Story
Resolution: Done
Blocker
OCPPLAN-9555 - Platform Operators
[OLM-223] Platform Operators, [OLM-224] PO - Pikachu
Goal: Ensure rukpak can work in downstream environments by removing the upstream's cert-manager dependency in favor of OCP's service-ca-operator component. The upstream rukpak repository uses cert-manager for creating and managing certificates for its webhooks, which isn't installed by default downstream.
The service-ca-operator supports generating service serving certificates for downstream OCP components and services that require a self-signed CA.
See the 4.10 service-ca-operator documentation for more information.
Open Question:
- Add a test that specifies different provisioner IDs for a BundleDeployment resource (registry+v1 source, plain+v0 bundle apply)
- One workaround is to disable client auth for kube-rbac-proxy
Notes:
- The ValidatingWebhookConfiguration manifests will likely need to specify the inject-cabundle annotation key, and set the value to "true".
- Create a ConfigMap for the validating webhook certs and specify the inject-cabundle annotation key.
- The webhook service manifests will likely need to specify the serving-cert-secret-name annotation key, and set the value to the ConfigMap that specifies the inject-cabundle annotation key.
- Update any webhook deployments to mount the same secret name specified in the webhook services' serving-cert-secret-name annotation key.
AC:
- Remove the cert-manager resources from rukpak's set of manifests
- Specify the requisite service.beta.openshift.io/* annotation keys for rukpak resources to ensure service serving certificates are properly injected
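A sketch of how the annotations from the Notes fit together, added here as an illustration and not taken from rukpak's manifests. All resource names, the namespace, the webhook rule and the mount path are placeholders. The Service annotation names the Secret that service-ca-operator fills with `tls.crt` and `tls.key`, and the Deployment mounts that same Secret:

```yaml
# Added example; example-webhook*, example-ns and example.invalid are placeholders.
apiVersion: v1
kind: Service
metadata:
  name: example-webhook
  namespace: example-ns
  annotations:
    # service-ca-operator writes tls.crt/tls.key into a Secret with this name.
    service.beta.openshift.io/serving-cert-secret-name: example-webhook-cert
spec:
  selector:
    app: example-webhook
  ports:
    - port: 443
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: example-webhook
  annotations:
    # service-ca-operator fills in webhooks[].clientConfig.caBundle; omit it here.
    service.beta.openshift.io/inject-cabundle: "true"
webhooks:
  - name: validate.example.invalid
    admissionReviewVersions: ["v1"]
    sideEffects: None
    clientConfig:
      service:
        name: example-webhook
        namespace: example-ns
    rules:
      - apiGroups: ["example.invalid"]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["examples"]
---
# Deployment fragment (not a complete manifest): mount the Secret named above.
spec:
  template:
    spec:
      containers:
        - name: webhook
          volumeMounts:
            - name: cert
              mountPath: /etc/webhook/tls  # placeholder path
      volumes:
        - name: cert
          secret:
            secretName: example-webhook-cert  # must match the Service annotation
```

With this layout no cert-manager `Certificate` or `Issuer` resource is needed for the webhook. A mismatch between `secretName` and the Service annotation value leaves the webhook pod unable to mount its serving certificate.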
- blocks: OPRUN-2668 Add the PO/rukpak components to the OCP payload (Closed)
- is blocked by: OPRUN-2665 Onboard the o/operator-framework-rukpak repository to CI (Closed)