Make Makefiles reusable and automate release process

[inteon]

ref: cert-manager/makefile-modules#3

Note

The trust-bundle adds some extra complexity

1. The trust-bundle image uses a file in the "/debian-package" folder as copy-source, adding this file is not possible through ko and has to be done in an extra step. Luckily, we can reuse the layer-append logic that we have for the licenses module.
2. trust-bundles are versioned separately from trust-manager. However, when we do a trust-manager release, the Helm chart must refer to an existing trust-bundle. For that reason, the trust-manager release process starts with a oci-maybe-push-package_debian action to make sure the referenced trust package exists.
3. To simplify the release process, both trust-manager and the debian trust-bundle are published using GH actions now. This reduces the number of different systems (removes gcb) we have & pipeline secrets we have. It does however add extra changes to this PR.

ℹ️ I tested these changes on my personal branch and fixed all remaining issues in the release process.

[jetstack-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from inteon. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[SgtCoDFish]

One thing I spotted!

I think it'd be nice and not too difficult to roll this change out in a way that doesn't require breaking the tests at any point, but I guess we can always roll the tests back so I don't think that's a requirement.

EDIT: That said, since the tests are failing right now maybe that would be a good idea so we can have some confidence before we merge

[inteon]

@SgtCoDFish I re-added the old make targets for backwards compatibility, now we don't have to break the tests.

[SgtCoDFish]

/lgtm
/approve
/hold

I think this is good to go and kudos to @inteon for the effort it took to get this done.

I'm adding a hold because Tim isn't working today as far as I can tell (despite the updates he made this morning!). This can wait until Monday to merge, and then Tim should be available to help with the followup PRs to cleanup the testing repo / remove the deprecated make targets afterwards.

[cert-manager-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: SgtCoDFish

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [SgtCoDFish]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[inteon]

/unhold

[SgtCoDFish]

note: IMPORTANT

I missed this during the review. I shouldn't have missed it and it'll need to fixed.

This uses the system's trust-bundle, not the one from the container.

It breaks development on all platforms which aren't Debian-based linux (e.g. macOS, RHEL, etc)

It shouldn't lead to an incorrect bundle being pushed upstream, but it needs fixing as a matter of urgency in case that changes in the future.

See #355

[inteon]

Thanks for noticing & fixing @SgtCoDFish!
I made a typo indeed.