fix: randomize webhook certificate serial numbers

[pm-ju]

/kind bug

Webhook self-signed certificate generation used fixed certificate serial numbers:

• CA certificate: 1
• server certificate: 2

Certificate serial numbers should be positive and unique per issuer. Reusing deterministic serial numbers for regenerated webhook certificates is weak certificate hygiene and can cause avoidable ambiguity for consumers that cache or inspect certificates.

This change:

• generates positive 128-bit random serial numbers for CA and server certificates
• returns clear errors if serial generation fails
• adds tests that verify generated certificates use positive randomized serials

Verification:
git diff --check
git diff --cached --check

Suggested test:
go test ./pkg/webhook/cert

[volcano-sh-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign yaozengzeng for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• pkg/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[gemini-code-assist]

Code Review

This pull request replaces hardcoded certificate serial numbers with randomly generated 128-bit integers to improve security and compliance. It introduces a generateSerialNumber utility and updates the self-signed certificate generation logic to use it. Corresponding tests have been added to ensure serial numbers are positive and unique. Feedback suggests pre-calculating the serial number limit for better performance and using the Cmp method for more robust big.Int comparisons in the test suite.

[gemini-code-assist]

Calculating the serial number limit on every call is slightly inefficient. Since CertSerialNumberBits is a constant, you could pre-calculate this limit once as a package-level variable or use a more direct approach to generate the random bits.

[gemini-code-assist]

While testify/assert handles *big.Int comparison by using reflect.DeepEqual (which compares the internal slices), it is generally more idiomatic and robust to use the Cmp method for big.Int values to ensure you are comparing the numeric values explicitly.