Get cacert into workload cluster

[jschoone]

/kind feature

Describe the solution you'd like
[A clear and concise description of what you want to happen.]

Anything else you would like to add:
[Miscellaneous information that will assist in solving the issue.]

Environment:

• Kubernetes version: (use kubectl version)
• OS (e.g. from /etc/os-release):

[garloff]

Half the solution is to add --set cacert="$(cat /path/to/single-ca-cert.pem)" on the helm call.
This gets capo to work with the custom CA.

Unfortunately not OCCM. OCCM not coming up still leaves you with a pretty disfunctional cluster.

[garloff]

To get OCCM to work, we probably need to tweak ca-file AND ensure we somehow get the secret mounted into OCCM's file system so we can reference it. That probably means tweaking the OCCM pod deployment file ...
(A working workaround is to change cloud.conf and add in tls-insecure=true in the helm _helpers.tpl -- not recommended of course!)

[garloff]

https://github.com/SovereignCloudStack/k8s-cluster-api-provider/blob/main/doc/usage/custom-ca.md might help here.