feat(auth): add TLS compatibility mode for authentication keys

Author: aleoli

cmd/liqo-controller-manager/main.go

@@ -143,6 +143,8 @@ func main() {
 		"api-server-address-override", "", "Override the API server address where the Kuberentes APIServer is exposed")
 	pflag.StringVar(&caOverride, "ca-override", "", "Override the CA certificate used by Kubernetes to sign certificates (base64 encoded)")
 	pflag.BoolVar(&trustedCA, "trusted-ca", false, "Whether the Kubernetes APIServer certificate is issue by a trusted CA")
+	// TLS compatibility mode
+	tlsCompatibilityMode := pflag.Bool("tls-compatibility-mode", false, "Enable TLS compatibility mode for client certificates and keys (use RSA/ECDSA instead of Ed25519)")
 	// AWS configurations
 	pflag.StringVar(&awsConfig.AwsAccessKeyID, "aws-access-key-id", "", "AWS IAM AccessKeyID for the Liqo User")
 	pflag.StringVar(&awsConfig.AwsSecretAccessKey, "aws-secret-access-key", "", "AWS IAM SecretAccessKey for the Liqo User")
@@ -324,6 +326,7 @@ func main() {
 			APIServerAddressOverride: apiServerAddressOverride,
 			CAOverrideB64:            caOverride,
 			TrustedCA:                trustedCA,
+			TLSCompatibilityMode:     *tlsCompatibilityMode,
 			SliceStatusOptions: &remoteresourceslicecontroller.SliceStatusOptions{
 				EnableStorage:             *enableStorage,
 				LocalRealStorageClassName: *realStorageClassName,

cmd/liqo-controller-manager/modules/authentication.go

@@ -46,6 +46,7 @@ type AuthOption struct {
 	APIServerAddressOverride string
 	CAOverrideB64            string
 	TrustedCA                bool
+	TLSCompatibilityMode     bool
 	SliceStatusOptions       *remoteresourceslicecontroller.SliceStatusOptions
 }
 
@@ -62,7 +63,7 @@ func SetupAuthenticationModule(ctx context.Context, mgr manager.Manager, uncache
 		}
 	}
 
-	if err := enforceAuthenticationKeys(ctx, uncachedClient, opts.LiqoNamespace); err != nil {
+	if err := enforceAuthenticationKeys(ctx, uncachedClient, opts.LiqoNamespace, opts.TLSCompatibilityMode); err != nil {
 		klog.Errorf("Unable to enforce authentication keys: %v", err)
 		return err
 	}
@@ -155,8 +156,8 @@ func SetupAuthenticationModule(ctx context.Context, mgr manager.Manager, uncache
 	return nil
 }
 
-func enforceAuthenticationKeys(ctx context.Context, cl client.Client, liqoNamespace string) error {
-	if err := authentication.InitClusterKeys(ctx, cl, liqoNamespace); err != nil {
+func enforceAuthenticationKeys(ctx context.Context, cl client.Client, liqoNamespace string, tlsCompatibilityMode bool) error {
+	if err := authentication.InitClusterKeys(ctx, cl, liqoNamespace, tlsCompatibilityMode); err != nil {
 		return err
 	}
 

deployments/liqo/README.md

@@ -11,6 +11,7 @@
 | authentication.awsConfig.secretAccessKey | string | `""` | SecretAccessKey for the Liqo user. |
 | authentication.awsConfig.useExistingSecret | bool | `false` | Use an existing secret to configure the AWS credentials. |
 | authentication.enabled | bool | `true` | Enable/Disable the authentication module. |
+| authentication.tlsCompatibilityMode | bool | `false` | Enable TLS compatibility mode for client certificates and keys. When true, Liqo will use a widely supported algorithm (e.g., RSA/ECDSA) for generating private keys and CSRs instead of Ed25519. Keep disabled by default to preserve current behavior. |
 | common.affinity | object | `{}` | Affinity for all liqo pods, excluding virtual kubelet. |
 | common.extraArgs | list | `[]` | Extra arguments for all liqo pods, excluding virtual kubelet. |
 | common.globalAnnotations | object | `{}` | Global annotations to be added to all resources created by Liqo controllers |

deployments/liqo/templates/liqo-controller-manager-deployment.yaml

@@ -52,6 +52,7 @@ spec:
           - --liqo-namespace=$(POD_NAMESPACE)
           - --networking-enabled={{ .Values.networking.enabled }}
           - --authentication-enabled={{ .Values.authentication.enabled }}
+          - --tls-compatibility-mode={{ .Values.authentication.tlsCompatibilityMode }}
           - --offloading-enabled={{ .Values.offloading.enabled }}
           - --default-limits-enforcement={{ .Values.controllerManager.config.defaultLimitsEnforcement }}
           {{- $d := dict "commandName" "--default-node-resources" "dictionary" .Values.offloading.defaultNodeResources -}}

deployments/liqo/values.yaml

@@ -141,6 +141,11 @@ networking:
 authentication:
   # -- Enable/Disable the authentication module.
   enabled: true
+  # -- Enable TLS compatibility mode for client certificates and keys.
+  # When true, Liqo will use a widely supported algorithm (e.g., RSA/ECDSA)
+  # for generating private keys and CSRs instead of Ed25519. Keep disabled
+  # by default to preserve current behavior.
+  tlsCompatibilityMode: false
   # AWS-specific configuration for the local cluster and the Liqo user.
   # This user should be able (1) to create new IAM users, (2) to create new programmatic access
   # credentials, and (3) to describe EKS clusters.

docs/usage/liqoctl/liqoctl_generate.md

@@ -182,6 +182,10 @@ liqoctl generate peering-user [flags]
 
 >The cluster ID of the cluster from which peering will be performed
 
+`--tls-compatibility-mode` _string_:
+
+>TLS compatibility mode for peering-user keys: one of auto,true,false. When auto, liqoctl attempts to detect the controller manager setting. **(default "auto")**
+
 
 ### Global options
 

pkg/liqo-controller-manager/authentication/csr.go

@@ -16,8 +16,11 @@ package authentication
 
 import (
 	"bytes"
+	"crypto"
+	"crypto/ecdsa"
 	"crypto/ed25519"
 	"crypto/rand"
+	"crypto/rsa"
 	"crypto/sha256"
 	"crypto/x509"
 	"crypto/x509/pkix"
@@ -33,7 +36,7 @@ import (
 type CSRChecker func(*x509.CertificateRequest) error
 
 // GenerateCSRForResourceSlice generates a new CSR given a private key and a resource slice.
-func GenerateCSRForResourceSlice(key ed25519.PrivateKey,
+func GenerateCSRForResourceSlice(key crypto.PrivateKey,
 	resourceSlice *authv1beta1.ResourceSlice) (csrBytes []byte, err error) {
 	return generateCSR(key, CommonNameResourceSliceCSR(resourceSlice), OrganizationResourceSliceCSR(resourceSlice))
 }
@@ -64,12 +67,12 @@ func OrganizationResourceSliceCSR(resourceSlice *authv1beta1.ResourceSlice) stri
 }
 
 // GenerateCSRForControlPlane generates a new CSR given a private key and a subject.
-func GenerateCSRForControlPlane(key ed25519.PrivateKey, clusterID liqov1beta1.ClusterID) (csrBytes []byte, err error) {
+func GenerateCSRForControlPlane(key crypto.PrivateKey, clusterID liqov1beta1.ClusterID) (csrBytes []byte, err error) {
 	return generateCSR(key, CommonNameControlPlaneCSR(clusterID), OrganizationControlPlaneCSR())
 }
 
 // GenerateCSRForPeerUser generates a new CSR given a private key and the clusterID from which the peering will start.
-func GenerateCSRForPeerUser(key ed25519.PrivateKey, clusterID liqov1beta1.ClusterID) (csrBytes []byte, userCN string, err error) {
+func GenerateCSRForPeerUser(key crypto.PrivateKey, clusterID liqov1beta1.ClusterID) (csrBytes []byte, userCN string, err error) {
 	userCN, err = commonNamePeerUser(clusterID)
 	if err != nil {
 		return nil, "", fmt.Errorf("unable to generate user CN: %w", err)
@@ -162,40 +165,56 @@ func checkCSR(csr, publicKey []byte, checkPublicKey bool, commonName, organizati
 	}
 
 	if checkPublicKey {
-		// Check the length of the public key and return an error if invalid
+		// Validate provided public key bytes
 		if len(publicKey) == 0 {
 			return fmt.Errorf("invalid public key")
 		}
 
-		// if the pub key is 0-terminated, drop it
-		if publicKey[len(publicKey)-1] == 0 {
-			publicKey = publicKey[:len(publicKey)-1]
+		// Marshal CSR public key to PKIX DER and compare with provided PKIX public key bytes
+		csrPubDER, err := x509.MarshalPKIXPublicKey(x509Csr.PublicKey)
+		if err != nil {
+			return fmt.Errorf("failed to marshal CSR public key: %w", err)
 		}
 
-		// Check that the public key used the expected algorithm and verify that the CSR has been
-		// signed with the key provided by the peer at peering time.
-		switch crtKey := x509Csr.PublicKey.(type) {
-		case ed25519.PublicKey:
-			if !bytes.Equal(crtKey, publicKey) {
-				return fmt.Errorf("invalid public key")
-			}
-		default:
-			return fmt.Errorf("invalid public key type %T", crtKey)
+		if !bytes.Equal(csrPubDER, publicKey) {
+			return fmt.Errorf("invalid public key")
 		}
 	}
 
 	return nil
 }
 
-func generateCSR(key ed25519.PrivateKey, commonName, organization string) (csrBytes []byte, err error) {
+func generateCSR(key crypto.PrivateKey, commonName, organization string) (csrBytes []byte, err error) {
 	asn1Subj, err := asn1.Marshal(pkix.Name{CommonName: commonName, Organization: []string{organization}}.ToRDNSequence())
 	if err != nil {
 		return nil, fmt.Errorf("failed to marshal subject information: %w", err)
 	}
 
+	// Select appropriate signature algorithm based on private key type
+	sigAlg := x509.UnknownSignatureAlgorithm
+	switch k := key.(type) {
+	case ed25519.PrivateKey:
+		sigAlg = x509.PureEd25519
+	case *rsa.PrivateKey:
+		// Default to SHA256 for RSA keys
+		sigAlg = x509.SHA256WithRSA
+	case *ecdsa.PrivateKey:
+		// Choose hash based on curve size
+		switch k.Curve.Params().BitSize {
+		case 521:
+			sigAlg = x509.ECDSAWithSHA512
+		case 384:
+			sigAlg = x509.ECDSAWithSHA384
+		default:
+			sigAlg = x509.ECDSAWithSHA256
+		}
+	default:
+		return nil, fmt.Errorf("unsupported private key type %T", key)
+	}
+
 	template := x509.CertificateRequest{
 		RawSubject:         asn1Subj,
-		SignatureAlgorithm: x509.PureEd25519,
+		SignatureAlgorithm: sigAlg,
 	}
 
 	csrBytes, err = x509.CreateCertificateRequest(rand.Reader, &template, key)

pkg/liqo-controller-manager/authentication/keys.go

@@ -16,8 +16,12 @@ package authentication
 
 import (
 	"context"
+	"crypto"
+	"crypto/ecdsa"
 	"crypto/ed25519"
 	"crypto/rand"
+	"crypto/rsa"
+	"crypto/sha256"
 	"crypto/x509"
 	"encoding/pem"
 	"fmt"
@@ -55,26 +59,100 @@ func GenerateEd25519Keys() (privateKey, publicKey []byte, err error) {
 	return privateKeyPEM, publicKeyPEM, nil
 }
 
-// SignNonce signs a nonce using the provided private key.
-func SignNonce(priv ed25519.PrivateKey, nonce []byte) []byte {
-	return ed25519.Sign(priv, nonce)
+// GenerateRSAKeys returns a new pair of RSA private and public keys in PEM format.
+// Keys are generated using RSA 2048 bits and encoded in PEM format.
+func GenerateRSAKeys() (privateKey, publicKey []byte, err error) {
+	priv, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to generate RSA private key: %w", err)
+	}
+
+	privateKeyBytes, err := x509.MarshalPKCS8PrivateKey(priv)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to marshal RSA private key: %w", err)
+	}
+	privateKeyPEM := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: privateKeyBytes})
+
+	publicKeyBytes, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to marshal RSA public key: %w", err)
+	}
+	publicKeyPEM := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: publicKeyBytes})
+
+	return privateKeyPEM, publicKeyPEM, nil
 }
 
-// VerifyNonce verifies the signature of a nonce using the public key of the cluster.
-func VerifyNonce(pubKey ed25519.PublicKey, nonce, signature []byte) bool {
-	return ed25519.Verify(pubKey, nonce, signature)
+// SignNonce signs a nonce using the provided private key. The private key can be
+// ed25519.PrivateKey, *rsa.PrivateKey, or *ecdsa.PrivateKey. For RSA/ECDSA the nonce
+// is hashed with SHA-256 before signing.
+func SignNonce(priv crypto.PrivateKey, nonce []byte) ([]byte, error) {
+	switch k := priv.(type) {
+	case ed25519.PrivateKey:
+		sig := ed25519.Sign(k, nonce)
+		return sig, nil
+	case *rsa.PrivateKey:
+		sum := sha256.Sum256(nonce)
+		sig, err := rsa.SignPKCS1v15(rand.Reader, k, crypto.SHA256, sum[:])
+		if err != nil {
+			return nil, fmt.Errorf("rsa sign failed: %w", err)
+		}
+		return sig, nil
+	case *ecdsa.PrivateKey:
+		sum := sha256.Sum256(nonce)
+		sig, err := ecdsa.SignASN1(rand.Reader, k, sum[:])
+		if err != nil {
+			return nil, fmt.Errorf("ecdsa sign failed: %w", err)
+		}
+		return sig, nil
+	default:
+		return nil, fmt.Errorf("unsupported private key type %T", priv)
+	}
+}
+
+// VerifyNonce verifies the signature of a nonce using the PKIX-encoded public key bytes of the cluster.
+// The public key can be Ed25519, RSA, or ECDSA.
+func VerifyNonce(pubKeyPKIX []byte, nonce, signature []byte) (bool, error) {
+	pub, err := x509.ParsePKIXPublicKey(pubKeyPKIX)
+	if err != nil {
+		return false, fmt.Errorf("failed to parse public key: %w", err)
+	}
+
+	switch pk := pub.(type) {
+	case ed25519.PublicKey:
+		return ed25519.Verify(pk, nonce, signature), nil
+	case *rsa.PublicKey:
+		sum := sha256.Sum256(nonce)
+		if err := rsa.VerifyPKCS1v15(pk, crypto.SHA256, sum[:], signature); err != nil {
+			return false, nil
+		}
+		return true, nil
+	case *ecdsa.PublicKey:
+		sum := sha256.Sum256(nonce)
+		if ecdsa.VerifyASN1(pk, sum[:], signature) {
+			return true, nil
+		}
+		return false, nil
+	default:
+		return false, fmt.Errorf("unsupported public key type %T", pub)
+	}
 }
 
 // InitClusterKeys initializes the authentication keys for the cluster.
 // If the secret containing the keys does not exist, it generates a new pair of keys and stores them in a secret.
-func InitClusterKeys(ctx context.Context, cl client.Client, liqoNamespace string) error {
+// If tlsCompatibilityMode is true, RSA keys are generated instead of Ed25519.
+func InitClusterKeys(ctx context.Context, cl client.Client, liqoNamespace string, tlsCompatibilityMode bool) error {
 	// Get secret if it exists
 	var secret corev1.Secret
 	err := cl.Get(ctx, client.ObjectKey{Name: consts.AuthKeysSecretName, Namespace: liqoNamespace}, &secret)
 	switch {
 	case apierrors.IsNotFound(err):
 		// Forge a new pair of keys.
-		private, public, err := GenerateEd25519Keys()
+		var private, public []byte
+		if tlsCompatibilityMode {
+			private, public, err = GenerateRSAKeys()
+		} else {
+			private, public, err = GenerateEd25519Keys()
+		}
 		if err != nil {
 			return fmt.Errorf("error while generating cluster authentication keys: %w", err)
 		}
@@ -107,7 +185,8 @@ func InitClusterKeys(ctx context.Context, cl client.Client, liqoNamespace string
 }
 
 // GetClusterKeys retrieves the private and public keys of the cluster from the secret.
-func GetClusterKeys(ctx context.Context, cl client.Client, liqoNamespace string) (ed25519.PrivateKey, ed25519.PublicKey, error) {
+// It returns the private key as crypto.PrivateKey and the public key as PKIX-encoded bytes.
+func GetClusterKeys(ctx context.Context, cl client.Client, liqoNamespace string) (crypto.PrivateKey, []byte, error) {
 	var secret corev1.Secret
 	if err := cl.Get(ctx, client.ObjectKey{Name: consts.AuthKeysSecretName, Namespace: liqoNamespace}, &secret); err != nil {
 		return nil, nil, fmt.Errorf("unable to get secret with cluster authentication keys: %w", err)
@@ -134,16 +213,13 @@ func GetClusterKeys(ctx context.Context, cl client.Client, liqoNamespace string)
 		return nil, nil, fmt.Errorf("public key not found in secret %s/%s", liqoNamespace, consts.AuthKeysSecretName)
 	}
 
+	// The public key is stored in PEM format with PKIX-encoded bytes. Return the DER bytes for portability.
 	publicKeyPEM, _ := pem.Decode(publicKey)
 	if publicKeyPEM == nil {
 		return nil, nil, fmt.Errorf("failed to decode public key in PEM format")
 	}
-	pub, err := x509.ParsePKIXPublicKey(publicKeyPEM.Bytes)
-	if err != nil {
-		return nil, nil, fmt.Errorf("failed to parse public key: %w", err)
-	}
 
-	return priv.(ed25519.PrivateKey), pub.(ed25519.PublicKey), nil
+	return priv, publicKeyPEM.Bytes, nil
 }
 
 // GetClusterKeysPEM retrieves the private and public keys of the cluster from the secret and encoded in PEM format.

pkg/liqo-controller-manager/authentication/noncesigner-controller/noncesigner_controller.go

@@ -116,7 +116,11 @@ func (r *NonceSignerReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 	}
 
 	// Sign the nonce using the private key.
-	signedNonce := authentication.SignNonce(privateKey, nonce)
+	signedNonce, err := authentication.SignNonce(privateKey, nonce)
+	if err != nil {
+		klog.Errorf("unable to sign nonce for secret %q: %v", req.NamespacedName, err)
+		return ctrl.Result{}, err
+	}
 
 	// Check if the secret is already signed and the signature is the same.
 	existingSignedNonce, found := secret.Data[consts.SignedNonceSecretField]

pkg/liqo-controller-manager/authentication/tenant-controller/tenant_controller.go

@@ -16,7 +16,6 @@ package tenantcontroller
 
 import (
 	"context"
-	"crypto/ed25519"
 	"fmt"
 
 	corev1 "k8s.io/api/core/v1"
@@ -177,9 +176,14 @@ func (r *TenantReconciler) Reconcile(ctx context.Context, req ctrl.Request) (res
 			return ctrl.Result{}, err
 		}
 
-		// check the signature
-
-		if !authentication.VerifyNonce(ed25519.PublicKey(tenant.Spec.PublicKey), nonce, tenant.Spec.Signature) {
+		// check the signature using the PKIX-encoded public key bytes
+		ok, err := authentication.VerifyNonce(tenant.Spec.PublicKey, nonce, tenant.Spec.Signature)
+		if err != nil {
+			klog.Errorf("Unable to verify signature for Tenant %q: %s", req.Name, err)
+			r.EventRecorder.Event(tenant, corev1.EventTypeWarning, "SignatureVerificationFailed", err.Error())
+			return ctrl.Result{}, err
+		}
+		if !ok {
 			err = fmt.Errorf("signature verification failed for Tenant %q", req.Name)
 			klog.Error(err)
 			r.EventRecorder.Event(tenant, corev1.EventTypeWarning, "SignatureVerificationFailed", err.Error())