
Cilium helm install mode results in non-functioning clustermesh vm status command.

Open jspaleta opened this issue 1 year ago • 2 comments

Bug report

Looks like classic install mode is populating a cert secret needed for external workload functionality, that the helm chart isn't aware of.

General Information

$ cilium version
cilium-cli: v0.14.7 compiled with go1.20.4 on linux/amd64
cilium image (default): v1.13.3
cilium image (stable): v1.13.4
cilium image (running): unknown. Unable to obtain cilium version, no cilium pods found in namespace "kube-system"
$ kubectl version
WARNING: This version information is deprecated and will be replaced with the output from kubectl version --short.  Use --output=yaml|json to get the full version.
Client Version: version.Info{Major:"1", Minor:"27", GitVersion:"v1.27.3", GitCommit:"25b4e43193bcda6c7328a6d147b1fb73a33f1598", GitTreeState:"clean", BuildDate:"2023-06-14T09:53:42Z", GoVersion:"go1.20.5", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v5.0.1
Server Version: version.Info{Major:"1", Minor:"27", GitVersion:"v1.27.1", GitCommit:"4c9411232e10168d7b050c49a1b59f6df9d7ea4b", GitTreeState:"clean", BuildDate:"2023-05-12T19:03:40Z", GoVersion:"go1.20.3", Compiler:"gc", Platform:"linux/amd64"}
$ kind version
kind v0.19.0 go1.19.5 linux/amd64

How to reproduce the issue

**First use classic install mode to show it works as expected**

  1. kind create cluster
  2. unset CILIUM_CLI_MODE
  3. cilium install
  4. cilium status --wait
  5. cilium clustermesh enable --service-type NodePort
  6. cilium status --wait
$ cilium clustermesh vm status
⚠️  Service type NodePort detected! Service may fail when nodes are removed from the cluster!
✅ Cluster access information is available:
	 - 172.18.0.2:30758
✅ Service "clustermesh-apiserver" of type "NodePort" found
⚠️ No external workloads found.
$ kubectl -n kube-system get secrets | grep clustermesh
clustermesh-apiserver-admin-cert               kubernetes.io/tls               3      2m52s
clustermesh-apiserver-external-workload-cert   kubernetes.io/tls               3      2m52s
clustermesh-apiserver-remote-cert              kubernetes.io/tls               3      2m52s
clustermesh-apiserver-server-cert              kubernetes.io/tls               3      2m52s

**Repeat using helm mode and watch clustermesh vm status fail**

  1. cilium uninstall
  2. kubectl -n kube-system get secrets | grep clustermesh (confirm no secrets)
  3. export CILIUM_CLI_MODE=helm
  4. cilium install
  5. cilium status --wait
  6. cilium clustermesh enable --service-type NodePort
  7. cilium status --wait
$ cilium clustermesh vm status
Trying to get secret clustermesh-apiserver-client-cert by deprecated name clustermesh-apiserver-client-certs

Error: Unable to determine status: unable to get external workload secret to access clustermesh service

vm status command now returns error

$ kubectl -n kube-system get secrets | grep clustermesh
clustermesh-apiserver-admin-cert    kubernetes.io/tls               3      55s
clustermesh-apiserver-remote-cert   kubernetes.io/tls               3      55s
clustermesh-apiserver-server-cert   kubernetes.io/tls               3      55s

The external-workload-cert secret is missing!!!!

jspaleta Jun 16 '23 01:06
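
A check for the condition reported above, added here as an example and not part of the original issue or of cilium-cli: it reads `kubectl -n kube-system get secrets` output and prints which of the four secrets from the classic-mode listing are absent. The function and variable names and the `--live` switch are assumptions of this example; the two embedded listings are copied from the outputs in the issue.

```shell
#!/bin/sh
# Added example: not from the issue or from cilium-cli.
# The four names are the secrets shown in the classic-mode listing above.
EXPECTED_SECRETS="clustermesh-apiserver-admin-cert
clustermesh-apiserver-external-workload-cert
clustermesh-apiserver-remote-cert
clustermesh-apiserver-server-cert"

# Listings copied from the two outputs in the issue (classic mode, helm mode).
CLASSIC_LISTING="clustermesh-apiserver-admin-cert               kubernetes.io/tls               3      2m52s
clustermesh-apiserver-external-workload-cert   kubernetes.io/tls               3      2m52s
clustermesh-apiserver-remote-cert              kubernetes.io/tls               3      2m52s
clustermesh-apiserver-server-cert              kubernetes.io/tls               3      2m52s"
HELM_LISTING="clustermesh-apiserver-admin-cert    kubernetes.io/tls               3      55s
clustermesh-apiserver-remote-cert   kubernetes.io/tls               3      55s
clustermesh-apiserver-server-cert   kubernetes.io/tls               3      55s"

# Reads `kubectl -n kube-system get secrets` output on stdin and prints every
# expected secret that has no row with an exact NAME match and TYPE
# kubernetes.io/tls (the type shown in the issue). Returns 1 if any is missing.
missing_clustermesh_secrets() {
    listing=$(cat)
    rc=0
    for name in $EXPECTED_SECRETS; do
        if ! printf '%s\n' "$listing" |
            awk -v n="$name" '$1 == n && $2 == "kubernetes.io/tls" { ok = 1 } END { exit !ok }'
        then
            printf '%s\n' "$name"
            rc=1
        fi
    done
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    # Query the current cluster; the exit status reports whether anything is missing.
    kubectl -n kube-system get secrets | missing_clustermesh_secrets
else
    # Offline demo on the helm-mode listing from the issue.
    printf '%s\n' "$HELM_LISTING" | missing_clustermesh_secrets || true
fi
```
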