OpenShift Bugs: OCPBUGS-61195

Cluster CA Trust is Updated by Hard-coded 'user-ca-bundle' ConfigMap Name, Bypassing Proxy Spec

    • Quality / Stability / Reliability

      Description of problem:

      Creating a ConfigMap with the specific name user-ca-bundle in the openshift-config project results in its CA certificates being automatically added to the node's trust store.
      
      This update occurs even when the Proxy.spec.trustedCA.name field is empty, indicating the system relies on a hard-coded name rather than an explicit configuration reference.
      
      This can lead to unexpected and untracked modifications to cluster-wide trust settings, potentially posing a security or operational risk.
          

      Version-Release number of selected component (if applicable):

          ALL versions I guess

      How reproducible:

          100%

      Steps to Reproduce:

      1. Create a ConfigMap named user-ca-bundle in the openshift-config project containing a CA certificate.
      
      $ oc -n openshift-config create cm user-ca-bundle --from-file=ca-bundle.crt=cert.pem
      configmap/user-ca-bundle created
      
      
      2. Verify that the cluster proxy configuration does not reference any trusted CA ConfigMap.
      
      $ oc get proxy cluster -o yaml
      apiVersion: config.openshift.io/v1
      kind: Proxy
      metadata:
        # ... details ...
      spec:
        trustedCA:
          name: ""
      
      
      3. Debug a node and inspect the CA trust source directory. Observe that the certificate has been added.
      
      $ oc debug node/<node-name>
      sh-5.1# chroot /host
      sh-5.1# cat /etc/pki/ca-trust/source/anchors/openshift-config-user-ca-bundle.crt
      -----BEGIN CERTIFICATE-----
      MIIF7zCCA9egAwIBAgIUA0iXZSI5rdKTgCRA4QGWyBeA3L8wDQYJKoZIhvcNAQEL
      ...
      -----END CERTIFICATE-----
      
          

      Actual results:

      The CA certificate from the user-ca-bundle ConfigMap is automatically added to the node's trust store at /etc/pki/ca-trust/source/anchors/openshift-config-user-ca-bundle.crt.
          

      Expected results:

          The node's CA trust store should only be modified if a ConfigMap is explicitly defined in the Proxy.spec.trustedCA.name field. 
      
      The system should not rely on a hard-coded ConfigMap name, as this creates an implicit and non-obvious configuration dependency.
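      To make the implicit trust path visible to an auditor, the following shell script is an added example; it is not part of this report and not Machine Config Operator code. It reads the output of the `oc` commands from the steps above, extracts `Proxy.spec.trustedCA.name`, checks the node anchor directory for the file name `openshift-config-user-ca-bundle.crt` quoted in step 3, and classifies the result as EXPLICIT (tracked by the proxy spec), IMPLICIT (the hard-coded name picked up with an empty proxy reference, i.e. the behaviour reported here) or NONE. The function names `trusted_ca_name`, `anchor_present`, `classify_trust_source` and `audit_sample`, and the sample proxy YAML and anchor listing, are constructed for the example.

```shell
#!/bin/sh
# Added audit example (not the bug report's or MCO's own code).
# Assumes: `oc` is logged in when run live; the anchor file name
# openshift-config-user-ca-bundle.crt is taken from the report.

# Print spec.trustedCA.name from `oc get proxy cluster -o yaml` read on stdin.
# Prints an empty line when the field is unset or "".
trusted_ca_name() {
  awk '
    $1 == "trustedCA:"                 { in_block = 1; next }
    in_block && $1 == "name:"          { gsub(/"/, "", $2); print $2; exit }
    in_block && NF && $1 != "name:"    { exit }   # left the trustedCA block
  '
}

# Read an anchor directory listing on stdin; print 1 if the MCO-written
# user-ca-bundle anchor is present, else 0.
anchor_present() {
  grep -c '^openshift-config-user-ca-bundle\.crt$' || true
}

# Classify how a CA reached the node trust store.
#   $1 = Proxy.spec.trustedCA.name (may be empty)
#   $2 = "yes" if the anchor (or the user-ca-bundle ConfigMap) exists, else "no"
classify_trust_source() {
  name=$1
  present=$2
  if [ -n "$name" ]; then
    echo EXPLICIT          # trust is tracked by Proxy.spec.trustedCA.name
  elif [ "$present" = yes ]; then
    echo IMPLICIT          # hard-coded name picked up with no proxy reference
  else
    echo NONE
  fi
}

# Constructed sample data standing in for live cluster output.
SAMPLE_PROXY='apiVersion: config.openshift.io/v1
kind: Proxy
spec:
  trustedCA:
    name: ""'
SAMPLE_ANCHORS='openshift-config-user-ca-bundle.crt
ca-bundle.crt'

# Run the classification over the constructed sample; prints IMPLICIT.
audit_sample() {
  name=$(printf '%s\n' "$SAMPLE_PROXY" | trusted_ca_name)
  if [ "$(printf '%s\n' "$SAMPLE_ANCHORS" | anchor_present)" = 1 ]; then
    present=yes
  else
    present=no
  fi
  classify_trust_source "$name" "$present"
}

# Live usage (requires cluster access; <node-name> is a placeholder):
#   name=$(oc get proxy cluster -o yaml | trusted_ca_name)
#   hit=$(oc debug node/<node-name> -- chroot /host ls /etc/pki/ca-trust/source/anchors 2>/dev/null | anchor_present)
#   [ "$hit" = 1 ] && present=yes || present=no
#   classify_trust_source "$name" "$present"
```

An IMPLICIT result is the condition this report describes: node trust was changed by the mere existence of the `user-ca-bundle` ConfigMap in `openshift-config`. Until the dependency is made explicit, treating creation of that ConfigMap as a trust-store change (for example in admission review or change tracking) keeps the modification from going unnoticed.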
      

      Additional info:

          

              Team MCO
              Divyam Pateriya
              Sergio Regidor de la Rosa