feat(etcd-backup): add custom CA support

[vmaillot]

Title says it all.

[hairmare]

why can't we just mount the ca to /etc/pki/ca-trust/source/anchors/ca.crt from a ConfigMap?

[vmaillot]

this will imply having a dedicated configMap for just the CA, I wanted to avoid that, what do you think?

[hairmare]

afair that's what the previous update-ca-trust call is for

[hairmare]

something like trust-manager could manage the cm (or the ca management thing on openshift?)

[vmaillot]

afair that's what the previous update-ca-trust call is for

yeah right... let's do it that way then! we can just referencing an item, let's see

something like trust-manager could manage the cm (or the ca management thing on openshift?)

i can totally agree, but this would bring way more overhead that we have already, i wanted to replicate how we are achieving this with velero

[vmaillot]

what about this @hairmare?

[hairmare]

afaict we can configure the cluster to know about the CA and create an empty configmap with the config.openshift.io/inject-trusted-cabundle="true" annotation using the openshift-etcd-backup chart and then magick should happen:

https://github.com/openshift/openshift-docs/blob/main/modules/certificate-injection-using-operators.adoc

[hairmare]

Specifically, the cluster should already know about the right CA. We use the same trust root that for basics like accessing internal registries. it is usually configured during installation, moreso in air-gapped cases than others.

The certificate injection feature seemingly aims to cover the same need that trust-manager wants to cover as a CNCF (sub-)project. The openshift/service-ca-operator looks like RedHat's upstream for their implementation that most likely predates trust-manager.

[vmaillot]

i am closing this PR as we should be able to that in the helm chart only.