buehler / dotnet-operator-sdk

KubeOps is a kubernetes operator sdk in dotnet. Strongly inspired by kubebuilder.
https://buehler.github.io/dotnet-operator-sdk/
Apache License 2.0
226 stars 59 forks

[bug]: SAN in Certificate for Service is incorrect #769

Open YC opened 2 months ago

YC commented 2 months ago

Describe the bug

The first SAN in svc.pem does not seem to match name of service.

To reproduce

  1. In the examples\WebhookOperator directory
  2. KubeOps.Cli.exe gen operator namepassedin --out config
  3. kubectl kustomize config/ -o combined.yaml
  4. The output is as follows:
    apiVersion: v1
    kind: Service
    metadata:
      labels:
        operator: namepassedin
      name: namepassedin-operator
      namespace: namepassedin-system
    spec:
      ports:
      - name: https
        port: 443
        targetPort: https
      selector:
        operator: namepassedin
        operator-deployment: kubernetes-operator
  5. The certificate svc.pem, when viewed with openssl:
    X509v3 Subject Alternative Name:
        DNS:namepassedin.namepassedin-system.svc, DNS:*.namepassedin-system.svc, DNS:*.svc

Expected behavior

I believe the first SAN should be namepassedin-operator.namepassedin-system.svc. Also, I wonder if the other 2 are needed? I think the second should cover the first, and the third may not be needed?

Screenshots

No response

Additional Context

Reproduced in: v9.1.1

Relevant Code:
https://github.com/buehler/dotnet-operator-sdk/blob/v9.1.1/src/KubeOps.Cli/Commands/Generator/OperatorGenerator.cs#L82
https://github.com/buehler/dotnet-operator-sdk/blob/v9.1.1/src/KubeOps.Operator.Web/Certificates/CertificateGenerator.cs#L143-L145

ian-buse commented 1 month ago

@buehler, I checked the old Bouncy Castle generator + CLI command, and it looks like this issue would have been in there too. I think there is an inconsistency between the default name in the kustomization after generation vs the one given to the certificates during generation.

buehler commented 1 month ago

Hey @ian-buse and @YC

You are correct. This is an issue with the generated SAN. However, the *.svc should actually cover the wrongly named one. Nonetheless, it is an error and should be fixed.
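The rule that decides whether the three SANs from the report cover the Service the API server actually dials is the DNS-ID matching rule of RFC 6125 section 6.4.3, which openssl, Go's crypto/x509 and the Kubernetes API server all implement: a wildcard is honoured only as the whole left-most label and stands for exactly one label. The following is an added, stand-alone example and not KubeOps code; the SAN list, Service name and namespace are copied from the report above, the matching function is a re-implementation of that rule, and the `audit_service_cert` helper is a name chosen for this example.

```python
# Added example (not part of the KubeOps project): checks which X.509 DNS SANs
# cover a Kubernetes webhook Service name under RFC 6125 DNS-ID matching.
# The SAN list and names below are copied from the bug report (constructed
# input for this example); the matching logic is a stand-alone re-implementation.
from __future__ import annotations

# SANs exactly as openssl printed them in the report.
ISSUE_SANS = [
    "namepassedin.namepassedin-system.svc",
    "*.namepassedin-system.svc",
    "*.svc",
]


def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if the DNS-ID SAN `pattern` covers `hostname`.

    Comparison is case-insensitive, a wildcard is only honoured as the entire
    left-most label, and it matches exactly one label, so "*.svc" covers
    "foo.svc" but never "foo.bar.svc".
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or len(p_labels) < 2 or "*" in "".join(p_labels[1:]):
        return False  # partial or non-leading wildcards are not honoured
    if len(h_labels) != len(p_labels):
        return False  # the wildcard stands for one label only
    return p_labels[1:] == h_labels[1:]


def webhook_service_dns_name(service: str, namespace: str) -> str:
    """Name the API server resolves for a webhook clientConfig.service reference."""
    return f"{service}.{namespace}.svc"


def covering_sans(sans: list[str], hostname: str) -> list[str]:
    """All SAN entries that would let a TLS client accept `hostname`."""
    return [s for s in sans if san_matches(s, hostname)]


def audit_service_cert(sans: list[str], service: str, namespace: str) -> dict:
    """Summarise whether a certificate with `sans` is usable for the Service."""
    host = webhook_service_dns_name(service, namespace)
    covering = covering_sans(sans, host)
    return {
        "hostname": host,
        "exact_san_present": host.lower() in (s.lower() for s in sans),
        "covering_sans": covering,
        "usable": bool(covering),
    }


if __name__ == "__main__":
    report = audit_service_cert(ISSUE_SANS, "namepassedin-operator", "namepassedin-system")
    for key, value in report.items():
        print(f"{key}: {value}")
    # Per-SAN breakdown: only the namespace wildcard covers the Service name.
    for san in ISSUE_SANS:
        print(f"{san!r:40} covers {report['hostname']}: {san_matches(san, report['hostname'])}")
```

Running it shows that the first SAN does not match the Service name, that `*.svc` does not match it either because the wildcard spans a single label, and that only `*.namepassedin-system.svc` makes the certificate usable. Emitting the Service name from the kustomization as the first SAN removes that dependence on the wildcard entry.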