From 675d4c87b271174d238bc41c9dcfd9ec9765cf96 Mon Sep 17 00:00:00 2001
From: junqian
Date: Wed, 20 Jan 2021 15:14:02 +0800
Subject: [PATCH] new crt with SAN
---
build/docker/ca.crt | 32 +++++++++++++---------------
build/docker/tls.crt | 34 ++++++++++++++++--------------
build/docker/tls.key | 50 ++++++++++++++++++++++----------------------
hack/gencerts.sh | 26 +++++++++++++++++++++--
4 files changed, 82 insertions(+), 60 deletions(-)
diff --git a/build/docker/ca.crt b/build/docker/ca.crt
index 2cf0fd1..c33a71a 100644
--- a/build/docker/ca.crt
+++ b/build/docker/ca.crt
@@ -1,19 +1,17 @@ -----BEGIN CERTIFICATE----- -MIIDITCCAgmgAwIBAgIJAMSASpzVWFKeMA0GCSqGSIb3DQEBCwUAMCYxJDAiBgNV -BAMMG0FkbWlzc2lvbiBXZWJob29rIFNlcnZlciBDQTAgFw0xOTA1MTQxNTMzMjNa -GA8yMjkzMDIyNjE1MzMyM1owJjEkMCIGA1UEAwwbQWRtaXNzaW9uIFdlYmhvb2sg -U2VydmVyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqaBzPVOp -SCG5Wb2tav28dyypvZMeGkVelr38bOibn9lcZ/BYQZL9UuRp4kfK2E9jWC1lyWS7 -5r6c6DgouFsYMq/5J2t57Z8lQw5LD+QS4hVT7KS/01YO4BDiEe/mOhfq6xrf9b5s -VVL5t7VEYROncZGmx91CMPHDb9kCaes1LPWWTvoFYrppeqAurAt6IDYDItZ9txlH -9gYXuiSJ+6YSVe2j6Rpr9RMCVKtqjvbAm8JMq7m0cfDQ05AgCaVZuFP8n+o8pZv9 -Lsx9+kPdzD3PEoGSKZVR8zY4Fmo5R2UYpT9++pj14eQl0r8+XaXynB9er6vNSJB6 -vUb3pyjL27vDkQIDAQABo1AwTjAdBgNVHQ4EFgQUxVagI6pfgcveZT6h62n9w+/C -xcEwHwYDVR0jBBgwFoAUxVagI6pfgcveZT6h62n9w+/CxcEwDAYDVR0TBAUwAwEB -/zANBgkqhkiG9w0BAQsFAAOCAQEAJIUD0RB54TDvzZcYg9rpFPlxeH78qUSYfBPf -PIJqvrBt5pad6AyUx3fEfsZMbz3F7dqbzDTeoU2be+KmPx44QBrOy6AY561fcjYF -jAhoL7hQKzJpUJ1WffmU1/+rGrArWP5txjK7QUz5EuLy4w3YzoUf3ElOgWWwP73k -Tgu76TYkgmjwSYHXqQbVHMb8L77BSPilBqQaeCJR4yK3G4OgtpYKdJ2claiC/Nmp -QLu9Gi9RGnKk8pxxCGxUXZpOkvVZaQRS94N3ii5CBWIs4TBhWrPF63wK/M/OVjVX -VMinMKL6fUpco95Ge90wklTXpzPQkJcBEXQJn6XGZsbPA+/SAQ== +MIICyjCCAbICCQCvul1DxkEzIzANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtB +ZG1pc3Npb24gV2ViaG9vayBTZXJ2ZXIgQ0EwIBcNMjEwMTIwMTExNjA0WhgPMjI5 +NDExMDUxMTE2MDRaMCYxJDAiBgNVBAMMG0FkbWlzc2lvbiBXZWJob29rIFNlcnZl +ciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKfJGUxPH/jmz/dp +uMvNQaw13l23Dbxny66mhCGoTpFbWovaEe8774qF9jsjOTIBJPUxEV4rVlO2po6M +uH1v3Rw9daC4mlzfZAyCygZsY4zCNoAVOw8kZ7d62mPK3RZdrPxBkKwaauIBQsdw +dgm3oxwouwZ2MIEdg4Cp/ZnQiDx06689J+FLMBcp4kIlHJJn/mNnfj23ahHAD3uW +pfSivrv0pQOchLe/+p5tcvNEUehDcOtagIEI4HCOG5cdx7mgsrf4DTVY8ZS7iPH/ +Ymcb8/bofyA6xA3tGS2q2WIkBLp1hjp3VeQSrrAxV7ViJ0VUeuAuq2DUW3UOYKs5 +Dt7XyKUCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAB25Z5RxqI4VaID8Ut88Qm1uB +9UfVpdY3SkNgeT8ucsGo+2RPx9vXymdHKvdzu6E8xfAVgYe83C8sLh8XrwrIkdJ/ +scsfQwW7b+TdDsBKtx572GhvXOyQueTffDNy20gnTiKaMW3w5iEETs6yglFkmENk 
+IvN8lTh8UT15mg30jOA5iZY4llLAab0Q827YCpS+Y1G4Vcn0ef/49tNBW07dDvsu +IQsQWX1Jp1UU3L3CaqUJgB++kYf2oEymG9OXmNWx6i+042BvI1ICcr9m6kOyl/Ca +L68EfXf2AJjOnvnpKwIXNuQ9NhP1dnX/VTq99aP2It0oTEyOeCw43WxctbXO6Q== -----END CERTIFICATE----- diff --git a/build/docker/tls.crt b/build/docker/tls.crt index a72f795..de14a09 100644 --- a/build/docker/tls.crt +++ b/build/docker/tls.crt 
@@ -1,18 +1,20 @@ -----BEGIN CERTIFICATE----- -MIICzjCCAbYCCQCGuh5L8cZFODANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtB -ZG1pc3Npb24gV2ViaG9vayBTZXJ2ZXIgQ0EwIBcNMTkwNTE0MTUzMzIzWhgPMjI5 -MzAyMjYxNTMzMjNaMCoxKDAmBgNVBAMMH3RhcHAtY29udHJvbGxlci5rdWJlLXN5 -c3RlbS5zdmMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3N85P9BP7 -sInAm8O4mjtxuuA6edw83CuY4BoEw368uXLU3q6XCPied0TeDbI7nUWH5ywWWrHu -p6GliEM0ob50bWm9O0nvDy8XaA8JvRTtoP6t5l/R0RWMz8vZjuenCFXUxWjz3yBJ -gi0wthqEU15o0szeNm5QN8BKIF6lWJI/q5lVEMducsCjnhWXSQ+rpIAPU/n5J3Lm -0iULZyko0roLFN+1posUeHM3oOX3tv1c6qiwXITV3+qmK/XkAg1+c8tYF8PX38t7 -M4ORZ0i2cmfBL5a9auTYuRHd6e5WhcvscWAm2S5C/+1iu3Xnic/2qGeMbSy4U8l4 -8q+WtKg9U54XAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAKZRlvIEar5GjYlAGQoE -IgdHzkJ+HK3rGPT+FA34GViJAvU8uBMIe2PCdd+lBpXwoZRu1+3hCEDGSm7nM4DD -kibFcLUZxhVju/1EOKvoJK/GqEl0/WxRlp6m6jywh2RjJeKAPb8F4xr5SoEty4DF -fyXRv4abbZSZZReMM8R9XE7e6yHcF6yLtiXjxISySW9nU1B2IJf0n19rlTAvt9FX -buZgGyucNao600wuALIbceMMje0zXm04uzqmIJxCE5JZXbehd1Ikc2SmhrPYfJB2 -0XmpIeZgIxsWtJ5ICsMChyyNKkp1LElUUfIsKJYr1HpMnzlzlOmxJrkfOzQ12+J2 -d+E= +MIIDUjCCAjqgAwIBAgIJALiiZ6FAH0h7MA0GCSqGSIb3DQEBBQUAMCYxJDAiBgNV +BAMMG0FkbWlzc2lvbiBXZWJob29rIFNlcnZlciBDQTAgFw0yMTAxMjAxMTE2MDRa +GA8yMjk0MTEwNTExMTYwNFowSjELMAkGA1UEBhMCQ04xETAPBgNVBAoMCHRrZXN0 +YWNrMSgwJgYDVQQDDB90YXBwLWNvbnRyb2xsZXIua3ViZS1zeXN0ZW0uc3ZjMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu8wZaTuq2vYdxWq/VDxnAMqI +BKinyTtxRmgJhA8e7p1Qpxs9omLbiX79HbLaazuZGGqi+aR4+8ixmjPOCJltdGlk +gc5UVppKyrMVUoQsB+5BbCbjSvTMM0FMTdOj0tFXWH0TLvzfDKL37JFmeEiGiUS6 +16AYYg0i153PigjwHMXKRtz/LyPALNlUNnAP+Ql8TVPLb2JhF19E+blMb6wqIrVx +xEOihzcHYzHs6OR09+xJUNGKlqxFyKm5Brby3NzpkZzuqU2SaRy7E69v4hW53358 +HJ80ZEUlN6Ttahd0LnhJ14qwP2Mu0O1+FNpd1Y0zSZGZiIGH0OCXBXtkemN32wID +AQABo10wWzAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsG +AQUFBwMBMCoGA1UdEQQjMCGCH3RhcHAtY29udHJvbGxlci5rdWJlLXN5c3RlbS5z +dmMwDQYJKoZIhvcNAQEFBQADggEBAHY1WmXIxOx4hkYuSi2Amf+hWqeIluYBLclg +olIJrEP3s/b8XQPVv8bM1R9+cTvV/p5LFjeLZugquNiEDSDMlGCSXbvMMoYytZL7 
+T8u77Ou61JcMBX65XAYKv0hZ3pgNaJVmU6hA+WIzY9tCrnIo2dwHMo4VroGUaC2p +Ce/sopBDK3cJWXqYkxvbqukDXxdMfeZtWMJFQncYSkLExZlVdaoED0OYOmmvcfWK +uVG6QZ4Fel/sKi3cw4AXsgGZuqFNZFSD4kbK8gf8FOpbmQ6GVctLz2enEx8BHbi0 +DlziHIkIikTQRcgYN4zcLFljggd5LERyHdsLRSuj0G8opc32GyE= -----END CERTIFICATE----- diff --git a/build/docker/tls.key b/build/docker/tls.key index f5ae048..3423a2b 100644 --- a/build/docker/tls.key +++ b/build/docker/tls.key 
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAtzfOT/QT+7CJwJvDuJo7cbrgOnncPNwrmOAaBMN+vLly1N6u -lwj4nndE3g2yO51Fh+csFlqx7qehpYhDNKG+dG1pvTtJ7w8vF2gPCb0U7aD+reZf -0dEVjM/L2Y7npwhV1MVo898gSYItMLYahFNeaNLM3jZuUDfASiBepViSP6uZVRDH -bnLAo54Vl0kPq6SAD1P5+Sdy5tIlC2cpKNK6CxTftaaLFHhzN6Dl97b9XOqosFyE -1d/qpiv15AINfnPLWBfD19/LezODkWdItnJnwS+WvWrk2LkR3enuVoXL7HFgJtku -Qv/tYrt154nP9qhnjG0suFPJePKvlrSoPVOeFwIDAQABAoIBACyaBz1re5nfxgj/ -YkwEL8hl58QUekrOhkZ2956FQMsMkinD89iMtIlPG5K63tKoXI7S9eaTOZGReUZk -v4eGgGizYfRRBJSPq7UU/eQvBXM7qAQJevYG4iofQ864fSgqXUqoq/4CKUf7yqh7 -DEV+ThNSjdDii0Q37jWdX6z8vM2GvNvehfVnPoNo9Vcz4QjF6kHrCMYPv4W+6axm -QoPPRmTThQYH9ayJ28etkHhbiRxTKymk1U2j16y/tFI9M2yGqs1rEGwyhh2zyNOq -dZYasft/s1jhmLuGAAOhHiwxipfMusoN0HqnaazMPBBMGFAvzipA+ZdfOKWVDxq0 -nJWYbMECgYEA6KlKdY1ko7NqpMsiqAj0iRkYu1VF4ZFu9KwPvAqr+nzVw/Cd9vKj -2sgRGMRp0UYL8JzilvhheNrQlF7y6pZ+6/38ybkiLECwvX0QdHkteUI5ZZve1e1W -JHiAe15daMg/9x+Ub+XLOQM7QlWmS/dfQsdHNZ7l3gM/JoAHwVXH9ycCgYEAyZjR -bTDZazugUU/3KUUPGgqW22Su3lz0SZNtpslVumMdq7XvMsnPEgpzE5yxPpOj5vMo -0RpaxNbzxRpcKcc4kNpZJG32GW6pkJcooNGH8FqroMVMfVzy/zaabNGWYw5AtXWn -/xYv+1NfEYLuYpWrDS5suy1xIPHWwwTWLxvW95ECgYAIYqGWXwQzijHbwp57I+d8 -UXU8uzQLjyxKkTD3/AJ6wqkJqNBoqBITvoYvOFT//+BKSb0457bLnkdKManbnpTw -eHT16EA9DA/SpIFFUWC8MBDVgqqjVyx1oAoxaBNBxYXYqEC3T7blVSJ7n46gykea -pogAfLuYJtHN12twImFUnQKBgDU82RmHy/LolSbEAlZwuVM8NqiLhy6Lx6tidpOU -GcKWCDDfY+K6rqdqAQfN2nTXEnKcBkxqNExFI60KkAosZUDDmMTpEROYSMk5Ue5e -RxLvLuHPGKsGj9lb9x4Dnz5bdjU1c/8GQfeSBcofFIsOUVSyzN4FWxnDI97ueQ2J -wZQxAoGBAMgBooy6NY46u5OmkqTl04wj7KNauIoJSLvswFzJgraF1QFce/69Zjel -Y2vYiFgOUTs3aMSXgm95t3bazki5mhZ4kOMdCdMxKIzTAJZDrM2Kaq6MfQ02XZSD -uFSupA7YzFVDHz6t4p4TrhckG64hg3cBK338N9i5+ScONjKrBujp +MIIEogIBAAKCAQEAu8wZaTuq2vYdxWq/VDxnAMqIBKinyTtxRmgJhA8e7p1Qpxs9 +omLbiX79HbLaazuZGGqi+aR4+8ixmjPOCJltdGlkgc5UVppKyrMVUoQsB+5BbCbj +SvTMM0FMTdOj0tFXWH0TLvzfDKL37JFmeEiGiUS616AYYg0i153PigjwHMXKRtz/ +LyPALNlUNnAP+Ql8TVPLb2JhF19E+blMb6wqIrVxxEOihzcHYzHs6OR09+xJUNGK 
+lqxFyKm5Brby3NzpkZzuqU2SaRy7E69v4hW53358HJ80ZEUlN6Ttahd0LnhJ14qw +P2Mu0O1+FNpd1Y0zSZGZiIGH0OCXBXtkemN32wIDAQABAoIBAAUWFw4ZlpwNlGrX +ZE00wZls4tg1dS3nFT9R7AgOnMjbq+aKv1WZldaYgOSABphm6dOWd8mJIdm36s+B +XbAv7536iMVXQEOENEhfJ1Gv0L16P31dZESQcsNknltxQvufvdzgrldUc/oUo+Bd +Y8gYNsSa/vB+HorxTiNG2+siKNaunNY1WBklK2BO1a8m/DOuAHx9hijQl/XVPY5y +ISMT3E0ldDS7D/zX1Ol4tDZvMSHKPqZ/pAwT9xZRFzo6dbTpxGUDew7MtBphDikZ +HRvZpbunYt1yLyuY6mIhKkK+OHDiu3wyyBwW20qCue/WvK9AWcDZJRg/aupf/M0f +37jQfRECgYEA3UkqUXLJe5VlLbEWtptwMkUHhdYCMiDoFYbabdnP9AHgAZppHd8G +jKOgCzmQNHVLn1Gd3B/QLmv9aTSIWVOb2fDEeoMM3bGM9EmMGHRuryQxKrlute36 +q5One5sur+QvpsmKq161BSqCJWpRIJjcdZ8Sg41riPfqsiDsqfoPjzMCgYEA2UII +4ZYYIzTq2Vy5o/p8kHzUnYcYP1fJ6h8e9zfTW+oQOzTGp9yRuQKLubbqKihustTm +3/lhw6uu1FFvE+3/06mEXCrnAwT84JV0zItl6YQw1KgfPgZcEs0ozNPjQnjX8YX1 +A3Q6S3108eVtVAa+uuWkvKYQM/PM6KBiww43FLkCgYBAVR4Ncc6rtCInJ33P9t6m +brUiLraStkhiwcLM/u7bJJRoQujee1FfH87OlJyc86DZn5PCRCl05YZVyKT/OzRr +JvkoGONrrEurVZp6HZd0KZR1tFVAZQBkU1f0soffMPq9hYhgC/eameIeWItfa7Fk +LKvoPPwPZOwBf1rui7lsSwKBgCaqqgn8PK+Ha4TkC+YzXpgYn36p3JbpePZCM7Cs +LuHc9qaS7ghSKV1UJqoW8/Ys3AbX/X8/UzcQBz2igLJ7WVzCftwohpTy/k66St9c +r/avoEE46taPKzPtb6WE0J20BDroLINA3F8zJO0oeBzMVoXM+VTZ+WhFq+J7KRiu +Hv+BAoGAUGUo4gEvrqSDhWflS/HGPjrV+OFI0oSkuusxEqB7KR6Nla3ktHvIbHmQ +/S2NsrhbJFRvEKcTTULjVBs+mqmelqeU0RbA8EXrLqJC50qfuCv2zsNU0oqpUcD+ +HSneW4Iske38XOEdwIfwwKwN/51VicOOaoFqPnoCMHDybI5fh9o= -----END RSA PRIVATE KEY----- diff --git a/hack/gencerts.sh b/hack/gencerts.sh index 8bc1630..9d6ca3a 100755 --- a/hack/gencerts.sh +++ b/hack/gencerts.sh 
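Review bot: This hunk checks a fresh RSA private key into the repository as `build/docker/tls.key`, so the webhook's serving identity is readable by anyone with access to the repo or to an image built from this directory, and the previous key it replaces should be treated as exposed for the same reason. The `hack/gencerts.sh` script touched in this same patch can mint the key pair at build or deploy time, so the key should be produced there (or issued by cert-manager / the cluster CA) and dropped from git with a `.gitignore` entry such as `build/docker/*.key`. `ca.key` is absent from the diff even though `ca.crt` was regenerated, which suggests it is already kept out of the tree; `tls.key` deserves the same treatment. If a checked-in placeholder is unavoidable, say so in the script header, e.g. `# NOTE: build/docker/tls.key is a development-only key; never deploy it to a real cluster`.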
@@ -17,10 +17,32 @@ mkdir -p $key_dir
 chmod 0700 $key_dir
 cd $key_dir
 
+SANCNF=san.cnf
+
+cat << EOF > ${SANCNF}
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+C = CN
+O = tkestack
+CN = tapp-controller.kube-system.svc
+
+[v3_req]
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, serverAuth
+subjectAltName = @alt_names
+[alt_names]
+DNS.1=tapp-controller.kube-system.svc
+EOF
+
+
 # Generate the CA cert and private key
 openssl req -nodes -new -x509 -days 100000 -keyout ca.key -out ca.crt -subj "/CN=Admission Webhook Server CA"
 # Generate the private key for the webhook server
 openssl genrsa -out tls.key 2048
 # Generate a Certificate Signing Request (CSR) for the private key, and sign it with the private key of the CA.
-openssl req -new -days 100000 -key tls.key -subj "/CN=tapp-controller.kube-system.svc" \
- | openssl x509 -req -days 100000 -CA ca.crt -CAkey ca.key -CAcreateserial -out tls.crt
+openssl req -new -sha256 -days 100000 -key tls.key -subj "/CN=tapp-controller.kube-system.svc" -reqexts v3_req -config ${SANCNF} \
+ | openssl x509 -req -days 100000 -CA ca.crt -CAkey ca.key -CAcreateserial -extensions v3_req -extfile ${SANCNF} -out tls.crt
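Review bot: The `-sha256` added to the `openssl req -new` line only digests the CSR's self-signature; the leaf certificate is signed by the `openssl x509 -req` stage on the following line, which is still left at the toolchain's default digest, and the tls.crt committed in this same patch decodes to sha1WithRSAEncryption where the old one was sha256WithRSAEncryption. Move the flag to the signer: `| openssl x509 -req -sha256 -days 100000 -CA ca.crt -CAkey ca.key -CAcreateserial -extensions v3_req -extfile ${SANCNF} -out tls.crt`. Go 1.18+ TLS clients reject SHA-1-signed certificates by default, so a kube-apiserver built on that toolchain would presumably fail the webhook handshake outright rather than merely negotiate a weaker chain. Two smaller points on the same lines: `-days 100000` does nothing on a CSR, and the 273-year leaf validity it mirrors on the signer (the committed notAfter is in 2294) makes rotation a matter of discipline rather than expiry, while `san.cnf` is written next to `ca.key` and never removed — create it with `mktemp` or delete it after signing. The regenerated ca.crt in this patch is also a v1 certificate with no basicConstraints, which suggests the unchanged `-x509` CA line above is picking up different openssl.cnf defaults than it originally did; passing `-addext "basicConstraints=critical,CA:TRUE"` (OpenSSL 1.1.1+) would pin that independent of the host config.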