At the moment, the automatic certificate management is done in a blocking manner:  https://github.com/bf2fc6cc711aee1a0c2a/kas-fleet-manager/blob/49ca377b2bc7368316653412721bd17e859355d5/internal/kafka/internal/services/kafkatlscertmgmt/kafka_tls_certificate_management_service.go#L80 
which can potentially block the reconciler depending on the time the calls to backing external service takes: in Stage we've observed certificate reconciling times of up to `20s` for some Kafkas: see reconciler times 

The certmagic library has an asynchrnous "ManageAsync" method which we could use.

For each Kafka in preparing state, we need to wait for the certificate to become available before we can move it to the provisioning state.
If the certificate are not available, we should not return an error so that we continue reconciling since the certificate will eventually become available in the certificate storage.