Comment 2 for bug 1758061

OpenStack Infra (hudson-openstack) wrote : Fix merged to kuryr-kubernetes (master)

Reviewed: https://review.openstack.org/555502
Committed: https://git.openstack.org/cgit/openstack/kuryr-kubernetes/commit/?id=3b7e518a940cffbaab1aa52f5a3166175ee3dd6c
Submitter: Zuul
Branch: master

commit 3b7e518a940cffbaab1aa52f5a3166175ee3dd6c
Author: Michał Dulko <email address hidden>
Date: Thu Mar 22 18:28:28 2018 +0100

    Add CA certificates Secret and mount it

    Our containerized gates started failing recently. Turns out some default
    configuration was changed and `tls-proxy` service was added. This option
    makes all OpenStack endpoints use HTTPS. This includes creation of a
    DevStack CA certificates bundle that then will be configured to be
    verified when connecting to OpenStack APIs. This works well with
    non-containerized deployment as the bundle is available locally in
    /opt/stack/data and our `[neutron]` section sets `cafile` option to
    point there.

    Things are different in containerized deployment use case as we need a
    way to pass those certificates into the container. Effectively - we had
    no CA certificates support for containerized deployments either in
    DevStack or production.

    This commit adds that support by including new Kuryr Kubernetes resource
    definition - `kuryr-certificates` Secret. It is supposed to hold CA
    certificate under `kuryr-ca-bundle.crt` key. kuryr-controller DaemonSet
    definition was modified to mount the certificate into /etc/ssl/certs.

    Changes also include implementing support for that in DevStack plugin
    (placing the certificate in the secret and setting the `[neutron]cafile`
    config option to point to that certificate).

    Closes-Bug: 1758061
    Change-Id: I7ac9d05868994cfc2a1aef4a8cd6c2148895e9c8
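
The layout the commit message describes, sketched as an added example; it is not the manifest from the kuryr-kubernetes change. Only the Secret name, the `kuryr-ca-bundle.crt` key, the `/etc/ssl/certs` location and the `[neutron]cafile` option come from the message. The namespace, container and volume names, the image placeholder and the use of `subPath` are assumptions.

```yaml
# Added illustration, not the project's own manifest.
apiVersion: v1
kind: Secret
metadata:
  name: kuryr-certificates
  namespace: kube-system            # assumption: the namespace is not stated on the page
type: Opaque
data:
  # Placeholder: base64 of the PEM CA bundle that signs the OpenStack endpoints.
  kuryr-ca-bundle.crt: <BASE64_ENCODED_PEM_CA_BUNDLE>
---
# Pod template fragment for the kuryr-controller workload.
# Container and volume names are hypothetical.
spec:
  containers:
    - name: controller
      image: <KURYR_CONTROLLER_IMAGE>   # placeholder
      volumeMounts:
        - name: certificates-volume
          # Assumption: subPath places a single file in /etc/ssl/certs,
          # so the CA files shipped in the image stay visible.
          mountPath: /etc/ssl/certs/kuryr-ca-bundle.crt
          subPath: kuryr-ca-bundle.crt
          readOnly: true
  volumes:
    - name: certificates-volume
      secret:
        secretName: kuryr-certificates
        items:
          - key: kuryr-ca-bundle.crt
            path: kuryr-ca-bundle.crt
# Matching setting in the Kuryr configuration file inside the container:
#   [neutron]
#   cafile = /etc/ssl/certs/kuryr-ca-bundle.crt
```

A file mounted through `subPath` is not refreshed when the Secret changes, so the pods need a restart after the CA bundle is rotated.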