Allow customers to request CA cert (e.g. for external clients)

[sbernauer]

There is a similar Issue for Pods: #320

As a SDP user I need to get the current ca.crt so that I can put it in external clients or e.g. OpenShift routes.

Things to watch out

Beta Give feedback

1. The mechanism must work wit CA cert rotation. We e.g. need to return a list of certs that are not expired yet
2. The mechanism is aligned with the Discovery 2.0. The reason is that Discovery 2.0 might include the ca cert for the stacklet as well. But even if so, this API might give all certs (see rotation above) and the discovery only the current one. However, this is speculation as Discovery 2.0 is not there yet

Workaround

Until this is implemented you can use one of the following workarounds:

1. Read the ca.crt from the referenced Secret in the SecretClass. Usually it is called secret-provisioner-tls-ca and is located either in the default or stackable-operators namespace.
2. Use a Pod similar to the following

apiVersion: v1
kind: Pod
metadata:
  name: extract-ca-cert
spec:
  volumes:
    - name: tls
      ephemeral:
        volumeClaimTemplate:
          metadata:
            annotations:
              secrets.stackable.tech/class: tls
              secrets.stackable.tech/scope: pod
          spec:
            storageClassName: secrets.stackable.tech
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: "1"
  containers:
    - name: extract-ca-cert
      image: docker.stackable.tech/stackable/testing-tools:0.2.0-stackable24.3.0
      command: [bash, -c]
      args:
        - |
          cat /tls/ca.crt
          sleep infinity
      volumeMounts:
        - name: tls
          mountPath: /tls
  securityContext:
    fsGroup: 1000