
feat: Add self-signed certificate init container #140

Closed
wants to merge 6 commits into from

Conversation

PurseChicken
Copy link
Contributor

Definition of Ready

  • I am happy with the code
  • Short description of the feature/issue is added in the pr description
  • PR is linked to the corresponding user story
  • Acceptance criteria are met
  • All open todos and follow ups are defined in a new ticket and justified
  • Deviations from the acceptance criteria and design are agreed with the PO and documented.
  • No debug or dead code
  • My code has no repetitions
  • Documentation/examples are up-to-date
  • All non-functional requirements are met
  • If possible, the test configuration is adjusted so acceptance tests cover my changes

This PR adds the ability to enable an init container which will generate and store a self-signed certificate for each pod that runs in the replica set.

The certificate is signed with the CN of "zitadel" and contains the following SANs: localhost, Pod IP Address and Pod Name. Additionally, it can contain one more DNS name, specified in values, which will be added to the SAN.

By default, this is disabled in the values file, but if required can be enabled by setting selfSignedCert.enabled to true. You can add the DNS name you want to add to the certificate in selfSignedCert.additionalDnsName. Omit this value if this is not required.

The init container uses a small alpine/openssl image to generate the certificate using the following command:

openssl req -nodes -x509 -sha256 -newkey rsa:4096 -keyout /etc/tls/tls.key -out /etc/tls/tls.crt -days 3560 -subj "/CN=zitadel" -addext "subjectAltName = DNS:localhost,DNS:${POD_IP},DNS:${POD_NAME}"

Enabling selfSignedCert also adds the correct volume and volumeMount for the /etc/tls directory. This is where the tls.crt and tls.key files will be stored. They can then be referenced in zitadel config directly, e.g. KeyPath: /etc/tls/tls.key, CertPath: /etc/tls/tls.crt.
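As an added example (not code from this PR or from the chart), the Go program below reproduces what the init container's openssl command produces: a self-signed RSA certificate with CN=zitadel and SANs for localhost, the Pod IP, the Pod name and an optional additional DNS name, then checks which hostnames a standard Go client would accept it for. The `PodIdentity` type, the `includeIPSAN` switch and the sample values (10.244.1.7, zitadel-0, zitadel.example.internal) are constructed for the example. The switch exists to show one detail worth knowing when ZITADEL or another Go client is pointed at the Pod IP directly: Go's hostname verification matches an IP literal only against iPAddress SAN entries, so a DNS:${POD_IP} entry alone is not matched for that case, while it is still fine for the DNS names.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"os"
	"time"
)

// PodIdentity is what the init container learns from the downward API plus the
// optional chart value selfSignedCert.additionalDnsName (empty when omitted).
// The type itself is an assumption of this example, not part of the chart.
type PodIdentity struct {
	PodIP             string
	PodName           string
	AdditionalDNSName string
}

// GenerateSelfSigned produces a self-signed certificate with CN=zitadel and the
// SANs from the PR description: DNS:localhost, DNS:<pod IP>, DNS:<pod name> and
// the additional DNS name when set. With includeIPSAN the Pod IP is also written
// as an iPAddress SAN. validity is the lifetime (3560 days in the PR command).
func GenerateSelfSigned(id PodIdentity, keyBits int, validity time.Duration, includeIPSAN bool) (certPEM, keyPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, keyBits)
	if err != nil {
		return nil, nil, err
	}
	// Random 128-bit serial, as openssl does for a fresh self-signed cert.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	dnsNames := []string{"localhost", id.PodIP, id.PodName}
	if id.AdditionalDNSName != "" {
		dnsNames = append(dnsNames, id.AdditionalDNSName)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: "zitadel"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(validity),
		SignatureAlgorithm:    x509.SHA256WithRSA,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		DNSNames:              dnsNames,
	}
	if includeIPSAN {
		ip := net.ParseIP(id.PodIP)
		if ip == nil {
			return nil, nil, fmt.Errorf("pod IP %q is not a valid IP address", id.PodIP)
		}
		tmpl.IPAddresses = []net.IP{ip}
	}
	// Self-signed: the template is both subject and issuer, signed by its own key.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return certPEM, keyPEM, nil
}

// HostnameAccepted reports whether a client connecting to host (a DNS name or
// an IP literal) would accept certPEM under Go's standard SAN matching rules.
func HostnameAccepted(certPEM []byte, host string) (bool, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return false, errors.New("no PEM certificate found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, err
	}
	return cert.VerifyHostname(host) == nil, nil
}

func main() {
	// Constructed sample identity; in the cluster these come from the downward API and values.
	id := PodIdentity{PodIP: "10.244.1.7", PodName: "zitadel-0", AdditionalDNSName: "zitadel.example.internal"}
	certPEM, keyPEM, err := GenerateSelfSigned(id, 4096, 3560*24*time.Hour, true)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// The init container would write these to /etc/tls/tls.crt and /etc/tls/tls.key.
	fmt.Print(string(certPEM))
	fmt.Printf("private key: %d bytes of PEM\n", len(keyPEM))
	for _, h := range []string{"localhost", id.PodName, id.AdditionalDNSName, id.PodIP, "other.example"} {
		ok, _ := HostnameAccepted(certPEM, h)
		fmt.Printf("%-26s accepted=%v\n", h, ok)
	}
}
```

Running it prints the certificate and one line per candidate name; only the names present as SANs are accepted. Swapping `includeIPSAN` to false keeps the DNS names working and flips the Pod IP line to `accepted=false`, which is the behaviour to keep in mind when a Go client dials the pod by address rather than by name.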

@PurseChicken PurseChicken marked this pull request as ready for review November 8, 2023 16:48
@eliobischof
Copy link
Member

Thank you @PurseChicken 🙏

I made some minor changes and added an example in #141 because I couldn't push to your fork.
