  1. OpenShift Cloud Credential Operator
  2. CCO-602

Bound Service Account Signer Key Rotation


    • Type: Spike
    • Resolution: Done
    • Priority: Major

      Add documentation to the cloud-credential-repo describing how to rotate the cluster bound-service-account-signing-key, including adding the new key to the Microsoft Azure Workload Identity issuer file. The process should meet the following requirements:

      • The next-bound-service-account-signing-key is (re)generated by the cluster.
      • The (next-)bound-service-account-signing-key private key never leaves the cluster.
      • There is minimal downtime (preferably zero) for pods using Microsoft Azure WI credentials while authenticating to the Azure API.

              jstuever@redhat.com Jeremiah Stuever
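
An added illustration of the requirements above, not code from this issue or from the Cloud Credential Operator project. It assumes the "issuer file" is the OIDC JWKS document that Azure fetches to validate service account tokens; it appends the next public key beside the current one, so tokens signed by either key validate during rotation, and refuses any JWK that carries private members. The function name, key IDs and key values are constructed for the example.

```python
import json

# JWK members that carry private or secret key material (RFC 7518):
# RSA d/p/q/dp/dq/qi/oth, EC d, symmetric k.
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}


def merge_public_key(jwks_text, new_jwk):
    """Return JWKS JSON text that publishes new_jwk alongside the existing keys."""
    leaked = PRIVATE_MEMBERS.intersection(new_jwk)
    if leaked:
        raise ValueError("refusing to publish private JWK members: %s" % sorted(leaked))
    if not new_jwk.get("kid"):
        raise ValueError("new key needs a kid so token headers can select it")

    jwks = json.loads(jwks_text)
    keys = jwks.get("keys", [])
    for key in keys:
        if PRIVATE_MEMBERS.intersection(key):
            raise ValueError("existing issuer file already contains private members")

    # Idempotent: re-running with the same kid must not duplicate the entry.
    same_kid = [k for k in keys if k.get("kid") == new_jwk["kid"]]
    if same_kid:
        if same_kid[0] != new_jwk:
            raise ValueError("kid collision with different key material")
        return json.dumps(jwks, indent=2)

    # Append rather than replace: tokens signed by the old key stay valid
    # until it is removed in a later step, which avoids downtime.
    jwks["keys"] = keys + [new_jwk]
    return json.dumps(jwks, indent=2)


# Constructed sample values, not real key material.
CURRENT_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "use": "sig", "alg": "RS256",
     "kid": "old-key-id", "n": "b2xkLW1vZHVsdXM", "e": "AQAB"},
]})
NEXT_PUBLIC_JWK = {"kty": "RSA", "use": "sig", "alg": "RS256",
                   "kid": "next-key-id", "n": "bmV4dC1tb2R1bHVz", "e": "AQAB"}

if __name__ == "__main__":
    print(merge_public_key(CURRENT_JWKS, NEXT_PUBLIC_JWK))
```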