Currently a new revision is created when the ca bundle configmaps (etcd-signer / metrics-signer) have changed. 

As of today, this change is not transactional across invocations of EnsureConfigMapCABundle, meaning that four revisions (at most, one for each function call) could be created. 

For gating the leaf cert generation on a fixed revision number, it's important to ensure that any bundle change will only ever result in exactly one revision change.

We currently ensure this for leaf certificates by a single update to "etcd-all-certs", we can use the exact same trick again.

AC: 

• create a single revisioned configmap that contains all relevant CA bundles
• update all static pod manifests to read from that configmap instead of the two existing ones