Configure certificate manager in response to MRC and MRC status changes

[jaellio]

Please describe the Improvement and/or Feature Request

To do:

• Update the issuers in the Manager based on the MRC status changes

In response to MRC and MRC rotation stage status changes update the Manager struct.

All MRCs events should be considered valid. The validating webhook is responsible for performing validation on adds, updates, and deletions of MRCs.

Outstanding Questions:

• For the phase 1 of the auto root certificate rotation implementation should the user be responsible for setting the initial status of validatingRollout? Or should OSM handle setting this status? With manual certificate rotation, the user will be responsible for setting the remaining status to progress through rotation.
  • Proposed solution: create a mutating webhook for MRCs. On add, set the providerState to validatingIssuing. The admission request will be denied by the validating webhook if it shouldn't be created.
• How to implement controller, injector, and bootstrap specific rotation logic?
  • Proposed solution: We could have specific watches for each control plane component, but we'd either have to coordinate manager updates or support updating the manager in multiple places. One alternative is to publish manager updates to msg broker. The OSM component specific logic doesn't need to have any knowledge of the actual MRC updates, it only needs to know that the manager's issuers have been updated and it can reissue certificates.
• Who and when should the error status on the MRC be set?

events to handle	response
MRC added	See outstanding question above - If using the proposed solution above, the ProviderState is validatingRollout. Create the Issuer and set it as the validatingIssuer in the Manager struct
ProviderState status is validatingRollout	See above
ProviderState status is issuingRollout	Verify the ID of the validatingIssuer is the same as the ID on the updated MRC. Set signingIssuer to the MRC being rotated in and set the validatingIssuer to the MRC being rotated in. tempIssuer := signingIssuer signingIssuer = validatingIssuer validatingIssuer = tempIssuer Since the signingIssuer and the validatingIssuer are not equal the newly issued certs will still contain both CAs for validation. Set the providerState status of the MRC being rotated out to issuingRollback.
ProviderState status is active	Verify the ID of the signingIssuer is the same as the ID on the updated MRC. Set the validatingIssuer to the signingIssuer. At this point, the signingIssuer and validatingIssuer should be the same. Set the providerState status of the MRC being rotated out to validatingRollback.
ProviderState status is issuingRollback	Noop. Handled by status change to issuingRollout on the MRC being rolled out
ProviderState status is validatingRollback	Noop. Handled by status change to active on the MRC being rolled out
ProviderState status is inactive	Noop. After the providerState status of the MeshRootCertificate has been set to inactive it can be deleted
ProviderState status is error	See outstanding questions above

Scope (please mark with X where applicable)

• Certificate Management [x]