Support Kubernetes style TLS Secrets

[aryan9600]

There are several Flux APIs that provide a way to configure TLS authentication. These APIs expect the specified Secret to contain three keys, namely caFile, certFile and keyFile. This allows for users to specify their TLS data, but it doesn't align with the API of a Kubernetes Secret of type TLS.
A TLS secret needs to contain the keys tls.crt for the certificate and tls.key for the private key. While it doesn't specify an exact key for the CA file, the common convention is to use ca.crt as used by cert-manager and ingress-nginx.

To make adoption and usage easier, we should adopt these standards in the Flux project as well. This change would require the following things:

• OCIRepository, ImageRepository, Provider: Add support for tls.crt, tls.key and ca.crt keys in the Secret specified in .spec.certSecretRef and deprecate the currently supported keys, in a way that is similar to the deprecation of .spec.secretRef for TLS data in HelmRepository. Support for the existing keys would be completely dropped when the API receives it's next version bump.

  Note: Since Provider only supports accepting a set of CA certificates via caFile, only support for ca.crt shall be added. If and when, support for TLS client authentication is added, support for the tls.crt and tls.key keys shall also be added

• HelmRepository: Drop support for the currently supported keys in the Secret specified in .spec.certSecretRef and replace it with the tls.crt, tls.key and ca.crt.

• GitRepository: Since GitRepository is v1, we can't drop support for the caFile key as a Secret's supported keys are a part of the API and this'd be a breaking change. We can either leave the API as it is or add support for the ca.crt key and support both keys in the controller, but use the new key in docs and for generating Secrets using the Flux CLI.

• CLI: Atm, we have two commands to generate a Secret with TLS data, flux create secret tls, flux create secret helm where both support the --ca-file, --cert-file and --key-file flags. Since we are separating TLS Secrets throughout the project, we should remove these flags from flux create secret helm and have one standard command for generating Secrets with TLS data. Furthermore, the logic behind flux create secret tls should be updated to generate Secrets using the new keys using the flags --ca-crt, --tls-key, --tls-crt.
  While flux create secret git also supports the --ca-file flag, since GitRepository expects the CA certificate to be in the same Secret as other auth data, it doesn't make sense to remove the flag altogether. Instead it should also be updated to be --ca-crt and use ca.crt as the key in the Secret.

• source-controller (Adopt Kubernetes style TLS Secrets source-controller#1194)
• image-reflector-controller (imagerepo: adopt Kubernetes style TLS secrets image-reflector-controller#434)
• notification-controller (Adopt Kubernetes style TLS Secret  notification-controller#597)
• flux2 (Adopt Kubernetes style TLS Secrets and add relevant flags #4147

[hiddeco]

Instead of deleting flux create secret helm right away, I would like it to be a more gradual deprecation in which we first log a deprecation warning. Which is a tad less aggressive towards users.

[stefanprodan]

As a first step we can add the new flags to all commands and deprecate the old flags. The controllers and the CLI should work with both formats in the next release. I agree that we should update the docs to use the new CLI args and Secret format.