Fixes: PROD-21792 (PROD:21792)

Change-Id: Iff22ba927c74a9cb3bd8726253106ebdbb20fe32

Salt (ca.sls) supports generation a few CA.cert but it works incorrectly.
When we generate a few ca.cert, salt must upload it to mine. But it overwrites previous ones.

Related-Prod: PROD-21740

Change-Id: I60f1089cc58758d3be65371deaaa69348fde86a4

Exposing CA keys in a mine creates a security flaw, thus such
should be avoided.
This change removes code responsible for putting and retrieving
CA key from a mine and changes the ca.sls state to allow configuring
where CA cert and its key would be generated as well as their owners.

Fixes PROD-13439

Change-Id: I6d78b13dcb3754c51606edd7e2d8158e128244a4

In cases  when a service whants to generate and sign a certificate
it requires a CA key along with a CA cert itself.
For example, Octavia needs it for signing a certificate it generates
for a newly spawned amphora.

This change add sending a CA key to the mine from where it can be
extracted in the cert.sls state.
Also allow managing permissions for a CA cert and key retrieved
from the mine.

Related PROD: PROD-11933

Change-Id: I911effb4a63ae048e348ed04b7aca33998e359aa

Change-Id: I6f1292779858c45f9cf6f4caf3657ee000b2cf06

First run is made during salt-master cloud-init and thus it is onchanges
is not suitable here because ca.crt file is already generated.

source:engine metadata created - defaults to pkg
installation, pip installation alternative added