Reduce restrictions on spec.commonName in an app's certificate #655

Open
4 of 5 tasks
William-Reames opened this issue Jun 14, 2024 · 2 comments

William-Reames commented Jun 14, 2024

When deploying an app using the WebSphere Liberty operator, we find that sometimes an error occurs due to the certificate spec.commonName being too long:

    message: 'admission webhook "webhook.cert-manager.io" denied the request: spec.commonName:
      Too long: must have at most 64 bytes'

This can be a problem since spec.commonName seems to be '{app-instance-name}.{namespace}.svc'. There are cases when both app-instance-name and namespace can be long. This can cause the total length of spec.commonName to exceed 64 characters, producing the above error.

Would it be possible to either remove this restriction, or automatically truncate the spec.commonName value to reduce the length to 64 characters, rather than cause an error?

  • RCO
  • OLO
  • WLO
  • Tests
  • docs
@idlewis idlewis self-assigned this Jun 18, 2024

idlewis commented Jun 19, 2024

It isn't possible to remove this restriction as it is part of the certificate spec.
Our implementation also sets a subject alternative DNS name, which has no restriction on length, and this is the field which should be checked by clients when connecting.
So I think we could put something else into/truncate the common name field to fix this issue.
Choosing how to truncate the common name field does need to be done with care.
@leochr in reconciler.go, we currently set the common name field to:

    svcCert.Spec.CommonName = bao.GetName() + "." + bao.GetNamespace() + ".svc"

Could we change this to:

    svcCert.Spec.CommonName = bao.GetName()

leochr commented Jul 8, 2024

I discussed with @idlewis earlier and we'll make the following change:
Continue to formulate the CommonName as now, but check whether the length exceeds the limit and if it does, then use the instance/CR name. This way, existing application instances that don't hit this limitation will continue to function as is, but those that hit the limitation, and are hence broken, will benefit from this change.
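
The fallback agreed in this thread, as an added Go example that is not the operator's own code: it picks the CommonName, issues a throwaway self-signed certificate whose SAN keeps the full service name, and lets a client-side hostname check confirm that the SAN, not the CN, is what gets matched. The function names `serviceDNSName`, `chooseCommonName` and `issueSelfSigned` are hypothetical, the instance and namespace names are constructed (74 bytes when joined), and returning an error when the instance name alone exceeds 64 bytes is an assumption, since the thread does not settle that case.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const maxCommonNameBytes = 64 // limit quoted in the webhook error

// serviceDNSName is the current CommonName value; it always stays in the SAN.
func serviceDNSName(name, namespace string) string { return name + "." + namespace + ".svc" }

// chooseCommonName keeps the current value when it fits, else uses the CR name; ok is false if that is too long as well.
func chooseCommonName(name, namespace string) (cn string, ok bool) {
	if full := serviceDNSName(name, namespace); len(full) <= maxCommonNameBytes {
		return full, true
	}
	return name, len(name) <= maxCommonNameBytes
}

// issueSelfSigned (hypothetical helper) builds a throwaway certificate with that CN and the full name as SAN.
func issueSelfSigned(name, namespace string) (*x509.Certificate, error) {
	cn, ok := chooseCommonName(name, namespace)
	if !ok {
		return nil, fmt.Errorf("instance name %q exceeds %d bytes", name, maxCommonNameBytes)
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{serviceDNSName(name, namespace)}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	if cert, err := issueSelfSigned("inventory-reconciliation-service-backend", "team-payments-staging-eu-west"); err == nil {
		fmt.Println(cert.Subject.CommonName, cert.DNSNames) // short CN, full name in SAN
	}
}
```

Go's `VerifyHostname` matches only SAN entries, so the shortened CN does not affect clients that validate this way; a client that still reads the CN would need checking separately.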
