feature: configurable certificate and private key settings

[embik]

Feature Description

We should allow users to tune the settings of certificates (e.g. lifetime) and private key settings across our fleet of objects (e.g. RootShard and Kubeconfig objects). Currently, this is hardcoded, see e.g.

kcp-operator/internal/resources/rootshard/certificates.go

Line 44 in 8d4d66b

PrivateKey: &certmanagerv1.CertificatePrivateKey{

We have to make sure that we provide a sensible default (maybe 4096 RSA private keys are not the state of the art anymore either), but users should be able to configure this.

Proposed Solution

Add fields to to resources that end up generating certificates and make them configurable. In general, we shouldn't make this available per certificate but allow users to set global sensible defaults in their object.

In addition, we should provide flags on the kcp-operator binary to make the defaults configurable.

Alternative Solutions

No response

Want to contribute?

• I would like to work on this issue.

Additional Context

No response