resourcebuilder/core: Keep ciphersuites order when injecting TLS

Although Go TLS ignores ciphersuites order, and has some complicated
rules about ciphersuites content, other implementations (and perhaps
future Go implementations) have different bahaviors, so we shouldn't
optimize for the current implementation too closely.

Also, ciphersuites opinions should be have a single source of truth,
and be implemented at the APIServer level. Applying changes at the
CluserVersionOperator level makes the config flow harer to follow.

* Don't sort ciphersuites, and document the rationale
* Add testscases and remove redundant ones
* Clarify test labels and testdata name/comments
* Reorder testcases and data to be more thematic
* Simplify test helpers

Author: vincentdephily

lib/resourcebuilder/core.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"sort"
 
 	"sigs.k8s.io/kustomize/kyaml/yaml"
 
@@ -145,11 +144,11 @@ func (b *builder) observeTLSConfiguration(ctx context.Context, cm *corev1.Config
 	}
 
 	// Extract cipherSuites from the observed config
+	// We pass the list as-is, even though TLS implementations may ignore the order and/or content (Go currently does).
+	// This future-proofs for other implementations, and avoids inconsistencies between the CVO-injected list and the original.
 	if cipherSuites, ciphersFound, err := unstructured.NestedStringSlice(observedConfig, "servingInfo", "cipherSuites"); err != nil {
 		return nil, err
 	} else if ciphersFound {
-		// Sort cipher suites for consistent ordering
-		sort.Strings(cipherSuites)
 		config.cipherSuites = optional[[]string]{value: cipherSuites, found: true}
 	}