
fix: add client certs for image registry#3122

Merged
ks-ci-bot merged 1 commit into kubesphere:main from redscholar:image_registry_client_certs on Jun 2, 2026

Conversation

@redscholar

Contributor

What type of PR is this?

/kind bug

What this PR does / why we need it:

Previously, the image registry client reused the server certificates (image_registry.crt and image_registry.key) for mTLS authentication with the registry, which is not best practice and may cause certificate verification issues in certain scenarios.
This PR makes the following changes:

  1. Generate a dedicated image registry client certificate: Adds a new certificate generation task (image-registry-client.crt and image-registry-client.key) during the cert initialization phase, with CN set to image-registry-client.
  2. Update image registry default configuration: Changes the default paths of image_registry.auth.cert_file and key_file from server certificates to the newly generated client certificates.
  3. Update the network precheck logic: Updates the image registry network connectivity check to use the new client certificate paths for validation.
  4. Synchronize documentation updates: Updates the certificate paths and related comments in both English and Chinese configuration reference docs (docs/en/reference/config.md and docs/zh/config/reference/config.md).

Which issue(s) this PR fixes:

Fixes #

Special notes for reviewers:

- This change affects certificate generation, default configuration, precheck tasks, and documentation. Please ensure all references to `image_registry.crt/key` have been replaced.
- The expiration and generation policy for the dedicated client certificate follows the existing `image_registry` certificate configuration.

Does this PR introduce a user-facing change?

Fix the issue where image registry client authentication reused the server certificate. Now a dedicated client certificate (`image-registry-client.crt` and `image-registry-client.key`) is generated and used instead.

Additional documentation, usage docs, etc.:

- [Usage]: When configuring a private image registry that requires mTLS authentication, KubeKey will now automatically generate and use a dedicated client certificate for communication.
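As an added example (not code from the KubeKey PR), the following Go program shows why reusing a server certificate for client authentication can fail verification: from a constructed test CA it issues a server-only certificate and a dedicated client certificate with CN image-registry-client, then runs the client-auth chain check a registry performs against each. The extended key usages on the two leaf certificates are assumptions for the demo; the PR text only states the CN of the new certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a one-day P-256 cert for cn signed by parent; parent == nil self-signs a CA.
func newCert(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, eku ...x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku,
	}
	if parent == nil { // constructed test CA: self-signed, allowed to sign certificates
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return cert, key
}

// VerifyForClientAuth is the registry-side check: chain to the CA and be allowed for client auth.
func VerifyForClientAuth(cert, ca *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// Compare presents a server-only cert (the old reuse) and a dedicated client cert for client auth.
func Compare() (serverCertErr, clientCertErr error) {
	ca, caKey := newCert("test-ca", 1, nil, nil)
	server, _ := newCert("image-registry", 2, ca, caKey, x509.ExtKeyUsageServerAuth)
	client, _ := newCert("image-registry-client", 3, ca, caKey, x509.ExtKeyUsageClientAuth)
	return VerifyForClientAuth(server, ca), VerifyForClientAuth(client, ca)
}
```

The server-only certificate is rejected with an incompatible key usage error, while the dedicated client certificate verifies; a precheck that loads the client cert paths from the configuration can reuse VerifyForClientAuth to catch this before the first registry pull.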

@kubesphere-prow kubesphere-prow Bot added release-note kind/bug Categorizes issue or PR as related to a bug. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jun 2, 2026
@kubesphere-prow


[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: redscholar

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubesphere-prow kubesphere-prow Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 2, 2026

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request introduces the generation and usage of dedicated client certificates (image-registry-client.crt and image-registry-client.key) for the image registry, replacing the previous use of the server-side certificates for client authentication. This includes updating the certificate generation tasks, default configuration paths, precheck tasks, and documentation. There are no review comments, so no feedback is provided.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

@redscholar redscholar force-pushed the image_registry_client_certs branch 2 times, most recently from 052467d to a90b866 Compare June 2, 2026 08:38
Signed-off-by: redscholar <blacktiledhouse@gmail.com>
@redscholar redscholar force-pushed the image_registry_client_certs branch from a90b866 to 7041d8f Compare June 2, 2026 09:25
@kubesphere-prow kubesphere-prow Bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jun 2, 2026
sonarqubecloud Bot commented Jun 2, 2026


@redscholar redscholar added the lgtm Indicates that a PR is ready to be merged. label Jun 2, 2026
@ks-ci-bot ks-ci-bot merged commit 5c20970 into kubesphere:main Jun 2, 2026
7 checks passed
