CertificateRequest name collisions in v1.13.0  #6342

@mghantous

Describe the bug:
This started happening after upgrading from v1.12.4 to v1.13.0

For Certificate: ad-data-1088-add-multiple-genb-209601f.stg.addgene.org-private (note "-private" suffix) there exists CertificateRequest: ad-data-1088-add-multiple-genb-209601f.stg.addgene.o-3

However for Certificate: ad-data-1088-add-multiple-genb-209601f.stg.addgene.org-public (note "-public" suffix), it is trying to create a CertificateRequest with the same name, and so we see the Warning Event that it already exists:

Failed to create CertificateRequest: certificaterequests.cert-manager.io "ad-data-1088-add-multiple-genb-209601f.stg.addgene.o-3" already exists

Another example

For Certificate: kcd-dev-14571-fix-duplicate-id-1e144fe.stg.addgene.org-private (note "-private" suffix) there exists CertificateRequest: kcd-dev-14571-fix-duplicate-id-1e144fe.stg.addgene.o-11

However for Certificate: kcd-dev-14571-fix-duplicate-id-1e144fe.stg.addgene.org-public (note "-public" suffix), it is trying to create a CertificateRequest with the same name, and so we see the Warning Event that it already exists:

Failed to create CertificateRequest: certificaterequests.cert-manager.io "kcd-dev-14571-fix-duplicate-id-1e144fe.stg.addgene.o-11" already exists

Older CertificateRequests from v1.12.4 had longer names. Was there something in v1.13.0 that makes them shorter and causes collisions? Examples of longer names from v1.12.4:

kcd-dev-14571-fix-duplicate-id-1e144fe.stg.addgene.o-6jp4n
kcd-dev-14571-fix-duplicate-id-1e144fe.stg.addgene.o-j25m4

ad-data-1088-add-multiple-genb-209601f.stg.addgene.o-7h9hr
ad-data-1088-add-multiple-genb-209601f.stg.addgene.o-wz76x

Certificates with shorter names don't seem to have this issue, so it feels like something around truncation and collision.

Expected behaviour:
Unique CertificateRequest names are used and there are no Event Warnings that the name already exists.

Steps to reproduce the bug:

  1. Create a Certificate with a long name (e.g. kcd-dev-14571-fix-duplicate-id-1e144fe.stg.addgene.org-private)
  2. Observe that the Certificate is ready and there are no warning events
  3. Create a 2nd Certificate that uses a similar long name but has a different suffix (e.g. kcd-dev-14571-fix-duplicate-id-1e144fe.stg.addgene.org-public)
  4. Observe that there is a warning event for the second certificate (e.g. Failed to create CertificateRequest: certificaterequests.cert-manager.io "kcd-dev-14571-fix-duplicate-id-1e144fe.stg.addgene.o-11" already exists)

Anything else we need to know?:
Certificates with shorter names don't seem to have this issue, so it feels like something around truncation and collision.

Environment details:

  • Kubernetes version: v1.27.2
  • Cloud-provider/provisioner: self-hosted
  • cert-manager version: v1.13.0
  • Install method: helm

/kind bug
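
An added example (not part of the original report and not cert-manager's code): a Go check that groups Certificate names by the 52-character prefix seen in the CertificateRequest names quoted above, to find names in one namespace that are at risk of this collision. `PrefixLen` is counted from the quoted names; the function names and the meaning of the numeric suffix are assumptions.

```go
package main

import (
	"fmt"
	"sort"
)

// PrefixLen is the truncated prefix length counted from the names in the report.
const PrefixLen = 52

// Truncate keeps at most n bytes of name (Kubernetes object names are ASCII).
func Truncate(name string, n int) string {
	if len(name) > n {
		return name[:n]
	}
	return name
}

// RequestName rebuilds the name shape seen in the report: truncated prefix,
// a dash, and a number. What the number counts is an assumption (not stated).
func RequestName(certName string, num int) string {
	return fmt.Sprintf("%s-%d", Truncate(certName, PrefixLen), num)
}

// CollisionGroups takes Certificate names from one namespace and returns the
// groups that share a truncated prefix, keyed by that prefix.
func CollisionGroups(names []string, n int) map[string][]string {
	groups := map[string][]string{}
	for _, name := range names {
		p := Truncate(name, n)
		groups[p] = append(groups[p], name)
	}
	for p, g := range groups {
		if len(g) < 2 {
			delete(groups, p) // unique prefix: no collision risk
		}
		sort.Strings(g)
	}
	return groups
}

func main() {
	names := []string{ // the two Certificate names from the report
		"ad-data-1088-add-multiple-genb-209601f.stg.addgene.org-private",
		"ad-data-1088-add-multiple-genb-209601f.stg.addgene.org-public",
	}
	fmt.Println(CollisionGroups(names, PrefixLen))
	fmt.Println(RequestName(names[0], 3), RequestName(names[1], 3))
}
```

Any group it reports contains Certificates whose distinguishing suffix falls past the truncation point, which matches the "-private" / "-public" pairs in the report.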
