Support AccessToken auth for Venafi TPP

[james-w]

Is your feature request related to a problem? Please describe.
Currently for TPP cert-manager only supports username/password auth. This will
be deprecated in TPP 21.1 and we should switch to AccessToken auth.

Describe the solution you'd like
Extend support to prefer reading AccessToken from the TPP issuer secret if
it is present, fall back to username/password if it is not present.

The docs should be updated to first explain how to set up the AccessToken
method.

Describe alternatives you've considered
I guess it's possible the TPP issuer config should change to be able to
point to a different secret for AccessToken, but I don't see why that would
be needed.

/kind feature

[james-w]

For cert-manager I think it makes sense to expect it to be provided the AccessToken and RefreshToken (it would use the latter to get a new AccessToken when the original one expires).

[meyskens]

Looking into the oauth mechanics a bit more the refresh token is an internal thing and should never be exposed to the user, in that case cert-manager should be able to have a mechanism to get new access tokens from vCert and update the token secret

[meyskens]

/area venafi
/priority important-soon

[meyskens]

for the person picking this up contact @james-w

[james-w]

Talking with @meyskens we think the best approach is to use the pkcs12 cert support to do this. We can take a cert as
the input, and then use that to get the tokens.

We still need to account for the tokens expiring, and triggering token refresh, either with the refresh token or with the
pkcs12 cert.

[meyskens]

Advantage on pkcs12 is that we can store the tokens in memory so we do not have to update the secret

[meyskens]

/assign @wallrj