Move control plane certs renewal "spread out" into the systemd timer (#10596)

* Use RandomizedDelaySec to spread out control plane certificates renewal

If the number of control plane nodes is superior to 6, using (index * 10
minutes) will fail (03:60:00 is not a valid timestamp).

Compared to just fixing the jinja expression (to use a modulo for
example), this should avoid having two control planes certificates
update node being triggered at the same time.

* Make k8s-certs-renew.timer Persistent

If the control plane happens to be offline during the scheduled
certificates renewal (node failure or anything like that), we still want
the renewal to happen.
Max Gautier
2023-11-08 12:35:20 +01:00
committed by GitHub
parent 8ebeb88e57
commit b3f6d05131
2 changed files with 4 additions and 2 deletions

@@ -3,6 +3,9 @@ Description=Timer to renew K8S control plane certificates
[Timer]
OnCalendar={{ auto_renew_certificates_systemd_calendar }}
RandomizedDelaySec={{ 10 * (groups['kube_control_plane'] | length) }}min
FixedRandomDelay=yes
Persistent=yes
[Install]
WantedBy=multi-user.target
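
Review bot: The `RandomizedDelaySec=` / `FixedRandomDelay=yes` pair in the [Timer] section makes a collision between two control plane nodes less likely but does not exclude it, because each host picks its own offset inside the window independently of the others. If renewals must never overlap, that needs a per-node offset or a lock in the renewal script; otherwise the commit message and docs should say "reduces the chance" rather than "avoids". Two further points are worth documenting next to these lines: `FixedRandomDelay=` only exists in systemd 247 and later (older versions log a warning, ignore the key and draw a new delay on each activation), and with `Persistent=yes` a node that comes back after a missed run will start its catch-up renewal right after boot, so the renewal script should tolerate running while the control plane is still starting.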