This PR includes temporary fixes to get `Certificate` option working with `self-signed` certificates.
Currently, whenever the `Certificate` config option is set to a
specific secret, we seem to assume **by default** that they are
publicly signed. This currently has the following issues when they
are `self-signed`:
- Due to the usage of `Certificate` in internal facing services like
`registry-facade`, internal clients fail to communicate as the
self-signed CA is not in their trust store.
(Fix: Update `registry-facade` to use `builtin-registry-facade-cert`,
generated by `cert-manager`)
- Due to the fact that internal `registry` communication also flows
through the `proxy`, this communication fails as the `proxy` cert is
self-signed as it's not available in the trust store.
(Fix: Update the `registry-facade` daemonset to also include `crt` of
`Certificate` in its trust store).
This PR also fixes an issue with `image-builder-mk3` when the
`customCACert` option is set, by removing `InternalVolumeCAMount` as
it makes the `etc/ssl/certs` empty and readOnly (which prevents
mounting the customCACert cert into `etc/ssl/certs`).
This is not needed as the directory probably exists, or we don't need
to mount it specifically. Individual cert files can be attached
directly into the folder while keeping the existing files the
same.
Signed-off-by: Tarun Pothulapati <tarun@gitpod.io>
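
The difference between shadowing the trust-store directory and attaching a single certificate file into it, as an added illustration that is not taken from this PR or the project's code. The pod, image, Secret, key and file names are hypothetical placeholders.

```yaml
# Added example, not the project's manifest. Every name below is a
# hypothetical placeholder.
apiVersion: v1
kind: Pod
metadata:
  name: ca-mount-example
spec:
  containers:
    - name: builder
      image: example.invalid/builder:placeholder
      volumeMounts:
        # Directory-level mount (the problem case): a volume mounted at
        # /etc/ssl/certs hides every CA file shipped in the image, and a
        # read-only mount prevents anything else from being added there.
        #
        # - name: custom-ca
        #   mountPath: /etc/ssl/certs
        #   readOnly: true
        #
        # File-level mount: subPath projects one key of the Secret as a
        # single file inside the existing directory, so the image's own
        # CA files stay in place next to it.
        - name: custom-ca
          mountPath: /etc/ssl/certs/custom-ca.crt
          subPath: ca.crt
          readOnly: true
  volumes:
    - name: custom-ca
      secret:
        secretName: custom-ca-cert   # hypothetical Secret holding key "ca.crt"
```

A `subPath` mount does not pick up later changes to the Secret, so pods need a restart after the CA is rotated.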