Story
Resolution: Done
Major
Node Observability Agent uses TLS to talk to kubelet. Currently the kubelet CA is copied from the openshift config namespace at the time of the creation of the agent's daemonset.
This prevents the agent from following up with the CA rotations because:
- the target configmap (in the operator's namespace) is created and never updated
- coupling of the daemonset lifecycle with the target config map
To address the aforementioned points, a dedicated controller has to be added to the operator. This controller would have to copy the configmap from the source namespace into the target one.
Note: the agent's daemonset would have to be able to reload the contents of the configmap into its TLS connection settings (fswatch or annotation with the hash).
Example from another operator: ca-configmap controller
Acceptance criteria:
- Unit tests covering the new controller and changes in the nodeobservability controller
- E2E is working
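
An added example (not the operator's code) of the reconcile step the description calls for: copy the CA configmap data from source to target and stamp a content hash on the daemonset's pod template annotations, so that a CA rotation changes the template and rolls the agent pods. ConfigMap data and annotations are modelled as plain Go maps, and the annotation key is hypothetical.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Hypothetical annotation key (an assumption, not the operator's own).
const caHashAnnotation = "example.com/kubelet-ca-hash"

// caHash hashes ConfigMap data deterministically: map iteration order is
// random in Go, so keys are sorted before being fed to SHA-256.
func caHash(data map[string]string) string {
	keys := make([]string, 0, len(data))
	for k := range data {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	h := sha256.New()
	for _, k := range keys {
		// Length-prefix each field so {"a":"bc"} and {"ab":"c"} differ.
		fmt.Fprintf(h, "%d:%s%d:%s", len(k), k, len(data[k]), data[k])
	}
	return hex.EncodeToString(h.Sum(nil))
}

// reconcileCA syncs target to source and stamps the CA hash annotation.
func reconcileCA(source, target, podAnnotations map[string]string) bool {
	want := caHash(source)
	if caHash(target) == want && podAnnotations[caHashAnnotation] == want {
		return false // already in sync: no write, no rollout
	}
	for k := range target {
		delete(target, k) // drop keys that were removed from the source
	}
	for k, v := range source {
		target[k] = v
	}
	podAnnotations[caHashAnnotation] = want
	return true
}

func main() {
	src := map[string]string{"ca-bundle.crt": "constructed CA v1"} // constructed sample
	dst, ann := map[string]string{}, map[string]string{}
	changed := reconcileCA(src, dst, ann)
	fmt.Println(changed, ann[caHashAnnotation])
}
```

In a real controller the two maps would be the source and target ConfigMap `Data` fields and the third the daemonset's pod template annotations, with the `false` return path skipping the API update.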