giantswarm / roadmap

Giant Swarm Product Roadmap
https://github.com/orgs/giantswarm/projects/273
Apache License 2.0

[EPIC] Certificate management on CAPI Clusters #2474

Open gawertm opened 1 year ago

gawertm commented 1 year ago

Basically, this story: https://github.com/giantswarm/giantswarm/issues/15981. However, let's look into the missing Vault on CAPI MCs as well and how it causes issues with, e.g., opsctl.

### Tasks
- [ ] https://github.com/giantswarm/giantswarm/issues/15981
- [ ] https://github.com/giantswarm/roadmap/issues/2476
- [ ] https://github.com/giantswarm/roadmap/issues/2475
- [ ] How to deal with certificates for MCs (bootstrapping chicken-egg-problem)
- [ ] https://github.com/giantswarm/roadmap/issues/2731
- [ ] https://github.com/giantswarm/roadmap/issues/2855
- [ ] https://github.com/giantswarm/roadmap/issues/2502
- [ ] https://github.com/giantswarm/roadmap/issues/3147
- [ ] https://github.com/giantswarm/roadmap/issues/3224

gawertm commented 1 year ago

There are also non-OIDC clients against workload clusters run by customers that might need certificates. Marian was involved in this in the past.

kopiczko commented 1 year ago

For the chicken-and-egg problem, I don't think we'll have any, unless the kubeadm controller is somehow configured to talk to Vault. In the vintage product we were using the Kubernetes auth backend, and that required an SA token to be configured in Vault (https://intranet.giantswarm.io/docs/support-and-ops/installation-setup-guide/vault-kubernetes-auth-backend/), but I checked the list of configured components and we don't need any of them in CAPI, or they use SOPS instead of Vault.

gawertm commented 1 year ago

Just referencing here also: cabbage would need Vault on the MC for certificates as well: https://gigantic.slack.com/archives/C01F7T2MNRL/p1684846806656159?thread_ts=1684843651.470549&cid=C01F7T2MNRL