ref(security): Add TLS support for etl-api

[iambriccardo]

This PR introduces a new mechanism for TLS authentication between the etl-api and the source database. It adds a shared certificate cache that is also used during replicator creation.

The cache stores the trusted root certificate and has a TTL of one day, primarily to avoid repeated queries to the Kubernetes control plane for the same certificate.

The TTL also serves as a recovery mechanism. In the event that the certificate changes and a service restart is not immediately possible, the cache will eventually expire and allow the system to pick up the updated certificate automatically.

[coveralls]

Pull Request Test Coverage Report for Build 20431236914

Details

• 131 of 219 (59.82%) changed or added relevant lines in 12 files are covered.
• 97 unchanged lines in 8 files lost coverage.
• Overall coverage decreased (-0.2%) to 81.721%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
etl-api/src/routes/destinations_pipelines.rs	6	7	85.71%
etl-api/src/routes/pipelines.rs	27	31	87.1%
etl-api/src/startup.rs	7	11	63.64%
etl-api/src/routes/sources/tables.rs	0	9	0.0%
etl-api/src/k8s/cache.rs	67	96	69.79%
etl-api/src/routes/sources/publications.rs	0	41	0.0%

Files with Coverage Reduction	New Missed Lines	%
etl-api/src/routes/sources/publications.rs	1	0.0%
etl/src/pipeline.rs	2	81.56%
etl/src/types/event.rs	2	37.84%
etl-postgres/src/tokio/test_utils.rs	6	85.96%
etl/src/test_utils/event.rs	8	80.77%
etl/src/test_utils/notify.rs	8	87.1%
etl/src/test_utils/test_destination_wrapper.rs	14	73.61%
etl/src/replication/client.rs	56	79.7%

Totals
Change from base Build 20425231064:	-0.2%
Covered Lines:	16672
Relevant Lines:	20401

---

💛 - Coveralls

[iambriccardo]

@codex review

[chatgpt-codex-connector]

To use Codex here, create a Codex account and connect to github.