
Allow for the use of service serving certificates with OpenShift #94

Open
benemon wants to merge 7 commits into hashicorp:main from benemon:resolve-conflicts

benemon commented Oct 21, 2024

When TFE is deployed into OpenShift environments, a platform feature called 'service serving certificates' can be leveraged to generate, maintain, and rotate platform-issued certificates for components deployed onto it. Service Serving Certificates.

In the context of TFE, this feature allows us to sidestep the creation, deployment, and management of an internal certificate chain, by using one generated on behalf of the TFE workload by the OpenShift platform.

We can also use this feature to provide the platform's CA bundle to the TFE workload as a configmap, which in turn allows us to trust these service serving certificates.

Use of this feature, in conjunction with OpenShift Routes / ClusterIP services, eases the onboarding of workloads into OpenShift, without requiring customisation of the helm chart, as all certificate operations will be offloaded to the platform.

This PR:

  • Enables support for Service Serving Certificates
  • Allows this to be enabled or disabled via the use of the sub flag openshift.serviceServingCertificates
  • Allows for the cluster CA bundle to be provided to the deployment if this flag is set
  • Allows for a route to be configured that specifically leverages service serving certificates between the router and the TFE workload if the flag is set.

@benemon benemon requested a review from a team as a code owner October 21, 2024 10:56
@nikolasrieble nikolasrieble requested a review from jkerry October 21, 2024 11:20
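
The OpenShift objects that the description above relies on, as an added illustration that is not taken from this PR or from the chart. The annotations are the platform's own; the resource names, hostname, selector and container port are assumed placeholders.

```yaml
# Added example: all names, the host and port 8443 are assumed placeholders.
apiVersion: v1
kind: Service
metadata:
  name: tfe
  annotations:
    # The service-ca operator issues a key pair for tfe.<namespace>.svc,
    # stores it as tls.crt / tls.key in this Secret, and rotates it.
    service.beta.openshift.io/serving-cert-secret-name: tfe-serving-cert
spec:
  type: ClusterIP
  selector:
    app: tfe
  ports:
    - name: https
      port: 443
      targetPort: 8443
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: tfe-service-ca
  annotations:
    # The operator writes the service CA bundle into the key service-ca.crt,
    # which the workload can mount and add to its trust store.
    service.beta.openshift.io/inject-cabundle: "true"
---
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: tfe
spec:
  host: tfe.apps.example.com
  to:
    kind: Service
    name: tfe
  port:
    targetPort: https
  tls:
    # TLS is terminated at the router and re-established to the pod.
    # With destinationCACertificate left unset, the router validates the
    # backend against the service CA that signed tfe-serving-cert.
    termination: reencrypt
    insecureEdgeTerminationPolicy: Redirect
```

The issued certificate is valid only for the internal service DNS names, so in-cluster clients must connect by service name; the external hostname is covered by the router's own certificate.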
@p0pr0ck5
Contributor

@benemon is this something we still want to pursue? If so, can you rebase to resolve the conflict? Thanks!

Author

benemon commented Mar 17, 2025

Hi @p0pr0ck5 - apologies, I lost focus on this. Let me review the conflict and see what needs to be resolved here.

Author

benemon commented Mar 17, 2025

@p0pr0ck5 I've resolved the conflicts as requested.

@benswinney

Will this PR be merged for use on OpenShift?

@dtiesling-sphere

Hi @nikolasrieble and @jkerry, we have a similar use case but want to use Google managed certs with a GKE Gateway that will terminate the SSL. I wanted to float the idea of a more generic option to have the helm chart ignore cert so people can configure routes independently.

4 participants