Stop using a self-signed CA and use LetsEncrypt

[nacx]

Instead of using a self-signed CA we could be creating a LetsEncrypt issuer to issue certificates. we have all the bits needed to manage DNS so we should be able to create LetsEncrypt configs with DNS-based challenges.

[kurktchiev]

i think there is something to be said about this and external-dns be simply a toggleable component in the vars file.

If the intent for this to be a universal tool that allows tetrands to spin up what they need and also be something external customers can consume, we cannot make some of these assumptions about external reachability/etc.

my 2c

[nacx]

I agree. When it comes to implementing this it should be configurable, and we can support multiple CAs.
For the external-dns thing, the current PR adds it as a completely optional add-on that is only installed when running make external-dns.

[smarunich]

SubCa using Letsencrypt is not an option, however we can use cloud provided private CAs to implement if required

https://community.letsencrypt.org/t/can-i-create-my-own-subca-certificate/174394

Absolutely, external-dns is an option, but in my opinion it is a win functionality to which we should converge as a baseline foundation, i.e. VM onboarding operator dns record or even TSB MP DNS record generation

[shamusx]

letsencrypt ratelimits may cause headaches
https://github.com/tetrateio/tsb-labs/issues/100