Im trying to generate client certs for a secure cluster (deployed in Kubernetes via Helm chart downloaded from your repo) and the ca.key file is not on any of the pods. Its not on the client-secure pod or the cockroachdb nodes. The ca.crt and node certs are present on the node pods.
If you’re using the configs in our repo, the CA key will never be available to you, it’s held by the kubernetes control plane and cannot be exported.
Instead, the certificates are obtained through the kubernetes certificates API.
Client certificates can be obtained from by pod running in the same kubernetes cluster, as described in the secure client apps section of the README.