Default to installing the TLS CA into the operator's target namespace (#397)

* Default to installing the TLS CA into the operator's target namespace

* Changelog

* Changelog formatting

* Tag the changelog entry with the PR

Author: nightkr

CHANGELOG.md

@@ -4,6 +4,16 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+### Changed
+
+- [BREAKING] The TLS CA Secret is now installed into the Namespace of the operator (typically `stackable-operators`), rather than `default` ([#397]).
+  - Existing users can either migrate by either:
+      - (Recommended) Copying the CA into the new location
+        (`kubectl -n default get secret/secret-provisioner-tls-ca -o json | jq '.metadata.namespace = "stackable-operators"' | kubectl create -f-`)
+      - Setting the `secretClasses.tls.caSecretNamespace` Helm flag (`--set secretClasses.tls.caSecretNamespace=default`)
+
+[#397]: https://github.com/stackabletech/secret-operator/pull/397
+
 ## [24.3.0] - 2024-03-20
 
 ### Added

deploy/helm/secret-operator/templates/secretclasses.yaml

@@ -11,5 +11,5 @@ spec:
       ca:
         secret:
           name: secret-provisioner-tls-ca
-          namespace: default
+          namespace: {{ .Values.secretClasses.tls.caSecretNamespace | default .Release.Namespace }}
         autoGenerate: true

deploy/helm/secret-operator/values.yaml

@@ -84,3 +84,9 @@ affinity: {}
 
 # Kubelet dir may vary in environments such as microk8s, see https://github.com/stackabletech/secret-operator/issues/229
 kubeletDir: /var/lib/kubelet
+
+secretClasses:
+  tls:
+    # The namespace that the TLS Certificate Authority is installed into.
+    # Defaults to the namespace where secret-op is installed.
+    caSecretNamespace: null