fix(pki): Replace CA root cert job with sync deployment

kustomize/pki/resources/private-issuer/ca/cert-init.yaml

@@ -0,0 +1,67 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: cert-init
+  namespace: system-pki
+  annotations:
+    fluxcd.io/reconcile: "false"
+  labels:
+    app: cert-init
+spec:
+  backoffLimit: 10
+  template:
+    metadata:
+      labels:
+        app: cert-init
+    spec:
+      serviceAccountName: copy-root-cert
+      containers:
+      - name: cert-init
+        # renovate: datasource=docker depName=kubectl package=bitnami/kubectl
+        image: bitnami/kubectl:1.33.4
+        command:
+          - /bin/sh
+          - -c
+          - |
+            set -e
+
+            echo "Initializing certificate sync for trust-manager..."
+
+            # Wait for secret to be available
+            i=1
+            while [ $i -le 30 ]; do
+              if kubectl get secret private-ca-cert -n system-pki >/dev/null 2>&1; then
+                echo "Secret found, proceeding with sync..."
+                break
+              else
+                echo "Waiting for secret (attempt $i/30)..."
+                sleep 10
+              fi
+              i=$((i + 1))
+            done
+
+            if [ $i -gt 30 ]; then
+              echo "Failed to find secret after 30 attempts" >&2
+              exit 1
+            fi
+
+            # Execute the shared sync script
+            cp /scripts/sync.sh /tmp/sync.sh
+            /tmp/sync.sh
+
+            echo "Certificate sync completed successfully - trust-manager can now distribute the CA cert"
+        volumeMounts:
+        - name: script-volume
+          mountPath: /scripts
+          readOnly: true
+        - name: temp-volume
+          mountPath: /tmp
+      restartPolicy: OnFailure
+      volumes:
+      - name: script-volume
+        configMap:
+          name: cert-sync-script
+          defaultMode: 0755
+      - name: temp-volume
+        emptyDir: {} 

kustomize/pki/resources/private-issuer/ca/cert-sync-script.yaml

@@ -0,0 +1,49 @@
+---
+# Shared certificate sync script
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cert-sync-script
+  namespace: system-pki
+  labels:
+    app: cert-sync
+data:
+  sync.sh: |
+    #!/bin/sh
+    set -e
+
+    echo "Starting certificate sync..."
+
+    # Check if secret exists
+    if kubectl get secret private-ca-cert -n system-pki >/dev/null 2>&1; then
+      # Get current CA cert
+      kubectl get secret private-ca-cert -n system-pki -o jsonpath='{.data.ca\.crt}' | base64 --decode > /tmp/current_ca.crt
+
+      # Check if configmap exists and compare
+      if kubectl get configmap private-ca-cert -n system-pki-trust >/dev/null 2>&1; then
+        kubectl get configmap private-ca-cert -n system-pki-trust -o jsonpath='{.data.ca\.crt}' > /tmp/existing_ca.crt
+
+        if cmp -s /tmp/current_ca.crt /tmp/existing_ca.crt; then
+          echo "Certificates match, no update needed"
+          exit 0
+        else
+          echo "Certificates differ, updating configmap..."
+          kubectl create configmap private-ca-cert \
+            --from-file=ca.crt=/tmp/current_ca.crt \
+            -n system-pki-trust \
+            --dry-run=client -o yaml | kubectl apply -f -
+          echo "ConfigMap updated successfully"
+          exit 0
+        fi
+      else
+        echo "ConfigMap does not exist, creating..."
+        kubectl create configmap private-ca-cert \
+          --from-file=ca.crt=/tmp/current_ca.crt \
+          -n system-pki-trust
+        echo "ConfigMap created successfully"
+        exit 0
+      fi
+    else
+      echo "Secret not found"
+      exit 1
+    fi 

kustomize/pki/resources/private-issuer/ca/cert-sync.yaml

@@ -0,0 +1,49 @@
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: cert-sync
+  namespace: system-pki
+  annotations:
+    fluxcd.io/automated: "true"
+  labels:
+    app: cert-sync
+spec:
+  # Run daily at 2 AM
+  schedule: "0 2 * * *"
+  concurrencyPolicy: Replace
+  successfulJobsHistoryLimit: 3
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    spec:
+      backoffLimit: 3
+      template:
+        metadata:
+          labels:
+            app: cert-sync
+        spec:
+          serviceAccountName: copy-root-cert
+          containers:
+          - name: cert-sync
+            # renovate: datasource=docker depName=kubectl package=bitnami/kubectl
+            image: bitnami/kubectl:1.33.4
+            command:
+              - /bin/sh
+              - -c
+              - |
+                echo "Checking for certificate changes..."
+                /scripts/sync.sh
+            volumeMounts:
+            - name: script-volume
+              mountPath: /scripts
+              readOnly: true
+            - name: temp-volume
+              mountPath: /tmp
+          restartPolicy: OnFailure
+          volumes:
+          - name: script-volume
+            configMap:
+              name: cert-sync-script
+              defaultMode: 0755
+          - name: temp-volume
+            emptyDir: {} 

kustomize/pki/resources/private-issuer/ca/kustomization.yaml

@@ -4,7 +4,9 @@ resources:
   - ca-certificate.yaml
   - ca-issuer.yaml
   - inject-private-ca-policy.yaml
-  - copy-root-cert-job.yaml
+  - cert-sync-script.yaml
+  - cert-init.yaml
+  - cert-sync.yaml
   - rbac.yaml
   - serviceaccount.yaml
   - trust-bundle.yaml