Red Hat OpenStack Services on OpenShift
OSPRH-27314

PQC: Add explicit privateKey spec to cert-manager Certificate manifests in storage operators


      As a security engineer, I want all cert-manager Certificate manifests in the cinder, glance, manila, and swift operators to explicitly specify a privateKey algorithm, so that cert-manager does not silently default to RSA-2048 (which is VULNERABLE to Shor's algorithm on a quantum computer).

      • Add the following to the spec of both config/certmanager/certificate-metrics.yaml and config/certmanager/certificate-webhook.yaml in cinder-operator, glance-operator, manila-operator, and swift-operator:
           issuerRef:
             kind: Issuer
             name: selfsigned-issuer
        +  privateKey:
        +    algorithm: ECDSA
        +    size: 384
           secretName: webhook-server-cert
        

        ECDSA P-384 is the recommended interim algorithm: it stops the silent RSA-2048 default and reduces the ML-DSA migration to a one-line change when cert-manager adds PQC support.

      • Long-term: migrate to algorithm: ML-DSA when Go stdlib adds crypto/mldsa and cert-manager implements ML-DSA key generation. This is a future item with upstream dependencies and is out of scope of this Jira.
      • After applying the fix, add # noopengrep to the kind: Certificate line in each manifest to suppress the automated scanner finding once verified.
      • Reference: cert-manager defaults to RSA-2048 per pkg/util/pki/generate.go line 60:
        case v1.PrivateKeyAlgorithm(""), v1.RSAKeyAlgorithm:
        

        https://github.com/cert-manager/cert-manager/blob/master/pkg/util/pki/generate.go#L60-L67

      Acceptance Criteria:

      • certificate-metrics.yaml and certificate-webhook.yaml in cinder-operator, glance-operator, manila-operator, and swift-operator contain privateKey: {algorithm: ECDSA, size: 384}
      • cert-manager issues ECDSA P-384 certificates for operator webhook and metrics secrets (verified via: kubectl get secret webhook-server-cert -o yaml)
      • OpenGrep rule [1] certmanager-certificate-no-private-key-spec is suppressed with # noopengrep after fix is verified

      [1] https://gitlab.cee.redhat.com/OSP-DFG-security/pqc-automated-analysis
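To make the fix and the first acceptance criterion checkable without a cluster, here is an added example (not code from any of the storage operators, cert-manager, or the OpenGrep rule set) that audits a Certificate manifest for an explicit spec.privateKey and inserts the ECDSA P-384 block at the position shown above when it is missing. It uses only the Python standard library; the hand-rolled parser handles just the block mappings and scalar lists these manifests use, and the sample manifest is constructed for the example rather than taken from a repository.

```python
"""Audit cert-manager Certificate manifests for an explicit spec.privateKey
and insert the ECDSA P-384 block where it is missing (added example)."""
from typing import Any

# Required by the ticket in every storage-operator Certificate manifest.
REQUIRED_PRIVATE_KEY = {"algorithm": "ECDSA", "size": 384}
PRIVATE_KEY_BLOCK = ["privateKey:", "  algorithm: ECDSA", "  size: 384"]

# Constructed sample: shape of a certificate-webhook.yaml before the fix.
# No privateKey block, so cert-manager falls through to its RSA-2048 default.
UNFIXED_MANIFEST = """\
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: serving-cert
  namespace: system
spec:
  dnsNames:
  - webhook-service.system.svc
  - webhook-service.system.svc.cluster.local
  issuerRef:
    kind: Issuer
    name: selfsigned-issuer
  secretName: webhook-server-cert
"""


def _scalar(value: str) -> Any:
    value = value.strip().strip("'\"")
    return int(value) if value.isdigit() else value


def parse_simple_yaml(text: str) -> dict[str, Any]:
    """Minimal parser: nested block mappings plus lists of scalars. Not general YAML."""
    root: dict[str, Any] = {}
    stack: list[tuple[int, Any]] = [(0, root)]   # (indent of entries, container)
    pending = None                                # (parent dict, key, indent) awaiting a block
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()     # tolerate trailing "# noopengrep"
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        content = line.strip()
        if content.startswith("- "):              # scalar list item
            if pending and indent >= pending[2]:
                pending[0][pending[1]] = []
                stack.append((indent, pending[0][pending[1]]))
                pending = None
            if not isinstance(stack[-1][1], list) or stack[-1][0] != indent:
                raise ValueError(f"unsupported list layout: {raw!r}")
            stack[-1][1].append(_scalar(content[2:]))
            continue
        if content.endswith(":") and ": " not in content:
            key, value = content[:-1], ""
        else:
            key, _, value = content.partition(": ")
        if pending and indent > pending[2]:       # first key of a nested mapping
            pending[0][pending[1]] = {}
            stack.append((indent, pending[0][pending[1]]))
        pending = None
        while len(stack) > 1 and (isinstance(stack[-1][1], list) or stack[-1][0] > indent):
            stack.pop()
        container = stack[-1][1]
        if stack[-1][0] != indent or not isinstance(container, dict):
            raise ValueError(f"unsupported mapping layout: {raw!r}")
        if value == "":
            container[key] = None
            pending = (container, key, indent)
        else:
            container[key] = _scalar(value)
    return root


def audit_certificate(text: str) -> list[str]:
    """Findings for one Certificate manifest; an empty list means it is compliant."""
    doc = parse_simple_yaml(text)
    if doc.get("kind") != "Certificate":
        return []
    name = (doc.get("metadata") or {}).get("name", "<unnamed>")
    private_key = (doc.get("spec") or {}).get("privateKey") or {}
    if not private_key.get("algorithm"):
        return [f"{name}: spec.privateKey.algorithm not set; cert-manager silently defaults to RSA-2048"]
    if {k: private_key.get(k) for k in REQUIRED_PRIVATE_KEY} != REQUIRED_PRIVATE_KEY:
        return [f"{name}: spec.privateKey is {private_key}, expected {REQUIRED_PRIVATE_KEY}"]
    return []


def add_private_key_spec(text: str) -> str:
    """Insert the ECDSA P-384 block under spec (before secretName) if privateKey is absent."""
    if "privateKey" in (parse_simple_yaml(text).get("spec") or {}):
        return text                               # already explicit; idempotent
    lines = text.splitlines()
    spec_at = next(i for i, l in enumerate(lines) if l.rstrip() == "spec:")
    pad = " " * (len(lines[spec_at + 1]) - len(lines[spec_at + 1].lstrip(" ")))
    insert_at = next((i for i in range(spec_at + 1, len(lines))
                      if lines[i].startswith(pad + "secretName:")), None)
    if insert_at is None:                         # no secretName: append at end of spec block
        insert_at = spec_at + 1
        while insert_at < len(lines) and (not lines[insert_at].strip() or lines[insert_at].startswith(pad)):
            insert_at += 1
    lines[insert_at:insert_at] = [pad + b for b in PRIVATE_KEY_BLOCK]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for finding in audit_certificate(UNFIXED_MANIFEST):
        print("before:", finding)
    fixed = add_private_key_spec(UNFIXED_MANIFEST)
    print("after:", audit_certificate(fixed) or "compliant")
    print(fixed)
```

Run it against each certificate-metrics.yaml and certificate-webhook.yaml; a manifest that already carries privateKey is returned unchanged, and an explicit but different privateKey (for example ECDSA without size: 384) is reported as a mismatch rather than silently accepted.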

Assignee: Unassigned
Reporter: John Fulton (rhn-support-johfulto)
Component: rhos-storage-integration