tls: Add PEM file update script and config

Documentation so we can avoid researching this in the future. The
new PEM files have 3560 day expirations.

kubernetes/tls/ssl-extensions-x509.cnf

@@ -0,0 +1,7 @@
+[v3_ca]
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth, clientAuth
+basicConstraints = critical, CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+subjectAltName = IP:127.0.0.1, DNS: localhost, DNS: *.example.com

kubernetes/tls/update-tls.sh

@@ -0,0 +1,42 @@
+#!/bin/sh
+set -e
+
+openssl genrsa \
+  -out ca-key.pem 2048
+
+openssl req \
+  -x509 \
+  -new \
+  -nodes \
+  -key ca-key.pem \
+  -days 3560 \
+  -extensions v3_ca \
+  -out ca.pem \
+  -subj "/O=Kubernetes"
+
+openssl x509 -in ca.pem -text
+
+openssl genrsa \
+  -out key.pem 2048
+
+openssl req \
+  -new \
+  -key key.pem \
+  -out csr.pem \
+  -subj "/O=Kubernetes/CN=*.example.com"
+
+openssl x509 \
+  -req \
+  -in csr.pem \
+  -CA ca.pem \
+  -CAkey ca-key.pem \
+  -CAcreateserial \
+  -out cert.pem \
+  -extensions v3_ca \
+  -extfile ssl-extensions-x509.cnf \
+  -days 3560
+
+openssl x509 -in cert.pem -text
+
+rm ca.srl
+rm csr.pem