feat: move secrete generation to install-<service>.sh scripts

[rackerchris]

This PR transitions the Genestack installation process from a series of imperative, standalone scripts to a unified, library-driven Orchestration Framework. The primary goal is to achieve "Zero-Touch" deployments where the scripts manage the entire lifecycle of credentials, dependencies, and parallel execution.

Key Structural Changes

1. Centralized Logic (common-functions.sh)

   Secret Lifecycle: Introduced get_or_create_secret which lazily retrieves existing credentials or generates cryptographically secure values if missing.

   Parallel Engine: Implemented run_parallel and wait_parallel to manage background processes with standardized timeout logic and error reporting.

   Dependency Mapping: Centralized pre-flight checks for tools like yq, helm, and kubectl.

2. Orchestration Strategy (setup-openstack.sh)

   Phase-Based Deployment:

    Phase 1: Keystone installation (Serialized).
   
    Phase 2: Shared Secret Pre-seeding (Prevents race conditions for MariaDB/RabbitMQ/Memcached secrets).
   
    Phase 3: Concurrent Burst (Parallel installation of all enabled services).
   
    Phase 4: Finalization (Skyline Dashboard).
   

   Configuration: Deployment plan is now declaratively defined in /etc/genestack/openstack-components.yaml.

3. Service Modernization

   Zaqar, Nova, Neutron: Refactored to use the new template.

   Nova SSH: Specialized logic added to handle RSA key-pair generation.

   Metadata Consistency: Nova and Neutron now share the same metadata-shared-secret automatically.

*** BREAKING CHANGES & RELEASE NOTES

Library Dependency: All install-*.sh scripts now require common-functions.sh to be present in (opt)/genestack/scripts/.

Automated Generation: Missing secrets are now auto-generated. If you use external secret management, ensure naming conventions align with Genestack defaults to avoid duplication.

Atomic Upgrades: All Helm operations now use --atomic. Failed deployments will automatically roll back rather than leaving the namespace in a corrupted state.

Environment Paths: Standardized base paths to (opt)/genestack and overrides to (etc)/genestack.

Checklist for Reviewers

[x] Verify common-functions.sh is sourced correctly in all modified scripts.

[x] Ensure --rotate-secret flag correctly triggers re-generation in get_or_create_secret.

[x] Confirm that parallel execution in setup-openstack.sh properly traps exit codes (non-zero exits should stop the master script).

[x] Validate that OVN connection strings are dynamically resolved in install-neutron.sh.

[cloudnull]

@rackerchris this is massive, is this still needed?

[rackerchris]

@rackerchris this is massive, is this still needed?

Its the next step into a single unified installation script for genestack. Right now create_secrets.sh is a possible regression vector as it does not take into account existing secrets. it will create /etc/genestack/kubesecrets.yaml (and only throw an error if the file exists). However secret validation/generation should be handled in the specific service install script. Currently when we add a new service we have to manually create a "subset" secret creation script. If secrets were managed by the install script we can eliminate manual secret generation as well as protect ourselves from secrets being changed outside of the install script.
This change also allows for secret rotation with the --rotate-secrets cli argument.