Revert "helm: ca issuer"

This reverts commit 082fa15.

Currently, in the helm chart, if the cert-manager approach is selected
to generate the hubble and clustermesh certificates but no issuer is
specified, a new issuer is created for each of them, along with a secret
containing the CA information. Still, this approach is currently broken,
since the CA secret which is created does not match the format expected
by cert-manager. At the same time, this might also hide misconfigurations
(e.g., if there is a typo in the issuer configuration) and possibly lead
to different CAs for different components. Hence, let's just stick to
the approach documented in the user guide and make it mandatory to specify
the issuer when cert-manager is used. It is a task of the users (as
unrelated from cilium) to create the appropriate issuer in advance,
according to their own preference.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>

install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/admin-secret.yaml

@@ -7,7 +7,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
 spec:
   issuerRef:
-    {{- include "clustermesh-apiserver-generate-certs.certmanager.issuer" . | nindent 4 }}
+    {{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef | nindent 4 }}
   secretName: clustermesh-apiserver-admin-cert
   commonName: {{ include "clustermesh-apiserver-generate-certs.admin-common-name" . }}
   dnsNames:

install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/client-secret.yaml

@@ -7,7 +7,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
 spec:
   issuerRef:
-    {{- include "clustermesh-apiserver-generate-certs.certmanager.issuer" . | nindent 4 }}
+    {{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef | nindent 4 }}
   secretName: clustermesh-apiserver-client-cert
   commonName: externalworkload
   duration: {{ printf "%dh0m0s" (mul .Values.clustermesh.apiserver.tls.auto.certValidityDuration 24) }}

install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/remote-secret.yaml

@@ -7,7 +7,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
 spec:
   issuerRef:
-    {{- include "clustermesh-apiserver-generate-certs.certmanager.issuer" . | nindent 4 }}
+    {{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef | nindent 4 }}
   secretName: clustermesh-apiserver-remote-cert
   commonName: {{ include "clustermesh-apiserver-generate-certs.remote-common-name" . }}
   duration: {{ printf "%dh0m0s" (mul .Values.clustermesh.apiserver.tls.auto.certValidityDuration 24) }}

install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/server-secret.yaml

@@ -7,7 +7,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
 spec:
   issuerRef:
-    {{- include "clustermesh-apiserver-generate-certs.certmanager.issuer" . | nindent 4 }}
+    {{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef | nindent 4 }}
   secretName: clustermesh-apiserver-server-cert
   commonName: clustermesh-apiserver.cilium.io
   dnsNames:

install/kubernetes/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml

@@ -7,7 +7,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
 spec:
   issuerRef:
-    {{- include "hubble-generate-certs.certmanager.issuer" . | nindent 4 }}
+    {{- toYaml .Values.hubble.tls.auto.certManagerIssuerRef | nindent 4 }}
   secretName: hubble-relay-client-certs
   commonName: "*.hubble-relay.cilium.io"
   dnsNames:

install/kubernetes/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml

@@ -7,7 +7,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
 spec:
   issuerRef:
-    {{- include "hubble-generate-certs.certmanager.issuer" . | nindent 4 }}
+    {{- toYaml .Values.hubble.tls.auto.certManagerIssuerRef | nindent 4 }}
   secretName: hubble-relay-server-certs
   commonName: "*.hubble-relay.cilium.io"
   dnsNames:

install/kubernetes/cilium/templates/hubble/tls-certmanager/server-secret.yaml

@@ -8,7 +8,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
 spec:
   issuerRef:
-    {{- include "hubble-generate-certs.certmanager.issuer" . | nindent 4 }}
+    {{- toYaml .Values.hubble.tls.auto.certManagerIssuerRef | nindent 4 }}
   secretName: hubble-server-certs
   commonName: {{ $cn | quote }}
   dnsNames:

install/kubernetes/cilium/templates/hubble/tls-certmanager/ui-client-certs.yaml

@@ -7,7 +7,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
 spec:
   issuerRef:
-    {{- include "hubble-generate-certs.certmanager.issuer" . | nindent 4 }}
+    {{- toYaml .Values.hubble.tls.auto.certManagerIssuerRef | nindent 4 }}
   secretName: hubble-ui-client-certs
   commonName: "*.hubble-ui.cilium.io"
   dnsNames:

install/kubernetes/cilium/values.yaml.tmpl

@@ -992,7 +992,6 @@ hubble:
       #   kind: ClusterIssuer
       #   name: ca-issuer
       # -- certmanager issuer used when hubble.tls.auto.method=certmanager.
-      # If not specified, a CA issuer will be created.
       certManagerIssuerRef: {}
 
     # -- Deprecated in favor of tls.ca. To be removed in 1.13.
@@ -2172,7 +2171,7 @@ nodeinit:
   # -- bootstrapFile is the location of the file where the bootstrap timestamp is
   # written by the node-init DaemonSet
   bootstrapFile: "/tmp/cilium-bootstrap.d/cilium-bootstrap-time"
-  
+
   # -- startup offers way to customize startup nodeinit script (pre and post position)
   startup:
    preScript: ""
@@ -2538,7 +2537,6 @@ clustermesh:
         #   kind: ClusterIssuer
         #   name: ca-issuer
         # -- certmanager issuer used when clustermesh.apiserver.tls.auto.method=certmanager.
-        # If not specified, a CA issuer will be created.
         certManagerIssuerRef: {}
       # -- base64 encoded PEM values for the ExternalWorkload CA certificate and private key.
       ca: