openshift / installer

Install an OpenShift 4.x cluster
https://try.openshift.com
Apache License 2.0

OSASINFRA-3657: Add support for storing OpenStack CA bundles #9194

Open stephenfin opened 2 weeks ago

stephenfin commented 2 weeks ago

If a CA bundle is required to talk to your OpenStack then obviously all services that talk to the cloud need to have both credentials and said bundle. Currently, these users can get their credentials via cloud credential operator, but they need to source their CA bundle from elsewhere (typically by extracting it from the cloud controller manager's configuration). This makes configuration of services more complicated than necessary.

Continue the resolution of the issue by storing the CA bundle, if any, in the root secret on OpenStack. When coupled with the changes introduced in openshift/cloud-credential-operator#780, this allows us to dole out the bundle to anyone who asks for it via a CredentialsRequest.

While we're here, we also tweak the configuration for the cloud provider to (a) start generating the configuration file in the new format expected by cluster-cloud-controller-manager-operator and (b) stop generating an old secret that only the old, now-removed in-tree OpenStack cloud provider needed and used.
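The description above proposes keeping the CA bundle next to the credentials in the root secret so that it can be handed out through a `CredentialsRequest`. Anything stored there is redistributed to every consumer, so a defender's first concern is that a malformed or non-CA bundle never gets in. The Go program below is an added illustration, not code from openshift/installer or this PR: it assembles the secret's data map, adds the bundle only when one was supplied, and rejects bundles that are not a chain of parseable CA certificates. The data keys `clouds.yaml` and `cacert`, and the self-signed test CA it generates, are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Assumed key names for the root secret's data map; the PR does not state them.
const (
	cloudsKey = "clouds.yaml"
	caKey     = "cacert"
)

// validateCABundle checks that bundle consists of one or more PEM CERTIFICATE
// blocks, each of which parses and is marked as a CA. It returns the CA count.
func validateCABundle(bundle []byte) (int, error) {
	n := 0
	rest := bundle
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			return 0, fmt.Errorf("unexpected PEM block type %q", block.Type)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return 0, fmt.Errorf("certificate %d: %w", n+1, err)
		}
		if !cert.IsCA {
			return 0, fmt.Errorf("certificate %d (%s) is not a CA", n+1, cert.Subject.CommonName)
		}
		n++
	}
	if n == 0 {
		return 0, errors.New("no PEM certificates found in bundle")
	}
	return n, nil
}

// BuildRootSecret assembles the data map of the root credentials secret:
// always the clouds.yaml, plus the CA bundle only when one was supplied
// and it passed validation.
func BuildRootSecret(cloudsYAML string, caBundle []byte) (map[string][]byte, error) {
	if cloudsYAML == "" {
		return nil, errors.New("clouds.yaml is required")
	}
	data := map[string][]byte{cloudsKey: []byte(cloudsYAML)}
	if len(caBundle) == 0 {
		return data, nil // no custom CA: consumers fall back to system trust
	}
	if _, err := validateCABundle(caBundle); err != nil {
		return nil, fmt.Errorf("rejecting CA bundle: %w", err)
	}
	data[caKey] = caBundle
	return data, nil
}

// GenerateTestCA creates a throwaway self-signed CA certificate (constructed
// test input, not any real cloud's CA) and returns it PEM-encoded.
func GenerateTestCA() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-openstack-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	ca, err := GenerateTestCA()
	if err != nil {
		panic(err)
	}
	// Constructed minimal clouds.yaml; the auth_url is a placeholder.
	clouds := "clouds:\n  openstack:\n    auth:\n      auth_url: https://keystone.example.invalid:5000/v3\n"
	data, err := BuildRootSecret(clouds, ca)
	if err != nil {
		panic(err)
	}
	for k, v := range data {
		fmt.Printf("%s: %d bytes\n", k, len(v))
	}
}
```

The validation is deliberately strict: a bundle that mixes in private keys or leaf certificates is refused rather than stored, because once it sits in the root secret every `CredentialsRequest` consumer would inherit the mistake.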

openshift-ci-robot commented 2 weeks ago

@stephenfin: This pull request references OSASINFRA-3657 which is a valid jira issue.

In response to [this](https://github.com/openshift/installer/pull/9194):

>If a CA bundle is required to talk to your OpenStack then obviously all services that talk to the cloud need to have both credentials and said bundle. Currently, these users can get their credentials via cloud credential operator, but they need to source their CA bundle from elsewhere (typically by extracting it from the cloud controller manager's configuration). This makes configuration of services more complicated than necessary.
>
>Continue the resolution of the issue by storing the CA bundle, if any, in the root secret on OpenStack. When coupled with the changes introduced in openshift/cloud-credential-operator#780, this allows us to dole out the bundle to anyone who asks for it via a `CredentialsRequest`.
>
>While we're here, we also tweak the configuration for the cloud provider to (a) start generating the configuration file in the new format expected by cluster-cloud-controller-manager-operator and (b) stop generating an old secret that only the old, now-removed in-tree OpenStack cloud provider needed and used.

Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Finstaller). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.
openshift-ci[bot] commented 2 weeks ago

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Once this PR has been reviewed and has the lgtm label, please assign r4f4 for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

- **[OWNERS](https://github.com/openshift/installer/blob/master/OWNERS)**

Approvers can indicate their approval by writing `/approve` in a comment. Approvers can cancel approval by writing `/approve cancel` in a comment.
openshift-ci[bot] commented 2 weeks ago

@stephenfin: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-openstack-ovn | 5e359c0dbce90c7f7d597a2c81ee46c883bdc74d | link | true | /test e2e-openstack-ovn |
| ci/prow/e2e-openstack-nfv-intel | 5e359c0dbce90c7f7d597a2c81ee46c883bdc74d | link | false | /test e2e-openstack-nfv-intel |
| ci/prow/e2e-aws-ovn | 5e359c0dbce90c7f7d597a2c81ee46c883bdc74d | link | true | /test e2e-aws-ovn |
| ci/prow/e2e-openstack-proxy | 5e359c0dbce90c7f7d597a2c81ee46c883bdc74d | link | false | /test e2e-openstack-proxy |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository. I understand the commands that are listed [here](https://go.k8s.io/bot-commands).
stephenfin commented 1 week ago

/hold

Will wait for 4.19 for this.