From 0cc86936fd4d2777cd86fa5cc3a4443cd7e56e9a Mon Sep 17 00:00:00 2001
From: Anders Eknert
Date: Tue, 19 Jul 2022 23:45:32 +0200
Subject: [PATCH] docs: update kube tutorial cert install procedure

Two unrelated issues would break the Kubernetes tutorial in recent kube versions. The first one being the SHA1 hash used by default in at least older versions of OpenSSL, which is no longer accepted by Kubernetes. Easy fix.

The next one is definitely a head scratcher - for whatever reason, the subjectAltName previously provided in the config didn't seem to be picked up in certificate signing requests. Older versions of Kubernetes - or Go, really - would accept the common name (CN), but more recent ones require the use of subjectAltName, so it's possible this never "worked" as intended but was ignored as the CN was used instead. The docs on the topic however all suggest that the previous config _should_ have worked, and after having spent a long time trying to figure out why it didn't, I've found nothing to provide any insights here. Best I have is "works on my machine", so if anyone else would want to try this out to make sure it works on theirs too, that'd be great.

* Use explicit hashing algorithm
* Specify -extensions as this does not seem to be picked up when provided in config only.

Fixes #4902

Signed-off-by: Anders Eknert
---
 docs/content/kubernetes-tutorial.md | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/docs/content/kubernetes-tutorial.md b/docs/content/kubernetes-tutorial.md
index ae92a56797..cb4bab8fc1 100644
--- a/docs/content/kubernetes-tutorial.md
+++ b/docs/content/kubernetes-tutorial.md
@@ -70,33 +70,33 @@ certificate authority (CA) and certificate/key pair for OPA: ```bash openssl genrsa -out ca.key 2048 -openssl req -x509 -new -nodes -key ca.key -days 100000 -out ca.crt -subj "/CN=admission_ca" +openssl req -x509 -new -nodes -sha256 -key ca.key -days 100000 -out ca.crt -subj "/CN=admission_ca" ``` Generate the TLS key and certificate for OPA: ```bash cat >server.conf < Note: the Common Name value and Subject Alternative Name you give to openssl MUST match the name of the OPA service created below.
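Review bot: the one change visible here, adding `-sha256` to the `openssl req -x509` line that self-signs the CA, is correct, but the tutorial text should say why it is there: OpenSSL 1.1.0 and later already default to SHA-256, so the flag only changes the result on older OpenSSL builds, and making the digest explicit is what keeps the output independent of the reader's install. The second fix described in the commit message (passing `-extensions` on the signing step so the `subjectAltName` from `server.conf` ends up in the issued certificate) is not shown in this rendering of the hunk, which is cut off at `cat >server.conf <`, so it cannot be reviewed from what is visible and should be checked against the full file before merge. Since the note after the hunk says the CN and SAN "MUST match the name of the OPA service", it would also help readers to add a verification line such as `openssl x509 -in server.crt -noout -text` and tell them to look for the `X509v3 Subject Alternative Name` entry, which is exactly what distinguishes a CSR that carried the SAN from a certificate that actually contains it.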
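As an added, self-contained example (not the tutorial's own `server.conf` and not part of this patch), the script below runs the full procedure the commit describes and then checks the result: it creates a CA with an explicit SHA-256 digest, writes a minimal request config with a `subjectAltName`, signs the CSR with `-extensions`/`-extfile` so the SAN is copied into the certificate, and exposes two helper functions that read the SAN and the signature algorithm back out of the issued certificate. The service name `opa.opa.svc`, the temporary working directory and the 365-day lifetimes are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example, not from the OPA tutorial or this patch: generate a CA and a
# server certificate with an explicit SAN, then verify what actually landed in
# the certificate. Service name and working directory are assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"
SERVICE_NAME="${SERVICE_NAME:-opa.opa.svc}"   # assumed; must match the Kubernetes Service name

make_ca() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  # -sha256 makes the digest explicit: older OpenSSL defaulted to SHA-1,
  # which current Kubernetes versions reject.
  openssl req -x509 -new -nodes -sha256 -key "$WORK/ca.key" -days 365 \
    -out "$WORK/ca.crt" -subj "/CN=admission_ca"
}

make_server_cert() {
  # Minimal request config constructed for this example (not the tutorial's server.conf).
  cat >"$WORK/server.conf" <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
CN = $SERVICE_NAME

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVICE_NAME
EOF
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORK/server.key" -out "$WORK/server.csr" \
    -config "$WORK/server.conf"
  # The SAN lives in the CSR, but "openssl x509 -req" does not copy CSR
  # extensions into the certificate unless told where to find them:
  # -extensions names the section, -extfile the file it is in.
  openssl x509 -req -in "$WORK/server.csr" -sha256 -days 365 \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.crt" -extensions v3_req -extfile "$WORK/server.conf"
}

# Print the SAN value of a certificate (empty output means no SAN was issued).
cert_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# Print the signature algorithm of a certificate, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text \
    | grep 'Signature Algorithm' | sed 's/.*: *//' | sort -u
}

# Usage when run directly:
#   make_ca && make_server_cert
#   cert_san "$WORK/server.crt"        -> DNS:opa.opa.svc
#   cert_sig_alg "$WORK/server.crt"    -> sha256WithRSAEncryption
```

Running `cert_san` on the issued certificate is the check the commit message asks other people to perform on their machines: a certificate whose CSR carried a SAN but that was signed without `-extensions` prints nothing here, which is the "works on my machine" failure mode the tutorial fix addresses.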