🐛Remove invalid ClusterRoleBinding from CertManager

[wfernandes]

Removes the cert-manager-leaderelection ClusterRoleBinding from
cert-manager v0.11.0 manifest

What this PR does / why we need it:
To get velero backup working we needed to get rid of dangling ClusterRoleBinding cert-manager-leaderelection from cert-manager v0.11.0. This PR stores a local copy of the cert-manager v0.11.0 release manifest which has been edited with the CRB removed and bindata regenerated.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #2928

Release Notes

• ⚠️ Removes the cert-manager-leaderelection ClusterRoleBinding from being installed during clusterctl init. For existing clusters, the cert-manager-leaderelection ClusterRoleBinding needs to be manually removed if running into issues regarding Removes leaderelection ClusterRoleBinding cert-manager/cert-manager#2207

[wfernandes]

Not sure where to keep the cert-manager yaml. It could also go into the top level hack directory. But feedback appreciated.

[fabriziopandini]

@wfernandes thanks!
overall LGTM to me. Only one minor nit to check if it is possible to skip the copy step

[voor]

This PR will be a great first step to then adding PSP for cert-manager, once this is done you'd just need to re-generate this yaml with the PSP stuff turned on.

[voor]

Related Issue (this would make doing this issue for cert-manager much easier): #2934

[wfernandes]

@fabriziopandini I moved the cert-manager manifest under cmd/clusterctl/config/assets. Let me know if that works. Thanks.

[fabriziopandini]

@wfernandes thanks! the PR is ok for me!
/approve

I leave to @vincepri final world on the PR/the asset location

[fabriziopandini]

/assign @vincepri

@wfernandes, one additional question. what is the plan for existing clusters? to provide instruction to the users about how to manually delete the invalid role binding or are we planning to make clusterctl to delete it automatically?

[wfernandes]

That's a good point. We could add some documentation about it. I can make a note of deleting the ClusterRoleBinding in the Release Notes.
I'm leaning more towards the documentation solution for now because we have #2635 that could revamp how we manage the cert-manager.

[wfernandes]

Also...clusterctl delete doesn't remove the cert-manager components so it doesn't matter I guess 🤷‍♂️

[ncdc]

+1 to relnotes/docs for removing the bogus binding from existing clusters.

[fabriziopandini]

Also...clusterctl delete doesn't remove the cert-manager components so it doesn't matter I guess

This should be tracked by an issue

[wfernandes]

@ncdc I added my release notes in the description of my PR. Let me know if I should make any changes to that.

[detiber]

/lgtm

[ncdc]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fabriziopandini, ncdc, wfernandes

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [ncdc]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment