Update TODOs to reference an issue with more details

And remove a no longer needed TODO

agent/connect/ca/provider.go

@@ -135,7 +135,7 @@ type PrimaryProvider interface {
 	// the active intermediate. If multiple intermediates are needed to complete
 	// the chain from the signing certificate back to the active root, they should
 	// all by bundled here.
-	// TODO: replace with GenerateLeafSigningCert
+	// TODO: replace with GenerateLeafSigningCert (https://github.com/hashicorp/consul/issues/12386)
 	GenerateIntermediate() (string, error)
 
 	// SignIntermediate will validate the CSR to ensure the trust domain in the

agent/connect/ca/provider_vault.go

@@ -603,7 +603,6 @@ func (v *VaultProvider) SignIntermediate(csr *x509.CertificateRequest) (string,
 // CrossSignCA takes a CA certificate and cross-signs it to form a trust chain
 // back to our active root.
 func (v *VaultProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
-	// TODO: is this necessary? Doesn't vault check this for us?
 	rootPEM, err := v.getCA(v.config.RootPKIPath)
 	if err != nil {
 		return "", err

agent/consul/leader_connect_ca.go

@@ -488,7 +488,7 @@ func (c *CAManager) primaryInitialize(provider ca.Provider, conf *structs.CAConf
 		return err
 	}
 
-	// TODO: delete this
+	// TODO: https://github.com/hashicorp/consul/issues/12386
 	interPEM, err := provider.GenerateIntermediate()
 	if err != nil {
 		return fmt.Errorf("error generating intermediate cert: %v", err)
@@ -976,7 +976,7 @@ func (c *CAManager) primaryUpdateRootCA(newProvider ca.Provider, args *structs.C
 		}
 	}
 
-	// TODO: delete this
+	// TODO: https://github.com/hashicorp/consul/issues/12386
 	intermediate, err := newProvider.GenerateIntermediate()
 	if err != nil {
 		return err