puppet/kubetool:7.0.0 - bad discovery_token_hash #614

Closed
metode-cz opened this issue Feb 6, 2023 · 3 comments · Fixed by #627

@metode-cz
Contributor

metode-cz commented Feb 6, 2023

Describe the Bug

The create_certs.rb script generates a new type of ecdsa certificate instead of the previous rsa certificate. However, the command to generate the discovery_token_hash expects an rsa certificate instead of an ecdsa.

```ruby
system("openssl x509 -pubkey -in ca.pem | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //' > discovery_token_hash")
```

specifically this part...
`openssl rsa -pubin`

So, just adjust the rsa parameter to ec like this:
`openssl ec -pubin`

Additional Context

https://github.com/puppetlabs/puppetlabs-kubernetes/blob/main/tooling/kube_tool/create_certs.rb#L91

@LukasAud
Contributor

Hi @metode-cz, sorry for the long delay in feedback. Unfortunately, we are currently experiencing some issues with our CI system and it is somewhat difficult to implement and test the change you suggested. We have added it to our backlog and are planning to address it as soon as we can. However, I cannot really give any estimate on when this issue will be addressed.

If you feel like this update is very urgent, please feel free to put up a PR for it and we will be happy to review it. We always encourage our community members to participate and send us PRs that they think might improve our modules.

@metode-cz
Contributor Author

PR created

@r-tierney
Contributor

I had the same issue, fixed in this PR
#625

I used openssl pkey instead of openssl rsa
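
Added example, not code from the module or from any commenter: the value the pipeline above is meant to write is the hex SHA-256 of the CA certificate's DER SubjectPublicKeyInfo, which can be computed in Ruby without naming the key algorithm, together with a check for the hash a pipeline leaves behind when one stage writes nothing and its stderr is discarded. The helper names (`spki_der`, `discovery_token_hash`, `failed_pipeline?`, `sample_ca`) and the throwaway CA certificates are assumptions constructed for this example.

```ruby
require 'openssl'

# SHA-256 of empty input: the digest a shell pipeline produces when an
# earlier stage fails, prints nothing to stdout, and has stderr discarded.
EMPTY_INPUT_HASH = OpenSSL::Digest::SHA256.hexdigest('')

# Return the DER SubjectPublicKeyInfo of a certificate, whatever the key type.
def spki_der(cert)
  tbs = OpenSSL::ASN1.decode(cert.to_der).value[0].value
  # tbsCertificate begins with an optional [0] version field; skip it if present.
  has_version = tbs[0].tag_class == :CONTEXT_SPECIFIC && tbs[0].tag == 0
  tbs[has_version ? 6 : 5].to_der
end

# Hex SHA-256 over the SPKI; works for RSA and ECDSA CA certificates alike.
def discovery_token_hash(cert)
  OpenSSL::Digest::SHA256.hexdigest(spki_der(cert))
end

# True when a stored hash is only the digest of nothing, i.e. the key
# extraction stage of the pipeline produced no output.
def failed_pipeline?(hex)
  hex.strip.downcase == EMPTY_INPUT_HASH
end

# Constructed fixture: a throwaway self-signed CA (not the module's real CA).
def sample_ca(key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=example-ca')
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.public_key = key
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

EC_CA  = sample_ca(OpenSSL::PKey::EC.generate('prime256v1'))
RSA_CA = sample_ca(OpenSSL::PKey::RSA.new(2048))

if __FILE__ == $PROGRAM_NAME
  puts "ecdsa ca: #{discovery_token_hash(EC_CA)}"
  puts "rsa ca:   #{discovery_token_hash(RSA_CA)}"
end
```

Running `failed_pipeline?` over an existing `discovery_token_hash` file shows whether it was generated from a key the extraction stage could not read.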
