This is the last important part of the puzzle necessary for removing ssl.sh from PE containers. It should be vetted in a test PR to pe-puppet-server-extensions prior to merging here (puppetserver tests only have a single node / compiler, so don't actually generate certs yet useful for testing this PR).
To be able to remove ssl.sh from all PE containers, the testing suites should still have the option of generating certificates to exercise the CA, rather than preloading well-known certs. This is important for at least the puppetserver suites.

Attach a transient alpine/openssl container and load the 00-ssl.sh script into it, attaching it to container volumes in exactly the same way that cert preloading works. Instead of copying files, run the script with the correct values to generate certs against the CA - namely SSLDIR, CERTNAME, DNS_ALT_NAMES and PUPPETSERVER_HOSTNAME.

Services defined in docker-compose that are missing the CERTNAME value are skipped as they don't need certs generated. This allows for easily skipping puppetserver itself or other test fixtures that may be defined.

Makes a minor fix to the ssl.sh script to make symlinks to canonical cert files relative rather than absolute. When the files are generated in a different container with a different path within the volume, absolute paths may result in dangling symlinks when files are accessed in the destination container. This can lead to problems performing chmod / chown and other file access operations.
[x] pe-puppet-server-extensions - https://github.com/puppetlabs/pe-puppet-server-extensions/pull/1293
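The following is an added shell example illustrating the flow described in this PR; it is not the project's 00-ssl.sh or any code from the PR. It shows the three points the description makes: a compose service without CERTNAME is skipped, every other service gets the transient alpine/openssl container invoked with SSLDIR, CERTNAME, DNS_ALT_NAMES and PUPPETSERVER_HOSTNAME, and a relative symlink to the canonical cert file keeps resolving after the directory is reached under a different path, whereas an absolute one dangles. No docker is invoked (only the command line is assembled), so it runs offline. The image name and 00-ssl.sh come from the PR; the ssldir, volume name, hostnames and the `service|CERTNAME|DNS_ALT_NAMES` records are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from this PR or the project.
# Assumed values (not from the PR):
SSLDIR=/etc/puppetlabs/puppet/ssl          # container-side ssldir
PUPPETSERVER_HOSTNAME=puppet.test          # constructed CA hostname
SSL_VOLUME=puppet-ssl                      # hypothetical named volume

# Constructed stand-in for the docker-compose services: one
# "service|CERTNAME|DNS_ALT_NAMES" record per line. puppetserver has no
# CERTNAME, so the description says it must be skipped.
SERVICES='puppetserver||
puppetdb|puppetdb.test|puppetdb,puppetdb.test
agent|agent.test|'

# A service needs certs only when CERTNAME is set (0 = generate, 1 = skip).
needs_certs() {
    [ -n "$1" ]
}

# The docker run line that would generate certs for one service: the ssl
# volume and 00-ssl.sh are attached exactly as for preloading, and the
# script is driven by the four environment variables named in the PR.
cert_command() {
    certname=$1
    altnames=$2
    printf 'docker run --rm -v %s:%s -v %s:/00-ssl.sh:ro -e SSLDIR=%s -e CERTNAME=%s -e DNS_ALT_NAMES=%s -e PUPPETSERVER_HOSTNAME=%s alpine/openssl sh /00-ssl.sh\n' \
        "$SSL_VOLUME" "$SSLDIR" "$PWD/00-ssl.sh" "$SSLDIR" "$certname" "$altnames" "$PUPPETSERVER_HOSTNAME"
}

# Walk the records: print a command per service that needs certs and a
# skip notice (on stderr) for the rest.
plan_commands() {
    old_ifs=$IFS
    IFS='
'
    for record in $SERVICES; do
        IFS=$old_ifs
        service=$(printf '%s' "$record" | cut -d'|' -f1)
        certname=$(printf '%s' "$record" | cut -d'|' -f2)
        altnames=$(printf '%s' "$record" | cut -d'|' -f3)
        if needs_certs "$certname"; then
            cert_command "$certname" "$altnames"
        else
            echo "skipping $service: no CERTNAME" >&2
        fi
        IFS='
'
    done
    IFS=$old_ifs
}

# Number of services that would get certs (2 for the constructed records).
count_services_needing_certs() {
    plan_commands 2>/dev/null | grep -c 'alpine/openssl'
}

# Create the canonical-name symlink with a relative ($1 = relative) or
# absolute ($1 = absolute) target, then move the tree to another path, as
# happens when a second container mounts the volume elsewhere. Returns 0 if
# the link still resolves, 1 if it dangles.
link_survives_move() {
    mode=$1
    work=$(mktemp -d)
    mkdir -p "$work/a/certs"
    echo "constructed cert" > "$work/a/certs/puppetdb.test.pem"
    if [ "$mode" = relative ]; then
        (cd "$work/a/certs" && ln -s puppetdb.test.pem cert.pem)
    else
        ln -s "$work/a/certs/puppetdb.test.pem" "$work/a/certs/cert.pem"
    fi
    mv "$work/a" "$work/b"
    if [ -L "$work/b/certs/cert.pem" ] && [ -e "$work/b/certs/cert.pem" ]; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$work"
    return $rc
}

plan_commands
```

The absolute-link case is what the PR's ssl.sh fix avoids: a link whose target embeds the generating container's path breaks as soon as the volume appears at another mount point, which is why chmod / chown on the destination fails.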