Automatically generate a certificate for Gitaly hosts if Gitaly TLS is turned on
Spinoff from !969 (merged) and #1579 (closed)
In !969 (merged), we require users to bring their own certificates even for the internal Gitaly instance. We should automatically generate this and use it.
Copying my comment from !969 (comment 224353659)
Looking at https://gitlab.com/gitlab-org/build/CNG/blob/master/cfssl-self-sign/scripts/generate-certificates. That script is pretty focused on generating wildcard certificates. Either we should update it to perform the generation of certificates for Gitaly or we should add a separate script for generating Gitaly certificates that takes a list of hostnames as input (which will be added to the SAN).
Then, we would probably need a separate job similar to https://gitlab.com/gitlab-org/charts/gitlab/blob/master/charts/shared-secrets/templates/_self-signed-cert-job.yml which will create the Kubernetes secret. (Need to check if we can reuse the same job, but from what I see it makes its decision based on `configureCertmanager` or `ingress.tls`, which need not apply for Gitaly (being an internal communication).)
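A sketch of the "list of hostnames in, SAN entries out" script proposed above, added here as an illustration and not taken from the CNG `generate-certificates` script or the chart. The function names, the `ca.pem` / `ca-key.pem` / `ca-config.json` file names and the `server` signing profile are assumptions.

```shell
# Added example; names, file paths and the "server" profile are assumptions.

# Print a cfssl CSR JSON document. Every argument becomes a SAN entry in
# "hosts"; the first argument is also used as the CN.
gitaly_csr_json() {
  [ "$#" -gt 0 ] || { echo "usage: gitaly_csr_json HOST [HOST...]" >&2; return 2; }
  local cn="$1" hosts="" h
  for h in "$@"; do
    # Allow only DNS-name / IP characters so an argument cannot break out of
    # the JSON string or smuggle in an extra field.
    case "$h" in
      ''|*[!A-Za-z0-9.:*-]*) echo "invalid hostname: $h" >&2; return 1 ;;
    esac
    hosts="${hosts:+$hosts, }\"$h\""
  done
  printf '{"CN": "%s", "hosts": [%s], "key": {"algo": "ecdsa", "size": 256}}\n' \
    "$cn" "$hosts"
}

# Sign the CSR with an existing internal CA and write <out>.pem and
# <out>-key.pem. Assumes cfssl and cfssljson are on PATH and that the CA
# files are in the working directory.
issue_gitaly_cert() {
  local out="$1" csr
  shift
  csr="$(gitaly_csr_json "$@")" || return 1
  printf '%s\n' "$csr" |
    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
      -profile=server - |
    cfssljson -bare "$out"
}

# Usage (constructed hostnames):
#   issue_gitaly_cert gitaly gitaly-0.example.internal gitaly-1.example.internal
```

The resulting `gitaly.pem` and `gitaly-key.pem` are what a separate job would then store as the Kubernetes secret.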