Details on custom certs with worker pools

[KiraLempereur-Spacelift]

• adds details on how to use custom certs with worker pools using Kubernetes controller
• also makes tabs for some assigning roles processes, and highlights a detail that could impact architecture security with the warning tag instead of important

Description of the change

Checklist

Please make sure that the proposed change checks all the boxes below before requesting a review:

• I have reviewed the guidelines for contributing to this repository.
• The preview looks fine.
• The tests pass.
• The commit history is clean and meaningful.
• The pull request is opened against the main branch.
• The pull request is no longer marked as a draft.
• You agree to license your contribution under the MIT license to Spacelift (not required for Spacelift employees).
• You have updated the navigation files correctly:
  • No new pages have been added, or;
  • Only nav.yaml has been updated because the changes only apply to SaaS, or;
  • Only nav.self-hosted.yaml has been updated because the changes only apply to Self-Hosted, or;
  • Both nav.yaml and nav.self-hosted.yaml have been updated.

If the proposed change is ready to be merged, please request a review from @spacelift-io/solutions-engineering. Someone will review and merge the pull request.

Spacelift employees should request reviews from the relevant engineers and are allowed to merge pull requests after they got at least one approval.

Thank you for your contribution! 🙇

---

Note

Low Risk
Documentation-only changes; the main risk is users misconfiguring certificate mounts/secrets or role-migration steps due to incorrect examples.

Overview
Adds a new section to kubernetes-workers.md describing how to provide custom CA certificates to Kubernetes worker pools, including Helm controller volume mounts and a workflow to extend the runner CA bundle and mount it into the OpenTofu/Terraform container.

Improves the stack role-attachment migration guide by converting Terraform/Web UI instructions into tabbed blocks, upgrading the administrative-flag precedence callout to a warning, and correcting the policy input examples to reference input.stack.roles.

Fixes the Kubernetes workers doc’s VCS Agents link to point at the correct VCS agent pools page/anchor.

^{Written by Cursor Bugbot for commit 4fd7479. This will update automatically on new commits. Configure here.}

resolved all change requests and re-requested review but it's still showing a requested change here