From b62129b2fb1b43557c871aea0f4176a9a4e497bb Mon Sep 17 00:00:00 2001
From: junqian
Date: Wed, 20 Jan 2021 15:14:02 +0800
Subject: [PATCH] new crt with SAN

---
 build/docker/ca.crt | 34 +++++++++++++++---------------
 build/docker/tls.crt | 34 ++++++++++++++++--------------
 build/docker/tls.key | 50 ++++++++++++++++++++++----------------------
 hack/gencerts.sh | 26 +++++++++++++++++++++--
 4 files changed, 84 insertions(+), 60 deletions(-)

diff --git a/build/docker/ca.crt b/build/docker/ca.crt
index 2cf0fd1..506323d 100644
--- a/build/docker/ca.crt
+++ b/build/docker/ca.crt
@@ -1,19 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIIDITCCAgmgAwIBAgIJAMSASpzVWFKeMA0GCSqGSIb3DQEBCwUAMCYxJDAiBgNV
-BAMMG0FkbWlzc2lvbiBXZWJob29rIFNlcnZlciBDQTAgFw0xOTA1MTQxNTMzMjNa
-GA8yMjkzMDIyNjE1MzMyM1owJjEkMCIGA1UEAwwbQWRtaXNzaW9uIFdlYmhvb2sg
-U2VydmVyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqaBzPVOp
-SCG5Wb2tav28dyypvZMeGkVelr38bOibn9lcZ/BYQZL9UuRp4kfK2E9jWC1lyWS7
-5r6c6DgouFsYMq/5J2t57Z8lQw5LD+QS4hVT7KS/01YO4BDiEe/mOhfq6xrf9b5s
-VVL5t7VEYROncZGmx91CMPHDb9kCaes1LPWWTvoFYrppeqAurAt6IDYDItZ9txlH
-9gYXuiSJ+6YSVe2j6Rpr9RMCVKtqjvbAm8JMq7m0cfDQ05AgCaVZuFP8n+o8pZv9
-Lsx9+kPdzD3PEoGSKZVR8zY4Fmo5R2UYpT9++pj14eQl0r8+XaXynB9er6vNSJB6
-vUb3pyjL27vDkQIDAQABo1AwTjAdBgNVHQ4EFgQUxVagI6pfgcveZT6h62n9w+/C
-xcEwHwYDVR0jBBgwFoAUxVagI6pfgcveZT6h62n9w+/CxcEwDAYDVR0TBAUwAwEB
-/zANBgkqhkiG9w0BAQsFAAOCAQEAJIUD0RB54TDvzZcYg9rpFPlxeH78qUSYfBPf
-PIJqvrBt5pad6AyUx3fEfsZMbz3F7dqbzDTeoU2be+KmPx44QBrOy6AY561fcjYF
-jAhoL7hQKzJpUJ1WffmU1/+rGrArWP5txjK7QUz5EuLy4w3YzoUf3ElOgWWwP73k
-Tgu76TYkgmjwSYHXqQbVHMb8L77BSPilBqQaeCJR4yK3G4OgtpYKdJ2claiC/Nmp
-QLu9Gi9RGnKk8pxxCGxUXZpOkvVZaQRS94N3ii5CBWIs4TBhWrPF63wK/M/OVjVX
-VMinMKL6fUpco95Ge90wklTXpzPQkJcBEXQJn6XGZsbPA+/SAQ==
+MIIDITCCAgmgAwIBAgIJAPHdVHB0WDfrMA0GCSqGSIb3DQEBCwUAMCYxJDAiBgNV
+BAMMG0FkbWlzc2lvbiBXZWJob29rIFNlcnZlciBDQTAgFw0yMTAxMjAwODAxNTBa
+GA8yMjk0MTEwNTA4MDE1MFowJjEkMCIGA1UEAwwbQWRtaXNzaW9uIFdlYmhvb2sg
+U2VydmVyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2ws8tO16
+TMyPhG6fA5nlhBzsmlYw6Ag5fVbuZavxY9v9ictP7LZNRNQTCqCeI8dW2WOrmAHG
+SA11R0rZMOeEoSTmc1xsQ0MK/ee9D1chKttjUz9iHTCDWGjNI4AEOD6WOto5S8Qt
+rEmFcIlwusQ+9Bj/yqSJ8xLNLRI2p2OG61P8G31S9iMtvV3TYWr81CuUYR7efCfO
+2HNIZS8eCxnjo36zQWH0krO1fNis0tHel+TSomL5Az/cTFkiYaSKHfC+QoPYkZlH
+A3fD5W3eWR4jiaqEHGrikYvd34GEBoIJHlCFumZbDLHNUVVpQ5slU+9rik/i2xfI
+cqVmfmkYKYwOiQIDAQABo1AwTjAdBgNVHQ4EFgQUpvuG4TEN4aXUfXl9ZypAyB0p
+O+QwHwYDVR0jBBgwFoAUpvuG4TEN4aXUfXl9ZypAyB0pO+QwDAYDVR0TBAUwAwEB
+/zANBgkqhkiG9w0BAQsFAAOCAQEAMatFoZwAfoFIC1GV55WoRyyCZvtrGsDdiofZ
+p/uoOu46L3XXEWaVO3z9MXHuULc5xVH8lXc3R9OXKCm0s6Nn8DQ8s6zeBP8b8wmT
+xaev24yD6ScYlseHKzxqn01ANdd9CuWOlgZgv1NCrdvr0GZCguH141IuTFQ+/eM+
+M9Hv/szVbdFOwYODAmqgFjA8e19yVE4dzgZCUKXCSXoBbjHFa+fDlVQZWilSOszh
+lIY+CDPlCvShQnHtcbQrzkR9x3znMiSxpVR8dS3qvhL8K2r3Vfk/Tf28meV8wyky
+B8AekVql8xKLC++wtSBCE6vDgxHUVGxRdR2uhRoOAzUGoPRV+Q==
 -----END CERTIFICATE-----
diff --git a/build/docker/tls.crt b/build/docker/tls.crt
index a72f795..07ae54a 100644
--- a/build/docker/tls.crt
+++ b/build/docker/tls.crt
@@ -1,18 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIICzjCCAbYCCQCGuh5L8cZFODANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtB
-ZG1pc3Npb24gV2ViaG9vayBTZXJ2ZXIgQ0EwIBcNMTkwNTE0MTUzMzIzWhgPMjI5
-MzAyMjYxNTMzMjNaMCoxKDAmBgNVBAMMH3RhcHAtY29udHJvbGxlci5rdWJlLXN5
-c3RlbS5zdmMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3N85P9BP7
-sInAm8O4mjtxuuA6edw83CuY4BoEw368uXLU3q6XCPied0TeDbI7nUWH5ywWWrHu
-p6GliEM0ob50bWm9O0nvDy8XaA8JvRTtoP6t5l/R0RWMz8vZjuenCFXUxWjz3yBJ
-gi0wthqEU15o0szeNm5QN8BKIF6lWJI/q5lVEMducsCjnhWXSQ+rpIAPU/n5J3Lm
-0iULZyko0roLFN+1posUeHM3oOX3tv1c6qiwXITV3+qmK/XkAg1+c8tYF8PX38t7
-M4ORZ0i2cmfBL5a9auTYuRHd6e5WhcvscWAm2S5C/+1iu3Xnic/2qGeMbSy4U8l4
-8q+WtKg9U54XAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAKZRlvIEar5GjYlAGQoE
-IgdHzkJ+HK3rGPT+FA34GViJAvU8uBMIe2PCdd+lBpXwoZRu1+3hCEDGSm7nM4DD
-kibFcLUZxhVju/1EOKvoJK/GqEl0/WxRlp6m6jywh2RjJeKAPb8F4xr5SoEty4DF
-fyXRv4abbZSZZReMM8R9XE7e6yHcF6yLtiXjxISySW9nU1B2IJf0n19rlTAvt9FX
-buZgGyucNao600wuALIbceMMje0zXm04uzqmIJxCE5JZXbehd1Ikc2SmhrPYfJB2
-0XmpIeZgIxsWtJ5ICsMChyyNKkp1LElUUfIsKJYr1HpMnzlzlOmxJrkfOzQ12+J2
-d+E=
+MIIDUTCCAjmgAwIBAgIJALBgje0le4QCMA0GCSqGSIb3DQEBCwUAMCYxJDAiBgNV
+BAMMG0FkbWlzc2lvbiBXZWJob29rIFNlcnZlciBDQTAgFw0yMTAxMjAwODAzMzFa
+GA8yMjk0MTEwNTA4MDMzMVowSTELMAkGA1UEBhMCQ04xEDAOBgNVBAoMB1RlbmNl
+bnQxKDAmBgNVBAMMH3RhcHAtY29udHJvbGxlci5rdWJlLXN5c3RlbS5zdmMwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDfnc0JCisOMPTr09wppeI4I6Ct
++c718EW+39fTjYF5gw8UW7UZGWvh4mb3b8kNUuQcf34wyh/7kLOzyxVnXXyTqMe9
+kzRYYiXTH5vVuT7o+iTzzBuSnVkf4poS0U/d1JD8v4EC+5N1yefsqgCAri+Crygn
+ACnUXv9DYt8DgsNKMhoRFdvQoMzS9feq7yUKyC4Hp7JOILGuEGN/kx7S8Zw5uPvA
+bMZwnBsgNrXvlG5jrUTqJKhM5eH+NL6tRLFwse6/5EvuA1CXMFuc2wvz3SODojjj
+fXlETovAeD1g3R0NkleU1OQA58RL9xe6lYfycsROYJmdN5ZLEV0jEgcKuo6nAgMB
+AAGjXTBbMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYB
+BQUHAwEwKgYDVR0RBCMwIYIfdGFwcC1jb250cm9sbGVyLmt1YmUtc3lzdGVtLnN2
+YzANBgkqhkiG9w0BAQsFAAOCAQEAbMqDgeWu7HrErnnXvLTYmocxFHntPePLC1vS
+wldQiChsmVjNaumYOrephEdqUFtJU5To7u1/cnY7zbL0bsgAhxeTn180qEwYvW6T
+Kz9XuXB2mZKs3A8BHJfZOtnSXnz45c3+hvb+4pH/4Dgnq9w/NVWRVTA/8z5vhtFH
+DZSPySw2lLYLYvZTsbBd+xb4cEgV8t3TO/B4ek0+fASWTtieD+wkWM7JZk7LaBRn
+IUh8/9mg2MmdbBJZJlokkhuBaChTrlFRNdlkzT8jvGC1HRrSJlNtPl56tCpDTuBg
+EPsfcXLT4qSYHjEPGYLjxbnGAzqCp23farYJ3xZa7LCWuFW6cg==
 -----END CERTIFICATE-----
diff --git a/build/docker/tls.key b/build/docker/tls.key
index f5ae048..86c697e 100644
--- a/build/docker/tls.key
+++ b/build/docker/tls.key
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAtzfOT/QT+7CJwJvDuJo7cbrgOnncPNwrmOAaBMN+vLly1N6u
-lwj4nndE3g2yO51Fh+csFlqx7qehpYhDNKG+dG1pvTtJ7w8vF2gPCb0U7aD+reZf
-0dEVjM/L2Y7npwhV1MVo898gSYItMLYahFNeaNLM3jZuUDfASiBepViSP6uZVRDH
-bnLAo54Vl0kPq6SAD1P5+Sdy5tIlC2cpKNK6CxTftaaLFHhzN6Dl97b9XOqosFyE
-1d/qpiv15AINfnPLWBfD19/LezODkWdItnJnwS+WvWrk2LkR3enuVoXL7HFgJtku
-Qv/tYrt154nP9qhnjG0suFPJePKvlrSoPVOeFwIDAQABAoIBACyaBz1re5nfxgj/
-YkwEL8hl58QUekrOhkZ2956FQMsMkinD89iMtIlPG5K63tKoXI7S9eaTOZGReUZk
-v4eGgGizYfRRBJSPq7UU/eQvBXM7qAQJevYG4iofQ864fSgqXUqoq/4CKUf7yqh7
-DEV+ThNSjdDii0Q37jWdX6z8vM2GvNvehfVnPoNo9Vcz4QjF6kHrCMYPv4W+6axm
-QoPPRmTThQYH9ayJ28etkHhbiRxTKymk1U2j16y/tFI9M2yGqs1rEGwyhh2zyNOq
-dZYasft/s1jhmLuGAAOhHiwxipfMusoN0HqnaazMPBBMGFAvzipA+ZdfOKWVDxq0
-nJWYbMECgYEA6KlKdY1ko7NqpMsiqAj0iRkYu1VF4ZFu9KwPvAqr+nzVw/Cd9vKj
-2sgRGMRp0UYL8JzilvhheNrQlF7y6pZ+6/38ybkiLECwvX0QdHkteUI5ZZve1e1W
-JHiAe15daMg/9x+Ub+XLOQM7QlWmS/dfQsdHNZ7l3gM/JoAHwVXH9ycCgYEAyZjR
-bTDZazugUU/3KUUPGgqW22Su3lz0SZNtpslVumMdq7XvMsnPEgpzE5yxPpOj5vMo
-0RpaxNbzxRpcKcc4kNpZJG32GW6pkJcooNGH8FqroMVMfVzy/zaabNGWYw5AtXWn
-/xYv+1NfEYLuYpWrDS5suy1xIPHWwwTWLxvW95ECgYAIYqGWXwQzijHbwp57I+d8
-UXU8uzQLjyxKkTD3/AJ6wqkJqNBoqBITvoYvOFT//+BKSb0457bLnkdKManbnpTw
-eHT16EA9DA/SpIFFUWC8MBDVgqqjVyx1oAoxaBNBxYXYqEC3T7blVSJ7n46gykea
-pogAfLuYJtHN12twImFUnQKBgDU82RmHy/LolSbEAlZwuVM8NqiLhy6Lx6tidpOU
-GcKWCDDfY+K6rqdqAQfN2nTXEnKcBkxqNExFI60KkAosZUDDmMTpEROYSMk5Ue5e
-RxLvLuHPGKsGj9lb9x4Dnz5bdjU1c/8GQfeSBcofFIsOUVSyzN4FWxnDI97ueQ2J
-wZQxAoGBAMgBooy6NY46u5OmkqTl04wj7KNauIoJSLvswFzJgraF1QFce/69Zjel
-Y2vYiFgOUTs3aMSXgm95t3bazki5mhZ4kOMdCdMxKIzTAJZDrM2Kaq6MfQ02XZSD
-uFSupA7YzFVDHz6t4p4TrhckG64hg3cBK338N9i5+ScONjKrBujp
+MIIEpgIBAAKCAQEA353NCQorDjD069PcKaXiOCOgrfnO9fBFvt/X042BeYMPFFu1
+GRlr4eJm92/JDVLkHH9+MMof+5Czs8sVZ118k6jHvZM0WGIl0x+b1bk+6Pok88wb
+kp1ZH+KaEtFP3dSQ/L+BAvuTdcnn7KoAgK4vgq8oJwAp1F7/Q2LfA4LDSjIaERXb
+0KDM0vX3qu8lCsguB6eyTiCxrhBjf5Me0vGcObj7wGzGcJwbIDa175RuY61E6iSo
+TOXh/jS+rUSxcLHuv+RL7gNQlzBbnNsL890jg6I44315RE6LwHg9YN0dDZJXlNTk
+AOfES/cXupWH8nLETmCZnTeWSxFdIxIHCrqOpwIDAQABAoIBAQCG63koeSAdQeCk
+4YE3B8WERcrO7ai3ry8FyZ05IWn7XN4eVG7iI/p5odaqeKIADgFgSHRlD69YY6hp
+VKEnarqdhPpvIYA1y5Iy3iFyRID2pObiykXgoluB54E61Vuw5m5McWdv20bPjPEI
+VFJVUcOMwA4j6e9TGbY+fEs+nQkjnBJtut0Rodu9bsCevxBd5k1CFFvBazjNpIBw
+NSNIp4d1NZklwslJ/CpXVaeT6lxfeYtekfErKygprnbbJ1Cuf4Jkm386iLS5pmRl
+TTuHHqJqk95W3x0uMXs/1t4kL7We0r9ZYXMCNpOAPO8/6nseFp8wbEha0HbN33hW
+UelIPLKxAoGBAPGeIGSqTdw0f825vzZHPgC3sB4h719D9igbFfyGajUUvUXrwooJ
+I9ZL2gnzU4Ocua+EO3TlnpUHpzV1RAG8FOYKvvouPuMIUsWZB77Yk/ntnJrr1SAZ
+0oIB17WdknqOCkuSn1Ns7laYpDq897oa9HjjIuRNhKcttmw83HrzHxC1AoGBAOzt
+XQHpuFrP7wXEmHGc2JWLGrIPA4+0tv77/HUeChbFFORvhs1/UvMrCaRFX28slTlj
+FGkrnGABKphLAnYZlSss08WzVl9gnr9wOwmKUOiT8sjLoxdKKiTZiGUX8r5Ey7ag
+gmxP6HSIKhEM1RYg0i2XoY9nmJzaKjpyXAgzRydrAoGBAJqS5fhgt5UEBStRBNIt
+u63r1gFBBom0ydsYkPVP7MxuqzP7QybZ+BJVznUFNU2Cy4xNFViQueZv0foyPkK5
+18jf4RPe2B6YqZN+dmUS24BOEh1OeLejrXe8xAqNdzNugYmdkM5nZwcBejeVwwpN
+yk84SI80RIRLi2Qtf4Qs25ftAoGBAJ+0IE15zdro7qVkr51lrFihO41qsWvc1L1r
+/fC0HvjaQAr7YlKC0Nc423bvjDTUSII2VzvNOcs8/glKBo61D+faf6V0DXSdHGTO
+sfzsTz12/OB846J/S4krWNVMH0RB+09PQprgAkEKx9BWZgxUc1hoLW8M1cJlDLH5
+BDBC4GOhAoGBAN7JsewGTJ0ay/nwLNOhVrW8Dra12im328cYwoZNbCXrlb+Ykjij
+Ayrsp6ljRXXspKeHhJOwS04S+8xMk2Mp6mlupHsnqXSkLhSDGOtvd74vhIL7g/xD
+qx/vWdifeg0fCrSqXX45EPUqDaC+G8LLHpVS4rMM2hTh8Vh/LwnqHkpM
 -----END RSA PRIVATE KEY-----
diff --git a/hack/gencerts.sh b/hack/gencerts.sh
index 8bc1630..e5c9484 100755
--- a/hack/gencerts.sh
+++ b/hack/gencerts.sh
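Review bot: The new tls.key is still a private key checked into the repository, so the rotation this hunk performs does not restore confidentiality: the new key is readable by everyone with access to the tree, the key it replaces stays recoverable from git history, and whoever holds the file can impersonate the webhook to any API server that trusts the committed ca.crt. Because hack/gencerts.sh already produces the whole set at run time, the defensible fix is to stop tracking tls.key (and ca.key, which the script writes beside it — confirm it is not tracked too), add them to .gitignore, and generate them in the deployment step, delivering them to the pod as a Kubernetes Secret rather than baking them into the image. If this key pair is intentionally a development-only fixture, a comment in hack/gencerts.sh or a README note in build/docker saying so would keep it from being mistaken for a production credential.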
@@ -17,10 +17,32 @@ mkdir -p $key_dir
 chmod 0700 $key_dir
 cd $key_dir
 
+SANCNF=san.cnf
+
+cat << EOF > ${SANCNF}
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+C = CN
+O = Tencent
+CN = tapp-controller.kube-system.svc
+
+[v3_req]
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, serverAuth
+subjectAltName = @alt_names
+[alt_names]
+DNS.1=tapp-controller.kube-system.svc
+EOF
+
+
 # Generate the CA cert and private key
 openssl req -nodes -new -x509 -days 100000 -keyout ca.key -out ca.crt -subj "/CN=Admission Webhook Server CA"
 # Generate the private key for the webhook server
 openssl genrsa -out tls.key 2048
 # Generate a Certificate Signing Request (CSR) for the private key, and sign it with the private key of the CA.
-openssl req -new -days 100000 -key tls.key -subj "/CN=tapp-controller.kube-system.svc" \
- | openssl x509 -req -days 100000 -CA ca.crt -CAkey ca.key -CAcreateserial -out tls.crt
+openssl req -new -sha256 -days 100000 -key tls.key -subj "/CN=tapp-controller.kube-system.svc" -reqexts v3_req -config ${SANCNF} \
+ | openssl x509 -req -days 100000 -CA ca.crt -CAkey ca.key -CAcreateserial -extensions v3_req -extfile ${SANCNF} -out tls.crt
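Review bot: `extendedKeyUsage = clientAuth, serverAuth` in the new `[v3_req]` section gives the webhook's serving certificate a client-authentication purpose it does not appear to need, so tls.crt would also be accepted as a client certificate by anything that trusts ca.crt; unless the controller presents this key pair as a client somewhere, `extendedKeyUsage = serverAuth` is the least-privilege setting. On the rewritten `openssl req` line, `-days 100000` has no effect on a CSR (`openssl req -new` without `-x509` ignores it) and the leaf lifetime comes solely from `openssl x509 -req -days 100000` on the following line, so the option can be dropped to stop it suggesting otherwise. The subject is also specified twice, via `-subj "/CN=tapp-controller.kube-system.svc"` and via `[req_distinguished_name]`; keeping only the config section (which is what `prompt = no` is there for) removes a value that can drift between the two. Finally, `san.cnf` is written into `$key_dir` and never removed, so a trailing `rm -f ${SANCNF}` would keep the generated config out of the output directory.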