- Bug
- Resolution: Done
- rhos-18.0.4
- Bug Fix
- Done
- Moderate
The CA bundle generated by the ctlplane, which can also include any custom third-party CA file (e.g. for a Satellite), gets deployed on the edpm node for the deployed/running services, but it is not installed as the CA bundle of the edpm node itself.
As a result, any additional third-party CA cert added to the ctlplane, e.g. to access a Satellite, has to be added manually to the dataplane node, e.g. via edpm_bootstrap_command.
To Reproduce
Steps to reproduce the behavior:
- deploy a pre-provisioned edpm node using the openstackdataplanedeployment
- check whether /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem matches e.g. the CA cert bundle deployed for repo-setup:
diff -u /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /var/lib/openstack/cacerts/repo-setup/tls-ca-bundle.pem --- /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem 2025-02-10 04:22:11.741000000 +0000 +++ /var/lib/openstack/cacerts/repo-setup/tls-ca-bundle.pem 2025-02-20 07:45:25.463859458 +0000 @@ -1,3 +1,103 @@ +# rootca-public +-----BEGIN CERTIFICATE----- +MIID/DCCAmSgAwIBAgIQN56wWrP5gqsC461//cLtTjANBgkqhkiG9w0BAQsFADAY +MRYwFAYDVQQDEw1yb290Y2EtcHVibGljMB4XDTI1MDIxOTEzNTE1MloXDTM1MDIx
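Review bot: the hunk header `@@ -1,3 +1,103 @@` shows that the repo-setup bundle carries 100 lines the system bundle lacks, starting with the `# rootca-public` certificate, which is exactly the symptom the report describes; note that the system bundle is the `---` side and the service bundle the `+++` side, so every `+` line is content missing from the node's trust store. The excerpt is cut after the second base64 line of that certificate, so the rest of the added certificates cannot be checked from the page.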
Expected behavior
- the CA bundle gets installed as the system-wide CA certificate bundle at an early stage, so that it is used e.g. to validate the TLS certificate of any RPM repo or registry.
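The manual diff in the reproduction step only tells you that the two bundles differ, not which certificates the node's trust store is actually missing, and it is sensitive to line wrapping and the `# name` comment lines. The following POSIX shell script is an added example, not part of this report or of edpm-ansible: it extracts every certificate body from both bundles, reports those present in a service bundle under /var/lib/openstack/cacerts but absent from the system bundle, and stages a bundle into the ca-trust anchors directory so that `update-ca-trust` picks it up. The function names, the sample bundles in `demo` (constructed, not real certificates) and the default paths are assumptions; only the two file paths from the report are taken from the page.

```shell
#!/bin/sh
# Added example (not from the bug report or edpm-ansible): check which
# certificates a control-plane-generated service bundle contains that the
# node's system-wide bundle lacks. Paths default to those named in the report.

# Print one line per certificate in a PEM bundle: the base64 body with
# whitespace stripped, so the same certificate compares equal regardless of
# line wrapping or surrounding "# name" comment lines.
pem_bodies() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { inblock = 1; body = ""; next }
    /-----END CERTIFICATE-----/   { inblock = 0; print body; next }
    inblock                       { gsub(/[ \t\r]/, ""); body = body $0 }
  ' "$1"
}

# Print the bodies present in the service bundle ($2) but absent from the
# system bundle ($1). Empty output means the system trust store already
# covers everything the control plane shipped for that service.
missing_certs() {
  sys_list=$(pem_bodies "$1" | sort -u)
  pem_bodies "$2" | sort -u | while IFS= read -r body; do
    printf '%s\n' "$sys_list" | grep -qxF -- "$body" || printf '%s\n' "$body"
  done
}

# Number of missing certificates; "0" means the node is consistent.
# Real-node invocation (paths from the report):
#   missing_count /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
#                 /var/lib/openstack/cacerts/repo-setup/tls-ca-bundle.pem
missing_count() {
  missing_certs "$1" "$2" | awk 'END { print NR }'
}

# Remediation helper (the manual step the report's workaround automates via
# edpm_bootstrap_command): copy a service bundle into the ca-trust anchors
# directory under a descriptive name. Running `update-ca-trust` afterwards
# merges it into the system bundle; that step is left to the caller.
stage_bundle() {
  anchors=${3:-/etc/pki/ca-trust/source/anchors}
  mkdir -p "$anchors" && cp "$1" "$anchors/$2.pem" && chmod 0644 "$anchors/$2.pem"
}

# Offline demonstration with constructed, non-functional sample bundles:
# the "system" bundle holds certificate A, the service bundle holds A and B,
# so exactly one certificate is reported as missing.
demo() {
  d=$(mktemp -d)
  cat > "$d/system.pem" <<'EOF'
# distro-ca
-----BEGIN CERTIFICATE-----
MIIBsampleCertificateA000000000000000000000000000000000000000000
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END CERTIFICATE-----
EOF
  cat > "$d/service.pem" <<'EOF'
# distro-ca
-----BEGIN CERTIFICATE-----
MIIBsampleCertificateA000000000000000000000000000000000000000000
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END CERTIFICATE-----
# rootca-public
-----BEGIN CERTIFICATE-----
MIIBsampleCertificateB000000000000000000000000000000000000000000
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
-----END CERTIFICATE-----
EOF
  missing_count "$d/system.pem" "$d/service.pem"
  rm -rf "$d"
}
```

A non-zero `missing_count` on a freshly deployed node is the condition this report describes; running it against each directory under /var/lib/openstack/cacerts/ gives a per-service view of which bundles the system trust store does not yet cover.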
Bug impact
- in addition to adding the third-party CA certs to the ctlplane, a user is also required to add them to the dataplane in an additional step via the nodeset.
Known workaround
- use edpm_bootstrap_command in the nodeset to add the custom CA certs