Add support for cert-manager

[jsoref]

Is your feature request related to a problem? Please describe.

We'd like to replace ingress-nginx + cert-manager with skipper + cert-manager (where ingress-nginx or skipper is public facing and responsible for terminating TLS)

Describe the solution you would like
Be able to install cert-manager.io, configure ClusterIssuer, and Certificate, and configure a Skipper object similar to the kind: Ingress example in https://cert-manager.io/docs/tutorials/acme/nginx-ingress/#step-4---deploy-an-example-service

Describe alternatives you've considered (optional)

Additional context (optional)

I'm told the development work involves:

have cert-manager to do the cert challenge and provide a secret that is mounted to your skipper pod, then

skipper/secrets/certregistry/certregistry.go

Lines 23 to 29 in 154fa30

	func NewCertRegistry() *CertRegistry {
	l := make(map[string]*tls.Certificate)
	return &CertRegistry{
	lookup: l,
	}
	}

skipper/secrets/certregistry/certregistry.go

Lines 23 to 29 in 154fa30

	func NewCertRegistry() *CertRegistry {
	l := make(map[string]*tls.Certificate)
	return &CertRegistry{
	lookup: l,
	}
	}

The expectation is that there would be a lot more work to establish testing than.

Would you like to work on it?
Maybe

[szuecs]

Thanks for the issue I am digging a bit more into the current implementation and I think it should already work if you do not use routesrv.
The dataclient/kubernetes will use https://github.com/zalando/skipper/blob/master/secrets/certregistry/certregistry.go#L33 from https://github.com/zalando/skipper/blob/master/dataclients/kubernetes/ingressv1.go#L296

This means the ConnectionManager has already the updated certs via the dataclient/kubernetes.

ref slack: https://gophers.slack.com/archives/C82Q5JNH5/p1767380991349159?thread_ts=1767372290.506829&cid=C82Q5JNH5