abcxyz / jvs

Apache License 2.0

feat: Added manual cert action api #79

Closed. raserva closed this 2 years ago.

raserva commented 2 years ago

Tested locally with the following:

grpcurl -proto protos/v0/cert_action_service.proto \
    -H "Authorization: Bearer $(gcloud auth print-identity-token)" \
    -d '{"actions": [{"version": "<primary cert version>", "action": "ROTATE"}]}' \
    -max-msg-sz 9999999999 \
    <app endpoint>:443 \
    jvs.CertificateActionService/CertificateAction

and was able to successfully rotate a certificate before the typical rotation period.

TODOs:

yolocs commented 2 years ago

A meta question: do we really need two services? Can this gRPC service share the same server as the https://github.com/abcxyz/jvs/tree/main/cmd/cert-rotation service?

raserva commented 2 years ago

> A meta question: do we really need two services? Can this gRPC service share the same server as the https://github.com/abcxyz/jvs/tree/main/cmd/cert-rotation service?

It's a good question, and I thought about it. The one blocker to that at the moment is that the current cert rotator is HTTP, whereas this is gRPC. I intended to add it as a backlog item that we could potentially migrate cert rotator to use this API as well.

yolocs commented 2 years ago

> It's a good question, and I thought about it. The one blocker to that at the moment is that the current cert rotator is HTTP, whereas this is gRPC. I intended to add it as a backlog item that we could potentially migrate cert rotator to use this API as well.

Oh, I didn't realize that. I suppose that the cert rotator being HTTP makes Cloud Scheduler calls easy. I'm not sure how easy it is to call a gRPC service from Cloud Scheduler. So the alternative (not in this PR) is to migrate this API to be an HTTP service?