WaitForSidecarTLSSecret: per-task deadline + diagnostic surfacing

[bdchatham]

Problem

#247 adds a terminal-failure path on Certificate.Ready=False/Reason=Failed, which catches the most common stuck case (bad IssuerName). Two gaps remain:

1. No wall-clock deadline. Other terminal cert-manager states (e.g., issuer CA crashed mid-issuance, network partition to a remote ACME server) leave Certificate.Ready=False with reasons other than Failed. The task polls forever.
2. Transient diagnostic invisibility. While Certificate.Ready=False/Reason=Issuing is in progress, operators see only condition=NodeUpdateInProgress, reason=TLSToggleStarted — no insight into why issuance is slow. cert-manager's message field on the Ready condition would help.

Proposed scope

• Add a per-task deadline (configurable; default ~10min for cert-manager issuance) — return Terminal if Secret.tls.crt is still empty past the deadline
• Surface Certificate.Ready.message into the task error (non-Terminal) on each poll so it lands in status.plan.tasks[i].error and operators can grep for it via kubectl describe seinode

Why deferred from #247

The Terminal-on-Failed fix lands the primary blocker. The deadline + diagnostic surfacing is defense-in-depth and a UX improvement, not a correctness gap on the rollout path.

References

• Sidecar TLS toggle on Running SeiNodes — extend drift detection + reprovision plan #247
• internal/task/wait_for_sidecar_tls_secret.go

[bdchatham]

Scope reduced under the revised design (docs/design-seinode-sidecar-tls-toggle-lld.md, tracked in #255).

The cert-manager-stuck-forever path no longer applies — the controller doesn't create the Certificate and doesn't read its Ready condition. The remaining concern is narrower: under the new design, preflight cert SAN validation could hang if the referenced Secret never becomes valid (operator never provisions it, or always provisions a cert with wrong SANs). Today this surfaces as SidecarTLSSecretReady=False with a clear reason — operator-visible, but no auto-fail.

Revised scope: add a configurable per-SeiNode preflight-gate deadline. If SidecarTLSSecretReady (or any other init-blocking condition) stays False past the deadline, transition the SeiNode to a terminal Failed phase with the reason copied from the condition.

Could generalize to all preflight conditions (SigningKeyReady, NodeKeyReady, OperatorKeyringReady, SidecarTLSSecretReady) — same pattern. Worth considering as the broader concern.

Not blocking #255.