Kubernetes CA rotation for gprd zonal clusters
The Kubernetes CAs in the gprd-us-east1-* zonal clusters are going to expire on 2025-10-05:
```
❯ gcloud container clusters describe gprd-us-east1-b --project gitlab-production --region us-east1-b --format "value(masterAuth.clusterCaCertificate)" | base64 --decode | openssl x509 -noout -dates
notBefore=Oct 8 06:23:05 2020 GMT
notAfter=Oct 7 07:23:05 2025 GMT
❯ gcloud container clusters describe gprd-us-east1-c --project gitlab-production --region us-east1-c --format "value(masterAuth.clusterCaCertificate)" | base64 --decode | openssl x509 -noout -dates
notBefore=Oct 6 11:54:26 2020 GMT
notAfter=Oct 5 12:54:26 2025 GMT
❯ gcloud container clusters describe gprd-us-east1-d --project gitlab-production --region us-east1-d --format "value(masterAuth.clusterCaCertificate)" | base64 --decode | openssl x509 -noout -dates
notBefore=Oct 6 11:54:36 2020 GMT
notAfter=Oct 5 12:54:36 2025 GMT
```
This requires manual intervention to make sure we rotate the CA without impact/outage to the workloads and deployments.
Steps for rotation are available in the official GKE documentation.
Timing is important here: GKE automatically starts a CA rotation 30 days before it expires.
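To turn that timing constraint into a concrete deadline, the following added example (not part of the original issue or of any GitLab runbook) parses `openssl x509 -noout -dates` output and computes the day on which the automatic rotation would begin, so a manual rotation can be scheduled before it. The function names are hypothetical and GNU `date` is assumed.

```shell
#!/bin/sh
# Added example: derive the automatic-rotation start date from a CA's notAfter.
# Live use (command taken from this page), piped into the function below:
#   gcloud container clusters describe ... | base64 --decode \
#     | openssl x509 -noout -dates | auto_rotation_start

AUTO_ROTATE_DAYS=30   # per the issue: rotation starts 30 days before expiry

# Read `openssl x509 -noout -dates` output on stdin, print notAfter as epoch.
not_after_epoch() {
  local line
  line=$(grep -m1 '^notAfter=') || return 1      # no notAfter line: fail
  date -u -d "${line#notAfter=}" +%s             # GNU date parses this format
}

# Print the UTC date (YYYY-MM-DD) on which automatic rotation would start.
auto_rotation_start() {
  local exp
  exp=$(not_after_epoch) || return 1
  date -u -d "@$((exp - AUTO_ROTATE_DAYS * 86400))" +%Y-%m-%d
}

# Whole days (truncated) from epoch $1 until automatic rotation starts.
# A negative result means the automatic window has already opened.
days_until_auto_rotation() {
  local now exp
  now=$1
  exp=$(not_after_epoch) || return 1
  echo $(( (exp - AUTO_ROTATE_DAYS * 86400 - now) / 86400 ))
}

# notAfter values copied from the openssl output on this page.
while IFS='|' read -r cluster not_after; do
  printf '%s: automatic rotation from %s\n' "$cluster" \
    "$(printf 'notAfter=%s\n' "$not_after" | auto_rotation_start)"
done <<'EOF'
gprd-us-east1-b|Oct 7 07:23:05 2025 GMT
gprd-us-east1-c|Oct 5 12:54:26 2025 GMT
gprd-us-east1-d|Oct 5 12:54:36 2025 GMT
EOF
```

Passing `$(date -u +%s)` to `days_until_auto_rotation` gives the remaining lead time as of today.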
See previous issues for the gprd-gitlab-gke and ops-gitlab-gke clusters:
- Kubernetes CA rotation gstg/gprd (#25111 - closed)
- Kubernetes CA rotation for ops-gitlab-gke (#26080 - closed)
And previous CRs: