handle enrollment with identity from SPIRE agent #112

Open
qrkourier opened this issue Jun 16, 2023 · 1 comment

Comments

@qrkourier
Member

We need to know the best way to inject an identity from SPIRE to a pod. One way is to run spire-agent in the container. There may be a SPIRE Operator we can use.

Once the best way is identified we need to handle that identity during ziti-host pod startup to establish a pattern for charts that represent an endpoint (SDK or tunneler).

This could mean conditionally performing the external CA enrollment with the external CA JWT and the cert and key provided by SPIRE.

@kevinlmadison
Contributor

kevinlmadison commented May 1, 2024

So I came across this issue when googling for ziti + spire, and while I don't have specific ideas about the ziti integration with spire I am aware of some tooling around solving the issue of getting the spire identities into pods.
One option is the spiffe-helper:
https://github.com/spiffe/spiffe-helper
which I would imagine is probably the ideal solution.

There is also a new kubernetes built-in for distributing and housekeeping certs:
https://kubernetes.io/docs/concepts/storage/projected-volumes/#clustertrustbundle

I'm very much in the thick of things and haven't had time to investigate either of these solutions fully, but I think they might be good candidates. Also, I think the second option I posted could potentially replace the Cert-Manager-Trust Operator (forgive me if that is not the correct name).
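As an added example that is not part of this issue thread or of the openziti/helm-charts project: the pattern the opening post asks for (conditionally performing the external-CA enrollment with the external-CA JWT plus the cert and key delivered by SPIRE) can be sketched as a POSIX sh startup helper for a ziti-host style pod. It assumes, as the second comment suggests, that spiffe-helper (or a spire-agent sidecar) has already written the X.509-SVID into a directory; the file names `svid.pem` and `svid_key.pem` are spiffe-helper's documented defaults, while the `SVID_DIR`, `ZITI_ENROLL_JWT` and `ZITI_IDENTITY_OUT` variables and the `ziti edge enroll --jwt ... --cert ... --key ... --out ...` invocation are assumptions made for this example, not something the issue specifies. It also assumes the SPIRE CA has been registered with the Ziti controller as a third-party CA and that the JWT is the matching external-CA enrollment token.

```shell
#!/bin/sh
# Example startup helper (not project code): pick the enrollment mode for a
# ziti-host pod from what SPIRE has delivered, then enroll exactly once.
# Assumed paths/env vars (not from the issue):
#   SVID_DIR          directory where spiffe-helper writes svid.pem / svid_key.pem
#   ZITI_ENROLL_JWT   enrollment token; an external-CA (ottca) JWT in 3rdparty mode
#   ZITI_IDENTITY_OUT where `ziti edge enroll` should write the identity JSON

SVID_DIR="${SVID_DIR:-/run/spire/svid}"
ZITI_ENROLL_JWT="${ZITI_ENROLL_JWT:-/etc/ziti/enroll.jwt}"
ZITI_IDENTITY_OUT="${ZITI_IDENTITY_OUT:-/etc/ziti/identity.json}"

# True when the file exists, is readable and is non-empty (an empty svid.pem
# is what a half-written rotation looks like, so treat it as absent).
usable_file() { [ -s "$1" ] && [ -r "$1" ]; }

# Print "3rdparty" when both SVID files are present and "ott" when neither is.
# Exactly one present is an error: a partially delivered SVID must not fall
# back silently to a one-time-token enrollment that assumes a different JWT.
select_enrollment_mode() {
  dir="$1"
  if usable_file "$dir/svid.pem" && usable_file "$dir/svid_key.pem"; then
    echo 3rdparty
  elif usable_file "$dir/svid.pem" || usable_file "$dir/svid_key.pem"; then
    echo "only one of svid.pem/svid_key.pem is present in $dir" >&2
    return 1
  else
    echo ott
  fi
}

# Print the enroll command for a mode. Both modes need the JWT, so its absence
# fails here rather than in a confusing error from the CLI later.
build_enroll_cmd() {
  mode="$1"; jwt="$2"; dir="$3"; out="$4"
  usable_file "$jwt" || { echo "enrollment JWT not found: $jwt" >&2; return 1; }
  case "$mode" in
    3rdparty) echo "ziti edge enroll --jwt $jwt --cert $dir/svid.pem --key $dir/svid_key.pem --out $out" ;;
    ott)      echo "ziti edge enroll --jwt $jwt --out $out" ;;
    *)        echo "unknown enrollment mode: $mode" >&2; return 1 ;;
  esac
}

# Enroll once per identity: a restarted pod must not burn a second token.
enroll_if_needed() {
  if usable_file "$ZITI_IDENTITY_OUT"; then
    echo "identity already present at $ZITI_IDENTITY_OUT, skipping enrollment"
    return 0
  fi
  mode=$(select_enrollment_mode "$SVID_DIR") || return 1
  cmd=$(build_enroll_cmd "$mode" "$ZITI_ENROLL_JWT" "$SVID_DIR" "$ZITI_IDENTITY_OUT") || return 1
  echo "enrolling in $mode mode: $cmd"
  # Word-splitting on purpose; the assumed paths contain no whitespace.
  $cmd
}

# Only act when invoked as `startup.sh run`, so the file can also be sourced.
if [ "${1:-}" = run ]; then
  enroll_if_needed
fi
```

Two caveats for anyone turning this into a chart hook: an X.509-SVID is short-lived and is rotated in place by spiffe-helper, so the identity written in 3rdparty mode must keep pointing at the rotated files rather than a snapshot copied at startup; and in ott mode the JWT is consumed by the controller on first use, which is why the helper refuses to re-enroll when an identity file already exists.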
