UNCLASSIFIED - NO CUI

Add Cert manager and trust manager to BB maintained applications

Feature Request

Why

In UP, we rely heavily on cert-manager to issue, rotate, and manage TLS certificates for in-cluster workloads (ingress gateways, internal services, webhooks, etc.). Today, deploying cert-manager (and related certificate trust components) typically requires patching in our own version or maintaining overlays outside of the Big Bang (BB) managed deployment flow.

That creates a few recurring problems:

  • Drift from BB-managed state: custom patches/overlays can diverge from BB defaults and complicate upgrades.
  • Operational overhead: teams have to repeatedly re-implement the same deployment patterns (values, RBAC, namespaces, policies) across environments.
  • Inconsistent trust distribution: managing CA bundles and trust anchors across namespaces/workloads is harder without a first-class, BB-managed approach.
  • Security/compliance friction: policy enforcement for certificate approval/issuance is harder to standardize when these components are “bolt-on”.

Having cert-manager (and supporting components) available as BB-managed apps would allow UP teams to deploy them consistently through the standard Big Bang lifecycle (install/upgrade/rollback), with the same security and configuration patterns used for other platform components.

Proposed Solution

Add the following as BB-managed applications (preferably) or core apps if dependencies/ordering require it:

  1. cert-manager

    • Provide a BB-managed deployment of cert-manager (controller, cainjector, webhook).
    • Include sensible defaults aligned with BB patterns (namespace conventions, image sourcing/Iron Bank where applicable, security context, network policies if used, etc.).
    • Support common configuration hooks (install CRDs, extraArgs, leader election namespace, resource requests/limits, tolerations/affinity).
  2. trust-manager

    • Provide a BB-managed deployment of trust-manager to distribute trust bundles (ConfigMaps/Secrets) across namespaces/workloads.
    • Enable a consistent mechanism for propagating CA trust (especially useful for internal PKI chains, service mesh integration, and workloads needing shared trust anchors).
  3. (If possible) approver-policy

    • Include approver-policy to enforce and standardize certificate request approval rules (e.g., restrict DNS names, issuer references, namespaces, SAN patterns).
    • This would allow UP to apply centralized policy guardrails for certificate issuance in a repeatable BB-native way.
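As an added example of how the three components fit together once deployed (written for this request; not a manifest from Big Bang, cert-manager, or this proposal): a self-signed root bootstraps an internal CA, trust-manager fans the CA out as a ConfigMap, and approver-policy gates every CertificateRequest. Resource names, the trust=enabled namespace label and the app-* namespace convention are assumptions for illustration.

```yaml
# Added example (not Big Bang's manifests). Resource names, the trust=enabled
# label and the app-* namespace convention are assumptions for illustration.
# 1. Self-signed root, used only to bootstrap the internal CA.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-root
spec:
  selfSigned: {}
---
# 2. The CA. It sits in the cert-manager namespace: ClusterIssuers read secrets
#    there, and trust-manager only reads sources from its own trust namespace.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: internal-ca
  namespace: cert-manager
spec:
  isCA: true
  commonName: internal-ca
  secretName: internal-ca
  issuerRef: {name: selfsigned-root, kind: ClusterIssuer, group: cert-manager.io}
---
# 3. The issuer workloads actually request from.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: internal-ca
spec: {ca: {secretName: internal-ca}}
---
# 4. trust-manager publishes the CA (plus the default public CA package) as a
#    ConfigMap into every namespace labelled trust=enabled.
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: internal-ca-bundle
spec:
  sources:
    - useDefaultCAs: true
    - secret: {name: internal-ca, key: ca.crt}
  target:
    configMap:
      key: ca-bundle.pem
    namespaceSelector:
      matchLabels: {trust: enabled}
---
# 5. Built-in approver disabled => unmatched CertificateRequests are denied, so
#    the CA bootstrap needs a policy. Fields absent from "allowed" must be empty.
apiVersion: policy.cert-manager.io/v1alpha1
kind: CertificateRequestPolicy
metadata:
  name: internal-ca-bootstrap
spec:
  allowed:
    isCA: true
    commonName: {value: internal-ca, required: true}
    usages: ["digital signature", "key encipherment", "cert sign"]
  selector:
    issuerRef: {name: selfsigned-root, kind: ClusterIssuer, group: cert-manager.io}
    namespace:
      matchNames: ["cert-manager"]
---
# 6. Workload guardrail: in-cluster service names only, internal CA only,
#    app-* namespaces only; isCA is unset, so CA requests are denied.
apiVersion: policy.cert-manager.io/v1alpha1
kind: CertificateRequestPolicy
metadata:
  name: internal-services-only
spec:
  allowed:
    commonName: {value: "*.svc.cluster.local"}
    dnsNames: {values: ["*.svc.cluster.local"], required: true}
    usages: ["digital signature", "key encipherment", "server auth", "client auth"]
  selector:
    issuerRef: {name: internal-ca, kind: ClusterIssuer, group: cert-manager.io}
    namespace:
      matchNames: ["app-*"]
---
# 7. A policy applies only if the requester may "use" it; for Certificate
#    resources that is cert-manager's controller SA (cert-manager/cert-manager).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-policy:internal
rules:
  - apiGroups: ["policy.cert-manager.io"]
    resources: ["certificaterequestpolicies"]
    verbs: ["use"]
    resourceNames: ["internal-ca-bootstrap", "internal-services-only"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-policy:internal
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: ClusterRole, name: cert-manager-policy:internal}
subjects:
  - {kind: ServiceAccount, name: cert-manager, namespace: cert-manager}
```

Two caveats a practitioner hits on the first deploy: approver-policy only takes over if cert-manager's own auto-approver is turned off (cert-manager's documented way is the controller flag --controllers=*,-certificaterequests-approver, which is exactly what the extraArgs hook in item 1 would carry), and once it is off, anything without a matching policy, including the CA bootstrap in step 2, stays Denied rather than Pending, which is why step 5 exists. The "*" in the dnsNames and commonName values relies on approver-policy's wildcard matching; the Bundle's secret source assumes the CA Secret lives in trust-manager's trust namespace (cert-manager with chart defaults).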

Behavior / Impact

This addition should reduce the need for custom patches and standardize certificate management across UP environments. It would not change existing BB behavior unless enabled via values; these components can be optional toggles consistent with other BB apps.

Success Criteria

  • UP can enable cert-manager/trust-manager (and optionally approver-policy) via BB values without maintaining external overlays.
  • Upgrades follow BB-managed lifecycle with minimal drift.
  • Trust distribution and certificate issuance are consistent across namespaces and clusters.
  • Policy enforcement for certificate requests is possible using approver-policy when enabled.