Update the default CA bundle more frequently

[bodgit]

We are using trust-manager with the useDefaultCAs option however I found that I was missing a fairly new CA, (O = Sectigo Limited), that wasn't present.

Peeking around in the quay.io repository the 20230311.0 tag was published ~6 months ago. I found there was a 20230311-deb12u1.0 tag that was newer and switching to using that tag fixed the missing cert for me.

Would it be possible to get this image updated more frequently?Ideally you would only publish a new tag if the CA certs are different to the previous tag. We could then use something like Renovate to update the tag value in the Helm chart if/when a newer tag is available.

[erikgb]

@bodgit Thanks for reaching out. We are actually in the process of updating the default bundle image. As you have discovered, we have pushed the new default CA bundle image to our image registry, but the default in our Helm chart has not yet been updated, nor released. We should probably add even more automation in this area, but at least finish the job we started on. WDYT @hawksight @SgtCoDFish?

[hawksight]

Hey @bodgit, thank you for the prompt. I got the latest bundle built but hadn't got around to updating our chart yet #667 should hopefully address that part.

In terms of using renovate, I basically went on the path of "least resistance" with the image tag used. The image tag is mirroring the Debian trust package naming but translating the incompatible character. It should hopefully be possible to look for the last image added under the trust-pkg-debian-bookworm image.

If there are more frequent updates to debian's CAs we might do a more standard image tag in the future, but I didn't want to open that can of worms just yet.