Epic
Resolution: Unresolved
Normal
openshift-4.19
CA Bundle Sync
Improvement
In Progress
0% To Do, 100% In Progress, 0% Done
S
Goal
Add support for syncing the CA bundle to the credentials generated by the Cloud Credential Operator.
Why is this important?
It is generally necessary to provide a CA file to OpenStack clients in order to communicate with a cloud that uses self-signed certificates. The cloud-credential-operator syncs clouds.yaml files to various namespaces so that services running in those namespaces are able to communicate with the cloud, but it does not sync the CA file. Instead, this must be managed using another mechanism. This has led to some odd situations, such as the Cinder CSI driver operator inspecting cloud-provider configuration to pull out this file.
We should start syncing not only the clouds.yaml file but also the CA file to anyone that requests it via a CredentialsRequest. Once we've done this, we can modify other components such as the Installer, CSI Driver Operator, Hypershift, and CCM Operator to pull the CA file from the same secrets that they pull the clouds.yaml from, rather than the litany of places they currently use.
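As an added illustration of the proposed sync (example code written here, not taken from the cloud-credential-operator): it copies clouds.yaml together with a CA bundle from the root secret into a consumer-namespace Secret, refuses a bundle that is not well-formed PEM, falls back to syncing only clouds.yaml when the root secret carries no CA, and shows what a consumer would set to use both. The `cacert` key name, the `/etc/openstack` mount path and the sample contents are assumptions.

```python
import base64
import ssl
# Constructed sample contents for kube-system/openstack-credentials (not from the epic).
ROOT_CLOUDS_YAML = (
    "clouds:\n  openstack:\n    auth:\n"
    "      auth_url: https://keystone.example.test:13000/v3\n"
    "      username: openshift\n      password: example-password\n"
    "      project_name: openshift\n    region_name: regionOne\n"
)
# Two fake PEM blocks with valid base64 bodies; only the PEM framing is checked below.
ROOT_CA_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMIIBAAE=\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIBAAI=\n-----END CERTIFICATE-----\n"
)

def b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()

def validate_ca_bundle(pem: str) -> int:
    """Count CERTIFICATE blocks; raise ValueError if the bundle is empty or malformed."""
    count = 0
    for chunk in pem.split("-----END CERTIFICATE-----"):
        chunk = chunk.strip()
        if chunk:
            # Insists on BEGIN/END framing and base64-decodes the body (no X.509 parsing).
            ssl.PEM_cert_to_DER_cert(chunk + "\n-----END CERTIFICATE-----")
            count += 1
    if count == 0:
        raise ValueError("CA bundle contains no certificates")
    return count

def sync_credentials(root_data: dict, namespace: str, name: str) -> dict:
    """Secret to write into a consumer namespace, built from the root secret's base64 `data` map.
    The 'cacert' key name is an assumption; without it only clouds.yaml is synced (today's behaviour)."""
    if "clouds.yaml" not in root_data:
        raise ValueError("root secret has no clouds.yaml")
    data = {"clouds.yaml": root_data["clouds.yaml"]}
    if "cacert" in root_data:
        validate_ca_bundle(base64.b64decode(root_data["cacert"]).decode())
        data["cacert"] = root_data["cacert"]
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name, "namespace": namespace}, "data": data}

def client_env(secret: dict, mount_dir: str = "/etc/openstack") -> dict:
    """openstacksdk environment a consumer sets after mounting the synced secret at mount_dir."""
    env = {"OS_CLIENT_CONFIG_FILE": f"{mount_dir}/clouds.yaml"}
    if "cacert" in secret["data"]:
        env["OS_CACERT"] = f"{mount_dir}/cacert"
    return env
```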
Scenarios
- As a deployer, I should be able to update all cloud credential-related information - including certificates - in one central place and see these rolled out to all components that require them.
Acceptance Criteria
- The cloud-credential-operator is capable of consuming a CA cert from kube-system / openstack-credentials and rolling this out to the secrets in other namespaces
- The installer includes the CA cert in the root kube-system / openstack-credentials secret
- The UPI playbooks are modified to include the CA cert in the root kube-system / openstack-credentials secret
- No regressions. Since we use self-signed certificates in many of our CI systems, we should see regressions early.
- Release notes and credential rotation documentation are updated to document this change
Dependencies (internal and external)
None.
Previous Work (Optional):
None.
Open questions:
None.