certificates
Default crv, kty, size (and min size) should be configurable per provisioner
Provisioner configuration for default key types, sizes, crvs, etc.
Why this is needed
Support more specialized use cases.
I think this could be a very practical improvement, e.g. if you need certificates for backward compatibility or for special products / use cases with RSA keys. As a workaround we use the following constraint in a provisioner template to achieve this:
{{- /* .Size on *rsa.PublicKey is the modulus length in bytes: 512 bytes == 4096 bits */ -}}
{{- if not (and (typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey) (eq .Insecure.CR.PublicKey.Size 512)) }}
{{ fail "This provisioner only supports 4096 bit RSA certificates." }}
{{- end }}
It would be better to have these options set globally and the possibility to overwrite the global defaults per provisioner.
The signature algorithm should of course be covered by such global/provisioner settings as well...
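To see how the constraint template above actually behaves against different key types and sizes, here is an added, stand-alone Go program (not code from the issue author or from the smallstep project). It evaluates the quoted template with Go's `text/template`, plus a second, added variant that enforces a minimum RSA size with `ge` rather than an exact size. The `typeIs` and `fail` helpers are minimal re-implementations that assume sprig's `typeIs` compares the reflected type name and step's `fail` aborts rendering with the given message; the `.Insecure.CR.PublicKey` data shape is mocked with local structs, and the public keys are constructed shells with a modulus of the right bit length rather than real keys. The point it demonstrates is that `Size` returns bytes, so `512` is indeed a 4096-bit key, and that non-RSA keys are rejected too.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rsa"
	"errors"
	"fmt"
	"math/big"
	"reflect"
	"strings"
	"text/template"
)

// constraintTmpl is the workaround template quoted in the issue. Size on
// *rsa.PublicKey is a method returning the modulus length in bytes, so
// 512 means 512 * 8 = 4096 bits.
const constraintTmpl = `{{- if not (and (typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey) (eq .Insecure.CR.PublicKey.Size 512)) }}
{{ fail "This provisioner only supports 4096 bit RSA certificates." }}
{{- end }}`

// minRSATmpl is an added variant enforcing a minimum instead of an exact size
// (256 bytes = 2048 bits), closer to the "min size" the issue asks for.
const minRSATmpl = `{{- if not (and (typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey) (ge .Insecure.CR.PublicKey.Size 256)) }}
{{ fail "This provisioner requires an RSA key of at least 2048 bits." }}
{{- end }}`

// Minimal stand-ins (assumed, not step-ca's real types) for the
// .Insecure.CR.PublicKey path the template dereferences.
type csrData struct{ PublicKey interface{} }
type insecureData struct{ CR csrData }
type tmplData struct{ Insecure insecureData }

// funcs re-implements the two helpers the template relies on: sprig's typeIs
// (compare the reflected type name) and step's fail (abort rendering with an
// error). These are assumptions about their behaviour, not the project's code.
var funcs = template.FuncMap{
	"typeIs": func(target string, v interface{}) bool {
		return v != nil && reflect.TypeOf(v).String() == target
	},
	"fail": func(msg string) (string, error) { return "", errors.New(msg) },
}

// checkKey renders tmpl against pub. A nil error means the key passed the
// constraint; otherwise the error carries the fail message. Caveat: on Go
// older than 1.18 "and" does not short-circuit, so .Size is evaluated even
// for non-RSA keys and the rejection surfaces as a template evaluation error
// ("can't evaluate field Size") instead of the fail message.
func checkKey(tmpl string, pub interface{}) error {
	t, err := template.New("constraint").Funcs(funcs).Parse(tmpl)
	if err != nil {
		return err
	}
	data := tmplData{Insecure: insecureData{CR: csrData{PublicKey: pub}}}
	var sb strings.Builder
	return t.Execute(&sb, data)
}

// fakeRSA builds an *rsa.PublicKey whose modulus has exactly `bits` bits. The
// template only inspects the type and modulus length, so no real key
// generation is needed (constructed test input, not a usable key).
func fakeRSA(bits int) *rsa.PublicKey {
	return &rsa.PublicKey{N: new(big.Int).Lsh(big.NewInt(1), uint(bits-1)), E: 65537}
}

// fakeECDSA builds a P-256 public key shell, again only for type inspection.
func fakeECDSA() *ecdsa.PublicKey {
	return &ecdsa.PublicKey{Curve: elliptic.P256()}
}

func main() {
	keys := []struct {
		name string
		key  interface{}
	}{
		{"rsa-4096", fakeRSA(4096)},
		{"rsa-2048", fakeRSA(2048)},
		{"ecdsa-p256", fakeECDSA()},
	}
	for _, k := range keys {
		fmt.Printf("%-10s exact-4096: %v\n", k.name, checkKey(constraintTmpl, k.key))
		fmt.Printf("%-10s min-2048:   %v\n", k.name, checkKey(minRSATmpl, k.key))
	}
}
```

Run it with `go run .`; a nil result means the template accepted the key. Because the template compares `Size` in bytes, anyone copying the workaround for a different size must divide by 8 (2048-bit keys are `Size` 256), which is exactly the kind of detail a first-class per-provisioner `size`/`minSize` option would remove.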
Added a label to talk about this in our next triage meeting.
Hey @DonOtuseGH, we agree that this could be a useful feature, but it's a bit niche at the moment.
I think the way you've solved this currently (with the template) is the best we can do short term. We would need design discussion around how these attributes might interplay with values passed in from the command line. E.g., if the default on the provisioner is ECDSA, but on the command line I pass `--kty rsa`, would this cause an error? Would my command-line flag simply override the default? There's some stuff to iron out here, and in order for us to prioritize internally, we'd need to see more support and understand the use cases.