stackabletech / secret-operator


Allow customers to request CA cert (e.g. for external clients) #410

Open sbernauer opened 5 months ago

sbernauer commented 5 months ago

There is a similar Issue for Pods: https://github.com/stackabletech/secret-operator/issues/320

As an SDP user I need to get the current ca.crt so that I can put it in external clients or e.g. OpenShift routes.

### Things to watch out for
- [ ] The mechanism must work with CA cert rotation. E.g. we need to return a list of certs that are not expired yet
- [ ] The mechanism is aligned with Discovery 2.0. The reason is that Discovery 2.0 might include the CA cert for the stacklet as well. But even *if* so, this API might give all certs (see rotation above) and the discovery only the current one. However, this is speculation as Discovery 2.0 is not there yet

### Workaround

Until this is implemented you can use one of the following workarounds:

1. Read the ca.crt from the referenced Secret in the SecretClass. Usually it is called secret-provisioner-tls-ca and is located either in the default or stackable-operators namespace.
2. Use a Pod similar to the following:

   ```yaml
   apiVersion: v1
   kind: Pod
   metadata:
     name: extract-ca-cert
   spec:
     volumes:
       - name: tls
         ephemeral:
           volumeClaimTemplate:
             metadata:
               annotations:
                 secrets.stackable.tech/class: tls
                 secrets.stackable.tech/scope: pod
             spec:
               storageClassName: secrets.stackable.tech
               accessModes:
                 - ReadWriteOnce
               resources:
                 requests:
                   storage: "1"
     containers:
       - name: extract-ca-cert
         image: docker.stackable.tech/stackable/testing-tools:0.2.0-stackable24.3.0
         command: [bash, -c]
         args:
           - |
             cat /tls/ca.crt
             sleep infinity
         volumeMounts:
           - name: tls
             mountPath: /tls
     securityContext:
       fsGroup: 1000
   ```

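
An added example (not part of the secret-operator project or of this issue) showing workaround 1 combined with the rotation-aware filtering the issue asks for: the bundle is read from the `secret-provisioner-tls-ca` Secret and every PEM certificate that is already expired, or expires within a given horizon, is dropped before handing it to an external client. It assumes `kubectl` and `openssl` on PATH, the `default` namespace, and the function names are my own.

```shell
#!/bin/sh
# Added example, not project code. Assumes kubectl + openssl are installed.
set -eu

# Workaround 1 from the issue: read ca.crt out of the Secret the SecretClass
# references. Namespace defaults to "default" (assumption; may be
# stackable-operators in your install).
fetch_ca_bundle() {
  kubectl get secret secret-provisioner-tls-ca -n "${1:-default}" \
    -o jsonpath='{.data.ca\.crt}' | base64 -d
}

# Read a PEM bundle on stdin and emit only the certificates that are still
# valid for at least $1 more seconds (default 0 = not expired right now).
# After a CA rotation the bundle can contain old roots; clients should not be
# handed certificates that are already (or almost) expired.
filter_unexpired_certs() {
  min_seconds="${1:-0}"
  nl="$(printf '\nx')"; nl="${nl%x}"   # a literal newline, POSIX-portable
  cert=""
  while IFS= read -r line || [ -n "$line" ]; do
    cert="$cert$line$nl"
    case "$line" in
      "-----END CERTIFICATE-----")
        # "openssl x509 -checkend N" exits 0 if the cert is still valid N seconds from now
        if printf '%s' "$cert" | openssl x509 -noout -checkend "$min_seconds" >/dev/null 2>&1; then
          printf '%s' "$cert"
        fi
        cert=""
        ;;
    esac
  done
}

# Number of PEM certificates in the stream on stdin (0 if none).
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Typical use: keep only roots valid for at least another 30 days.
#   fetch_ca_bundle default | filter_unexpired_certs 2592000 > trusted-ca.crt
```

The horizon argument is what makes the script rotation-aware: pass 0 to reproduce "not expired yet", or a larger value to drop certificates that would expire before the next time you plan to redistribute the bundle.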
fhennig commented 4 months ago

This needs to be documented as well (once implemented)