chart: generate a CA cert with certmanager for hubble tls generation

[vflaux]

Please ensure your pull request adheres to the following guidelines:

• For first time contributors, read Submitting a pull request
• All code is covered by unit and/or runtime tests where feasible.
• All commits contain a well written commit description including a title,
  description and a Fixes: #XXX line if the commit addresses a particular
  GitHub issue.
• If your commit description contains a Fixes: <commit-id> tag, then
  please add the commit author[s] as reviewer[s] to this issue.
• All commits are signed off. See the section Developer’s Certificate of Origin
• Provide a title or release-note blurb suitable for the release notes.
• Are you a user of Cilium? Please add yourself to the Users doc
• Thanks for contributing!

When hubble tls auto method is set to certmanager with no issuer ref, generate the CA certificate using a self-signed issuer and use this CA for the hubble issuer.

Previous behavior was to generate the CA certificate using helm. It was confusing with the method set to certmanager as we could expect for all cert to be created with certmanager.
The generated secret containing the CA by helm was also missing the "tls.crt" key.

Fixes: #24500

[meyskens]

Thanks for this! Just a few small details to note here :)

[meyskens]

This also needs to be set in the values.yaml.tmpl file for our helm chart and doc generating tool to work

[meyskens]

more info about that is at https://github.com/cilium/cilium/blob/9be3b287363bbb2c1ef3160aa5e4bb2c236574fa/Documentation/contributing/development/dev_setup.rst#making-changes-to-the-helm-chart (seems to not yet be released to our docs site)

[meyskens]

This will generate an RSA key by default, within Cilium we are already using ECDSA.

cilium/examples/kubernetes/servicemesh/ca-issuer.yaml

Line 17 in e63d79b

algorithm: ECDSA

We might consider doing the same here

[meyskens]

We might want to add Hubble here too as Cilium uses certificates for cluster mesh, service mesh, network policy... if a user sees a certificate signed by this it helps to day that it is Cilium Hubble

[maintainer-s-little-helper]

Commit 5587e8efacfb99cc977c2494be05f7da443bf180 does not contain "Signed-off-by".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

[youngnick]

Looks like @meyskens' requested changes are done, LGTM now.

[giorio94]

Hey @vflaux, thanks for your contribution!

This is an heads up that we are merging #24666, which addresses #24500 in a different way. Essentially, that PR makes it mandatory to specify the issuer configuration when using cert-manager. That targets both hubble and clustermesh related configurations, and encourages the best practice of using the same CA for all components. I personally believe it also reduces the overall confusing during operations, explicitly demanding users to select which issuer type to use, since Cilium should not be concerned with the generation of the CA as much as possible. And users can just create a self-signed issuer with whatever deployment method they are using (e.g., flux2) if they are not interested in establishing a clustermesh.

Given the above, I'm closing this PR as superseded. Feel free to comment or open an issue and tag me if you feel something is still missing in this regard.