[kots]: add configuration for using a custom CA certificate

[mrsimonemms]

Description

Add support for custom CA certs to the KOTS interface. There are three ways of configuring a cert with KOTS

1. Use cert-manager
2. Use a self-signed cert
3. Upload your own certificate - may be made with public or private CA

For 1, no option is provided for a custom CA. It is assumed that this will be made against a public CA - we can keep tabs on whether there's a requirement for this in future. 🛹🛹🛹

For 2, this self-signed cert is generated with the same CA used to generate the internal certs (ca-issuer-ca). This PR adds a note to explain how to extract the CA cert to import into the browser. It's expected that this will be used for limited numbers of users.

For 3, this adds an optional parameter to add the CA when uploading your certs.

Related Issue(s)

Fixes #8559

How to test

Deploy with KOTS. Use version sje-kots-self-signed-certs.4 in dev-sje channel (currently the most recent version in there).

Release Notes

[kots]: add configuration for using a custom CA certificate

Documentation

[mrsimonemms]

/werft run no-preview publish-to-kots

👍 started the job as gitpod-build-sje-kots-self-signed-certs.2
(with .werft/ from main)

[mrsimonemms]

/werft run no-preview publish-to-kots

👍 started the job as gitpod-build-sje-kots-self-signed-certs.4
(with .werft/ from main)

[corneliusludmann]

Changes in this PR look good.

Tested both self-signed option as well as own self-signed generated certs with CA. All pods are running, and access to dashboard works. For k3s I needed to configure private registry. However, registry-facade has a TLS error during image build. Need to investage this further but I think it is not an issue of this PR.