@sed-i sed-i commented Sep 3, 2025

Issue

CN is deprecated, but the TLS charmlib requires it
canonical/tls-certificates-interface#369

Currently we set it as the app name, but that is invalid because the CN must be derived from the SANs DNS.
Let's Encrypt complains (via Lego charm):

An error occurred executing the lego command: error: couldn't request certificate: coudn't obtain cert: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rejectedIdentifier :: Invalid identifiers requested :: Cannot issue for "mimir": Domain name needs at least one dot

"urn:ietf:params:acme:error:malformed" :: Invalid identifiers requested :: Domain name does not end with a valid public suffix (TLD).

We cannot use socket.getfqdn() because it's too long.
https://community.letsencrypt.org/t/simplifying-issuance-for-very-long-domain-names/207924

Solution

Use a (silly) wildcard, *.svc.cluster.local.

Very different circumstances, but Google practices the same.
[image]

Context

Mimir, Loki, Tempo charms do not have an analogue to traefik's external_hostname config option, meaning they currently cannot obtain a cert from e.g. Let's Encrypt. Only internal CA. So the *.local should be safe for now.

If we keep using self-signed-certificates, then this PR is not needed, because that "CA" is very permissive. But for a more strict internal CA this is probably a good change.

Testing Instructions

Upgrade Notes
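Added example, not code from the PR or from the tls-certificates charm library: a small stdlib-only Python helper that applies the selection rule the description argues for. It tries each SAN DNS name as a candidate CN, rejects the ones the quoted errors would reject (a bare app name with no dot, a name over the 64-character CN limit; the limit is RFC 5280's ub-common-name, the PR itself only links the Let's Encrypt thread), and falls back to the PR's `*.svc.cluster.local` wildcard. The hostname-syntax regex is a deliberately simplified assumption, and the long FQDN in the test is a constructed sample, not a real deployment.

```python
"""Derive a CSR Common Name from the SAN DNS list, falling back to a wildcard.

Added example; not the PR's or the charm library's code.
Assumptions (not stated on the page): CN_MAX_LEN is RFC 5280's ub-common-name,
the hostname regex is a simplified label check, and sample names are constructed.
"""
import re

CN_MAX_LEN = 64                            # RFC 5280 ub-common-name (assumption: the limit behind "too long")
WILDCARD_FALLBACK = "*.svc.cluster.local"  # the wildcard CN proposed in the PR

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_valid_dns_name(name: str) -> bool:
    """Simplified hostname syntax check; a single leading '*' label is allowed."""
    if not name or len(name) > 253:
        return False
    labels = name.lower().split(".")
    if labels[0] == "*":
        labels = labels[1:]
    return bool(labels) and all(_LABEL.match(label) for label in labels)


def cn_problems(cn: str) -> list[str]:
    """Return the reasons a candidate CN would be rejected; empty list means acceptable."""
    problems = []
    if len(cn) > CN_MAX_LEN:
        problems.append(f"longer than {CN_MAX_LEN} characters")
    if "." not in cn:
        # Mirrors the ACME rejection quoted in the PR: "Domain name needs at least one dot".
        problems.append("no dot (bare app name)")
    if not is_valid_dns_name(cn):
        problems.append("not valid hostname syntax")
    return problems


def choose_cn(sans: list[str], fallback: str = WILDCARD_FALLBACK) -> str:
    """Pick the first SAN DNS name that passes cn_problems(); otherwise use the wildcard."""
    for san in sans:
        if not cn_problems(san):
            return san
    return fallback


def explain(sans: list[str]) -> dict[str, list[str]]:
    """Map every candidate to its rejection reasons, for logging during CSR generation."""
    return {san: cn_problems(san) for san in sans}


if __name__ == "__main__":
    # Constructed sample: a short pod FQDN and a deliberately long one (unit name +
    # endpoints service + long model name push it past 64 characters).
    sample = [
        "mimir",
        "mimir-worker-0.mimir-worker-endpoints.my-long-model-name-for-staging.svc.cluster.local",
    ]
    for name, why in explain(sample).items():
        print(f"{name}: {'ok' if not why else ', '.join(why)}")
    print("chosen CN:", choose_cn(sample))
```

As the Context section notes, the wildcard only makes sense in front of an internal CA; a public CA would reject `.local` the same way the quoted "valid public suffix (TLD)" error rejects the bare app name, so `choose_cn` should only be used on the internal-CA path.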
