Open bipuladh opened 1 week ago
pls excuse, I partly understood what the code is doing but don't get the "why". Why should csi-op behave like a trimmed-down CertificateAuthority? A CA has much more functionality, like rotation and revocation to name a few, in addition to a lot of options in an x509 cert.
btw, I was OOO during some of the csi-op meetings, pls do let me know if this PR premise was already discussed based on https://github.com/ceph/ceph-csi-operator/pull/172#discussion_r1843193781 and this PR is being reworked/removed. Thanks!
Description
This PR introduces a controller to approve CSR requests intended for Ceph CSI TLS communications.
Context
To have secure gRPC communication between the CSI add-ons sidecar and the CSI manager, we need to create certificates that can be verified by a CA. We use the k8s CSR resource to sign our certificates. Related to: https://github.com/csi-addons/kubernetes-csi-addons/pull/692
Is the change backward compatible?
No
Are there concerns around backward compatibility?
We will move ahead with a disabled-by-default approach so that it doesn't introduce breakages.