NO-JIRA: fix(certs): handle IPv6 address normalization in certificate validation

[qinqon]

What this PR does / why we need it:

In dual-stack environments, IPv6 addresses can be represented in different formats (e.g., "::1" vs "0:0:0:0:0:0:0:1"). The previous certificate validation used byte comparison via cmp.Diff, which incorrectly identified semantically identical IPv6 addresses as different.

This caused certificate regeneration failures in KubeVirt dual-stack clusters because the addresses stored in x509 certificates use expanded format while the calculated expected addresses use compressed format.

Which issue(s) this PR fixes:

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

[coderabbitai]

Walkthrough

Adds semantic IP address comparison supporting IPv6 normalization to certificate validation. New compareIPAddresses function normalizes IPv6 addresses, sorts both slices, and compares them semantically. ValidateKeyPair integrates this function for IP validation. Includes comprehensive tests for IPv6 normalization and dual-stack scenarios.

Changes

Cohort / File(s)	Changes
IP address comparison logic support/certs/tls.go	Added compareIPAddresses function for semantic IP comparison with IPv6 normalization and sorting. Integrated into ValidateKeyPair to replace direct positional IP diff. Added sort and strings imports.
IPv6 normalization tests support/certs/ipv6_fix_test.go	Added TestCompareIPAddresses_IPv6Normalization and TestCompareIPAddresses_DualStackScenario test functions covering IPv6 compression/expansion, mixed-case handling, ordering invariance, count mismatches, and dual-stack scenarios.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

✨ Finishing touches

• 📝 Generate docstrings

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[jparrill]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jparrill, qinqon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [jparrill]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[qinqon]

/retest-required

[orenc1]

/lgtm

[qinqon]

/retest-required

[openshift-ci-robot]

@qinqon: This pull request explicitly references no jira issue.

Details

In response to this:

What this PR does / why we need it:

In dual-stack environments, IPv6 addresses can be represented in different formats (e.g., "::1" vs "0:0:0:0:0:0:0:1"). The previous certificate validation used byte comparison via cmp.Diff, which incorrectly identified semantically identical IPv6 addresses as different.

This caused certificate regeneration failures in KubeVirt dual-stack clusters because the addresses stored in x509 certificates use expanded format while the calculated expected addresses use compressed format.

Which issue(s) this PR fixes:

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[qinqon]

/jira refresh

[openshift-ci-robot]

@qinqon: This pull request explicitly references no jira issue.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[qinqon]

/verify

[qinqon]

/verified

[openshift-ci-robot]

@qinqon: The /verified command must be used with one of the following actions: by, later, remove, or bypass. See https://docs.ci.openshift.org/docs/architecture/jira/#premerge-verification for more information.

Details

In response to this:

/verified

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[orenc1]

/verified by @qinqon

[openshift-ci-robot]

@orenc1: This PR has been marked as verified by @qinqon.

Details

In response to this:

/verified by @qinqon

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[orenc1]

/test e2e-aks

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 2633a97 and 2 for PR HEAD 00b1068 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD cf9ea7c and 1 for PR HEAD 00b1068 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD b91b466 and 0 for PR HEAD 00b1068 in total

[openshift-ci]

@qinqon: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aks	00b1068	link	true	/test e2e-aks

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

/hold

Revision 00b1068 was retested 3 times: holding