- Feature Request
- Resolution: Done
- Normal
Cluster administrators can configure additional trusted CAs in OpenShift. The combined set of trusted CAs (from the cluster's perspective) can be obtained by creating an empty ConfigMap with a special label attached to it. An operator then injects the trusted CAs into a well-defined field of that ConfigMap. This is described here: https://github.com/openshift/openshift-docs/blob/main/modules/certificate-injection-using-operators.adoc
https://github.com/stackrox/stackrox/pull/174#discussion_r795789778:
Ideally, we'd want to use the CA bundle for all TLS certificate validations. For this to work, we'd need to reference the file in image/static-bin/import-additional-cas and copy the file as a .crt file to /etc/pki/ca-trust/source/anchors prior to invoking update-ca-trust.
The challenge with this is the race condition that @SimonBaeumer mentioned above. However, to make this work, I really only see two options:
- have a watcher that watches the mount, and restarts the container whenever a change is detected. This will reliably pick up new content, but can be disruptive to stability, depending on how often CA certificates change.
- have a watcher that watches the mount, and invokes import-additional-cas whenever a change is detected. However, the documentation of x509.SystemCertPool() says that future changes to the system cert pool might not be reflected. So in order for this to work, we'd have to ensure that any cert pool instances retrieved from x509.SystemCertPool() do not get persisted, and are only used shortly after calling the function. There aren't too many calls in our code base, but we'd still need to check that an update at runtime works. There's a good chance it might not because of the use of sync.Once under the hood.