feat: certificate rotation

[fabriziosestito]

Description

This PR introduces a new runnable (CertController) that rotates CA root and leaf certificates:

• CA root rotation: see Rotate CA root #818
• Server certificate rotation: see Rotate TLS certificates #819

It removes the cert-manager dependency.

NOTE: this PR requires helm chart changes, see: kubewarden/helm-charts#488

TODO:

• remove cert-manager from the kustomize configurations.
• use some certificate generation settings as helm (see: https://github.com/Masterminds/sprig/blob/master/crypto.go, sprig is the library used by helm to add genCA and genSignedCert to the templates)

Testing

The cert controller has been tested by using gingko/envtest.

Additional information

Part-of label

Before these changes, we used the kubewarden: true label in the webhook configuration, to filter kubewarden resources.
However, using the recommended label app.kubernetes is better.io/part-of is more idiomatic.
Also, the label is already set by the helm chart on the controller's webhook configurations.
Unfortunately, we need to support both labels to be compatible with the older versions.

Injecting the CA bundle

There was the need to use the retry.RetryOnConflict utility when injecting the caBundle in the validating/mutating webhook configuration since there could be a chance to have a conflict with the neighbor controllers (namely the policy controllers).
(Cluster)AdmissionPolicyController will eventually converge to the new bundle, since it reads the secret (from the cache) every time it restores the webhook configuration.
Instead, the CertController reconciliation loop is ticker-based, so we cannot wait for the next tick to reconcile again. Therefore retrying with a certain backoff is a good strategy in this situation. See: kubernetes-sigs/controller-runtime#1748

Fixes #819, fixes #818

[codecov]

Codecov Report

Attention: Patch coverage is 61.39706% with 105 lines in your changes missing coverage. Please review.

Project coverage is 70.14%. Comparing base (aa0a426) to head (4146066).
Report is 14 commits behind head on main.

Files	Patch %	Lines
internal/controller/cert_controller.go	53.52%	42 Missing and 24 partials ⚠️
internal/certs/certs.go	72.85%	10 Missing and 9 partials ⚠️
internal/certs/secrets.go	33.33%	8 Missing and 8 partials ⚠️
.../controller/policyserver_controller_cert_secret.go	86.36%	1 Missing and 2 partials ⚠️
internal/controller/policy_subreconciler.go	85.71%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #829      +/-   ##
==========================================
- Coverage   70.96%   70.14%   -0.83%     
==========================================
  Files          27       29       +2     
  Lines        2435     2599     +164     
==========================================
+ Hits         1728     1823      +95     
- Misses        562      601      +39     
- Partials      145      175      +30     

Flag	Coverage Δ
integration-tests	61.04% <61.39%> (-0.22%)	⬇️
unit-tests	35.92% <0.00%> (-3.03%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[flavio]

Looks really good, I like it! 👏

I left some minor comments

[flavio]

Also here, I think we're not using these labels right now (KW 1.16). I haven't finished to review the whole PR, I guess that if this PR changes the PolicyServer reconciler to add these labels everything will be fine.

[fabriziosestito]

good catch, we are using those for the default policy server: https://github.com/kubewarden/helm-charts/blob/735ccfd74a44eca62f4f35093877f6197221913b/charts/kubewarden-defaults/templates/policyserver-default.yaml#L6 but they are not reconciled

[viccuad]

LGTM! great work!

[jvanz]

LGTM. Thanks for the great work!

[flavio]

LGTM, thanks for the hard work!

[jvanz]

Congrats! 🚀

[jvanz]

@kubewarden/kubewarden-developers I've rebased this PR on top of the latest main branch. I think that after tests passes, we can merge it.

[viccuad]

Thanks! everything green, merging 🚀

[viccuad]

Moved the TODO tasks on this PR to the certs epic #7.