
Add labels and annotations to TLS secrets for discoverability #4479

Open
rene-dekker wants to merge 1 commit into tigera:master from rene-dekker:ev-6449

Conversation

@rene-dekker
Member

@rene-dekker rene-dekker commented Feb 26, 2026

Surface certificate metadata (issuer, expiry, DNS SANs, IP SANs) as annotations and add filtering labels (secret-type, signer) on TLS secrets produced by Secret() and CreateSelfSignedSecret().

This allows filtering secrets by secret type and/or issuer. It allows us to quickly see the signer, expiry and other metadata using describe; it can really speed up troubleshooting certificate misconfigurations and other issues.


This is now possible, which would be very helpful to our users:

$ kubectl get secrets -n tigera-operator -l operator.tigera.io/signer -o custom-columns='NAME:.metadata.name,EXPIRY:.metadata.annotations.operator\.tigera\.io/cert-expiry,SIGNER:.metadata.annotations.operator\.tigera\.io/cert-signer'
NAME                                        EXPIRY                 SIGNER
calico-apiserver-certs                      2028-05-28T23:56:09Z   tigera-operator-signer
calico-kube-controllers-metrics-tls         2028-05-28T23:56:09Z   tigera-operator-signer
calico-node-prometheus-client-tls           2028-05-29T18:28:09Z   tigera-operator-signer
calico-node-prometheus-server-tls           2028-05-28T23:56:09Z   tigera-operator-signer
calico-node-prometheus-tls                  2028-05-29T18:28:09Z   tigera-operator-signer
deep-packet-inspection-tls                  2028-05-29T18:31:16Z   tigera-operator-signer
internal-manager-tls                        2028-05-30T22:13:17Z   tigera-operator-signer
intrusion-detection-tls                     2028-05-29T18:31:16Z   tigera-operator-signer
manager-tls                                 2028-05-30T22:13:17Z   tigera-operator-signer
node-certs                                  2028-05-28T23:56:08Z   tigera-operator-signer
policy-recommendation-tls                   2028-05-29T18:28:09Z   tigera-operator-signer
tigera-ca-private                           2126-01-30T23:56:06Z   tigera-operator-signer
tigera-ee-elasticsearch-metrics-tls         2028-05-30T22:17:24Z   tigera-operator-signer
tigera-fluentd-prometheus-tls               2028-05-29T18:28:10Z   tigera-operator-signer
tigera-secure-elasticsearch-cert            2028-05-30T22:17:24Z   tigera-operator-signer
tigera-secure-internal-elasticsearch-cert   2028-05-30T22:17:24Z   tigera-operator-signer
tigera-secure-kibana-cert                   2028-05-30T22:17:24Z   tigera-operator-signer
tigera-secure-linseed-cert                  2028-05-30T22:17:25Z   tigera-operator-signer
typha-certs                                 2028-05-28T23:56:08Z   tigera-operator-signer
typha-certs-noncluster-host                 2028-05-28T23:56:08Z   tigera-operator-signer

Surface certificate metadata (issuer, expiry, DNS SANs, IP SANs) and
hash annotation on TLS secrets produced by Secret() and
CreateSelfSignedSecret(). Add a signer label for filtering. Add unit tests.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
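The following is an added example written for this page; it is not code from this PR or from the tigera/operator code base. It shows the mechanism the PR describes: parse the certificate in a TLS secret's tls.crt, derive the metadata (expiry, issuer, DNS SANs, IP SANs, a content hash) as annotations and the filterable fields (signer, secret type) as labels. Only the key names operator.tigera.io/cert-expiry, operator.tigera.io/cert-signer and the operator.tigera.io/signer label appear in the PR's kubectl output; the other key names, the function names, the secret-type value "tls" and the self-signed test certificate are assumptions made here. It deliberately returns plain maps rather than a corev1.Secret so it runs with the standard library only. One caveat a practitioner should keep in mind is built in: Kubernetes label values are restricted to 63 characters of [A-Za-z0-9._-], so an issuer DN or a SAN list cannot be a label and must live in an annotation, and the signer value is validated before it is used as a label.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"regexp"
	"strings"
	"time"
)

// Key names. cert-expiry, cert-signer and the signer label are the ones visible
// in the PR's kubectl output; the other names are assumptions for this example.
const (
	prefix      = "operator.tigera.io/"
	annoExpiry  = prefix + "cert-expiry"   // seen in the PR output
	annoSigner  = prefix + "cert-signer"   // seen in the PR output
	annoIssuer  = prefix + "cert-issuer"   // assumed name
	annoDNSSANs = prefix + "cert-dns-sans" // assumed name
	annoIPSANs  = prefix + "cert-ip-sans"  // assumed name
	annoHash    = prefix + "cert-hash"     // assumed name
	labelSigner = prefix + "signer"        // seen in the PR output
	labelType   = prefix + "secret-type"   // assumed name
)

// Kubernetes label values: at most 63 chars of [A-Za-z0-9._-], starting and
// ending alphanumeric (or empty). Annotation values have no such limit, which
// is why DNs, SAN lists and timestamps go into annotations, not labels.
var labelValueRE = regexp.MustCompile(`^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$`)

func validLabelValue(v string) bool { return len(v) <= 63 && labelValueRE.MatchString(v) }

// CertMetadata parses the first CERTIFICATE block of a tls.crt and returns the
// labels and annotations to stamp on the Secret that holds it.
func CertMetadata(certPEM []byte, signer string) (labels, annotations map[string]string, err error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, nil, errors.New("tls.crt does not start with a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, nil, err
	}
	if !validLabelValue(signer) {
		return nil, nil, fmt.Errorf("signer %q is not a valid label value", signer)
	}
	ips := make([]string, 0, len(cert.IPAddresses))
	for _, ip := range cert.IPAddresses {
		ips = append(ips, ip.String())
	}
	sum := sha256.Sum256(cert.Raw) // changes on every rotation, so consumers can detect one
	labels = map[string]string{labelSigner: signer, labelType: "tls"}
	annotations = map[string]string{
		annoExpiry:  cert.NotAfter.UTC().Format(time.RFC3339), // same shape as the PR output
		annoSigner:  signer,
		annoIssuer:  cert.Issuer.String(),
		annoDNSSANs: strings.Join(cert.DNSNames, ","),
		annoIPSANs:  strings.Join(ips, ","),
		annoHash:    hex.EncodeToString(sum[:]),
	}
	return labels, annotations, nil
}

// ExpiresWithin reports whether the cert-expiry annotation falls inside the
// window, the check an operator runs when hunting for soon-to-expire certs.
func ExpiresWithin(annotations map[string]string, now time.Time, window time.Duration) (bool, error) {
	exp, err := time.Parse(time.RFC3339, annotations[annoExpiry])
	if err != nil {
		return false, err
	}
	return exp.Before(now.Add(window)), nil
}

// NewSelfSignedPEM builds a throwaway self-signed certificate (constructed test
// input for this example, not a production issuer) so everything runs offline.
func NewSelfSignedPEM(issuerCN string, dns []string, ips []net.IP, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: issuerCN},
		DNSNames:              dns,
		IPAddresses:           ips,
		NotBefore:             notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	certPEM, err := NewSelfSignedPEM("tigera-operator-signer",
		[]string{"typha-server", "calico-typha.calico-system.svc"},
		[]net.IP{net.ParseIP("10.96.0.10")},
		time.Date(2028, 5, 28, 23, 56, 8, 0, time.UTC))
	if err != nil {
		panic(err)
	}
	labels, annotations, err := CertMetadata(certPEM, "tigera-operator-signer")
	if err != nil {
		panic(err)
	}
	fmt.Println("labels:", labels)
	for k, v := range annotations {
		fmt.Printf("%s=%s\n", k, v)
	}
}
```

The hash annotation is the piece the commit message mentions but the kubectl output does not show: because it is computed over the DER bytes, a rotated certificate with identical subject and SANs still produces a different value, which is what a watcher comparing annotations needs.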
