Merge ctlplane-tls-cert-rotation tests into ctlplane-tls-custom-issuers

Consolidate these two TLS-related kuttl tests into a single comprehensive test
suite that covers:

- TLS ingress-only to full pod-level TLS transitions
- Custom and default certificate issuer switching
- Certificate rotation triggered by secret deletion
- Custom certificate duration configuration
- Certificate fingerprint verification before/after rotation

Key changes:
- Remove ctlplane-tls-cert-rotation test suite (merged into custom-issuers)
- Renumber test steps (00-16) for proper sequencing
- Add certificate fingerprint comparison to rotation assertions
- Replace symlink with actual assert file for custom issuer deployment
- Increase timeout for certificate issuer assertions (60s → 900s)
- Improve error messages with namespace context

This reduces test execution time by eliminating redundant OpenStack
deployments while maintaining full TLS functionality coverage.

Co-authored-by: Claude Assistant assistant@cursor.sh

Author: abays

test/kuttl/common/osp_check_noapi_service_certs.sh

@@ -56,7 +56,7 @@ for service in "${!services_secrets[@]}"; do
         pod_cert=$(oc rsh -n "$NAMESPACE" openstackclient openssl s_client -connect "$cluster_ip:$port" -servername "$cluster_ip" </dev/null 2>/dev/null | sed -ne '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p')
 
         if [[ -z "$pod_cert" ]]; then
-            echo "Error retrieving certificate from $service at $cluster_ip:$port."
+            echo "Error retrieving certificate from $service at $cluster_ip:$port in namespace $NAMESPACE."
             continue
         fi
 

test/kuttl/tests/ctlplane-tls-cert-rotation/02-assert-endpoint-proto.yaml

@@ -300,11 +300,11 @@ commands:
       echo "Waiting for OpenStack control plane to be ready..."
       oc wait openstackcontrolplane -n $NAMESPACE --for=condition=Ready --timeout=400s -l core.openstack.org/openstackcontrolplane
   - script: |
-      echo "Fail if internal https endpoints are registered"
+      echo "Fail if internal https endpoints are registered (ingress-only mode)"
       oc exec -i openstackclient -n $NAMESPACE -- bash -c "openstack endpoint list --interface internal -f value -c URL" | grep 'https:' && exit 1
       exit 0
   - script: |
-      echo "check ovn sb internalDbAddress use tcp"
+      echo "check ovn sb internalDbAddress use tcp (not ssl)"
       oc get -n $NAMESPACE OVNDBCluster ovndbcluster-sb -o jsonpath={.status.internalDbAddress} | grep -q tcp
   - script: |
       echo "check ovn sb DB connection use tcp"

test/kuttl/tests/ctlplane-tls-cert-rotation/02-get-endpoints-certs.yaml

@@ -1,3 +1,5 @@
+# Deploy with TLS ingress-only (podLevel.enabled: false)
+# This tests the transition from ingress-only TLS to full TLS
 apiVersion: kuttl.dev/v1beta1
 kind: TestStep
 commands: