fix(secrets): key/cert generation check req

hash.go

@@ -0,0 +1,19 @@
+package main
+
+import (
+	"crypto/sha1"
+	"encoding/base64"
+	"encoding/json"
+)
+
+func hash(values ...interface{}) string {
+	ba, err := json.Marshal(values)
+	if err != nil {
+		panic(err) // should not happen
+	}
+
+	h := sha1.Sum(ba)
+
+	enc := base64.StdEncoding.WithPadding(base64.NoPadding)
+	return enc.EncodeToString(h[:])
+}

secrets.go

@@ -38,6 +38,7 @@ type CA struct {
 type KeyCert struct {
 	Key     []byte
 	Cert    []byte
+	ReqHash string
 }
 
 func loadSecretData(config *config.Config) (*SecretData, error) {
@@ -161,8 +162,9 @@ func (sd *SecretData) KeyCert(cluster, caName, name, profile, label string, req
 		return
 	}
 
+	rh := hash(req)
 	kc, ok := ca.Signed[name]
-	if ok {
+	if ok && rh == kc.ReqHash {
 		return
 	}
 
@@ -192,6 +194,7 @@ func (sd *SecretData) KeyCert(cluster, caName, name, profile, label string, req
 	kc = &KeyCert{
 		Key:     key,
 		Cert:    cert,
+		ReqHash: rh,
 	}
 
 	ca.Signed[name] = kc