
Remove /config/v2tlsbaseroot-certificates.pem - use root CAs from rootfs #5561

Open
eriknordmark wants to merge 1 commit into lf-edge:master from eriknordmark:fetchcerts

Conversation

@eriknordmark
Contributor

@eriknordmark eriknordmark commented Jan 16, 2026

Description

Have EVE-OS directly load the CA certificates from /hostfs/etc/ssl/certs/ca-certificates.crt
This ensures that newly installed devices get the current set of TLS root CAs from the current version of Linux in the current version of EVE-OS.

For eden testing we need to be able to add trusted TLS certificates. For that reason we introduce and use an optional /config/extratls-certificates.pem. lf-edge/eden#1128 adds the code in eden to create that file.

PR Dependencies

lf-edge/eden#1128

Changelog notes

Updated the set of root CA certificates used by TLS from the current version of Alpine, and automated the update of these each time EVE-OS is updated.

PR Backports

Here is the list of current LTS branches (it should be always up to date):

  • 16.0-stable - No
  • 14.5-stable - No
  • 13.4-stable - No

Checklist

  • I've provided a proper description
  • I've added the proper documentation
  • I've tested my PR on amd64 device
  • I've tested my PR on arm64 device
  • I've written the test verification instructions
  • I've set the proper labels to this PR

And the last but not least:

  • I've checked the boxes above, or I've provided a good reason why I didn't
    check them.

Please, check the boxes above after submitting the PR in interactive mode.
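The loading rule the description sets out (the rootfs bundle is mandatory, /config/extratls-certificates.pem is optional and only expected on test devices) as an added worked example in Go. This is not EVE-OS code: LoadRootCAs, writeTestCA and Demo are names chosen for this example, the CA certificates it stages are constructed in a temp dir on each run, and on a device the two paths would be the ones the description names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// LoadRootCAs builds the TLS root pool from the mandatory rootfs bundle
// (/hostfs/etc/ssl/certs/ca-certificates.crt in the PR) plus the optional
// /config/extratls-certificates.pem. The base must exist and yield at least
// one certificate; the extra file may be absent, but a present, unparsable
// extra file fails the whole load rather than silently trusting a subset.
func LoadRootCAs(basePath, extraPath string) (*x509.CertPool, error) {
	base, err := os.ReadFile(basePath)
	if err != nil {
		return nil, fmt.Errorf("base root CA bundle %s: %w", basePath, err)
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(base) {
		return nil, fmt.Errorf("base root CA bundle %s has no usable certificates", basePath)
	}
	extra, err := os.ReadFile(extraPath)
	if os.IsNotExist(err) {
		return pool, nil // production devices: rootfs set only
	}
	if err != nil {
		return nil, fmt.Errorf("extra CA bundle %s: %w", extraPath, err)
	}
	if !pool.AppendCertsFromPEM(extra) {
		return nil, fmt.Errorf("extra CA bundle %s has no usable certificates", extraPath)
	}
	return pool, nil
}

// writeTestCA writes a constructed self-signed CA to path. It is sample input
// only, regenerated on every run, standing in for a real root bundle.
func writeTestCA(path, cn string) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	return os.WriteFile(path, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o644)
}

// Demo stages a one-CA base bundle in a temp dir, optionally adds an extra
// bundle with a second CA (the Eden case), and returns how many roots the
// pool holds. Subjects is exact here because the pool is built purely from PEM.
func Demo(withExtra bool) (int, error) {
	dir, err := os.MkdirTemp("", "rootca-demo")
	if err != nil {
		return 0, err
	}
	defer os.RemoveAll(dir)
	base := filepath.Join(dir, "ca-certificates.crt")
	extra := filepath.Join(dir, "extratls-certificates.pem")
	if err := writeTestCA(base, "Constructed Root A"); err != nil {
		return 0, err
	}
	if withExtra {
		if err := writeTestCA(extra, "Constructed Root B"); err != nil {
			return 0, err
		}
	}
	pool, err := LoadRootCAs(base, extra)
	if err != nil {
		return 0, err
	}
	return len(pool.Subjects()), nil
}

func main() {
	for _, withExtra := range []bool{false, true} {
		n, err := Demo(withExtra)
		fmt.Printf("extra file present=%v roots=%d err=%v\n", withExtra, n, err)
	}
}
```

The asymmetry is the point: a missing base bundle or a missing base certificate is fatal, because a device with no roots cannot reach its controller safely; a missing extra file is the normal production state; an extra file that exists but parses to nothing is treated as an error so a truncated or tampered test file cannot quietly shrink the trust set.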

@eriknordmark eriknordmark added the security Provides a security fix label Jan 16, 2026
@eriknordmark eriknordmark marked this pull request as draft January 16, 2026 23:55
@codecov

codecov bot commented Jan 17, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 28.34%. Comparing base (2281599) to head (edc9f65).
⚠️ Report is 436 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #5561      +/-   ##
==========================================
+ Coverage   19.52%   28.34%   +8.81%     
==========================================
  Files          19       18       -1     
  Lines        3021     2417     -604     
==========================================
+ Hits          590      685      +95     
+ Misses       2310     1588     -722     
- Partials      121      144      +23     


@rene
Contributor

rene commented Jan 17, 2026

@eriknordmark from which Alpine version did you get the certificates? 3.16.9 (ours)?

@eriknordmark
Contributor Author

> @eriknordmark from which Alpine version did you get the certificates? 3.16.9 (ours)?

Yes.
But see the discussion in #5553 - maybe we can simplify this to get rid of this file in the conf directory.

@shjala
Member

shjala commented Feb 4, 2026

@eriknordmark now that #5553 is merged and we decided we need to keep the cert in config for Eden to work, are you going to mark this "Ready for review"?

@eriknordmark
Contributor Author

> @eriknordmark now that #5553 is merged and we decided we need to keep the cert in config for Eden to work, are you going to mark this "Ready for review"?

I think we also need to update the root certs for deployed systems and this PR currently only does that for fresh installs.
So I think it makes sense to introduce a new /config/extra-root-certificates.pem which Eden can populate and take the base from the integrity-protected file in the rootfs.
So I'll rework this from scratch - I don't know if we need to make eden use both the "extra" file and append to the current file to make the transition easier though.

@eriknordmark eriknordmark changed the title from "conf: Update the v2tlsbaseroot-certificates.pem from Alpine" to "conf: Remove /config/v2tlsbaseroot-certificates.pem - use root CAs from alpine rootfs" Apr 1, 2026
@eriknordmark eriknordmark marked this pull request as ready for review April 1, 2026 19:37
@eriknordmark eriknordmark changed the title from "conf: Remove /config/v2tlsbaseroot-certificates.pem - use root CAs from alpine rootfs" to "Remove /config/v2tlsbaseroot-certificates.pem - use root CAs from rootfs" Apr 2, 2026
@eriknordmark
Contributor Author

@rene @shjala I've simplified this to always use the system root CAs plus an extra file which Eden will use. Please review. But we need to merge the Eden addition before this.

Introduce the optional /config/extratls-certificates.pem for testing and
remove the use of /config/v2tlsbaseroot-certificates.pem

We also remove the v2tlsbaseroot-certificate.pem from the config partition
we build.

Signed-off-by: eriknordmark <erik@zededa.com>

Labels

security Provides a security fix


3 participants