I got the idea for this feature from VMware Tanzu, where a single tanzuserviceconfig has the ca-bundle and it is applied to all nodes of all clusters.
Being able to set the ca-bundle makes this common configuration part of deploying the cluster / gitops.
Even better would be if updating the setting and reapplying would roll the cluster nodes one at a time, updating the ca-bundle on each.
Current non-gitops alternatives:
add to template image after it's built, not currently part of image-builder
everyone reinvents a script to remote over to each node and set the bundle / restart the needed services
Alternatively, maybe the namespace where the cluster.yaml is deployed and seen by capi could have the ca-bundle, and if it exists it gets applied to worker nodes.
Describe the solution you'd like
In the same way a 'vlan' can be specified, the ability to specify a ca-bundle e.g.:
Anything else you would like to add:
It should be possible to specify multiple certs, and later update-ca-trust would be used (or whatever technique is used by the distribution being used) to import the certs.
Use case:
I deployed Harbor and generated certs via cert-manager using Vault. Via pipelines I've built images and pushed images to Harbor. Now I'd like to deploy images via Harbor, but by default the Harbor certs are not trusted, and worker nodes are unable to pull images.
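The node-side step the request describes (several certs in one bundle, imported with `update-ca-trust` or the distribution's equivalent), sketched as an added example that is not part of the original issue or of the project's code. The function names and the `cluster-ca` file prefix are hypothetical; the anchor directories and refresh commands are the stock ones for the RHEL and Debian families.

```shell
#!/bin/sh
# Added example: import every certificate of a multi-cert PEM bundle into the
# node's system trust store. Function names are hypothetical.

# Map an os-release file to "<anchor dir>|<refresh command>".
trust_target() {
    os_release=${1:-/etc/os-release}
    (   # subshell: sourcing os-release must not leak variables to the caller
        ID= ID_LIKE=
        . "$os_release"
        case " $ID $ID_LIKE " in
            *" rhel "*|*" fedora "*|*" centos "*)
                echo "/etc/pki/ca-trust/source/anchors|update-ca-trust extract" ;;
            *" debian "*|*" ubuntu "*)
                echo "/usr/local/share/ca-certificates|update-ca-certificates" ;;
            *)
                echo "unsupported distribution: $ID" >&2; exit 1 ;;
        esac
    )
}

# Write each PEM block of bundle $1 to $2/<prefix>-N.crt (one cert per file,
# .crt suffix as update-ca-certificates requires) and print the block count.
# Text outside BEGIN/END markers is dropped.
split_bundle() {
    bundle=$1 dest=$2 prefix=${3:-cluster-ca}
    awk -v dest="$dest" -v prefix="$prefix" '
        /-----BEGIN CERTIFICATE-----/ {
            n++; out = sprintf("%s/%s-%d.crt", dest, prefix, n); inblock = 1
        }
        inblock { print > out }
        /-----END CERTIFICATE-----/ { close(out); inblock = 0 }
        END { print n + 0 }
    ' "$bundle"
}

# Split the bundle into the distro's anchor directory, then rebuild the store.
# Must run as root on the node.
install_bundle() {
    bundle=$1
    target=$(trust_target) || return 1
    dir=${target%%|*} cmd=${target#*|}
    count=$(split_bundle "$bundle" "$dir") || return 1
    [ "$count" -gt 0 ] || { echo "no certificates in $bundle" >&2; return 1; }
    $cmd    # intentionally unquoted: command plus its argument
}
```

Calling `install_bundle /path/to/ca-bundle.pem` as root performs the import; the container runtime generally has to be restarted afterwards before image pulls see the new CAs, which is the "restart the needed services" step mentioned above.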