
Feature: ClusterTrustBundle as Sources #592

@SgtCoDFish

Description

The upstream ClusterTrustBundle resource is reaching beta in k8s 1.33 which gives us a great incentive to adopt the resource. It'll be usable as both a source and a target; this issue focuses on using it as a source.

Key Differences from Existing Sources

  1. The key is not configurable; only the trustBundle field is available.
  2. No extra permissions are needed in the general case; all service accounts can read CTBs.
  3. CTBs are more strict about their contents being valid PEM data, and impose requirements on ordering too.
  4. CTBs have a "signer linked" mode, which requires additional permissions and imposes requirements on what the bundle is named.
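The four points above are easiest to see with a concrete manifest. The following Go program is an added example written for this issue; it is not trust-manager code and does not reflect whatever source API ends up being implemented. It generates a throwaway self-signed CA (a constructed test certificate), checks a `spec.trustBundle` value with the kind of strictness point 3 describes (only `CERTIFICATE` blocks, no PEM headers, every block parseable as X.509, no stray bytes between blocks; the upstream ordering rules are not reproduced), applies a name check for the signer-linked mode from point 4, and renders a `certificates.k8s.io/v1beta1` ClusterTrustBundle. The name check encodes the upstream signer-linked naming rule as I understand it (signer name with `/` replaced by `:`, then a colon and a suffix; names of non-signer-linked bundles contain no colon); treat that reading as an assumption to confirm against the API server's validation.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// NewSelfSignedCAPEM builds a constructed test CA certificate, PEM-encoded.
func NewSelfSignedCAPEM(cn string) (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), nil
}

// ValidateTrustBundle applies the strictness a CTB imposes on spec.trustBundle,
// unlike an arbitrary ConfigMap/Secret key: only CERTIFICATE blocks, no PEM
// headers, every block a parseable X.509 certificate, and nothing but
// whitespace outside the blocks. It returns the number of certificates.
func ValidateTrustBundle(bundle string) (int, error) {
	rest := bytes.TrimSpace([]byte(bundle))
	count := 0
	for len(rest) > 0 {
		if !bytes.HasPrefix(rest, []byte("-----BEGIN ")) {
			return count, fmt.Errorf("after block %d: non-PEM data in trustBundle", count)
		}
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			return count, fmt.Errorf("block %d: malformed PEM", count)
		}
		if block.Type != "CERTIFICATE" {
			return count, fmt.Errorf("block %d: type %q, want CERTIFICATE", count, block.Type)
		}
		if len(block.Headers) != 0 {
			return count, fmt.Errorf("block %d: PEM headers are not allowed", count)
		}
		if _, err := x509.ParseCertificate(block.Bytes); err != nil {
			return count, fmt.Errorf("block %d: not an X.509 certificate: %w", count, err)
		}
		count++
		rest = bytes.TrimSpace(rest)
	}
	if count == 0 {
		return 0, errors.New("trustBundle contains no certificates")
	}
	return count, nil
}

// SignerLinkedNameOK encodes the upstream naming rule as assumed here: a
// signer-linked bundle's name is the signer name with "/" replaced by ":",
// then ":" and a non-empty suffix; a plain bundle's name has no colon.
func SignerLinkedNameOK(signerName, name string) bool {
	if signerName == "" {
		return !strings.Contains(name, ":")
	}
	prefix := strings.ReplaceAll(signerName, "/", ":") + ":"
	return strings.HasPrefix(name, prefix) && len(name) > len(prefix)
}

// RenderClusterTrustBundle emits a v1beta1 manifest after both checks pass;
// an empty signerName produces a plain (non-signer-linked) bundle.
func RenderClusterTrustBundle(name, signerName, bundle string) (string, error) {
	if _, err := ValidateTrustBundle(bundle); err != nil {
		return "", err
	}
	if !SignerLinkedNameOK(signerName, name) {
		return "", fmt.Errorf("name %q violates naming rule for signer %q", name, signerName)
	}
	var b strings.Builder
	fmt.Fprintf(&b, "apiVersion: certificates.k8s.io/v1beta1\nkind: ClusterTrustBundle\nmetadata:\n  name: %s\nspec:\n", name)
	if signerName != "" {
		fmt.Fprintf(&b, "  signerName: %s\n", signerName)
	}
	b.WriteString("  trustBundle: |\n")
	for _, line := range strings.Split(strings.TrimSpace(bundle), "\n") {
		b.WriteString("    " + line + "\n")
	}
	return b.String(), nil
}

func main() {
	ca, err := NewSelfSignedCAPEM("example-root") // constructed, not a real trust anchor
	if err != nil {
		panic(err)
	}
	manifest, err := RenderClusterTrustBundle("example.com:my-signer:roots", "example.com/my-signer", ca)
	if err != nil {
		panic(err)
	}
	fmt.Print(manifest)
}
```

Running it prints a signer-linked manifest; feeding `ValidateTrustBundle` a ConfigMap-style value with a stray comment line or a `PUBLIC KEY` block returns an error, which is the behaviour a CTB source has to expect from the API server rather than tolerate the way the ConfigMap and Secret sources do.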

Testing

See #591 for a kind config for testing this.
