It would be nice if we could get cert-manager when the cluster starts up, as part of the manifest.
If that ends up not being desirable, we should at least make a single property to enable a CA that can be used by a cert-manager issuer - the public certificate should be added to the system bundle on all kubelet VMs, and a post-deploy secret should be created for the private key, so that we can wire it up to a cert-manager issuer.
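A sketch of the wiring requested above, added here as an illustration and not taken from the project: the post-deploy secret holding the CA key pair, a cert-manager CA issuer that reads it, and a certificate signed by that issuer. It assumes cert-manager is installed with the `cert-manager.io/v1` API and its default `cert-manager` cluster resource namespace; the names `ca-key-pair`, `platform-ca` and `example-tls` are hypothetical, and the key material is shown as placeholders.

```yaml
# Post-deploy secret with the CA certificate and private key.
# Name is hypothetical; data values are placeholders, not real key material.
apiVersion: v1
kind: Secret
metadata:
  name: ca-key-pair
  # A ClusterIssuer reads its secret from cert-manager's cluster resource
  # namespace, which defaults to the namespace cert-manager runs in.
  namespace: cert-manager
type: kubernetes.io/tls
data:
  tls.crt: <base64-encoded PEM CA certificate>
  tls.key: <base64-encoded PEM CA private key>
---
# CA issuer that signs certificates with the key pair above.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: platform-ca            # hypothetical name
spec:
  ca:
    secretName: ca-key-pair
---
# Example consumer: a certificate requested from the CA issuer.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-tls            # hypothetical name
  namespace: default
spec:
  secretName: example-tls      # cert-manager writes the issued key pair here
  dnsNames:
    - example.default.svc
  issuerRef:
    name: platform-ca
    kind: ClusterIssuer
```

Because `ca-key-pair` contains the CA private key, read access to secrets in that namespace should be limited to cert-manager's own service account.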