Feature Request
Resolution: Unresolved
Major
RHOAM Sprint 67
Current state of certificate usage in the Golang 3scale API client in the Operator:
1) User uses a certificate in the 3scale API which can be verified by root certificates stored in the RHEL base image of the 3scale Operator.
2) User disables TLS certificate verification in all CRDs, see https://issues.redhat.com/browse/THREESCALE-7836. This is not recommended for production deployments.
3) User adds their own certificate by modifying the 3scale-operator ClusterServiceVersion, which is bad practice for multiple reasons, e.g. 3scale updates, supportability.
I think users should have another option to use.
1) Use an ENV variable with the name of a secret with the certificate, which is injected into the operator pod.
2) Or an even better and cleaner solution is to use the OpenShift service-ca operator to provide certificates which are injected into the 3scale operator pod - https://github.com/openshift/service-ca-operator , https://docs.openshift.com/container-platform/4.13/security/certificates/service-serving-certificate.html
So the Golang 3scale API client in the operator can use injected certificates for secure communication with the 3scale API.
is related to:
- THREESCALE-9648 Add option to ActiveDoc CRD for configure CA certificate settings (Defined)
- THREESCALE-7836 Application capabilities skip TLS verification for the HTTP connections (Closed)