If a customer wants to use custom (i.e. not ECK-issued) certificates we have this documentation

https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-tls-certificates.html#k8s-setting-up-your-own-certificate

which says it is not necessary to specify the CA certificate for well-known CAs when setting up custom certificates:

ca.crt: CA certificate (optional if tls.crt was issued by a well-known CA).

In the case of Elastic Agent the CA is indicated to Elastic Agent through the FLEET_CA environment variable. Setting it to a non-empty value overrides OS-level CA trust in favour of the specified CA.

If a user sets up custom certificates as indicated by the documentation for Agent, they will end up with a non-functional configuration. This is because of

cloud-on-k8s/pkg/controller/common/certificates/http_reconcile.go, lines 114 to 117 in 85aa75b

where we fill the ca.crt file with the self-signed CA in the absence of a user-provided one. With the behaviour of Elastic Agent I described above, that means that only the self-signed CA is trusted and not the CAs trusted by the container's OS.

We should fix this behaviour for Elastic Agent by only setting the FLEET_CA variable if the user-provided secret actually contains a ca.crt file or if self-signed certs are in use.
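As an added illustration of the decision this issue proposes (example code, not cloud-on-k8s's own), the Go sketch below contrasts the reported behaviour with the fix: the mount path, the placeholder PEM block and the convention that a nil user secret means ECK-issued self-signed certificates are assumptions of the example, and the PEM sanity check is an extra safeguard the issue does not mention.

```go
package main

import "encoding/pem"

// Secret keys named in the issue and the ECK TLS documentation.
const CAKey, CertKey, KeyKey = "ca.crt", "tls.crt", "tls.key"

// Constructed for this example: not ECK's real mount path, not a real certificate.
const exampleCAPath = "/example/mount/ca.crt"
const placeholderCAPEM = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"

// reconcileCA models the http_reconcile.go behaviour the issue describes: when the
// user-provided secret has no ca.crt, the self-signed CA is filled in.
func reconcileCA(userSecret map[string][]byte, selfSignedCA []byte) map[string][]byte {
	out := make(map[string][]byte, len(userSecret)+1)
	for k, v := range userSecret {
		out[k] = v
	}
	if _, ok := out[CAKey]; !ok {
		out[CAKey] = selfSignedCA
	}
	return out
}

// buggyFleetCAEnv is the reported behaviour: the reconciled secret always carries
// a ca.crt, so FLEET_CA is always set and OS-level CA trust is always overridden.
func buggyFleetCAEnv(reconciled map[string][]byte) (string, bool) {
	if _, ok := reconciled[CAKey]; ok {
		return exampleCAPath, true
	}
	return "", false
}

// fleetCAEnv is the proposed fix: set FLEET_CA only when ECK-issued self-signed
// certificates are in use (modelled as a nil user secret) or when the user's own
// secret really contains a ca.crt. A ca.crt that is not a PEM CERTIFICATE block
// counts as absent, so the Agent keeps the OS trust store for well-known CAs.
func fleetCAEnv(userSecret map[string][]byte) (string, bool) {
	if userSecret == nil {
		return exampleCAPath, true
	}
	block, _ := pem.Decode(userSecret[CAKey])
	if block == nil || block.Type != "CERTIFICATE" {
		return "", false
	}
	return exampleCAPath, true
}
```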