cockroachdb / helm-charts

Helm charts for cockroachdb


No longer able to specify cert-manager issuer to generate node and client certificates with

0fau opened this issue · comments

This PR #337 removed the ability to specify a cert-manager issuer from which node and client certificates are generated. These changes force users who want to use cert-manager in some capacity to generate node and client certs from a self-signed CA issuer. This is great for people that want to bootstrap a cluster right away, but it introduces a feature regression of less flexibility, counter to how cert-manager integrations should work.

[Screenshot 2023-10-12 at 3 20 20 AM]

My specific use case is that I manage all my certificates within Vault so that it is contained. I've been using a Vault issuer, and it worked fine with previous releases of this Helm chart because I could configure the chart to do so. I'm not able to anymore.
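As an added example (not part of this issue thread and not the chart's own templates), the two cert-manager `Certificate` resources below show what "node and client certificates issued by a custom issuer" looks like when requested directly from cert-manager. The `ClusterIssuer` name `crdb-issuer` and the `issuerRef` group/kind are taken from the values snippet later in the thread; the namespace, secret names, service names, and durations are assumptions. The CN requirements (`node` for node certs, the SQL user name for client certs) are CockroachDB's own rules.

```yaml
# Added example, not from the issue or the helm-charts project.
# Node certificate: CockroachDB requires CN=node and SANs covering every name
# other nodes and clients use to reach this node.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cockroachdb-node
  namespace: cockroachdb                      # assumed namespace
spec:
  secretName: cockroachdb-node                # assumed secret name (tls.crt, tls.key, ca.crt)
  commonName: node
  dnsNames:
    - localhost
    - cockroachdb-public                      # assumed service names
    - cockroachdb-public.cockroachdb
    - cockroachdb-public.cockroachdb.svc.cluster.local
    - "*.cockroachdb"
    - "*.cockroachdb.cockroachdb"
    - "*.cockroachdb.cockroachdb.svc.cluster.local"
  ipAddresses:
    - 127.0.0.1
  usages:
    - digital signature
    - key encipherment
    - server auth
    - client auth                             # nodes also dial each other as clients
  duration: 2160h                             # 90 days, assumed
  renewBefore: 360h
  privateKey:
    algorithm: RSA
    size: 2048
  issuerRef:                                  # the custom (e.g. Vault-backed) issuer
    group: cert-manager.io
    kind: ClusterIssuer
    name: crdb-issuer
---
# Client certificate for the root SQL user: CN must equal the user name.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cockroachdb-client-root
  namespace: cockroachdb
spec:
  secretName: cockroachdb-client-root         # assumed secret name
  commonName: root
  usages:
    - digital signature
    - key encipherment
    - client auth
  duration: 2160h
  renewBefore: 360h
  privateKey:
    algorithm: RSA
    size: 2048
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: crdb-issuer
```

After applying these, a quick check that the certificates really came from the intended CA rather than a chart-generated self-signed one is to compare the `ca.crt` in the resulting secrets against the CA published by the Vault issuer, and to confirm each `Certificate` reports `Ready=True` with `kubectl get certificate -n cockroachdb`. Wiring these secrets into the chart is not shown here, since the thread does not document which values the chart reads for pre-provisioned secrets.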

@prafull01

Hi @0fau

You should still be able to use your vault issuer by disabling the flag:

tls.certs.certManagerIssuer.isSelfSignedIssuer: false

Please try and let me know if you face any issues.

@prafull01

I tried that flag, and I believe I'm still only able to specify the issuer for the CA cert, while I'd like to be able to generate node and client certificates using a custom issuer. This is because I'd like the lifecycle of my certificates to be managed within Vault.

Can second this. Just tried to bootstrap a CRDB cluster from the newest chart version and ran into the issue that I can't, as a wrong (non-existing) issuer is used for requesting the certificates:

cockroachdb:
  tls:
    certs:
      certManagerIssuer:
        group: cert-manager.io
        kind: ClusterIssuer
        name: crdb-issuer
        # Make it false when you are providing your own CA issuer
        isSelfSignedIssuer: false

The values.yaml still provides these options, but they aren't used, breaking the setup. The screenshot above explains this.