From c8d87fb4ae5d8c22e8411e32037803fd5251b85e Mon Sep 17 00:00:00 2001
From: Tommy Li
Date: Mon, 7 Feb 2022 17:34:52 -0800
Subject: [PATCH] fix(backend): make cache-deployer generate CSR using kubelet-serving
---
 backend/src/cache/deployer/webhook-create-signed-cert.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/backend/src/cache/deployer/webhook-create-signed-cert.sh b/backend/src/cache/deployer/webhook-create-signed-cert.sh
index b867541a266..f6a33c03e4b 100755
--- a/backend/src/cache/deployer/webhook-create-signed-cert.sh
+++ b/backend/src/cache/deployer/webhook-create-signed-cert.sh
@@ -94,7 +94,7 @@ DNS.3 = ${service}.${namespace}.svc
 EOF
 openssl genrsa -out ${tmpdir}/server-key.pem 2048
-openssl req -new -key ${tmpdir}/server-key.pem -subj "/CN=${service}.${namespace}.svc" -out ${tmpdir}/server.csr -config ${tmpdir}/csr.conf
+openssl req -new -key ${tmpdir}/server-key.pem -subj "/CN=system:node:${service}.${namespace}.svc;/O=system:nodes" -out ${tmpdir}/server.csr -config ${tmpdir}/csr.conf
 echo "start running kubectl..."
@@ -111,7 +111,7 @@ spec:
 groups:
 - system:authenticated
 request: $(cat ${tmpdir}/server.csr | base64 | tr -d '\n')
- signerName: kubernetes.io/kube-apiserver-client
+ signerName: kubernetes.io/kubelet-serving
 usages:
 - digital signature
 - key encipherment
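Review bot: The new `-subj` value on the `openssl req` line in the first hunk joins the CN and O components with `;/`, but OpenSSL splits a subject string on `/` only, so the semicolon most likely becomes the last character of the common name (`system:node:<service>.<namespace>.svc;`). The kubelet-serving signer only checks that the CN starts with `system:node:`, which is presumably why the request is still accepted, but the issued certificate then carries a malformed identity. I would drop the semicolon: `-subj "/CN=system:node:${service}.${namespace}.svc/O=system:nodes"`. The heredoc that writes `csr.conf` starts outside the hunk, so the SAN list should be checked there against the new subject.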
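Review bot: Changing `signerName` to `kubernetes.io/kubelet-serving` in the second hunk gives the cache webhook a certificate issued under the signer meant for kubelet endpoints, with a subject that claims `system:node:…` and `O=system:nodes`, which is a broader identity than an admission webhook needs. Nothing in the visible lines records that this is a workaround rather than an intended node identity, so I would add a comment above the CSR manifest such as `# NOTE: kubelet-serving signer is borrowed for a non-kubelet service; keep usages to server auth only`. The `usages` list and the approval step continue outside the hunk, so confirm there that `client auth` is never requested and that only the deployer's service account can approve this CSR. Longer term, a dedicated signer or a self-managed CA for the webhook would avoid reusing the node trust domain.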