Istio CA should return a cert chain instead of a single cert

[lookuptable]

Fix #56

[lizan]

In self-signed root certificate case, you don't need to include the root cert here.

Basically the only certificates needed to be included are the one before root certificate, since the root certificate is already distributed to the other end.

https://tools.ietf.org/html/rfc5246#section-7.4.2

It is just an optimization, it is ok to include, but not necessary.

[lookuptable]

Done. We are on longer sending root cert in the cert chain in self-signed case.

In non-self-signed case we have no control over what's in the chain file. So we'll blindly send over what's in the file.

[wattli]

Is there any timestamp in the cert? If so, would it still work when the cert expires?

[lookuptable]

Updated the timestamps to make the certs long-lived so expiration shouldn't be an issue.

[wattli]

lgtm

[codecov]

Codecov Report

Merging #59 into master will increase coverage by 2.28%.
The diff coverage is 91.22%.

@@            Coverage Diff             @@
##           master      #59      +/-   ##
==========================================
+ Coverage   68.45%   70.73%   +2.28%     
==========================================
  Files           6        6              
  Lines         317      352      +35     
==========================================
+ Hits          217      249      +32     
- Misses         81       84       +3     
  Partials       19       19

Impacted Files	Coverage Δ
certmanager/generate_cert.go	76% <0%> (-2.09%)	❌
certmanager/ca.go	100% <100%> (ø)	✅
controller/secret.go	78.46% <100%> (+0.33%)	✅
certmanager/util.go	50% <80%> (+2.17%)	✅

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update a904257...42ab687. Read the comment docs.