PKI role permissions change may cause deployment failures

The following change in the PKI role has adjusted the default user/group which CA keys are created with from the current user to 'root'.

https://github.com/openstack/ansible-role-pki/commit/7b261e2119b8922128d17f0da4daece90501f07d

In cases where OSA playbooks are run as root this isn't a problem, but in our case we use a non-root user. As a result, the CA key we already have is owned by that user/group and not root. When the certificate-authority.yml or os-octavia-install.yml playbooks run during an upgrade, the attempted change results in a failure:

TASK [pki : Generate CA private key for OctaviaServerRoot] ************************************************************************************************************************************************
fatal: [infra1_octavia_server_container-414c69e4 -> localhost]: FAILED! => {"changed": false, "gid": 3015, "group": "<our group>", "mode": "0600", "msg": "chown failed: [Errno 1] Operation not permitted:
b'/etc/openstack_deploy/pki/roots/OctaviaServerRoot/private/OctaviaServerRoot.key.pem'", "owner": "<out user>", "path": "/etc/openstack_deploy/pki/roots/OctaviaServerRoot/private/OctaviaServerRoot.key.pe
m", "size": 3326, "state": "file", "uid": 3014}

Unfortunately the variables which allow us to override this user/group also require us to override the entire octavia_cert_authorities list.

Ideally the default would be reverted to the current user, but it would also perhaps be useful to have a more global user/group (and mode) in ansible-role-pki for files which are created on the deploy host so that they can be set consistently rather than on an individual basis.