5 months ago · d39c6c0720
--- a/apis/generators/v1alpha1/types_sshkey.go
+++ b/apis/generators/v1alpha1/types_sshkey.go
@@ -22,13 +22,14 @@ import (
 
				 
			
 
				 // SSHKeySpec controls the behavior of the ssh key generator.
			
 
				 type SSHKeySpec struct {
			
 
				-	// KeyType specifies the SSH key type (rsa, ed25519)
			
 
				-	// +kubebuilder:validation:Enum=rsa;ed25519
			
 
				+	// KeyType specifies the SSH key type (rsa, ecdsa, ed25519)
			
 
				+	// +kubebuilder:validation:Enum=rsa;ecdsa;ed25519
			
 
				 	// +kubebuilder:default="rsa"
			
 
				 	KeyType string `json:"keyType,omitempty"`
			
 
				 
			
 
				-	// KeySize specifies the key size for RSA keys (default: 2048)
			
 
				+	// KeySize specifies the key size for RSA keys (default: 2048) and ECDSA keys (default: 256).
			
 
				 	// For RSA keys: 2048, 3072, 4096
			
 
				+	// For ECDSA keys: 256, 384, 521
			
 
				 	// Ignored for ed25519 keys
			
 
				 	// +kubebuilder:validation:Minimum=256
			
 
				 	// +kubebuilder:validation:Maximum=8192
			
--- a/config/crds/bases/generators.external-secrets.io_clustergenerators.yaml
+++ b/config/crds/bases/generators.external-secrets.io_clustergenerators.yaml
@@ -969,17 +969,20 @@ spec:
 
				                         type: string
			
 
				                       keySize:
			
 
				                         description: |-
			
 
				-                          KeySize specifies the key size for RSA keys (default: 2048)
			
 
				+                          KeySize specifies the key size for RSA keys (default: 2048) and ECDSA keys (default: 256).
			
 
				                           For RSA keys: 2048, 3072, 4096
			
 
				+                          For ECDSA keys: 256, 384, 521
			
 
				                           Ignored for ed25519 keys
			
 
				                         maximum: 8192
			
 
				                         minimum: 256
			
 
				                         type: integer
			
 
				                       keyType:
			
 
				                         default: rsa
			
 
				-                        description: KeyType specifies the SSH key type (rsa, ed25519)
			
 
				+                        description: KeyType specifies the SSH key type (rsa, ecdsa,
			
 
				+                          ed25519)
			
 
				                         enum:
			
 
				                         - rsa
			
 
				+                        - ecdsa
			
 
				                         - ed25519
			
 
				                         type: string
			
 
				                     type: object
			
--- a/config/crds/bases/generators.external-secrets.io_sshkeys.yaml
+++ b/config/crds/bases/generators.external-secrets.io_sshkeys.yaml
@@ -48,17 +48,19 @@ spec:
 
				                 type: string
			
 
				               keySize:
			
 
				                 description: |-
			
 
				-                  KeySize specifies the key size for RSA keys (default: 2048)
			
 
				+                  KeySize specifies the key size for RSA keys (default: 2048) and ECDSA keys (default: 256).
			
 
				                   For RSA keys: 2048, 3072, 4096
			
 
				+                  For ECDSA keys: 256, 384, 521
			
 
				                   Ignored for ed25519 keys
			
 
				                 maximum: 8192
			
 
				                 minimum: 256
			
 
				                 type: integer
			
 
				               keyType:
			
 
				                 default: rsa
			
 
				-                description: KeyType specifies the SSH key type (rsa, ed25519)
			
 
				+                description: KeyType specifies the SSH key type (rsa, ecdsa, ed25519)
			
 
				                 enum:
			
 
				                 - rsa
			
 
				+                - ecdsa
			
 
				                 - ed25519
			
 
				                 type: string
			
 
				             type: object
			
--- a/deploy/crds/bundle.yaml
+++ b/deploy/crds/bundle.yaml
@@ -24108,17 +24108,19 @@ spec:
 
				                           type: string
			
 
				                         keySize:
			
 
				                           description: |-
			
 
				-                            KeySize specifies the key size for RSA keys (default: 2048)
			
 
				+                            KeySize specifies the key size for RSA keys (default: 2048) and ECDSA keys (default: 256).
			
 
				                             For RSA keys: 2048, 3072, 4096
			
 
				+                            For ECDSA keys: 256, 384, 521
			
 
				                             Ignored for ed25519 keys
			
 
				                           maximum: 8192
			
 
				                           minimum: 256
			
 
				                           type: integer
			
 
				                         keyType:
			
 
				                           default: rsa
			
 
				-                          description: KeyType specifies the SSH key type (rsa, ed25519)
			
 
				+                          description: KeyType specifies the SSH key type (rsa, ecdsa, ed25519)
			
 
				                           enum:
			
 
				                             - rsa
			
 
				+                            - ecdsa
			
 
				                             - ed25519
			
 
				                           type: string
			
 
				                       type: object
			
@@ -26507,17 +26509,19 @@ spec:
 
				                   type: string
			
 
				                 keySize:
			
 
				                   description: |-
			
 
				-                    KeySize specifies the key size for RSA keys (default: 2048)
			
 
				+                    KeySize specifies the key size for RSA keys (default: 2048) and ECDSA keys (default: 256).
			
 
				                     For RSA keys: 2048, 3072, 4096
			
 
				+                    For ECDSA keys: 256, 384, 521
			
 
				                     Ignored for ed25519 keys
			
 
				                   maximum: 8192
			
 
				                   minimum: 256
			
 
				                   type: integer
			
 
				                 keyType:
			
 
				                   default: rsa
			
 
				-                  description: KeyType specifies the SSH key type (rsa, ed25519)
			
 
				+                  description: KeyType specifies the SSH key type (rsa, ecdsa, ed25519)
			
 
				                   enum:
			
 
				                     - rsa
			
 
				+                    - ecdsa
			
 
				                     - ed25519
			
 
				                   type: string
			
 
				               type: object
			
--- a/docs/api/generator/sshkey.md
+++ b/docs/api/generator/sshkey.md
@@ -13,8 +13,8 @@ The SSHKey generator provides SSH key pairs that you can use for authentication
 
				 
			
 
				 | Parameter | Description                                                        | Default | Required |
			
 
				 | --------- | ------------------------------------------------------------------ | ------- | -------- |
			
 
				-| keyType   | SSH key type (rsa, ed25519)                                        | rsa     | No       |
			
 
				-| keySize   | Key size for RSA keys (2048, 3072, 4096); ignored for ed25519      | 2048    | No       |
			
 
				+| keyType   | SSH key type (rsa, ecdsa, ed25519)                                        | rsa     | No       |
			
 
				+| keySize   | Key size for RSA keys (2048, 3072, 4096) and ECDSA (256, 384, 521); ignored for ed25519      | 2048 / 256    | No       |
			
 
				 | comment   | Optional comment for the SSH key                                   | ""      | No       |
			
 
				 
			
 
				 ## Example Manifest
			
@@ -31,6 +31,12 @@ RSA SSH key with custom size:
 
				 {% include 'generator-sshkey-rsa.yaml' %}
			
 
				 ```
			
 
				 
			
 
				+ECDSA SSH key:
			
 
				+
			
 
				+```yaml
			
 
				+{% include 'generator-sshkey-ecdsa.yaml' %}
			
 
				+```
			
 
				+
			
 
				 Example `ExternalSecret` that references the SSHKey generator:
			
 
				 
			
 
				 ```yaml
			
@@ -48,6 +54,12 @@ This will generate a `Kind=Secret` with keys called 'privateKey' and 'publicKey'
 
				 - Good compatibility with older systems
			
 
				 - Can specify custom keySize in the spec
			
 
				 
			
 
				+### ECDSA Keys
			
 
				+
			
 
				+- Supports key sizes: 256, 384, 521 bits
			
 
				+- Default key size: 256 bits
			
 
				+- For use in regulated environments
			
 
				+
			
 
				 ### Ed25519 Keys
			
 
				 
			
 
				 - Fixed key size (keySize parameter ignored if specified)
			
--- a/docs/snippets/generator-sshkey-ecdsa.yaml
+++ b/docs/snippets/generator-sshkey-ecdsa.yaml
@@ -0,0 +1,8 @@
 
				+apiVersion: generators.external-secrets.io/v1alpha1
			
 
				+kind: SSHKey
			
 
				+metadata:
			
 
				+  name: example-ecdsa-key
			
 
				+spec:
			
 
				+  keyType: "ecdsa"
			
 
				+  keySize: 521
			
 
				+  comment: "ecdsa@example.com"
			
--- a/generators/v1/sshkey/sshkey.go
+++ b/generators/v1/sshkey/sshkey.go
@@ -19,7 +19,9 @@ package sshkey
 
				 
			
 
				 import (
			
 
				 	"context"
			
 
				+	"crypto/ecdsa"
			
 
				 	"crypto/ed25519"
			
 
				+	"crypto/elliptic"
			
 
				 	"crypto/rand"
			
 
				 	"crypto/rsa"
			
 
				 	"encoding/pem"
			
@@ -98,6 +100,12 @@ func generateSSHKey(keyType string, keySize *int, comment string) (privateKey, p
 
				 		return generateRSAKey(bits, comment)
			
 
				 	case "ed25519":
			
 
				 		return generateEd25519Key(comment)
			
 
				+	case "ecdsa":
			
 
				+		bits := 256
			
 
				+		if keySize != nil {
			
 
				+			bits = *keySize
			
 
				+		}
			
 
				+		return generateECDSAKey(bits, comment)
			
 
				 	default:
			
 
				 		return nil, nil, fmt.Errorf(errUnsupported, keyType)
			
 
				 	}
			
@@ -161,13 +169,54 @@ func generateEd25519Key(comment string) (privateKey, publicKey []byte, err error
 
				 	return pem.EncodeToMemory(sshPrivateKey), publicKeyBytes, nil
			
 
				 }
			
 
				 
			
 
				+func generateECDSAKey(keySize int, comment string) (privateKey, publicKey []byte, err error) {
			
 
				+	var ellipticCurve elliptic.Curve
			
 
				+
			
 
				+	// Select the elliptic curve based on keySize
			
 
				+	switch keySize {
			
 
				+	case 256:
			
 
				+		ellipticCurve = elliptic.P256()
			
 
				+	case 384:
			
 
				+		ellipticCurve = elliptic.P384()
			
 
				+	case 521:
			
 
				+		ellipticCurve = elliptic.P521()
			
 
				+	default:
			
 
				+		ellipticCurve = elliptic.P256()
			
 
				+	}
			
 
				+
			
 
				+	ecdsaKey, err := ecdsa.GenerateKey(ellipticCurve, rand.Reader)
			
 
				+	if err != nil {
			
 
				+		return nil, nil, err
			
 
				+	}
			
 
				+
			
 
				+	// Create SSH private key in OpenSSH format
			
 
				+	sshPrivateKey, err := ssh.MarshalPrivateKey(ecdsaKey, comment)
			
 
				+	if err != nil {
			
 
				+		return nil, nil, err
			
 
				+	}
			
 
				+
			
 
				+	// Create SSH public key
			
 
				+	sshPublicKey, err := ssh.NewPublicKey(&ecdsaKey.PublicKey)
			
 
				+	if err != nil {
			
 
				+		return nil, nil, err
			
 
				+	}
			
 
				+
			
 
				+	publicKeyBytes := ssh.MarshalAuthorizedKey(sshPublicKey)
			
 
				+	if comment != "" {
			
 
				+		// Remove the newline and add comment
			
 
				+		publicKeyStr := string(publicKeyBytes[:len(publicKeyBytes)-1]) + " " + comment + "\n"
			
 
				+		publicKeyBytes = []byte(publicKeyStr)
			
 
				+	}
			
 
				+
			
 
				+	return pem.EncodeToMemory(sshPrivateKey), publicKeyBytes, nil
			
 
				+}
			
 
				+
			
 
				 func parseSpec(data []byte) (*genv1alpha1.SSHKey, error) {
			
 
				 	var spec genv1alpha1.SSHKey
			
 
				 	err := yaml.Unmarshal(data, &spec)
			
 
				 	return &spec, err
			
 
				 }
			
 
				 
			
 
				-
			
 
				 // NewGenerator creates a new Generator instance.
			
 
				 func NewGenerator() genv1alpha1.Generator {
			
 
				 	return &Generator{}
			
--- a/generators/v1/sshkey/sshkey_test.go
+++ b/generators/v1/sshkey/sshkey_test.go
@@ -96,6 +96,39 @@ func TestGenerate(t *testing.T) {
 
				 			},
			
 
				 		},
			
 
				 		{
			
 
				+			name:     "ecdsa key",
			
 
				+			jsonSpec: &apiextensions.JSON{Raw: []byte(`{"spec":{"keyType":"ecdsa"}}`)},
			
 
				+			wantErr:  false,
			
 
				+			validate: func(t *testing.T, result map[string][]byte) {
			
 
				+				assert.Contains(t, result, "privateKey")
			
 
				+				assert.Contains(t, result, "publicKey")
			
 
				+				assert.True(t, strings.HasPrefix(string(result["publicKey"]), "ecdsa-sha2-"))
			
 
				+			},
			
 
				+		},
			
 
				+		{
			
 
				+			name:     "ecdsa key with comment",
			
 
				+			jsonSpec: &apiextensions.JSON{Raw: []byte(`{"spec":{"keyType":"ecdsa","comment":"test@example.com"}}`)},
			
 
				+			wantErr:  false,
			
 
				+			validate: func(t *testing.T, result map[string][]byte) {
			
 
				+				assert.Contains(t, result, "privateKey")
			
 
				+				assert.Contains(t, result, "publicKey")
			
 
				+				assert.True(t, strings.HasPrefix(string(result["publicKey"]), "ecdsa-sha2-"))
			
 
				+				assert.Contains(t, string(result["publicKey"]), "test@example.com")
			
 
				+			},
			
 
				+		},
			
 
				+		{
			
 
				+			name:     "ecdsa key with bits specified",
			
 
				+			jsonSpec: &apiextensions.JSON{Raw: []byte(`{"spec":{"keyType":"ecdsa","keySize":521}}`)},
			
 
				+			wantErr:  false,
			
 
				+			validate: func(t *testing.T, result map[string][]byte) {
			
 
				+				assert.Contains(t, result, "privateKey")
			
 
				+				assert.Contains(t, result, "publicKey")
			
 
				+				assert.True(t, strings.HasPrefix(string(result["publicKey"]), "ecdsa-sha2-"))
			
 
				+				assert.True(t, len(result["privateKey"]) > 0)
			
 
				+				assert.True(t, len(result["publicKey"]) > 0)
			
 
				+			},
			
 
				+		},
			
 
				+		{
			
 
				 			name:     "key with comment",
			
 
				 			jsonSpec: &apiextensions.JSON{Raw: []byte(`{"spec":{"keyType":"rsa","comment":"test@example.com"}}`)},
			
 
				 			wantErr:  false,