Hey @Pacyfik , thanks for sharing the files!
I would like to explain a little bit what happens. With tls settings generate: true/false, you are saying the operator (via Helm) to self-certify the CB db (generate: true) or you can generate your own certs and supply to the operator (generate: false) which reloads the certs in the CB db.
But unfortunately, once you have opted false in the beginning and supplied the certs, those certs are permanently loaded now and operator can’t remove it anymore 
and replace with a self-signed cert. Although, you can rotate/supply new certs via secrets again, which will be reloaded.
Also another point about TLS you mentioned in the beginning, which I guess was more about TLS certs than enabling/disabling TLS itself. But just to clarify, from CB server 7.0+, TLS is always enabled by default, which is a server(db) feature rather than operator.
By default, both TLS and non-TLS ports are active and will accept traffic. You can see the all ports listed here