
bug: frontProxy does not support shards with non kcp-ca certificates #140

@BergCyrill

Description


Describe the bug

FrontProxy has the kcp-ca hard-referenced in its configMap for rootShard access. This leads to issues (FrontProxy not working at all) when the rootShard gets a different certificate issuer (e.g. Let's Encrypt).

The issue seems to be in this part:

func (r *reconciler) defaultPathMappings() []operatorv1alpha1.PathMappingEntry {
	url := resources.GetRootShardBaseURL(r.rootShard)
	return []operatorv1alpha1.PathMappingEntry{
		{
			Path:            "/clusters/",
			Backend:         url,
			BackendServerCA: "/etc/kcp/tls/ca/tls.crt",
			ProxyClientCert: "/etc/kcp-front-proxy/requestheader-client/tls.crt",
			ProxyClientKey:  "/etc/kcp-front-proxy/requestheader-client/tls.key",
		},
		{
			Path:            "/services/",
			Backend:         url,
			BackendServerCA: "/etc/kcp/tls/ca/tls.crt",
			ProxyClientCert: "/etc/kcp-front-proxy/requestheader-client/tls.crt",
			ProxyClientKey:  "/etc/kcp-front-proxy/requestheader-client/tls.key",
		},
	}
}

Suggested fix: use caBundleSecretRef (the mounted path), if provided, for BackendServerCA to allow different certificate configurations.

Steps To Reproduce

  1. Deploy kcp-vespucci with kcp-operator 0.4.0
  2. Configure frontProxy, rootShard & alphaShard to use Let's Encrypt
  3. Provide the caBundleSecretRef property for all three resources
  4. Watch the frontProxy logs: not much happens (unfortunately no warnings/errors)

Expected Behaviour

Since it is possible to provide your own certificates for shards, the frontProxy should also support this scenario.

Additional Context

No response
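The following is an added, self-contained Go example (not kcp-operator's code) that illustrates the two halves of this report: why a front proxy that pins kcp-ca as the only trust anchor cannot verify a root shard whose serving certificate was issued by a different CA, and what the suggested fix looks like. The `PathMappingEntry` struct, the `caBundleMountPath` constant and the `hasCABundleSecretRef` flag are assumptions made for illustration; the operator's real types and mount paths may differ. The certificates are generated in-memory at runtime, so nothing touches the filesystem.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PathMappingEntry mirrors the shape of the operator's path mapping entry
// (an assumption for this example; it is not the project's own type).
type PathMappingEntry struct {
	Path            string
	Backend         string
	BackendServerCA string
	ProxyClientCert string
	ProxyClientKey  string
}

const (
	defaultKCPCAPath  = "/etc/kcp/tls/ca/tls.crt"                         // hard-coded path quoted in the issue
	caBundleMountPath = "/etc/kcp/tls/ca-bundle/tls.crt"                  // hypothetical mount point for caBundleSecretRef
	proxyClientCert   = "/etc/kcp-front-proxy/requestheader-client/tls.crt"
	proxyClientKey    = "/etc/kcp-front-proxy/requestheader-client/tls.key"
)

// defaultPathMappings builds the same two mappings as the issue shows, but
// selects BackendServerCA from the mounted CA bundle when the root shard
// declares one (the suggested fix) instead of always pinning kcp-ca.
func defaultPathMappings(backendURL string, hasCABundleSecretRef bool) []PathMappingEntry {
	ca := defaultKCPCAPath
	if hasCABundleSecretRef {
		ca = caBundleMountPath
	}
	var entries []PathMappingEntry
	for _, p := range []string{"/clusters/", "/services/"} {
		entries = append(entries, PathMappingEntry{
			Path: p, Backend: backendURL, BackendServerCA: ca,
			ProxyClientCert: proxyClientCert, ProxyClientKey: proxyClientKey,
		})
	}
	return entries
}

var serial int64 // monotonically increasing serial numbers for the test certificates

// mustCert issues a certificate for cn. With parent == nil it is self-signed
// (a CA); otherwise it is a server leaf signed by parent.
func mustCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn} // hostname verification uses SANs, not CN
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// backendVerifies does what the front proxy does with BackendServerCA: it
// trusts exactly one root and checks the shard's serving cert against it.
func backendVerifies(leaf, root *x509.Certificate, dnsName string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName})
	return err == nil
}

// demo issues the root shard's cert from a CA other than kcp-ca (standing in
// for Let's Encrypt) and reports verification against each trust anchor.
func demo() (withKCPCA, withIssuingCA bool) {
	kcpCA, _ := mustCert("kcp-ca", nil, nil)
	otherCA, otherKey := mustCert("other-ca", nil, nil)
	shardLeaf, _ := mustCert("root-shard.kcp.example", otherCA, otherKey) // constructed hostname
	return backendVerifies(shardLeaf, kcpCA, "root-shard.kcp.example"),
		backendVerifies(shardLeaf, otherCA, "root-shard.kcp.example")
}

func main() {
	withKCPCA, withIssuingCA := demo()
	fmt.Printf("pinned kcp-ca verifies shard: %v; issuing CA verifies shard: %v\n", withKCPCA, withIssuingCA)
	for _, m := range defaultPathMappings("https://root-shard.kcp.example:6443", true) {
		fmt.Printf("%s -> %s (CA: %s)\n", m.Path, m.Backend, m.BackendServerCA)
	}
}
```

The first line of output shows the failure mode the report describes: with only kcp-ca in the pool the shard's certificate is rejected, and the proxy has no route to a working backend; pointing BackendServerCA at the mounted bundle (second half of the output) is what lets a differently-issued shard certificate verify. Note that whichever CA ends up in BackendServerCA becomes the only trust anchor for shard traffic, so a bundle containing a public CA should be paired with the hostname check the proxy already performs.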

Labels

kind/bug