catalogd should use certpoolwatcher

[tmshort]

operator-controller uses certpoolwatcher to watch for changes to the CAs on disk, and subsequently update a certificate pool for TLS connections.

The catalogd code does not currently use the certpoolwatcher for it's CAs, and it should be incorporated.

It might be desirable to pull the certpoolwatcher into its own package.

[azych]

/assign

[azych]

/unassign

This is interconnected with other work and needs additional prep to be ready for pickup

[tmshort]

Cert pool watcher is only useful for connections via net.HTTPS, and not those via containers/images.

[grokspawn]

@tmshort said:

catalogd does not use TLS connections except via containers/image, which use the x509.SystemCertPool() API. While the contents of that API can be manipulated indirectly via SSL_CERT_DIR and SSL_CERT_FILE environment variables, there's no way to force x509.SystemCertPool() to refresh its certs. So, having a watcher makes little sense.