Add support for adding an additional trusted CA

This file is copied from the control host. May be multiple certs in one
file if you want to add a bundle.

inventory/hosts.example

@@ -783,6 +783,10 @@ debug_level=2
 #
 # Detected names may be overridden by specifying the "names" key
 #openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key", "names": ["public-master-host.com"], "cafile": "/path/to/custom-ca1.crt"}]
+#
+# Add a trusted CA to all pods, copies from the control host, may be multiple
+# certs in one file
+#openshift_additional_ca=/path/to/additional-ca.crt
 
 # Session options
 #openshift_master_session_name=ssn

roles/openshift_ca/tasks/main.yml

@@ -83,6 +83,14 @@
   delegate_to: "{{ openshift_ca_host }}"
   run_once: true
 
+# Upload additional CA if necessary
+- name: Deploy additional ca
+  copy:
+    src: "{{ openshift_additional_ca }}"
+    dest: "{{ openshift.common.config_base }}/master/additional_ca.crt"
+    mode: 0644
+  when: openshift_additional_ca is defined
+
 - name: Create ca serial
   copy:
     content: "00"
@@ -121,6 +129,9 @@
     {% for legacy_ca_certificate in g_master_legacy_ca_result.files | default([]) | lib_utils_oo_collect('path') %}
     --certificate-authority {{ legacy_ca_certificate }}
     {% endfor %}
+    {% if openshift_additional_ca is defined %}
+    --certificate-authority {{ openshift.common.config_base }}/master/additional_ca.crt
+    {% endif %}
     --hostnames={{ hostvars[openshift_ca_host].openshift.common.all_hostnames | join(',') }}
     --master={{ openshift.master.api_url }}
     --public-master={{ openshift.master.public_api_url }}