Merge pull request #59966 from liggitt/self-signed-ca

Automatic merge from submit-queue (batch tested with PRs 59463, 59719, 60181, 58283, 59966). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Split self-signed cert and CA

The key usage limitation of TLS Server Auth makes the cert invalid as a CA.

This switches to generate a single-use CA, uses it to sign the serving cert, then appends the CA to the cert bytes.

* allows a client to continue to reference the cert file as a trust bundle, which now contains a valid CA cert
* continues to keep the generated certificate valid only for serving purposes

Fixes kubernetes#311

```release-note
NONE
```

Kubernetes-commit: 5d144152e4d07f3752c05ec24e31d840adcd90a2

Author: k8s-publishing-bot