Use CA rather than the server cert in patching webhook

[nrfox]

When running the istio-operator with a 3.0 istiod, both will try to patch the validator webhook's caBundle. This isn't a problem if both try to patch the same bundle but with the istiod-tls secret present, the 2.6 operator will actually patch the istiod server cert tls.crt rather than the CA cert ca.crt. This patches changes the operator to patch the CA cert ca.crt.

[openshift-ci]

Hi @nrfox. Thanks for your PR.

I'm waiting for a maistra member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[nrfox]

/do-not-merge

[nrfox]

/hold

[nrfox]

@FilipB here's the maistra-test-tool test for this: maistra/maistra-test-tool#773. Covers ClusterWide mode but not MultiTenant yet.

[FilipB]

/test push-images

[openshift-ci]

@nrfox: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/push-images	b89eed3	link	true	/test push-images

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[FilipB]

We had some failures when running MTT against this PR. Checking.