Return certificate chain for export cert

[awels]

Signed-off-by: Alexander Wels awels@redhat.com

What this PR does / why we need it:
Before we returned just the found certificate and not the entire chain. To properly verify the certificate you must have the entire chain. This commit looks up the chain until either we find the root CA or we can't find anything else in the config map.

Also checking the OnBefore and OnAfter times, to figure out which cert is most valid in case of a cert rotation and the bundle containing multiple valid certificates.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

Release note:

NONE

[awels]

/test pull-kubevirt-unit-test

[mhenriks]

how does this code handle the case when there may be multiple entries for the same hostname? This will happen when certs are rotated. I think it will just return the first encountered? But what if that's an old one that will expire soon? Will the export get updated? I know these questions not entirely related to changes in this PR.

[awels]

Yeah definitely don't take rotation into account currently. I suppose the bundle could contain multiple certs with the same name. I guess if multiple are valid, I should return the one with the expiry that is furthest into the future?

[mhenriks]

Sure, but do we have to watch whatever source we got the cert from so that we catch updates/rotation?

[mhenriks]

/lgtm
/approve

[kubevirt-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mhenriks

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [mhenriks]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[kubevirt-commenter-bot]

/retest-required
This bot automatically retries required jobs that failed/flaked on approved PRs.
Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

[kubevirt-commenter-bot]

/retest-required
This bot automatically retries required jobs that failed/flaked on approved PRs.
Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

[kubevirt-bot]

@awels: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-kubevirt-fossa	65cd4d1	link	false	/test pull-kubevirt-fossa

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[kubevirt-commenter-bot]

/retest-required
This bot automatically retries required jobs that failed/flaked on approved PRs.
Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

[kubevirt-bot]

@awels: cannot checkout release-v0.58: error checking out release-v0.58: exit status 1. output: error: pathspec 'release-v0.58' did not match any file(s) known to git

In response to this:

/cherrypick release-v0.58

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[awels]

/cherrypick release-0.58

[kubevirt-bot]

@awels: new pull request created: #8637

In response to this:

/cherrypick release-0.58

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.