Address review comments

Author: Karthik-K-N

api/bootstrap/kubeadm/v1beta2/kubeadm_types.go

@@ -217,10 +217,10 @@ type ClusterConfiguration struct {
 	// +kubebuilder:validation:Maximum=36500
 	CACertificateValidityPeriodDays int32 `json:"caCertificateValidityPeriodDays,omitempty"`
 
-	// EncryptionAlgorithm holds the type of asymmetric encryption algorithm used for keys and certificates.
+	// encryptionAlgorithm holds the type of asymmetric encryption algorithm used for keys and certificates.
 	// Can be one of "RSA-2048", "RSA-3072", "RSA-4096", "ECDSA-P256" or "ECDSA-P384".
 	// If not specified, Cluster API will use RSA-2048 as default.
-	// This field is only supported with Kubernetes v1.34 or above.
+	// This field is only supported with Kubernetes v1.31 or above.
 	// +optional
 	EncryptionAlgorithm EncryptionAlgorithmType `json:"encryptionAlgorithm,omitempty"`
 }

bootstrap/kubeadm/config/crd/bases/bootstrap.cluster.x-k8s.io_kubeadmconfigs.yaml

@@ -72,7 +72,6 @@ func Convert_upstreamv1beta4_ClusterConfiguration_To_v1beta2_ClusterConfiguratio
 	}
 	out.CertificateValidityPeriodDays = convertToDays(in.CertificateValidityPeriod)
 	out.CACertificateValidityPeriodDays = convertToDays(in.CACertificateValidityPeriod)
-	out.EncryptionAlgorithm = bootstrapv1.EncryptionAlgorithmType(in.EncryptionAlgorithm)
 	return nil
 }
 
@@ -83,7 +82,6 @@ func Convert_v1beta2_ClusterConfiguration_To_upstreamv1beta4_ClusterConfiguratio
 	}
 	out.CertificateValidityPeriod = convertFromDays(in.CertificateValidityPeriodDays)
 	out.CACertificateValidityPeriod = convertFromDays(in.CACertificateValidityPeriodDays)
-	out.EncryptionAlgorithm = EncryptionAlgorithmType(in.EncryptionAlgorithm)
 	return nil
 }
 

bootstrap/kubeadm/config/crd/bases/bootstrap.cluster.x-k8s.io_kubeadmconfigtemplates.yaml

@@ -286,7 +286,7 @@ func (ca *clusterAccessor) Connect(ctx context.Context) (retErr error) {
 	// private key generation fails because we check Connected above.
 	if ca.lockedState.clientCertificatePrivateKey == nil {
 		log.V(6).Info("Generating client certificate private key")
-		clientCertificatePrivateKey, err := certs.NewPrivateKey("")
+		clientCertificatePrivateKey, err := certs.NewPrivateKey()
 		if err != nil {
 			return errors.Wrapf(err, "error creating client certificate private key")
 		}

bootstrap/kubeadm/types/upstreamv1beta4/conversion.go

@@ -18,8 +18,8 @@ package internal
 
 import (
 	"context"
-	"crypto"
 	"crypto/rand"
+	"crypto/rsa"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"fmt"
@@ -90,15 +90,10 @@ func TestGetWorkloadCluster(t *testing.T) {
 	}()
 
 	// Create an etcd secret with valid certs
-	key, err := certs.NewPrivateKey("")
+	key, err := certs.NewPrivateKey()
 	g.Expect(err).ToNot(HaveOccurred())
-
 	cert, err := getTestCACert(key)
 	g.Expect(err).ToNot(HaveOccurred())
-
-	encodedKey, err := certs.EncodePrivateKeyPEM(key)
-	g.Expect(err).ToNot(HaveOccurred())
-
 	etcdSecret := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "my-cluster-etcd",
@@ -109,7 +104,7 @@ func TestGetWorkloadCluster(t *testing.T) {
 		},
 		Data: map[string][]byte{
 			secret.TLSCrtDataName: certs.EncodeCertPEM(cert),
-			secret.TLSKeyDataName: encodedKey,
+			secret.TLSKeyDataName: certs.EncodePrivateKeyPEM(key),
 		},
 	}
 	emptyCrtEtcdSecret := etcdSecret.DeepCopy()
@@ -266,7 +261,7 @@ func TestGetWorkloadCluster(t *testing.T) {
 	}
 }
 
-func getTestCACert(key crypto.Signer) (*x509.Certificate, error) {
+func getTestCACert(key *rsa.PrivateKey) (*x509.Certificate, error) {
 	cfg := certs.Config{
 		CommonName: "kubernetes",
 	}

controllers/clustercache/cluster_accessor.go

@@ -429,7 +429,7 @@ func (r *KubeadmControlPlaneReconciler) reconcile(ctx context.Context, controlPl
 	}
 
 	// Generate Cluster Kubeconfig if needed
-	if result, err := r.reconcileKubeconfig(ctx, controlPlane); err != nil || !result.IsZero() {
+	if result, err := r.reconcileKubeconfig(ctx, controlPlane); !result.IsZero() || err != nil {
 		if err != nil {
 			log.Error(err, "Failed to reconcile Kubeconfig")
 		}

controlplane/kubeadm/config/crd/bases/controlplane.cluster.x-k8s.io_kubeadmcontrolplanes.yaml

@@ -18,8 +18,8 @@ package controllers
 
 import (
 	"context"
-	"crypto"
 	"crypto/rand"
+	"crypto/rsa"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"fmt"
@@ -813,16 +813,11 @@ func TestKubeadmControlPlaneReconciler_ensureOwnerReferences(t *testing.T) {
 	cluster.Spec.ControlPlaneEndpoint.Port = 6443
 	cluster.Status.Initialization.InfrastructureProvisioned = ptr.To(true)
 	kcp.Spec.Version = "v1.21.0"
-
-	key, err := certs.NewPrivateKey("")
+	key, err := certs.NewPrivateKey()
 	g.Expect(err).ToNot(HaveOccurred())
-
 	crt, err := getTestCACert(key)
 	g.Expect(err).ToNot(HaveOccurred())
 
-	encodedKey, err := certs.EncodePrivateKeyPEM(key)
-	g.Expect(err).ToNot(HaveOccurred())
-
 	clusterSecret := &corev1.Secret{
 		// The Secret's Type is used by KCP to determine whether it is user-provided.
 		// clusterv1.ClusterSecretType signals that the Secret is CAPI-provided.
@@ -836,7 +831,7 @@ func TestKubeadmControlPlaneReconciler_ensureOwnerReferences(t *testing.T) {
 		},
 		Data: map[string][]byte{
 			secret.TLSCrtDataName: certs.EncodeCertPEM(crt),
-			secret.TLSKeyDataName: encodedKey,
+			secret.TLSKeyDataName: certs.EncodePrivateKeyPEM(key),
 		},
 	}
 
@@ -4113,7 +4108,7 @@ func newCluster(namespacedName *types.NamespacedName) *clusterv1.Cluster {
 	}
 }
 
-func getTestCACert(key crypto.Signer) (*x509.Certificate, error) {
+func getTestCACert(key *rsa.PrivateKey) (*x509.Certificate, error) {
 	cfg := certs.Config{
 		CommonName: "kubernetes",
 	}