Implement webhook certificate management in the controller

[simu]

Summary

As an operator of the APPUiO Cloud control-api
I want to get valid webhook TLS certificates out of the box
So that I can run the control-api without having to manually create and maintain TLS certificates

Context

Currently, the control-api expects that the webhook serving certificates are managed externally, and configured by hand, cf.

control-api/local-env/kind.mk

Lines 21 to 23 in 37b1020

	webhook-certs/tls.key:
	mkdir -p webhook-certs
	openssl req -x509 -newkey rsa:4096 -nodes -keyout webhook-certs/tls.key -out webhook-certs/tls.crt -days 3650 -subj "/CN=webhook-service.control-api.svc" -addext "subjectAltName = DNS:webhook-service.control-api.svc, DNS:webhook-service.default.svc"

for the helper tooling in the local-env setup and https://hub.syn.tools/control-api/how-tos/tls.html for the instructions for the Commodore component for the control-api.

Out of Scope

• TBD

Further links

• https://github.com/kyverno/kyverno/tree/ad19108d34f80592dcbeafdbc9943673ee120f99/pkg/tls

Acceptance Criteria

• The control-api issues and renews TLS serving certificates for the provided webhooks itself

Implementation Ideas

• Model implementation after Kyverno's implementation, cf. https://github.com/kyverno/kyverno/tree/ad19108d34f80592dcbeafdbc9943673ee120f99/pkg/tls and usages of that package.

[simu]

Consider updating controller-runtime to use builtin facilities to achieve this.