A bug in Elasticsearch leads to Elasticsearch presenting an outdated certificate with the wrong IP address during and after rolling upgrades.
To mitigate this, we can improve the existing prepare-fs init container to not only wait for certificates to be present on disk, but also to ensure those certificates have the correct IP address, before we move on with the Elasticsearch container.
openssl is not present in the Elasticsearch Docker image, so we cannot easily inspect the certificate content. Instead we may need to clearly identify Pod IP addresses in the certs secret content, for example by adding new files that associate a Pod name to a Pod IP address. In the script, we would wait until the IP address presented in the secret files matches the $POD_IP environment variable.
We must make sure this new way of doing things does not break existing clusters, which rely on the existing certificate files named from the Pod name.
#2830 proposes another alternative where we would rely on Pod DNS names instead of IP addresses, which would make this issue irrelevant.
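The wait described above, as an added example rather than the project's own prepare-fs script. It assumes a hypothetical layout in the mounted certs secret: the existing `<pod-name>.tls.crt` / `<pod-name>.tls.key` files named from the Pod name, plus a new `<pod-name>.ip` file holding the IP the certificate was issued for (a file name chosen here for illustration). Because openssl is unavailable in the image, the check compares that file against `$POD_IP` instead of parsing the certificate. When the `.ip` file is absent, as it would be on a cluster created by an older operator, the script falls back to the presence-only check so existing clusters keep working.

```shell
#!/bin/sh
# Added example, not ECK's actual prepare-fs init script.
# Assumed (hypothetical) secret layout under CERTS_DIR:
#   <pod-name>.tls.crt, <pod-name>.tls.key  existing files, named from the Pod name
#   <pod-name>.ip                            new file with the IP the cert was issued for
# POD_NAME and POD_IP are assumed to be injected via the Kubernetes downward API.

# cert_ready DIR POD_NAME POD_IP
# Returns 0 when the node cert and key exist and, if an IP file is present,
# the recorded IP matches POD_IP. Without an IP file (older clusters) the
# presence of cert and key is enough, preserving the previous behaviour.
cert_ready() {
  dir=$1; pod=$2; ip=$3
  [ -s "$dir/$pod.tls.crt" ] && [ -s "$dir/$pod.tls.key" ] || return 1
  if [ -f "$dir/$pod.ip" ]; then
    recorded=$(tr -d '[:space:]' < "$dir/$pod.ip")
    [ "$recorded" = "$ip" ] || return 1
  fi
  return 0
}

# wait_for_cert DIR POD_NAME POD_IP TIMEOUT_SECONDS [INTERVAL_SECONDS]
# Polls cert_ready until it succeeds or TIMEOUT_SECONDS have elapsed.
# A stale secret (old IP) keeps the init container waiting instead of
# letting Elasticsearch start with the wrong certificate.
wait_for_cert() {
  dir=$1; pod=$2; ip=$3; timeout=$4; interval=${5:-1}
  elapsed=0
  until cert_ready "$dir" "$pod" "$ip"; do
    if [ "$elapsed" -ge "$timeout" ]; then
      echo "timed out waiting for certificate for $pod with IP $ip in $dir" >&2
      return 1
    fi
    sleep "$interval"
    elapsed=$((elapsed + interval))
  done
  return 0
}

# Constructed demo: a secret mounted with a stale IP (the Pod was rescheduled),
# then refreshed with the new IP two seconds later, as the operator would do.
demo() {
  tmp=$(mktemp -d)
  pod=elasticsearch-sample-es-default-0
  echo "fakecert" > "$tmp/$pod.tls.crt"   # constructed placeholder, not a real cert
  echo "fakekey"  > "$tmp/$pod.tls.key"
  echo "10.0.0.1" > "$tmp/$pod.ip"        # stale IP from before rescheduling
  ( sleep 2; echo "10.0.0.7" > "$tmp/$pod.ip" ) &
  wait_for_cert "$tmp" "$pod" 10.0.0.7 10
  rc=$?
  wait
  rm -rf "$tmp"
  return $rc
}

demo
```

In the init container this would be called as `wait_for_cert "$CERTS_DIR" "$POD_NAME" "$POD_IP" 300` (directory name and timeout are assumptions), with a non-zero exit keeping the Pod in Init until the operator has rotated the secret for the new IP.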
Related to #2823.