Split root_ca in CSR API

[howardjohn]

Opening this for discussion.

Good background reading: https://github.com/istio/istio/issues/55793. Note we do NOT need this API to fix the bug. This PR is about making the API more clear and less error-prone.

This API still is not ideal. A better approach would be to have a separate stream of root CAs and perhaps some way to tell the client they should send a new CSR. This is a much bigger change than is present here, though.

[istio-policy-bot]

🤔 🐛 You appear to be fixing a bug in Go code, yet your PR doesn't include updates to any test files. Did you forget to add a test?

Courtesy of your friendly test nag.

[istio-testing]

@howardjohn: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
release-notes_api	5fc618fa7d0af75e38e84ec2880c85525895c0f6	link	false	/test release-notes

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[howardjohn]

how can you make sure during upgrade, it is capatible for both client and server iwith different versions

that's a good call, I only really consider older control plane than data plane, not newer control plane... but that's an important issue