feat!: Add working conversion webhook with cert rotation

[sbernauer]

Description

Part of stackabletech/issues#642

An working example usage can be found in stackabletech/zookeeper-operator#958 (mainly look at rust/operator-binary/src/main.rs)

Definition of Done Checklist

• Not all of these items are applicable to all PRs, the author should update this template to only leave the boxes in that are relevant
• Please make sure all these things are done and tick the boxes

Author

• Changes are OpenShift compatible
• CRD changes approved
• CRD documentation for all fields, following the style guide.
• Integration tests passed (for non trivial changes)
• Changes need to be "offline" compatible

Reviewer

• Code contains useful comments
• Code contains useful logging statements
• (Integration-)Test cases added
• Documentation added or updated. Follows the style guide.
• Changelog updated
• Cargo.toml only contains references to git tags (not specific commits or branches)

Acceptance

• Feature Tracker has been updated
• Proper release label has been added

[sbernauer]

reminder to bump these before merging. Currently they are so low for easy testing

[Techassi]

Partial review, I didn't look at the CertificateResolver yet.

[Techassi]

I left a bunch of comments.

I encountered the ConversionWebhookServer which is missing the changes we talked about a few weeks back. As such, it doesn't make a whole lot of sense to continue the review before these changes are implemented. I've sent you an appropriate patch as a private message which should be a good starting point for the changes we discussed.

[Techassi]

note: I still feel like all these CLI unit tests are pretty much useless and should be removed to speed up the testing runs.

[Techassi]

note: Please combine these imports with the others above.

[sbernauer]

hmm, what imports exactly can be combined? rustfmt groups them like this

[Techassi]

Yeah this is sub-optimal formatting sadly. You need to manually move them to the top imports above line 11.

[Techassi]

We are mostly there, just some small things left.

[Techassi]

Suggested change

	- BREAKING: Add two new required CLI arguments: `--operator-namespace` and `-operator-service-name`.
	- BREAKING: Add two new required CLI arguments: `--operator-namespace` and `--operator-service-name`.

[Techassi]

Suggested change

	ReceiverCertificateFromChannel,
	ReceiveCertificateFromChannel,

[Techassi]

note: Let's avoid pulling in a type from stackable_operator here. Instead, split it into two separate fields.

Suggested change

	/// The environment the operator is running in, notably the namespace and service name it is
	/// reachable at.
	pub operator_environment: OperatorEnvironmentOptions,
	pub namespace: String,
	pub service_name: String,

[Techassi]

note: This is already re-exported via stackable_webhook::servers::conversion::ConversionReview. As such, please remove it from here again.

[Techassi]

suggestion: Rename this to certificate_pair to better indicate what this is.

Suggested change

	let certificate = ca
	.generate_ecdsa_leaf_certificate(
	"Leaf",
	"webhook",
	subject_alterative_dns_names.iter().map(|san| san.as_str()),
	WEBHOOK_CERTIFICATE_LIFETIME,
	)
	.context(GenerateLeafCertificateSnafu)?;
	let certificate_der = certificate
	.certificate_der()
	.context(EncodeCertificateDerSnafu)?;
	let private_key_der = certificate
	.private_key_der()
	.context(EncodePrivateKeyDerSnafu)?;
	let certificate_key =
	CertifiedKey::from_der(vec![certificate_der], private_key_der, &tls_provider)
	.context(DecodeCertifiedKeyFromDerSnafu)?;
	Ok((certificate.certificate().clone(), Arc::new(certificate_key)))
	let certificate_pair = ca
	.generate_ecdsa_leaf_certificate(
	"Leaf",
	"webhook",
	subject_alterative_dns_names.iter().map(|san| san.as_str()),
	WEBHOOK_CERTIFICATE_LIFETIME,
	)
	.context(GenerateLeafCertificateSnafu)?;
	let certificate_der = certificate_pair
	.certificate_der()
	.context(EncodeCertificateDerSnafu)?;
	let private_key_der = certificate_pair
	.private_key_der()
	.context(EncodePrivateKeyDerSnafu)?;
	let certificate_key =
	CertifiedKey::from_der(vec![certificate_der], private_key_der, &tls_provider)
	.context(DecodeCertifiedKeyFromDerSnafu)?;
	Ok((certificate_pair.certificate().clone(), Arc::new(certificate_key)))

[Techassi]

note: I feel like this can be moved into its own function, because we repeat the exact same code below.

[Techassi]

note: We renamed Options to WebhookOptions. As such, I think we should also rename the builder accordingly.

Suggested change

	pub struct OptionsBuilder {
	pub struct WebhookOptionsBuilder {

[Techassi]

note: I still feel like the webhhok should not take care of reconciling the CRDs, but the operator should do it instead. Let's tackle this in a follow-up PR and leave it as is to get something out of the door.

[Techassi]

note: I feel like this should go under the "Changed" section instead. We additionally need to mention the Options renames.

[Techassi]

note: (Addition to the comment above) This would be the perfect trigger for the operator (the caller if this function) to reconcile the CRDs.