
Disallow custom CA file path for providers with CA path

This commit ensures the LDAP auth provider won't rewrite any files
in the static pod, and that the CA file gets placed in /etc/origin/master/.

Previously, before static pod deployment, the
openshift_master_identity_providers
param for LDAP auth could specify the file, which was copied to the
host and used by the API server running on the host.

In 3.10+ this file needs to be mounted in the API server container
(along with the rest of the configuration), so a custom path in the `ca` section
could be left on the node. This file was copied unconditionally and
could rewrite any CA / config file.

This commit would always place contents from `openshift_master_ldap_ca`
(or file from `openshift_master_ldap_ca_file`) in
/etc/origin/master/ldap_ca.crt, which would be mounted in a static pod.

This also affects OpenID auth and request header auth.
Vadim Rutkovsky 6 years ago
Parent commit ceac075224

Diff file suppressed because it is too large
+ 3 - 3
inventory/hosts.example


+ 5 - 0
roles/lib_utils/filter_plugins/openshift_master.py

@@ -158,6 +158,8 @@ class LDAPPasswordIdentityProvider(IdentityProviderBase):
             pref_user = self._idp['attributes'].pop('preferred_username')
             self._idp['attributes']['preferredUsername'] = pref_user
 
+        self._idp['ca'] = '/etc/origin/master/ldap_ca.crt'
+
     def validate(self):
         ''' validate this idp instance '''
         if not isinstance(self.provider['attributes'], dict):
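Review bot: the assignment `self._idp['ca'] = '/etc/origin/master/ldap_ca.crt'` is unconditional, so an LDAP provider configured without any CA material will now point the API server at a file that the `Create the ldap ca file if needed` task in roles/openshift_control_plane/tasks/main.yml only writes when CA content is available. Consider setting `ca` only when `openshift_master_ldap_ca` or `openshift_master_ldap_ca_file` is provided, and, since the intent is to disallow a custom path rather than silently replace it, have `validate()` reject an inventory-supplied `ca` that differs from the fixed path so users notice the change instead of getting an unexpected config.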
@@ -218,6 +220,7 @@ class RequestHeaderIdentityProvider(IdentityProviderBase):
                            ['emailHeaders', 'email_headers'],
                            ['nameHeaders', 'name_headers'],
                            ['preferredUsernameHeaders', 'preferred_username_headers']]
+        self._idp['clientCA'] = '/etc/origin/master/request_header_ca.crt'
 
     def validate(self):
         ''' validate this idp instance '''
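Review bot: `clientCA` is now always pinned to `/etc/origin/master/request_header_ca.crt`, but the matching task in roles/openshift_control_plane/tasks/main.yml only writes that file when `openshift_master_request_header_ca != l_osm_request_header_none`, so a RequestHeaderIdentityProvider deployed without `openshift_master_request_header_ca` ends up referencing a missing file. Either mirror that condition here or make `validate()` fail early with a clear message when the CA is not supplied; failing early is the safer choice, because `clientCA` is what limits which front-end proxy may present the identity headers.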
@@ -358,6 +361,8 @@ class OpenIDIdentityProvider(IdentityProviderOauthBase):
         if 'extra_authorize_parameters' in self._idp:
             self._idp['extraAuthorizeParameters'] = self._idp.pop('extra_authorize_parameters')
 
+        self._idp['ca'] = '/etc/origin/master/openid_ca.crt'
+
     def validate(self):
         ''' validate this idp instance '''
         if not isinstance(self.provider['claims'], dict):
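Review bot: same unconditional pattern as the LDAP provider: `ca` is pinned to `/etc/origin/master/openid_ca.crt` even when `openshift.master.openid_ca` is undefined, which is exactly the case the `Create the openid ca file if needed` task guards on. Pinning `ca` only when that variable is defined keeps the generated OpenIDIdentityProvider config consistent with what is written to disk, and a one-line comment above the assignment saying that inventory-supplied paths are deliberately ignored would help, since nothing else in the class signals that the user's value is discarded.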

+ 3 - 5
roles/openshift_control_plane/tasks/main.yml

@@ -78,7 +78,7 @@
 
 - name: Create the ldap ca file if needed
   copy:
-    dest: "{{ item.ca if 'ca' in item and '/' in item.ca else '/etc/origin/master/' ~ item.ca | default('ldap_ca.crt') }}"
+    dest: "/etc/origin/master/ldap_ca.crt"
     content: "{{ openshift.master.ldap_ca }}"
     mode: 0600
     backup: yes
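Review bot: fixing `dest` to `/etc/origin/master/ldap_ca.crt` closes the path problem (the old expression wrote `openshift.master.ldap_ca` to any absolute `item.ca` path from the inventory, which is the overwrite the commit message describes), but the task still sets `mode: 0600` without an explicit `owner`/`group`. Since this file is now mounted into the static pod, consider adding `owner: root` and `group: root` so ownership does not depend on the Ansible connection user, and drop any remaining `item.ca`-based `when` condition on this task for consistency with the openid and request header tasks below.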
@@ -89,26 +89,24 @@
 
 - name: Create the openid ca file if needed
   copy:
-    dest: "{{ item.ca if 'ca' in item and '/' in item.ca else '/etc/origin/master/' ~ item.ca | default('openid_ca.crt') }}"
+    dest: "/etc/origin/master/openid_ca.crt"
     content: "{{ openshift.master.openid_ca }}"
     mode: 0600
     backup: yes
   when:
   - openshift.master.openid_ca is defined
   - item.kind == 'OpenIDIdentityProvider'
-  - item.ca | default('') != ''
   with_items: "{{ openshift_master_identity_providers }}"
 
 - name: Create the request header ca file if needed
   copy:
-    dest: "{{ item.clientCA if 'clientCA' in item and '/' in item.clientCA else '/etc/origin/master/' ~ item.clientCA | default('request_header_ca.crt') }}"
+    dest: "/etc/origin/master/request_header_ca.crt"
     content: "{{ openshift_master_request_header_ca }}"
     mode: 0600
     backup: yes
   when:
   - openshift_master_request_header_ca != l_osm_request_header_none
   - item.kind == 'RequestHeaderIdentityProvider'
-  - item.clientCA | default('') != ''
   with_items: "{{ openshift_master_identity_providers }}"
 
 - name: Set fact of all etcd host IPs
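Review bot: dropping the `item.ca | default('') != ''` and `item.clientCA | default('') != ''` conditions is consistent with the filter plugin now always setting those keys, but the two tasks still guard the same situation differently: openid checks `openshift.master.openid_ca is defined` while request header compares `openshift_master_request_header_ca` against the `l_osm_request_header_none` sentinel. Worth aligning them, and worth stating in inventory/hosts.example that an inventory-supplied `ca` / `clientCA` value is now ignored, since a provider entry carrying a custom path will silently get the fixed `/etc/origin/master/` file instead.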