[tls] always create CA certs

always create required CAs and CA bundle, even if TLS should be
not enabled. This is to allow an easier way to enable TLS at some
point, where the CA bundle should be distributed to the edpm nodes
as a pre step, this also applies to adoption.

Jira: OSPRH-3268

pkg/openstack/ca.go

@@ -36,15 +36,9 @@ func ReconcileCAs(ctx context.Context, instance *corev1.OpenStackControlPlane, h
 		map[string]string{},
 	)
 
-	// Note (mschuppert) - right now additional custom CA certs can only be passed to the services if
-	// tls is enabled, otherwise CA bundle creation will be skipped and no bundle will be passed to the
-	// service CAs.
-	if !instance.Spec.TLS.Enabled(service.EndpointInternal) && !instance.Spec.TLS.Enabled(service.EndpointPublic) {
-		// we are not deleting certificates if tls gets disabled
-		instance.Status.Conditions.Remove(corev1.OpenStackControlPlaneCAReadyCondition)
-
-		return ctrl.Result{}, nil
-	}
+	// Note (mschuppert) - we always create required CAs and CA bundle, even if TLS should be not enabled.
+	// This is to allow easy switch to enable TLS later and also be able to distriute the bundle as a pre
+	// step for adoption
 
 	helper.GetLogger().Info("Reconciling CAs", "Namespace", instance.Namespace, "Name", issuerReq.Name)
 
@@ -139,6 +133,7 @@ func ReconcileCAs(ctx context.Context, instance *corev1.OpenStackControlPlane, h
 				Name: caName,
 			}
 			if len(caOnlyBundle.certs) > 0 {
+				helper.GetLogger().Info(fmt.Sprintf("BOO %+v", caOnlyBundle.certs[0]))
 				status.Expires = caOnlyBundle.certs[0].expire.Format(time.RFC3339)
 			}