feat: ca extra certs

cmd/dkl-local-server/cluster-render-context.go

@@ -117,7 +117,12 @@ func templateFuncs(sslCfg *cfsslconfig.Config) map[string]any {
 				return
 			}
 
-			s = string(ca.Cert)
+			extra, err := caExtraCerts(cluster, name)
+			if err != nil {
+				return
+			}
+
+			s = string(ca.Cert) + extra
 			return
 		},
 
@@ -127,13 +132,18 @@ func templateFuncs(sslCfg *cfsslconfig.Config) map[string]any {
 				return
 			}
 
+			extra, err := caExtraCerts(cluster, name)
+			if err != nil {
+				return
+			}
+
 			dir := "/etc/tls-ca/" + name
 
 			return asYaml([]config.FileDef{
 				{
 					Path:    path.Join(dir, "ca.crt"),
 					Mode:    0644,
-					Content: string(ca.Cert),
+					Content: string(ca.Cert) + extra,
 				},
 				{
 					Path:    path.Join(dir, "ca.key"),

cmd/dkl-local-server/ws-cluster-cas.go

@@ -79,6 +79,17 @@ func getUsableClusterCA(cluster, name string) (ca CA, err error) {
 	return
 }
 
+func caExtraCerts(cluster, name string) (extra string, err error) {
+	cfg, err := readConfig()
+	if err != nil {
+		return
+	}
+	if cfg.ExtraCaCerts != nil {
+		extra = cfg.ExtraCaCerts[cluster+"/"+name]
+	}
+	return
+}
+
 var clusterCASignedKeys = newClusterSecretKV[KeyCert]("CA-signed-keys")
 
 func wsClusterCASignedKeys(req *restful.Request, resp *restful.Response) {