certmanager: solve CannotRegenerateKey

[universam1]

CertManager throws a warning with the current Helm chart because the .spec.privateKey.rotationPolicy is unset.

This will set the field to Always which allows rotation in case there is a need for, which can resolve potential issues of an invalid cert.

  Type     Reason               Age   From                                   Message
  ----     ------               ----  ----                                   -------
  Warning  CannotRegenerateKey  12m   cert-manager-certificates-key-manager  User intervention required: existing private key in Secret "hubble-relay-client-certs" does not match requirements on Certificate resource, mismatching fields: [spec.privateKey.algorithm[], but cert-manager cannot create new private key as the Certificate's .spec.privateKey.rotationPolicy is unset or set to Never. To allow cert-manager to create a new private key you can set .spec.privateKey.rotationPolicy to 'Always' (this will result in the private key being regenerated every time a cert is renewed)

Please ensure your pull request adheres to the following guidelines:

• For first time contributors, read Submitting a pull request
• All code is covered by unit and/or runtime tests where feasible.
• All commits contain a well written commit description including a title,
  description and a Fixes: #XXX line if the commit addresses a particular
  GitHub issue.
• If your commit description contains a Fixes: <commit-id> tag, then
  please add the commit author[s] as reviewer[s] to this issue.
• All commits are signed off. See the section Developer’s Certificate of Origin
• Provide a title or release-note blurb suitable for the release notes.
• Are you a user of Cilium? Please add yourself to the Users doc
• Thanks for contributing!

[maintainer-s-little-helper]

Commit 4b2184a does not match "(?m)^Signed-off-by:".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

[maintainer-s-little-helper]

Commit 4b2184a does not match "(?m)^Signed-off-by:".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

[gandro]

Thanks for the PR! Looks good to me!

I had to look it up, but for context, this is what certmanager also recommends: https://cert-manager.io/docs/usage/certificate/

[gandro]

/test

[gandro]

@universam1 It seems the failed CI test in Gateway API is due your branch lagging behind main a bit. Could you rebase on origin/main? Thanks!

[universam1]

@universam1 It seems the failed CI test in Gateway API is due your branch lagging behind main a bit. Could you rebase on origin/main? Thanks!

Thanks for the heads up @gandro - rebased on current main

[gandro]

/test