AthenZ / k8s-athenz-sia

Apache License 2.0

RoleCert Warning or Disabled for 3rd party generated InstanceCert #74

Closed mlajkim closed 6 months ago

mlajkim commented 7 months ago

Background

The current SIA can generate a RoleCert with its own generated Instance Certificate under the Identityd architecture. Yet the current SIA can also generate AccessToken/RoleToken/RoleCert based on a 3rd party generated InstanceCert.

The RoleCert, which uses the X509 Certificate format, requires a private key, but the current architecture does not warn about or disable generating a RoleCert when ROLE_CERT_KEY_FILE_OUTPUT=true is a must.

TODOs

- [ ] Do either of the following
  - Disable Fetching role certificate when 3rd party InstanceCert is detected
  - At least leave a warning log for users that their role certificates may not work, as the renewal cycle may differ (most of the time, as it is not possible to set two different runners to do the renewing at exactly the same time)

mlajkim commented 7 months ago

| Identityd | IsGeneratingEachKeyForRoleCert | IsProblematic? | Why ? |
|:---------:|:------------------------------:|:--------------:|:-----:|
|    No     |               No               |      Yes       | [^1]  |
|    Yes    |               No               |       No       |  --   |
|    No     |              Yes               |       No       |  --   |
|    Yes    |              Yes               |       No       |  --   |

[^1]: The rotation periods of SIA and the 3rd party most likely differ, and the end user is unable to use the fetched role cert.

WindzCUHK commented 6 months ago

Do you refer to this warning log? https://github.com/AthenZ/k8s-athenz-sia/blob/58ba7cfaed5098fdd7637550fc8aa5c65f08d79e/pkg/config/config.go#L254-L259

mlajkim commented 6 months ago

@WindzCUHK oh wow.. it already exists! this is possibly closable if we decide not to stop the sia rotation and warning is enough when external cert is used!
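
The problematic row of the table above (no Identityd, no separate role cert key), as an added example that is not code from k8s-athenz-sia or from the thread's participants. It assumes the role certificate is bound to the instance key when no separate role cert key is written, so a 3rd party rotating that key on its own schedule leaves a role cert that no longer matches the key on disk. The names `certMatchesKey`, `newKey` and `issueSampleRoleCert`, and the certificate itself, are hypothetical and constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certMatchesKey reports whether cert was issued for the public half of key.
// A consumer can run this check before presenting a role cert in mTLS.
func certMatchesKey(cert *x509.Certificate, key crypto.Signer) bool {
	pub, ok := cert.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	return ok && pub.Equal(key.Public())
}

// newKey generates a P-256 key standing in for an instance key (constructed sample).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issueSampleRoleCert builds a self-signed stand-in for a role cert bound to key.
// Assumption: a real role cert is issued by the Athenz CA, not self-signed.
func issueSampleRoleCert(key *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.domain:role.example-role"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	instanceKey := newKey()
	roleCert := issueSampleRoleCert(instanceKey)
	fmt.Println("before 3rd party rotation:", certMatchesKey(roleCert, instanceKey))
	fmt.Println("after 3rd party rotation: ", certMatchesKey(roleCert, newKey()))
}
```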