fix(tls): use fixed-length cert CommonNames

[andrewazores]

Welcome to Cryostat! 👋

Before contributing, make sure you have:

• [x] Read the contributing guidelines
• [x] Linked a relevant issue which this PR resolves
• [x] Linked any other relevant issues, PR's, or documentation, if any
• [x] Resolved all conflicts, if any
• [x] Rebased your branch PR on top of the latest upstream main branch
• [x] Attached at least one of the following labels to the PR: [chore, ci, docs, feat, fix, test]
• [x] Signed all commits: git commit -S -m "YOUR_COMMIT_MESSAGE"

  ---

Fixes: #964

Description of the change:

This change adds allows the users to provide...

Motivation for the change:

This change is helpful because users may want to...

How to manually test:

1. Insert steps here...
2. ...

[andrewazores]

/build_test

[github-actions[bot]]

/build_test completed successfully ✅. View Actions Run.

[andrewazores]

The check from #897 looks like it's just checking the SecretName referenced by the CA Issuer, and the Issuer's Spec only really contains the SecretName.

https://github.com/cryostatio/cryostat-operator/blob/0ec9a84ffded9865671402790379c2884097f456/internal/controllers/common/resource_definitions/certificates.go#L51

https://github.com/cryostatio/cryostat-operator/blob/0ec9a84ffded9865671402790379c2884097f456/internal/controllers/common/resource_definitions/certificates.go#L66

https://github.com/cryostatio/cryostat-operator/blob/0ec9a84ffded9865671402790379c2884097f456/internal/controllers/certmanager.go#L310

If I'm understanding the problem correctly, it's that the Certificates' Specs have changed (because the CommonName field has changed) - the Issuers and theirs Specs actually haven't changed. But I suppose on upgrade, a new CA gets created again and the old one needs to be invalidated and all its Certificates deleted?

[ebaron]

The check from #897 looks like it's just checking the SecretName referenced by the CA Issuer, and the Issuer's Spec only really contains the SecretName.

https://github.com/cryostatio/cryostat-operator/blob/0ec9a84ffded9865671402790379c2884097f456/internal/controllers/common/resource_definitions/certificates.go#L51

https://github.com/cryostatio/cryostat-operator/blob/0ec9a84ffded9865671402790379c2884097f456/internal/controllers/common/resource_definitions/certificates.go#L66

https://github.com/cryostatio/cryostat-operator/blob/0ec9a84ffded9865671402790379c2884097f456/internal/controllers/certmanager.go#L310

If I'm understanding the problem correctly, it's that the Certificates' Specs have changed (because the CommonName field has changed) - the Issuers and theirs Specs actually haven't changed. But I suppose on upgrade, a new CA gets created again and the old one needs to be invalidated and all its Certificates deleted?

Right that's what needs to happen on upgrade. You're right, detecting this will be a little more complicated than just modifying the check done in #897.

One possibility is treating the certificate spec like an immutable field, and calling the deleteCertChain method when attempting to modify it. Something like: https://github.com/cryostatio/cryostat-operator/blob/0ec9a84ffded9865671402790379c2884097f456/internal/controllers/reconciler.go#L512-L518

[andrewazores]

I found that the cmp.Equal() check on the whole cert Spec didn't behave quite how I expected, so in that latest commit I'm checking specific properties for equality. This looks like it works as expected, including in the upgrade case as outlined in #897's test steps, so once I figure out what exactly was breaking the deep equality check on the Specs then I can clean it up and I think this will be ready.

[andrewazores]

/build_test

[github-actions[bot]]

/build_test : At least one test failed ❌. View Actions Run.

[andrewazores]

/build_test

[github-actions[bot]]

/build_test completed successfully ✅. View Actions Run.