certrotation: restructure controller to own plumbing and cert creation

[sanchezl]

Context

This addresses structural concerns raised during review of PR #2145. The certrotation package had hybrid data+behavior structs (RotatedSigningCASecret, CABundleConfigMap, RotatedSelfSignedCertKeySecret) that carried informers, listers, clients, event recorders, AND CRUD methods. This PR restructures the package so the controller owns all plumbing and cert creation logic, and the caller passes pure config structs.

PKI support is added separately in PR #2152.

Proof PR: openshift/cluster-kube-apiserver-operator#2089

What changed

New config types replace old hybrid structs

Old (data + behavior)	New (pure config)
RotatedSigningCASecret	SigningCAConfig
CABundleConfigMap	CABundleConfig
RotatedSelfSignedCertKeySecret	TargetCertKeyPairConfig

The new types carry only configuration (Namespace, Name, Validity, Refresh, AdditionalAnnotations, etc.) — no Informer, Lister, Client, or EventRecorder fields.

Sealed interface replaces TargetCertCreator

The TargetCertCreator interface and its implementations (ClientRotation, ServingRotation, SignerRotation) are removed. In their place:

type TargetCertConfig interface {
    targetCertConfig() // unexported marker, seals the interface
}

type ClientCertConfig struct { UserInfo user.Info }
type ServingCertConfig struct { Hostnames func() []string; ... }
type SignerCertConfig struct { SignerName string }

The controller type-switches on the variant to create certs. No more KeyPairGeneratorConfigurable interface or runtime mutation.

Controller owns all plumbing

NewCertRotationController now takes kubernetes.Interface and KubeInformersForNamespaces and derives informers/listers from the config struct Namespace+Name fields:

func NewCertRotationController(
    name string,
    signingCA SigningCAConfig,
    caBundle CABundleConfig,
    targetCert TargetCertKeyPairConfig,
    kubeClient kubernetes.Interface,
    kubeInformers v1helpers.KubeInformersForNamespaces,
    recorder events.Recorder,
    reporter StatusReporter,
) factory.Controller

All Ensure*, set*, and needNew* methods moved from the data structs to the controller.

Removed types and interfaces

• TargetCertCreator interface
• TargetCertRechecker interface
• KeyPairGeneratorConfigurable interface
• ClientRotation, ServingRotation, SignerRotation structs
• ServingHostnameFunc type
• configurablePKIEnabled bool fields

Files guide

File	What to look at
signer.go	SigningCAConfig struct (pure data), helper functions stay as package-level
cabundle.go	CABundleConfig struct (pure data), manageCABundleConfigMap stays as package-level function
target.go	TargetCertKeyPairConfig, sealed TargetCertConfig interface, ClientCertConfig/ServingCertConfig/SignerCertConfig variants, needNewTargetCertKeyPair with integrated hostname checking
client_cert_rotation_controller.go	CertRotationController with all moved methods, ensureSigningCertKeyPair/ensureConfigMapCABundle/ensureTargetCertKeyPair
*_test.go	Incremental migration — tests construct controller directly (same-package access to unexported fields)

Test plan

• go build ./... passes
• go test ./pkg/operator/certrotation/... passes
• go vet ./pkg/operator/certrotation/... passes
• CKAO proof PR builds clean (PROOF: certrotation refactor (structural only) cluster-kube-apiserver-operator#2089)

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sanchezl
Once this PR has been reviewed and has the lgtm label, please assign jsafrane for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• pkg/operator/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@sanchezl: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[p0lyn0mial]

@sanchezl please ask people who work with you on the feature for review. thanks.

[sanchezl]

Closing in favor of library-go#2145. The structural refactor approach didn't work well with how cluster-etcd-operator uses the certrotation package — went with the original PR instead.