From 42c433eb00dc9049a13a96f0bc5cd66bba41962f Mon Sep 17 00:00:00 2001
From: Tom Alexander
Date: Sun, 11 Jan 2026 13:03:20 -0500
Subject: [PATCH] Fix proxy auth tls
---
 .../k8s-ca/files/requestheader-client-ca.conf | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/nix/kubernetes/keys/package/k8s-ca/files/requestheader-client-ca.conf b/nix/kubernetes/keys/package/k8s-ca/files/requestheader-client-ca.conf
index f31e75c7..a25c4797 100644
--- a/nix/kubernetes/keys/package/k8s-ca/files/requestheader-client-ca.conf
+++ b/nix/kubernetes/keys/package/k8s-ca/files/requestheader-client-ca.conf
@@ -11,7 +11,10 @@ keyUsage = cRLSign, keyCertSign
 C = US
 ST = Washington
 L = Seattle
-CN = CA
+CN = Kubernetes
+O = Kubernetes
+OU = CA
+

 [controller0-proxy]
 distinguished_name = controller0_distinguished_name
@@ -23,7 +26,7 @@ basicConstraints = CA:FALSE
 extendedKeyUsage = clientAuth, serverAuth
 keyUsage = critical, digitalSignature, keyEncipherment
 nsCertType = client
-nsComment = "controller0 Certificate"
+nsComment = "controller0-proxy Certificate"
 subjectAltName = @controller0_alt_names
 subjectKeyIdentifier = hash

@@ -36,8 +39,8 @@ L = Seattle

 [controller0_alt_names]
 IP.0 = 127.0.0.1
-IP.4 = 10.215.1.221
-IP.5 = 2620:11f:7001:7:ffff:ffff:0ad7:01dd
+IP.1 = 10.215.1.221
+IP.2 = 2620:11f:7001:7:ffff:ffff:0ad7:01dd
 DNS.0 = controller0

 [controller1-proxy]
@@ -50,7 +53,7 @@ basicConstraints = CA:FALSE
 extendedKeyUsage = clientAuth, serverAuth
 keyUsage = critical, digitalSignature, keyEncipherment
 nsCertType = client
-nsComment = "controller1 Certificate"
+nsComment = "controller1-proxy Certificate"
 subjectAltName = @controller1_alt_names
 subjectKeyIdentifier = hash

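Review bot: The new subject in the first hunk (`CN = Kubernetes`, `O = Kubernetes`, `OU = CA`) does not say which CA this is, although the file is the request-header client CA. If the cluster's main CA uses the same subject (not visible in this patch), two CAs with identical names and different keys become hard to tell apart in verification errors and audit logs; a distinguishing value such as `CN = Kubernetes Front Proxy CA` avoids that. Changing the subject also means the CA certificate has to be regenerated and every proxy certificate reissued, because a leaf's issuer field must match the CA subject, and the bundle given to `--requestheader-client-ca-file` has to be replaced on every API server together. The distinguished-name section starts above the hunk.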
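Review bot: The `[controller0-proxy]` section touched by the second hunk keeps `extendedKeyUsage = clientAuth, serverAuth` while declaring `nsCertType = client`, so the certificate is issued with a server-authentication usage that a request-header client certificate does not need. If these certificates are only presented by the API server to extension API servers, `extendedKeyUsage = clientAuth` is enough and keeps a leaked key from also being accepted as a TLS server identity for the addresses in the alt_names section. The same lines appear in the controller1 and controller2 hunks. Each section begins above its hunk, so the `CN` that `--requestheader-allowed-names` would be matched against is not visible here and should be checked against that flag.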
@@ -77,7 +80,7 @@ basicConstraints = CA:FALSE
 extendedKeyUsage = clientAuth, serverAuth
 keyUsage = critical, digitalSignature, keyEncipherment
 nsCertType = client
-nsComment = "controller2 Certificate"
+nsComment = "controller2-proxy Certificate"
 subjectAltName = @controller2_alt_names
 subjectKeyIdentifier = hash

@@ -90,6 +93,6 @@ L = Seattle

 [controller2_alt_names]
 IP.0 = 127.0.0.1
-IP.6 = 10.215.1.223
-IP.7 = 2620:11f:7001:7:ffff:ffff:0ad7:01df
+IP.1 = 10.215.1.223
+IP.2 = 2620:11f:7001:7:ffff:ffff:0ad7:01df
 DNS.0 = controller2