salt, build: Add certs renewal orchestrate

This orchestrate will be called by the reactor
when it will receive an event for an expired
certificates.
It will run `sls` defined under `certs_renewal`
pillar entry for each expired certificate.

Refs: #1887

buildchain/buildchain/salt_tree.py

@@ -576,6 +576,8 @@ def _get_parts(self) -> Iterator[str]:
     Path('salt/metalk8s/orchestrate/bootstrap/pre-downgrade.sls'),
     Path('salt/metalk8s/orchestrate/bootstrap/pre-upgrade.sls'),
 
+    Path('salt/metalk8s/orchestrate/certs/renew.sls'),
+
     Path('salt/metalk8s/orchestrate/downgrade/init.sls'),
     Path('salt/metalk8s/orchestrate/downgrade/precheck.sls'),
     Path('salt/metalk8s/orchestrate/downgrade/pre.sls'),

salt/metalk8s/orchestrate/certs/renew.sls

@@ -0,0 +1,29 @@
+{%- from "metalk8s/map.jinja" import certificates with context %}
+
+{%- set sls = [] %}
+{%- set post_mods = [] %}
+
+{%- for cert_type in ['client', 'kubeconfig', 'server'] %}
+  {%- for cert in certificates[cert_type].files.values() %}
+    {%- if cert['path'] in pillar.orchestrate.certificates %}
+      {%- set renew = cert.get('renew', {}) %}
+      {%- do sls.extend(renew.get('sls', [])) %}
+      {%- do post_mods.extend(renew.get('post', {}).get('orch', [])) %}
+    {%- endif %}
+  {%- endfor %}
+{%- endfor %}
+
+Renew expired certificates:
+  salt.state:
+    - tgt: {{ pillar.orchestrate.target }}
+    - sls: {{ sls | unique | json }}
+
+{%- if post_mods %}
+Run post certificate renewal actions:
+  salt.runner:
+    - name: state.orchestrate
+    - mods: {{ post_mods | unique | json }}
+    - saltenv: {{ saltenv }}
+    - require:
+      - salt: Renew expired certificates
+{%- endif %}