fix: send current certificate SNIs with updates
When decK must update a certificate, retrieve the current certificate's
set of SNIs, convert them to strings, and set these on the updated
certificate.

Certificate and SNI objects have a special relationship. A PUT request
(which we use for updates) with a certificate that contains no SNI
children will in fact delete any existing SNI objects associated with
that certificate, rather than leaving them as-is. Because decK considers
SNIs separate objects and strips SNI child objects from certificate
objects, updates to other certificate fields will PUT a certificate with
no SNIs and inadvertently delete existing SNIs.

Not stripping SNIs from certificate objects in general presents its own
issues, as decK will attempt to operate on both objects and generate
conflicts.

To work around these issues, this change sets SNIs on certificates ONLY
during update requests using the current certificate's SNI list. If
there are changes to the SNIs, subsequent actions on the SNI objects
will handle those.

Fix #356
Travis Raines committed May 17, 2021
1 parent d4da23f commit 6de9ee2
Showing 1 changed file with 12 additions and 0 deletions.
12 changes: 12 additions & 0 deletions diff/cert.go
Expand Up @@ -85,6 +85,18 @@ func (sc *Syncer) createUpdateCertificate(

// found, check if update needed
if !currentCertificate.EqualWithOpts(certificateCopy, false, true) {
currentSNIs, err := sc.currentState.SNIs.GetAllByCertID(*currentCertificate.ID)
if err != nil {
return nil, errors.Wrapf(err, "error looking up current certificate SNIs %v",
certificate.Identifier())
}
sniNames := make([]*string, 0)
for _, s := range currentSNIs {
sniNames = append(sniNames, s.Name)
}

certificateCopy.SNIs = sniNames
currentCertificate.SNIs = sniNames
return &Event{
Op: crud.Update,
Kind: "certificate",
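
Review bot: The assignment `currentCertificate.SNIs = sniNames` at the end of the added block is not covered by the commit message, which only describes setting SNIs on the updated certificate, and it leaves the current and updated objects sharing one slice of `*string` pointers taken from the state's SNI entries. Add a short comment saying why the current object is populated as well (presumably so both sides of the update carry identical SNIs), and give each object its own copy of the slice if either one can be modified later. Also in this block, `*currentCertificate.ID` is dereferenced without a nil check while the error message reports `certificate.Identifier()`, and `make([]*string, 0, len(currentSNIs))` would size the slice up front. The commit changes only diff/cert.go, so a test that updates a certificate with existing SNIs and asserts they are still present in the update would guard against the behaviour described in #356 coming back.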