Certificates should be stored as TLS secrets

[elevran]

Currently all ClusterLink secrets are created as type Opaque:

$ kubectl get secret --namespace clusterlink-system
NAME              TYPE     DATA   AGE
cl-controlplane   Opaque   2      19h
cl-dataplane      Opaque   2      19h
cl-fabric         Opaque   1      19h
cl-peer           Opaque   1      19h

Typically, certificates (such as cl-peer) should be using Spec.SecretType: SecretTypeTLS. These have predefined fields for certificate and key.

Search for SecretTypeTLS in corev1 and the kubectl documentation.

The change should affect the clusterlink CLI and any manual deployment documentation (if present).

[elevran]

the ROI on this is low: some risk, low reward (having predefined data fields in secrets and clearer secret type).
Pushing out on fixing this to later with lower priority.
Changes are needed in documentation and YAML templates (mostly adding type: kubernetes.io/tls and changing cert and key to tls.cert and tls.key in secrets. Mount paths need to change accordingly)