feat: Enhance BackupStorageLocation with Secret-based CA certificate support

- Introduced `CACertRef` field in `ObjectStorageLocation` to reference a Secret containing the CA certificate, replacing the deprecated `CACert` field.
- Implemented validation logic to ensure mutual exclusivity between `CACert` and `CACertRef`.
- Updated BSL controller and repository provider to handle the new certificate resolution logic.
- Enhanced CLI to support automatic certificate discovery from BSL configurations.
- Added unit and integration tests to validate new functionality and ensure backward compatibility.
- Documented migration strategy for users transitioning from inline certificates to Secret-based management.

Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>
Tiger Kaovilai
2025-08-01 12:37:05 -04:00
parent 554b04e6ca
commit 61bf2ef777
21 changed files with 1220 additions and 88 deletions


@@ -201,11 +201,22 @@ func (r *BackupRepoReconciler) needInvalidBackupRepo(oldObj client.Object, newOb
return true
}
// Check if either CACert or CACertRef has changed
if !bytes.Equal(oldStorage.CACert, newStorage.CACert) {
logger.Info("BSL's CACert has changed, invalid backup repositories")
return true
}
// Check if CACertRef has changed
if (oldStorage.CACertRef == nil && newStorage.CACertRef != nil) ||
(oldStorage.CACertRef != nil && newStorage.CACertRef == nil) ||
(oldStorage.CACertRef != nil && newStorage.CACertRef != nil &&
(oldStorage.CACertRef.Name != newStorage.CACertRef.Name ||
oldStorage.CACertRef.Key != newStorage.CACertRef.Key)) {
logger.Info("BSL's CACertRef has changed, invalid backup repositories")
return true
}
if !reflect.DeepEqual(oldConfig, newConfig) {
logger.Info("BSL's storage config has changed, invalid backup repositories")