Custom cert-manager certificates can't be renewed

Context

We implemented support for securing custom console routes with Let's Encrypt certificates requested by cert-manager in #9, cf. the implementation:

component-openshift4-console/component/tls.libsonnet

Lines 38 to 54 in 4c37a22

    
           local certs = std.filter( 
        
             function(it) it != null, 
        
             [ 
        
               local cert = params.cert_manager_certs[c]; 
        
               if cert != null then 
        
                 cm.cert(c) { 
        
                   metadata+: { 
        
                     // Certificates must be deployed in namespace openshift-config 
        
                     namespace: 'openshift-config', 
        
                   }, 
        
                   spec+: { 
        
                     secretName: '%s' % c, 
        
                   }, 
        
                 } + com.makeMergeable(cert) 
        
               for c in std.objectFields(params.cert_manager_certs) 
        
             ] 
        
           );

However, by creating the Certificate resource in namespace openshift-config we run into the issue that OpenShift doesn't admit the route/ingress for the HTTP01 solver, because a route using the same hostname already exists in namespace openshift-console.

After some research, I only see two possible workarounds::

Create Certificate resource in namespace openshift-console and copy certificate into namespace openshift-config (e.g. with Kyverno, this creates a hard dependency for Kyverno on any OCP4 cluster which wants to use a custom console route with a Let's Encrypt certificate)
Use DNS01 challenge with an acme-dns client and issuer configured by the component. This would mean that setting up a custom Let's Encrypt certificate for the console would require configuring additional DNS records for the cluster.

Note that there appears to be no way to selectively allow sharing hostnames across namespaces, only the option to globally allow using hostnames across namespaces on an ingresscontroller, cf. routeAdmission.namespaceOwnership.InterNamespaceAllowed in https://docs.openshift.com/container-platform/4.9/networking/ingress-operator.html#nw-ingress-controller-configuration-parameters_configuring-ingress and https://docs.openshift.com/container-platform/4.9/networking/routes/route-configuration.html#nw-route-admission-policy_route-configuration, so we can't inform the ingress controller that in this specific case sharing the hostname between two namespaces is fine.

Actual Behaviour

Custom certificate managed by cert-manager for OpenShift console can't be renewed (using HTTP01 challenge)

Expected Behaviour

Custom certificate managed by cert-manager for OpenShift console is renewed

Acceptance Criteria

Support for custom console route secured with cert-manager certificate works as expected

The proposed fix in #22 implements option 1 described in the issue. We chose option 1 because it is simpler to configure for users, as it only requires users to ensure that component-kyverno is enabled on any clusters which use custom web console routes secured with Let's Encrypt certificates.

For option 2, we'd have to either replicate the self-registration logic on an acme-dns endpoint (cf. projectsyn/component-cert-manager#42), or users would have to manually register a client and configure it in this component. Additionally, users would have to ensure that the _acme-challenge DNS record exists for the custom console route.

	local certs = std.filter(
	function(it) it != null,
	[
	local cert = params.cert_manager_certs[c];
	if cert != null then
	cm.cert(c) {
	metadata+: {
	// Certificates must be deployed in namespace openshift-config
	namespace: 'openshift-config',
	},
	spec+: {
	secretName: '%s' % c,
	},
	} + com.makeMergeable(cert)
	for c in std.objectFields(params.cert_manager_certs)
	]
	);