    Add support for CA certificate bundles used for TLS onload. · 566fb79f
    Geoff Simmons authored
    CA certificates are used to secure TLS connections to backends. Since
    a CA chain may be required, they may encompass more than one
    certificate. For haproxy they are stored as concatenations of
    PEM-encoded X509 certificates.
    
    Currently CA certificates are obtained from the contents of Secrets.
    Although they are actually not secret, this appears to be the way
    they are commonly provisioned in k8s deployments. The code is
    implemented in part to facilitate other k8s types in the future,
    if so desired.
    
    For convenience it is also possible to specify the pre-installed
    CA certificate bundle provided by the base image, since this is
    a common way to include well-known CAs that may be needed in a
    chain. But it's a better practice to specifically provide all
    CA certificates required for a chain by k8s means (i.e. in Secrets).
    
    The k8s client now watches all Secrets without filtering, since
    there is no attribute commonly used to specifically identify
    Secrets containing CA certificates.
    
    This adds the package pkg/cacrt, the REST "bndls" endpoint and
    handler, and the CLI options caBase and distroCABundle.
    
    XXX: add the option to filter for a label that identifies Secrets
    with CA certificates. Such a label will have to be set in the k8s
    deployment, but then we can go back to filtering Secrets.
    
    XXX: the REST handler currently does not allow GET or HEAD requests.
    These will be added to work the same way GET and HEAD requests work
    for the pem endpoint (i.e. for TLS offload certificates).
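As an added example, not code from this commit or the project, the bundle format the message describes: Secret values are scanned for PEM CERTIFICATE blocks, leaf certificates, key material and repeats are left out, and the CA certificates are concatenated into one PEM file of the kind haproxy consumes. The function name `BuildCABundle` and the self-signed sample certificates are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// BuildCABundle concatenates the PEM CERTIFICATE blocks found in the given
// Secret values into one haproxy-style CA bundle. Non-certificate blocks (e.g.
// private keys) are skipped, leaf certificates are left out, duplicates appear
// once, and a malformed certificate is an error, not a silently short bundle.
func BuildCABundle(values ...[]byte) ([]byte, error) {
	seen := map[string]bool{} // keyed by raw DER, so re-encoded copies still match
	var out bytes.Buffer
	for _, v := range values {
		for blk, rest := pem.Decode(v); blk != nil; blk, rest = pem.Decode(rest) {
			if blk.Type != "CERTIFICATE" {
				continue
			}
			cert, err := x509.ParseCertificate(blk.Bytes)
			if err != nil {
				return nil, err
			}
			if !cert.IsCA || seen[string(cert.Raw)] {
				continue
			}
			seen[string(cert.Raw)] = true
			pem.Encode(&out, &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
		}
	}
	return out.Bytes(), nil
}

// selfSigned makes a throwaway self-signed certificate as constructed sample
// input; isCA decides whether it carries the CA basic constraint.
func selfSigned(cn string, isCA bool) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

The distro bundle mentioned in the message is just another value in the same format, so it can be passed in alongside the Secret data and deduplicated the same way.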