datastax/pulsar-helm-chart

[TLS-CM] Heartbeat and bastion mount k8s secrets containing TLS CA certs although CertManager is enabled

Closed this issue · 0 comments

Heartbeat and bastion components appear to mount self-signed certs even when deploying in TLS CertManager mode (SelfSigned disabled).

When deploying with the following values:

```
helm --set "secrets='',createCertificates.selfSigned.enabled=false,createCertificates.selfSignedPerComponent.enabled=false" install ...
```

The command returns:

```
broker-0 $ env | grep "tlsTrustCertsFilePath"
tlsTrustCertsFilePath=/etc/ssl/certs/ca-certificates.crt
```

This hints that the trustCertsStore is /etc/ssl/certs/ca-certificates.crt.

However, bastion and heartbeat pods are still mounting a secret and extracting the certs from there.

```yaml
{{- if .Values.enableTls }}
- name: certs
  secret:
    secretName: {{ .Values.tls.ssCaCert.tlsSecretName | default (.Values.tls.rootCaSecretName | default .Values.tlsSecretName) | quote }}
    items:
      - key: ca.crt
        path: ca.crt
{{- end }}
```

```yaml
{{- if .Values.enableTls }}
- name: certs
  secret:
    secretName: {{ .Values.tls.ssCaCert.tlsSecretName | default (.Values.tls.rootCaSecretName | default .Values.tlsSecretName) | quote }}
    items:
      - key: ca.crt
        path: ca.crt
{{- end }}
```

In this scenario, to my understanding, heartbeat and bastion pods should only use the CM-signed certificate: /etc/ssl/certs/ca-certificates.crt, so there is no need to mount external k8s secrets containing self-signed TLS certificates.
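One way to check a running deployment for the mismatch described in this issue (a pod whose `tlsTrustCertsFilePath` points at the system CA bundle while it still mounts a CA secret) is to audit the output of `kubectl get pods -o json`. The script below is an added example written for this page, not code from the pulsar-helm-chart project; the pod list it parses is a constructed sample, and the pod, container and secret names in it (`pulsar-bastion-7d9c`, `pulsar-ss-ca`, ...) are placeholders, not values from the chart.

```python
import json

# Trust store reported by the broker in the issue, and the env var that carries it.
SYSTEM_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"
TRUST_ENV = "tlsTrustCertsFilePath"

# Constructed sample (not real cluster output): a trimmed `kubectl get pods -o json`
# list with one pod showing the issue and one clean pod. Names are placeholders.
SAMPLE_PODS_JSON = json.dumps({
    "kind": "List",
    "items": [
        {
            "metadata": {"name": "pulsar-bastion-7d9c"},
            "spec": {
                "containers": [{
                    "name": "pulsar-bastion",
                    "env": [{"name": TRUST_ENV, "value": SYSTEM_CA_BUNDLE}],
                }],
                "volumes": [{
                    "name": "certs",
                    "secret": {
                        "secretName": "pulsar-ss-ca",
                        "items": [{"key": "ca.crt", "path": "ca.crt"}],
                    },
                }],
            },
        },
        {
            "metadata": {"name": "pulsar-broker-0"},
            "spec": {
                "containers": [{
                    "name": "pulsar-broker",
                    "env": [{"name": TRUST_ENV, "value": SYSTEM_CA_BUNDLE}],
                }],
                "volumes": [{"name": "data", "emptyDir": {}}],
            },
        },
    ],
})


def trust_store_of(pod):
    """Return the tlsTrustCertsFilePath value from the first container that sets it, else None."""
    for container in pod["spec"].get("containers", []):
        for env in container.get("env", []):
            if env.get("name") == TRUST_ENV:
                return env.get("value")
    return None


def secret_ca_volumes(pod):
    """Return (volume name, secret name) pairs for secret volumes that can project a ca.crt key."""
    hits = []
    for vol in pod["spec"].get("volumes", []):
        secret = vol.get("secret")
        if not secret:
            continue
        items = secret.get("items")
        # No item list means the whole secret is projected, which may include ca.crt.
        if items is None or any(item.get("key") == "ca.crt" for item in items):
            hits.append((vol["name"], secret.get("secretName", "<unnamed>")))
    return hits


def audit_pods(pod_list_json):
    """Flag pods that trust the system CA bundle yet still mount a CA secret volume."""
    findings = []
    for pod in json.loads(pod_list_json).get("items", []):
        name = pod["metadata"]["name"]
        if trust_store_of(pod) != SYSTEM_CA_BUNDLE:
            continue  # pod is on the self-signed path; mounting the secret is expected
        for vol_name, secret_name in secret_ca_volumes(pod):
            findings.append({
                "pod": name,
                "volume": vol_name,
                "secret": secret_name,
                "reason": "trust store is the system CA bundle, but a CA secret is still mounted",
            })
    return findings


if __name__ == "__main__":
    for f in audit_pods(SAMPLE_PODS_JSON):
        print(f"{f['pod']}: volume '{f['volume']}' mounts secret '{f['secret']}' ({f['reason']})")
```

Against a real cluster, pipe `kubectl get pods -n <namespace> -o json` into `audit_pods` instead of the sample. A pod on the cert-manager path that still shows up here is carrying a secret it has no reason to read, which is exactly the extra exposure this issue is about.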