Update script and testdata CA keypair

If we generate with the wrong type (usages), the keypair will be
regenerated.

tests/integration/update_cluster/public-jwks/README.md

@@ -4,6 +4,6 @@ We have to use a fixed CA because the fingerprint is inserted into the AWS WebId
 
 ca.crt & ca.key generated with:
 
-`openssl req -new -newkey rsa:512 -days 3650 -nodes -x509 -subj "/CN=kubernetes" -keyout ca.key -out ca.crt`
-
-
+```
+openssl req -new -newkey rsa:512 -days 3650 -nodes -x509 -subj "/CN=kubernetes" -keyout ca.key -out ca.crt -config <(cat /etc/ssl/openssl.cnf <(printf "[ v3_ca ]\nkeyUsage = critical,keyCertSign,cRLSign"))
+```

tests/integration/update_cluster/public-jwks/ca.crt

@@ -1,11 +1,11 @@
 -----BEGIN CERTIFICATE-----
-MIIBgTCCASugAwIBAgIUZrxLCo6MlBXbjRWuIBXdlRkM2EcwDQYJKoZIhvcNAQEL
-BQAwFTETMBEGA1UEAwwKa3ViZXJuZXRlczAeFw0yMDA4MTUyMTM3NDhaFw0zMDA4
-MTMyMTM3NDhaMBUxEzARBgNVBAMMCmt1YmVybmV0ZXMwXDANBgkqhkiG9w0BAQEF
-AANLADBIAkEA5eJVxg/iR9zq2wQrk2VjdavGYiPu1Q0cmNb4LvItHBO0eiSVA7EV
-D/7qAgnB13ASaQHLMuG50qK3wihMJC9/6QIDAQABo1MwUTAdBgNVHQ4EFgQU4/Jf
-ZYu5ziuhZRnpcxvDOlYGA+4wHwYDVR0jBBgwFoAU4/JfZYu5ziuhZRnpcxvDOlYG
-A+4wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAANBAEHceMm6tpH6Yc+H
-5uu5wY8Q4pmYJt+HOkIpoXO1KD4/8h90y6XY8Z0Nu3dOZSwBSCWChrYAIndtzJfC
-PtQHwNM=
+MIIBkTCCATugAwIBAgIUCpH+vP36aaPhoMAXYKNtGDRpO+0wDQYJKoZIhvcNAQEL
+BQAwFTETMBEGA1UEAwwKa3ViZXJuZXRlczAeFw0yMDA5MTIyMDE3MjhaFw0zMDA5
+MTAyMDE3MjhaMBUxEzARBgNVBAMMCmt1YmVybmV0ZXMwXDANBgkqhkiG9w0BAQEF
+AANLADBIAkEA4WWjrM1cq9lYsgmBYOZyjDaVYwCgb1zW4Bf5FMbWiWNuMjHPlVW2
+z17Q5ecKd0viUtF0A8/rrg3y7Lm0N3lIVwIDAQABo2MwYTAdBgNVHQ4EFgQU1d6Y
+G7ISO0T1baFPjv6ecnRFtJkwHwYDVR0jBBgwFoAU1d6YG7ISO0T1baFPjv6ecnRF
+tJkwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEL
+BQADQQBG1IGyIUyg1/1JcqJv97CQdu2N+J/Ktgw7NIDsGwvYp4OW0y3mXSxWoIFk
+8l05a0McT3dLZawJ9VzpxMzJS4pG
 -----END CERTIFICATE-----

tests/integration/update_cluster/public-jwks/ca.key

@@ -1,10 +1,10 @@
 -----BEGIN PRIVATE KEY-----
-MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEA5eJVxg/iR9zq2wQr
-k2VjdavGYiPu1Q0cmNb4LvItHBO0eiSVA7EVD/7qAgnB13ASaQHLMuG50qK3wihM
-JC9/6QIDAQABAkEAug/7RJfOmkOggyxY6LADVFZ39y8GO8KlBr/XmIfDIxj20yIG
-W2SmoSGPqoWDpr8G2LUSVrdaQ9ZyDqG0AqUN0QIhAPx5JQRoRDo2hiS+Ioaty/NA
-7/iInYFkS5hMvud1QSKDAiEA6RhpLIFZbLAoof6/fdIUy7QWU1UHJ6PKq/3qpR7u
-mCMCIQCVmHKGmgFTPNtfCgoLIw+louSNruUktfjU1SSIoMFnYQIgLxR8Ib4ahsZp
-3pZqrQoioyZDoB87a7k8dVK68xD1VgsCIHFjAVxGmS2MgT80UjwPNs9XkT5WOpoR
-BzhivO3D3oOn
+MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEA4WWjrM1cq9lYsgmB
+YOZyjDaVYwCgb1zW4Bf5FMbWiWNuMjHPlVW2z17Q5ecKd0viUtF0A8/rrg3y7Lm0
+N3lIVwIDAQABAkAyOuFf6CAn1/bxLjcb7h9G6f8eogwe5TSpmg4TOEClOw0+Zy/y
+vgK2QlNQE0UPbpVXLVTr8/hKeExEpQpWhPoZAiEA91yvETWsBfhd14kiXXtROedu
+eeA7VFEKVAs3e6GkoeMCIQDpRJjgK1v66NRR0gWiDUknQg+O92BIX5SZ8F4CC4t5
+/QIhANUjwZ2cl6tVRNbxTPErzuOL7P+LHNQcOEAOojIfKBJtAiEAlJsN5WnaDCu9
+724kBov+OZNdRBAWd6Tkj3lQ+m6OaaUCIFiopekX5mvhslM7+ghbrwOTTY0Di1W9
++ZFYs9l9pitG
 -----END PRIVATE KEY-----

tests/integration/update_cluster/public-jwks/kubernetes.tf

@@ -206,7 +206,7 @@ resource "aws_iam_instance_profile" "nodes-minimal-example-com" {
 
 resource "aws_iam_openid_connect_provider" "minimal-example-com" {
   client_id_list  = ["amazonaws.com"]
-  thumbprint_list = ["d89b37ccc0b574f3e40051ea08a7b60a9db11924"]
+  thumbprint_list = ["a8de31f85544b9e73aeb26ded19330e0e996fb79"]
   url             = "https://api.minimal.example.com"
 }
 

upup/pkg/fi/fitasks/keypair.go

@@ -164,7 +164,7 @@ func (_ *Keypair) Render(c *fi.Context, a, e, changes *Keypair) error {
 			klog.V(8).Infof("creating certificate new Subject")
 		} else if changes.Type != "" {
 			createCertificate = true
-			klog.V(8).Infof("creating certificate new Type")
+			klog.Infof("creating certificate %q as Type has changed (actual=%v, expected=%v)", name, a.Type, e.Type)
 		} else if changes.LegacyFormat {
 			changeStoredFormat = true
 		} else {