In a deployment where both "caCert" and "generateCaCert" are provided, if an Issuer already exists for the provided "caCert" name, then operator is unable to "update" the existing issuer.

That is a bad usage, as caCert provided already exists and the "generateCaCert" was set to true.

But we should have a mechanism to handle it. For example something that verifies if a given Issuer already exists (when generateCaCert is set to true) and then skip CA cert generation (instead of attempting to update it) saying that Issuer already exists, then use it.