new certificate with SAN

build/docker/ca.crt

@@ -1,19 +1,17 @@
 -----BEGIN CERTIFICATE-----
-MIIDITCCAgmgAwIBAgIJALwezbB84FA9MA0GCSqGSIb3DQEBCwUAMCYxJDAiBgNV
-BAMMG0FkbWlzc2lvbiBXZWJob29rIFNlcnZlciBDQTAgFw0xOTA1MTQxNjUxMjZa
-GA8yMjkzMDIyNjE2NTEyNlowJjEkMCIGA1UEAwwbQWRtaXNzaW9uIFdlYmhvb2sg
-U2VydmVyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuWrYVeKO
-cbhHD3spB3at0WGI29DOobCNjxb9KKQqY0rCnkgKygsTOM4LP0mXUEz/7jCOJqYE
-dyLV+PQBSfYSpS543+RbKFv9gAz1cV/8udCZ5PJCvRggEMLRxvr3QwZDZQKHhETD
-A7MFEKIBk/pLMhDYx15fNY4ryif2TH9Gc8DXkn5JAAgtXWi3kxf9N3Ie+EqLFYa9
-mBQdenlc9njJXzHKUKOqoiV6BzmJ6rVpHbVPFgE4OvMm1rlky32ARl07tD4bYzaZ
-ak2JQPCBkHjJ68G5vS3qAa1VU66yqqbeBtykgdiFHKpOJMkwgLI8IJ/TMztuZxBk
-AG8ZyiPX4PumlQIDAQABo1AwTjAdBgNVHQ4EFgQU4HWijNVBZFUWJs0cC9x7eyUq
-vw0wHwYDVR0jBBgwFoAU4HWijNVBZFUWJs0cC9x7eyUqvw0wDAYDVR0TBAUwAwEB
-/zANBgkqhkiG9w0BAQsFAAOCAQEAa8TwSCf6j+xpN+NHhEP2Vyytiqj4JWx+BDzS
-nbBnC4lHmdMpw5JqRGI/oiNzO+t9qYtWfZuifB9jy46Vd0j24LmEjLQIsc+NLWEv
-5ltTEW4pmeJHMytwmYFT9py6JF2sPcqNolu70gXmVnEZ+DwzaK5cYi2ybRD/0164
-42ZUmlUfq3UdGuParVELr5+Koz18tbwevEsDR3JoMnPPK2JeGiggB78SQTUquKEy
-j3EzEdp9hLeXnffG3FyxhAnoHrDuJc/UMndjdBornWEigVO5+ClNIQiHd55ktzj2
-dWfg708whR2JJvgq43uFmTvhzu7coz9wDjMdGoLOS+m7tjGh5g==
+MIICyjCCAbICCQClzVTuRuEnBTANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtB
+ZG1pc3Npb24gV2ViaG9vayBTZXJ2ZXIgQ0EwIBcNMjEwMzA5MDY0MTUyWhgPMjI5
+NDEyMjMwNjQxNTJaMCYxJDAiBgNVBAMMG0FkbWlzc2lvbiBXZWJob29rIFNlcnZl
+ciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALcMtRva/0HuM/64
+Agf9LrJugPiBSEFFp331AXakrgBS1LqL57XSndupbHGVUtGZpeW29zvNuzS2ksqq
+XdkAuoCRxKFKM8nlZ+CLZt2qFzkUY0IFa7riU0n2uIXU231T0z3vurcSa9hI5Yl/
+Ow+JVVFy3SD1lmgAo9+c9or9sqkxFZr9wJNWuz96oM98yOzOpgY8nkeQqAg2DDmQ
+P7pj/I6h6Ir+TpDHDWr+XQfdx8dXSZl7tVi8N8ugE6Hy98v2y1B5DcdEnfmPjzcc
+cRUBHNiwnFeJIiUYxfGcgYP31s6v0juMOX+qRue8WnEat2kTuW+c4O8UUoBoFhvB
+DykPSNsCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQwXRQfVsRpAlkr3VJ49ACRlY
+k8XlyILL3f2FiYijLEYAHpqRt51CYGYqlFEZYFq2F7PB3lCAB+vAV/QvZjTXO9O2
+r+m6EGNSeoVBkfVhkFo4vFJLqrczG4kA6HCHhdu4qMhzfV5i5+kiG50iLcyWTHl+
+npZm3cFzMxBlI/DjE/OfFDjn8+wzti8mjPtOY9Tw2+bml0urof81rOh50A7+D7t3
+a1cAMnmYjFojWtrBJmmjSb4x89agLhxgAN9wZ6PgCmvizftxB3ASNjhh9TiOmwmJ
+H30pznf4+Fgpze+qk0YQ2RQ29nCb+xKGp7dZX++i7tYEjNJLNoJ9net37oNN0w==
 -----END CERTIFICATE-----

build/docker/tls.crt

@@ -1,18 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIIC0jCCAboCCQD8dzANQe5A8jANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtB
-ZG1pc3Npb24gV2ViaG9vayBTZXJ2ZXIgQ0EwIBcNMTkwNTE0MTY1MTI2WhgPMjI5
-MzAyMjYxNjUxMjZaMC4xLDAqBgNVBAMMI2Nyb24taHBhLWNvbnRyb2xsZXIua3Vi
-ZS1zeXN0ZW0uc3ZjMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzJrg
-0l0KWpT9CELiSjKdqDETRlqecoG4O5v3Zxq+sB+Z2hpIgIsJL23HngUjllyMrZXr
-DdyZwugsPKuO2U7oPH187J3OyLU9P8gcKrkSMhzVMS9KWXg/BSHaINIWzwI6+Bqz
-odz7NmyL43Z6CGSCNq90uTU9u31J+9c13q8beXav4mBIg6O55rJuXofqCqMyNJp2
-7jrko3X6xUjDV1hDtNvvKXwvstohLL2X4/5lKWhAr3hn1z5Zb3G34Uwua20lSpPh
-1EJWjioAx8S4T4VvJbQ9o25bSYktn2NsnN5X1/WrbmecjlabjRKxPvQA1HzgYTnn
-kSKaC1fAPEII7OBJIwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBVdbDPNAVAa1PY
-k6boR9RGOjMnEJ7R+dHDgeFOY6VsrI7kOwTp5HWGbNVUoIV7xqL3x8XE0snQ7+8m
-Z0uhaBKVuD4trs0oyOgL+x78vJpDnt7Ki9/m/xbOPNlg0D28k4AOsu57R0K5b5gH
-8iFjfhqYM28o1keQIqlX5vI51pqOqOorysefAV9C8SfYpTXYc9InsJvH8PPb7ZF4
-7REzSOuPDh506FvAO7LWFiSfFrFghuavNraZuF7Fqiw78WixFfSGWtWckiF5Je2B
-Z3BNrYTnGyYP0IDqQ2g8QmLax5hMd/7xOn6aRaCFr0vIHWkrruQkZ+zoBSif1AJs
-1YVM04+/
+MIIDWjCCAkKgAwIBAgIJAPidYVq65UEMMA0GCSqGSIb3DQEBBQUAMCYxJDAiBgNV
+BAMMG0FkbWlzc2lvbiBXZWJob29rIFNlcnZlciBDQTAgFw0yMTAzMDkwNjQxNTJa
+GA8yMjk0MTIyMzA2NDE1MlowTjELMAkGA1UEBhMCQ04xETAPBgNVBAoMCHRrZXN0
+YWNrMSwwKgYDVQQDDCNjcm9uLWhwYS1jb250cm9sbGVyLmt1YmUtc3lzdGVtLnN2
+YzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKtz5nHDIx+Sqmm1J2xy
+mYwKTkSEdZ+YiiyfQ7h+PgwyO54Im6F647CFfItS9CEARGdvItuZOLE2fq0icYh3
+YCj2z/BsjOi1oXQMgfXSG+4TY+UPTjMe8JfglGHECmN3Ggy7dIY0Yf1aUo7gj2Fh
+jFfNnTSZXaP+dU34Rev8bo0O0ODSpeJO38h16wqmD6sCnNEBQIhWGtPLhMGMoaed
+pg/IyLsVUAERhB1TVHWFmXglM6klSESGqqNTJSPYVfpg7SPC0raN2NiBP1sYZcke
+qNL/WCYQjig9ASpFNzbkZrVHbePLU5OhIPlVMYz3lZhRL/SSeH9BqcMalCbEwqBL
+8/UCAwEAAaNhMF8wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMC
+BggrBgEFBQcDATAuBgNVHREEJzAlgiNjcm9uLWhwYS1jb250cm9sbGVyLmt1YmUt
+c3lzdGVtLnN2YzANBgkqhkiG9w0BAQUFAAOCAQEAJQz2+A7eC1dptaHLnSqGtuLf
+DqHkPvFJ6ZTmak8/UlGrdO3y/LMk7eVSkwQ4F9zPz0D9Xd9Uw+biu1EOiiHetggY
+BVGRpfObxd54luA5EGVMHQy8IC9y5DOB/m4ehEq3An1zjS4yGTpozhf/R5+bbR3G
+8pcNUCyXrzCpXLoSOzCtyCPcP80QrfncMgxpDQlrJVxuyT7qsCGddfTocbIiVZJE
+yew5OxppFtC0k+sL9IOHCgSK84DNsoHGkMmYzLY2U1ZpnNASYdNQaxkwZvsZh6Jy
+EN4/olD6tqJLkxOHfTCVN0ic07Hh6wSLUY1sEHuPFVO9RKU62XvTJ2KyHID27w==
 -----END CERTIFICATE-----

build/docker/tls.key

@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAzJrg0l0KWpT9CELiSjKdqDETRlqecoG4O5v3Zxq+sB+Z2hpI
-gIsJL23HngUjllyMrZXrDdyZwugsPKuO2U7oPH187J3OyLU9P8gcKrkSMhzVMS9K
-WXg/BSHaINIWzwI6+Bqzodz7NmyL43Z6CGSCNq90uTU9u31J+9c13q8beXav4mBI
-g6O55rJuXofqCqMyNJp27jrko3X6xUjDV1hDtNvvKXwvstohLL2X4/5lKWhAr3hn
-1z5Zb3G34Uwua20lSpPh1EJWjioAx8S4T4VvJbQ9o25bSYktn2NsnN5X1/Wrbmec
-jlabjRKxPvQA1HzgYTnnkSKaC1fAPEII7OBJIwIDAQABAoIBAG+gU+YRIrP2svHN
-472NTdxUIerxR567TPMgjWKwAbb/FqYaTtHqiPFaWFzK+vZuucV+lEX0w+LFXlUf
-WAkQ9r0BzaUeF5IC506j81IPtHCosFtsLIkRhHhdVq8vT4hS9C8mCjjV4ix4Hf3U
-RpHLnAsPwIPHG03t9e4zJM3ABSJHdmRzWyJfLBgqVxxoNqN6fFYLTcvfYlNAED4V
-LLPVRCalNLe1LdO+2jTw97rOKguXEhDqWIpUra15EnBiTWXholLHvpTkF8U5gI4X
-DaoL9wVuuk6TaaWxrk9zzEVVeTYcfqQrCkv4R6KTD7JzbI0ipijD+jjkGyWVvVEE
-HLe16GECgYEA/jqsgoJyYwFu5YvaYyzp+Ou/zwHFt+ItNRwVF7Nu5MZIgh5ZltRP
-s98rpRUu9Q3uPzHYe6EA7NGUoOb91Scl4orheK7Cj/HjjLZfzBsolP3FYE0T7ySa
-DSTr6lE2DyyO7jAf/yeP0hpMTATjdiTv53CoFKbP7CTG20IiL0W/fRECgYEAzge3
-q9+KD5EccmobKG4X9s08JTvfk2TXP9Xa0YQJRnIoJcLB0FR3LoFrn8xem2tAK84y
-1QfXtilTIndN6du67SvlWbK6sHv5qJaZQXS9TUazYBhjBudFbng0G7VcIL/PGHvH
-IqkJY/rr5Y5bRNoSTtcqYO6AgIJt569qZKe7cvMCgYATYlvm85VPMTvIatpy92i7
-nxYX7ZWqyKcTxplhHkBVVz0OFsxT8MpG97w3MR9Mdgx1axKLkqIkbHJ9tj8icoKz
-/Ezmy8Rv/0yPXRR+1o9IlPTou9fKQysv12HZkumhTI91X9wAs36G0ZSBs1m4l2Zn
-ajKWqIVwBvnWm/tJSXMpUQKBgDZm8UfP8eukXIeVnvAxCeDgVoZaZfHMic3QUURL
-ggt470LxRy4Ub5f3Eo0ScNTHIB2xB9kahgoSpWIPcKJUo+omUhw6RnN9ePHcOkF/
-atDx30F7jwJupPXDhbbfT6FSJIQJgw6S5ejhg9KMoWrvzi/FPupzb7j/N7gaqJRF
-egijAoGAX+H3eggr1qz8cQjrE4DXTNzT8+S3zeTOea5FYNhu2HbMCeszPhUNLm04
-xhKCZp5vs9UY3nnJzSApj1BR68Ao4xOFe4kZ2zD69OM6ly9wzAsjuMtCwmt03QgN
-W7QtcNiPOexBGkvfK6IlHNsqVhHdmQbblv8lltGc4ejnFC3HDbs=
+MIIEowIBAAKCAQEAq3PmccMjH5KqabUnbHKZjApORIR1n5iKLJ9DuH4+DDI7ngib
+oXrjsIV8i1L0IQBEZ28i25k4sTZ+rSJxiHdgKPbP8GyM6LWhdAyB9dIb7hNj5Q9O
+Mx7wl+CUYcQKY3caDLt0hjRh/VpSjuCPYWGMV82dNJldo/51TfhF6/xujQ7Q4NKl
+4k7fyHXrCqYPqwKc0QFAiFYa08uEwYyhp52mD8jIuxVQARGEHVNUdYWZeCUzqSVI
+RIaqo1MlI9hV+mDtI8LSto3Y2IE/WxhlyR6o0v9YJhCOKD0BKkU3NuRmtUdt48tT
+k6Eg+VUxjPeVmFEv9JJ4f0GpwxqUJsTCoEvz9QIDAQABAoIBAEzLKsqFprO7k4yp
+UTEn21J4Qzo5Qh3ryufVphV6pfv8e+t624pmaplkELauvx4Q6pKRmsFVTalCSVbu
++H8xSObQNa7wT+TjhZ9fAs7B/zSRhsrQIiyPjR/ZvVxU3HpUnFxbkgOSbtl1nUjV
+mCL7+EpTlDg9AU406QG1VEww0qtm3ZOkpCys7Sw3hQBs0goIJc8fMrsj9MG/Mu5D
+0h0XJvQ+n0EVslg3uW0zXoqDJHHIrRrb6F2m6GfS8OSFfvePoa92eACluelNZjtS
+dlVVlmWcPdqtpBHymGTeBmdRGRunOt294aetesfhJR6Y84Y71GcgtmB1w/Pl0HOy
+Gan3doECgYEA22Ydy42guuAdcG1mIXzbDOOmUUY3pDVplsmWfICv7e2fNqvXdQGT
+Ny/mlYZiznmGEYmRIITuyfUiXC+aUEzvtcQcZTnKMMqETEbUdLz3XwNIZ0feh8Gr
+cztlgLY4g8zkPGZ8cYRMWuY+++jWgERDJMb6dlG0dPQsqmKwNeCC+RECgYEAyA4k
+2eaTO2pjmLPftwDEpghqtCS9gLPxCZEiAlRR2tlK1lk5L5f9i3wYcx0ZWS0CHD/W
+jBj5RlPYao+vLK/GOA/QyDrMzwvrIKq700IEDqvz0axVGEhV2LrtW+5D9jE9py5t
+f90jzy9cfjzwsorhqj49zS2aSMzSJFvXLRPqrKUCgYEAj9kHJgPI4123z5Pax5AO
+KwhDbrxEFQT0IuovIZhaQPxwTC8lB9EtjZx5aYX/2HJzBaKVpaWizoVLrveDDK00
+6Y8YMwJN3+mYDk7OU2/mHMSRPy4u6AGCAP5rkZVnvnqjFjr30pG0YlDd8Np7cQPQ
+phdT9imh0KCbfGdSMzDtjpECgYBP+t+ewgEQ2vrQfPEuv77exjSqqpmcj9QIyB45
+oi5LeV3jDi6/qVszXbyEoRiWP1k9pAQJZJ6cED9QcvtMuUVc+m2071UcXZ52I+wN
+jLIEj5hdtjEbEShJCoqEm2BOV+dXJEegu+9qEHxA9+oe50lK/7FDizzIaCKHaLRB
+EFpdBQKBgGmV/X7pLS244Hmbt4HXLIzAE5CQg5IIdUKT+v0Ih3Hz3Ku1VlIZYnZ5
+5NdULo5O79CkOBug5sSpd+AI8Q36qvzmLArcooFhmhpS/aCr8oZceJrcmb2Q8W2U
+fYM9Mj+KNIR883dk20/y2S96OpqmT4FVp7TH+S0qwKHbJsZZDmIi
 -----END RSA PRIVATE KEY-----

hack/gencerts.sh

@@ -36,10 +36,31 @@ mkdir -p $key_dir
 chmod 0700 $key_dir
 cd $key_dir
 
+SANCNF=san.cnf
+
+cat << EOF > ${SANCNF}
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+C = CN
+O = tkestack
+CN = cron-hpa-controller.kube-system.svc
+
+[v3_req]
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, serverAuth
+subjectAltName = @alt_names
+[alt_names]
+DNS.1=cron-hpa-controller.kube-system.svc
+EOF
+
 # Generate the CA cert and private key
 openssl req -nodes -new -x509 -days 100000 -keyout ca.key -out ca.crt -subj "/CN=Admission Webhook Server CA"
 # Generate the private key for the webhook server
 openssl genrsa -out tls.key 2048
 # Generate a Certificate Signing Request (CSR) for the private key, and sign it with the private key of the CA.
-openssl req -new -days 100000 -key tls.key -subj "/CN=cron-hpa-controller.kube-system.svc" \
-    | openssl x509 -req -days 100000 -CA ca.crt -CAkey ca.key -CAcreateserial -out tls.crt
+openssl req -new -sha256 -days 100000 -key tls.key -subj "/cron-hpa-controller.kube-system.svc" -reqexts v3_req -config ${SANCNF} \
+  | openssl x509 -req -days 100000 -CA ca.crt -CAkey ca.key -CAcreateserial -extensions v3_req  -extfile ${SANCNF}  -out tls.crt