConfigOptions allows to set options for generating kube configuration.
+type KubeConfigOptions struct { //nolint:revive
 	keyEncryptionAlgorithm bootstrapv1.EncryptionAlgorithmType
 }
 
 // ApplyOptions applies the given list options on these options,
 // and then returns itself (for convenient chaining).
-func (o *KubeConfigurationOptions) ApplyOptions(opts []KubeConfigurationOption) {
+func (o *KubeConfigOptions) ApplyOptions(opts []KubeConfigOption) {
 	for _, opt := range opts {
 		opt.ApplyKubeConfigurationOption(o)
 	}
@@ -41,6 +41,6 @@ func (o *KubeConfigurationOptions) ApplyOptions(opts []KubeConfigurationOption)
 type KeyEncryptionAlgorithm string
 
 // ApplyKubeConfigurationOption applies this configuration to the given kube configuration options.
-func (t KeyEncryptionAlgorithm) ApplyKubeConfigurationOption(opts *KubeConfigurationOptions) {
+func (t KeyEncryptionAlgorithm) ApplyKubeConfigurationOption(opts *KubeConfigOptions) {
 	opts.keyEncryptionAlgorithm = bootstrapv1.EncryptionAlgorithmType(t)
 }

util/secret/certificates.go

@@ -435,6 +435,7 @@ func (c *Certificate) Generate() error {
 	}
 	c.KeyPair = kp
 	c.Generated = true
+
 	return nil
 }
 
@@ -501,7 +502,7 @@ func generateServiceAccountKeys(_ int32, keyEncryptionAlgorithm bootstrapv1.Encr
 	if err != nil {
 		return nil, err
 	}
-	saPub, err := certs.EncodePublicKeyPEMFromSigner(saCreds)
+	saPub, err := certs.EncodePublicKeyPEMFromSigner(saCreds.Public())
 	if err != nil {
 		return nil, err
 	}