Project: Red Hat OpenStack Services on OpenShift
Issue: OSPRH-5893

TLS-E : Validate issuers and caCerts defined in services


Type: Story
Resolution: Won't Do
Priority: Normal

Whether or not a dataplane service requires a tlsCert is currently defined within the service spec. This definition includes the issuer and the secret (caCerts) containing a caBundle. It might be good to validate that the relevant issuer and caCert secrets exist, rather than throwing a run-time error.

Currently, this information is evaluated when a deployment is defined, because it is possible to overwrite the services that are to be deployed. Given that, it's not clear whether it makes sense or adds value to try to validate this information in the node set.

Note that the validation takes place before any Ansible jobs are triggered, but it is still exposed as a run-time error.

Checking the existence of the referenced `CACerts` secret is simple enough. As for the issuer, it should be possible to move some of the `EnsureTLSCerts` logic into the webhook, obviously only the retrieval parts.

However, this would only make sense if the secrets are not supposed to be created dynamically.
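The following is an added example, not code from the openstack-operator or from the reporter, sketching what the proposed admission-time check could look like: every service's issuer and caCert secret reference is resolved up front and all missing objects are reported together, instead of surfacing one at a time as run-time errors. The type and field names (`TLSCertSpec`, `Issuer`, `CACertSecret`) and the `Lookup` interface standing in for the Kubernetes client are assumptions for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// TLSCertSpec mirrors what the issue describes: an Issuer to request the
// certificate from and a Secret carrying the CA bundle (field names assumed).
type TLSCertSpec struct {
	Issuer       string
	CACertSecret string
}
// ServiceSpec is a reduced dataplane service: a name plus an optional TLS request.
type ServiceSpec struct {
	Name    string
	TLSCert *TLSCertSpec
}

// Lookup stands in for the API client so the check runs offline; a real webhook
// would back it with client Get() calls on the Issuer and Secret objects.
type Lookup interface{ Exists(kind, name string) bool }
// MapLookup is a constructed in-memory Lookup keyed by "Kind/name".
type MapLookup map[string]bool

func (m MapLookup) Exists(kind, name string) bool { return m[kind+"/"+name] }

// ValidateTLSRefs returns one message per missing object, naming every service
// that references it, so admission is rejected with an actionable reason
// instead of failing at run time after the deployment has started.
func ValidateTLSRefs(services []ServiceSpec, lk Lookup) []string {
	missing := map[string][]string{} // "Kind/name" -> referencing services
	for _, svc := range services {
		if svc.TLSCert == nil {
			continue // service does not request a certificate
		}
		for kind, name := range map[string]string{"Issuer": svc.TLSCert.Issuer, "Secret": svc.TLSCert.CACertSecret} {
			if name != "" && !lk.Exists(kind, name) {
				missing[kind+"/"+name] = append(missing[kind+"/"+name], svc.Name)
			}
		}
	}
	var out []string
	for key, svcs := range missing {
		out = append(out, fmt.Sprintf("%s not found (referenced by %s)", key, strings.Join(svcs, ", ")))
	}
	sort.Strings(out) // deterministic ordering for error output
	return out
}
```

An empty result means the deployment can proceed to the Ansible jobs; a non-empty one is what the webhook would return as the admission denial message.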


Assignee: Ade Lee (rhn-gps-alee)
Reporter: Ade Lee (rhn-gps-alee)
Component: rhos-dfg-df