https traffic to tempo is silently broken if traefik is not related to a certificates provider

[PietroPasotti]

Bug Description

if tempo is related to a certificates provider and an ingress, but the ingress doesn't have a certificate relation, tempo should set blocked so the user knows something is wrong. This helps address issues such as this one.

To Reproduce

see canonical/tempo-k8s-operator#153

Environment

any

Relevant log output

n/a

Additional context

possible ways to address this issue:
try to ping traefik with https and, on failure, we know the ingress isn't ready tot talk https and therefore all tracing relations are bork

[michaeldmitry]

Add a pebble service to fire a notice to check if the endpoint is up (can be part of the lib)

[mmkay]

One more edge case: everything works if you juju relate traefik:receive-ca-cert self-signed-certificates.

1. we need to document better that if tempo is related to certificates provider but traefik isn't, traefik needs to be related to ca with receive-ca-cert endpoint
2. should we be adding a pebble check?
   1. one scenario would still give us false negatives:
      1. we'll be failing to check ingressed url if it's connected to certificates, we're not, but it's terminating TLS correctly so other components can still send traces to tempo (just tempo cannot send them to itself as it's not related to certs)
      2. perhaps this check should be done only if we have an ingress, the ingressed URL is over http and tempo has a certificate
   2. maybe this should be a probe not in the charm? suggestion from @michaeldmitry