[bug]: SAN in Certificate for Service is incorrect

[YC]

Describe the bug

The first SAN in svc.pem does not seem to match name of service.

To reproduce

1. In examples\WebhookOperator directory
2. KubeOps.Cli.exe gen operator namepassedin --out config
3. kubectl kustomize config/ -o combined.yaml
4. The output is follows:

apiVersion: v1
kind: Service
metadata:
  labels:
    operator: namepassedin
  name: namepassedin-operator
  namespace: namepassedin-system
spec:
  ports:
  - name: https
    port: 443
    targetPort: https
  selector:
    operator: namepassedin
    operator-deployment: kubernetes-operator

5. The certificate svc.pem, when viewed with openssl:

X509v3 Subject Alternative Name:
DNS:namepassedin.namepassedin-system.svc, DNS:*.namepassedin-system.svc, DNS:*.svc

Expected behavior

I believe the first SAN should be namepassedin-operator.namepassedin-system.svc.
Also, I wonder if the other 2 are needed?
I think the second should cover the first, and the third may not be needed?

Screenshots

No response

Additional Context

Reproduced in: v9.1.1

Relevant Code:
https://github.com/buehler/dotnet-operator-sdk/blob/v9.1.1/src/KubeOps.Cli/Commands/Generator/OperatorGenerator.cs#L82
https://github.com/buehler/dotnet-operator-sdk/blob/v9.1.1/src/KubeOps.Operator.Web/Certificates/CertificateGenerator.cs#L143-L145

[ian-buse]

@buehler, I checked the old Bouncy Castle generator + CLI command, and it looks like this issue would have been in there too. I think there is an inconsistency between the default name in the kustomization after generation vs the one given to the certificates during generation.

[buehler]

Hey @ian-buse and @YC

You are correct. This is an issue with the generated SAN. However the *.svc should actually cover the wrongly named one. Nonetheless it is an error and should be fixed.