Add CA generation annotation to secrets

[mrogers950]

After the CA rollover, we'll need to trigger an update of all serving certs. To do this, add a CA generation annotation to secrets that holds a generation number of the CA used to issue the cert. When checking for regeneration, check to see if the annotation does not match the current generation. For now the generation number given to controllers is always 1. When we actually perform the CA rollover during operator sync, the controller configurations will be updated with the current CA generation number and we will need to wire it in from the config. @openshift/sig-auth

[openshift-ci-robot]

@mrogers950: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
ci/prow/unit	8d296e33a2a3fc41d62de45ae2741a797cdf4d43	link	/test unit

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository. I understand the commands that are listed [here](https://go.k8s.io/bot-commands).

[openshift-bot]

@mrogers950: PR needs rebase.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.