There might exist services (like rsyslog) on the compute nodes that connect back to OpenShift due to the ever-increasing convergence between OSP and OCP.

These connections must also be TLSe and therefore they need the OpenShift CA cert on the compute node to be able to verify that the issuer is correct.

The current cacerts-bundle that is being generated by dataplane-operator to send to the compute nodes should include the openshift cacert present in the secret openshift-service-ca/signing-key.