[docker-openvpn] Track OpenVPN User Certificate Expiration with `updatecli`

[jayfranco999]

Service(s)

VPN

Summary

User certificates in jenkins-infra/docker-openvpn have no automated expiration tracking. When certificates expire, users lose VPN access without warning. We need an automated system to alert users 30 days before their certificates expire.

Task:

Implement an updatecli manifest (following patterns in jenkins-infra/azure) that:

• Reads the current expiration date from each certificate as source (using openssl)
• Calculates if the source's date is less than 30 days ahead (as condition)
• Replaces the content of the user certificate file (cert/pki/issued/xxx.crt) with dummy text such as EXPIRED (as target since we need a file change)
• Opens a draft PR (we will never merge these, it's only a notification technique) which mentions the user in the PR body (telling them to renew soon)

Similar pattern used in jenkins-infra/azure:

• Template: https://github.com/jenkins-infra/azure/blob/main/updatecli/updatecli.d/fs-sp-writer-end-dates_infra.ci.jenkins.io.tf.tpl
• Values: https://github.com/jenkins-infra/azure/blob/561338686daadad4650bba8f278fb0c9c561c8f4/updatecli/values.yaml#L10-L26

Reproduction steps

No response

[jayfranco999]

• chore(updatecli): add OpenVPN certificate expiration tracking manifest docker-openvpn#496 introduces an Updatecli manifest and helper scripts to track OpenVPN user
  certificate expiration in docker-openvpn.

The manifest:

• Extracts certificate expiration dates using openssl
• Evaluates whether certificates expire within 30 days
• Triggers a draft GitHub PR as a notification mechanism when expiration is near

This follows the same Updatecli pattern used in jenkins-infra/azure for
service principal end-date tracking.

The openSSL commands, manifest and helper scripts were tested locally with success:

####################################################
# CHECK VPN CERTIFICATE EXPIRATION FOR JAY_JENKINS #
####################################################

source: source#certExpiryDate
---------------------
The shell 🐚 command "/bin/sh /var/folders/z4/fyxqp95j0k9_lvjd8w18w9b40000gp/T/updatecli/bin/60036b786636e5cf5b73aaa2a8e598f038b00ce85e878d719e990908b4484a02.sh" ran successfully with the following output:
----
2028-09-10T15:28:13Z
----
✔ shell command executed successfully

condition: condition#checkIfExpiringSoon
-----------------------------
The shell 🐚 command "/bin/sh /var/folders/z4/fyxqp95j0k9_lvjd8w18w9b40000gp/T/updatecli/bin/768462e21d8f8e0062edd3b9796fba3e179ec78dbb503a9f749ade29e8cb9a57.sh" exited on error (exit code 1) with the following output:
----
Certificate expires in 976 days
Certificate not expiring soon
----

command stderr output was:
----
----
shell command failed. Expected exit code 0 but got 1
✗ shell condition of type "console/output" not passing

- Check VPN certificate expiration for jay_jenkins:
        Source:
                ✔ [certExpiryDate] Extract expiration date from jay_jenkins's certificate
        Condition:
                ✗ [checkIfExpiringSoon] Check if certificate expires within 30 days
        Target:
                - [markCertExpired] Mark jay_jenkins's certificate as expiring

Note: No test certificate is included in this commit; validation will be
performed in a follow-up PR.