feat!(stackable-certs): Support adding SAN entries

[sbernauer]

Description

As #1044 didn't move along, splitting the relevant change out to unblock CRD versioning.

Definition of Done Checklist

• Not all of these items are applicable to all PRs, the author should update this template to only leave the boxes in that are relevant
• Please make sure all these things are done and tick the boxes

Author

• Changes are OpenShift compatible
• CRD changes approved
• CRD documentation for all fields, following the style guide.
• Integration tests passed (for non trivial changes)
• Changes need to be "offline" compatible

Reviewer

• Code contains useful comments
• Code contains useful logging statements
• (Integration-)Test cases added
• Documentation added or updated. Follows the style guide.
• Changelog updated
• Cargo.toml only contains references to git tags (not specific commits or branches)

Acceptance

• Feature Tracker has been updated
• Proper release label has been added

[NickLarsenNZ]

Just some changes to the changelog, and the rest (I think) are only suggestions.

[NickLarsenNZ]

LGTM

[sbernauer]

Thanks for the review!

[Techassi]

I didn't take a close look at this, but I will soon.

Blocking it for now.

[Techassi]

note: This is a change, not an addition. As such, this should live in the "Changed" section.

suggestion: Slight reword.

Suggested change

	- BREAKING: `CertificateAuthority::generate_leaf_certificate` (and `generate_rsa_leaf_certificate` and `generate_ecdsa_leaf_certificate`)
	now take an additional parameter `subject_alterative_dns_names`. The passed SANs are added to the generated certificate,
	this is needed when the HTTPS server is accessible on multiple DNS names and/or IPs.
	Pass an empty list (`[]`) to keep the existing behavior ([#1057]).
	- BREAKING: The functions `generate_leaf_certificate`, `generate_rsa_leaf_certificate` and
	`generate_ecdsa_leaf_certificate` of `CertificateAuthority` accept an additional parameter
	`subject_alterative_dns_names` ([#1057]).
	- The passed SANs are added to the generated certificate, this is needed when the HTTPS server is
	accessible on multiple DNS names and/or IPs.
	- Pass an empty list (`[]`) to keep the existing behavior.

[Techassi]

note: This also a change and should be moved.

[Techassi]

suggestion: Slight reword.

Suggested change

	- Added the function `CertificateAuthority::ca_cert` to easily get the CA `Certificate` ([#1057]).
	- Add the function `CertificateAuthority::ca_cert` to easily get the CA `Certificate` ([#1057]).

[Techassi]

note: This link reference is in the wrong place.

[Techassi]

note: Get rid of the escaped quotes.

Suggested change

	#[snafu(display(
	"failed to parse subject alternative DNS name \"{subject_alternative_dns_name}\" as a Ia5 string"
	))]
	#[snafu(display(
	"failed to parse subject alternative DNS name {subject_alternative_dns_name:?} as a Ia5 string"
	))]

[Techassi]

question: Can we use a non-product specific test value here? This comes to mind:

Suggested change

	const TEST_SAN: &str = "airflow-0.airflow.default.svc.cluster.local";
	const TEST_SAN: &str = "example-0.example.default.svc.cluster.local";

[Techassi]

note: In a similar fashion, we should replace "Airflow" with "Example" here as well.

[Techassi]

praise: Nicely done!

note: The message should instead read why this will never fail.

[Techassi]

note: This should state why it should never fail. Something like this comes to mind:

Suggested change

	let extensions = cert.extensions.as_ref().expect("cert had no extension");
	let extensions = cert.extensions.as_ref().expect("cert must have extensions");

[Techassi]

note: This should state why it should never fail.