x509: certificate signed by unknown authority. To fix this, make the appliance’s CA bundle available to the reporter.
The chart offers two ways to do this. Use whichever fits your deployment flow.
Option 1 — customCA convenience wrapper (recommended for the common case)
The chart mounts the certificate as a single file at
/etc/ssl/certs/kosli-custom-ca.crt using subPath. Go’s standard library on Linux loads CA roots in two independent passes — it reads the system bundle file (e.g. /etc/ssl/certs/ca-certificates.crt) and also scans /etc/ssl/certs/ for additional certificate files. The mounted file is picked up by the directory scan and added to the trust store alongside the system roots, so no SSL_CERT_FILE env var is needed.
The wrapper deliberately does not set SSL_CERT_FILE. Setting it would replace the system bundle entirely with the customer’s file, breaking trust for any public CAs the bundle does not include.
Option 2 — generic extraVolumes / extraVolumeMounts / extraEnvVars
Use these when you need a non-default mount path, a ConfigMap instead of a Secret, multiple volumes, or any other shape the wrapper does not cover:Pod Security Standards
Both options usesecret-backed volumes, which are permitted under the Pod Security Standards restricted profile. hostPath mounts are not permitted under that profile and should not be used here.
Cluster-wide alternative
If you already run cert-manager’s trust-manager to distribute a corporate CA bundle into a well-known ConfigMap in every namespace, pointextraVolumes / extraVolumeMounts at that ConfigMap instead of creating a per-namespace Secret.