Difference between revisions of "Certificate Authority Custom"

From UVOO Tech Wiki
Latest revision as of 15:31, 22 February 2024

Debian

Wipe your existing bundle and replace it with the current Mozilla root set (CCADB, roots with the Websites trust bit):

curl -fsSL "https://ccadb.my.salesforce-sites.com/mozilla/IncludedRootsPEMTxt?TrustBitsInclude=Websites" -o /etc/ssl/certs/ca-certificates.crt

Use -f so an HTTP error page is never written over the trust store. Note that update-ca-certificates regenerates /etc/ssl/certs/ca-certificates.crt from /usr/share/ca-certificates and /usr/local/share/ca-certificates, and the ca-certificates package runs it on upgrade, so this overwrite does not persist; for a permanent change add anchors under /usr/local/share/ca-certificates/ (see the functions at the end of the page).

Kubernetes Container & Helm

Get the trusted store PEM and package it as a ConfigMap

mkdir -p myhost-files
curl -fsSL "https://ccadb.my.salesforce-sites.com/mozilla/IncludedRootsPEMTxt?TrustBitsInclude=Websites" -o myhost-files/ca-certificates.crt
kubectl create configmap myhost-files --from-file=myhost-files --save-config --dry-run=client -o yaml | kubectl apply -f -

Update helm values.yaml. The configMap name must match the ConfigMap created above (myhost-files); subPath replaces the single bundle file without hiding the rest of /etc/ssl/certs. A subPath mount is not refreshed when the ConfigMap changes, so restart the pods after updating it.

    extraVolumeMounts:
      - mountPath: /etc/ssl/certs/ca-certificates.crt
        subPath: ca-certificates.crt
        name: myhost-files
    # extraVolumes: []
    extraVolumes:
      - name: myhost-files
        configMap:
          name: myhost-files

Notes

The bundle fetched by the curl above is what gets mounted over the container's own bundle; on Debian/Ubuntu-based images that path is

/etc/ssl/certs/ca-certificates.crt

Both of these chart values default to empty and must be set:

extraVolumeMounts: []
extraVolumes: []

On Fedora/RHEL-based images the generated bundle lives at

/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

Windows

cd c:\certs\
# Pull the current Microsoft trusted root set from Windows Update into a serialized store (.sst)
certutil.exe -generateSSTFromWU roots.sst
# Import-Certificate accepts the .sst directly and installs every root in it into the machine Root store
$sst = Get-ChildItem -Path C:\certs\roots.sst
$sst | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root
# Locate an internal root by subject ("CN=My Awesome Root CA" is a placeholder). A root created with
# New-SelfSignedCertificate lands in My; clients only trust it once it is in Cert:\LocalMachine\Root
$rootCa = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=My Awesome Root CA" }

more

You could replace the entire trusted CA set (Mozilla roots plus your internal roots) by doing something like

internalRootCAs="-----BEGIN CERTIFICATE-----
MIIEYzCCA0ugA ...
-----END CERTIFICATE-----
all my root certs ...
"
mkdir -p myhost-files
curl -fsSL "https://ccadb.my.salesforce-sites.com/mozilla/IncludedRootsPEMTxt?TrustBitsInclude=Websites" -o myhost-files/ca-certificates.crt
# PEM bundles are plain concatenation; make sure each appended block starts on its own line
echo "$internalRootCAs" >> myhost-files/ca-certificates.crt
kubectl create configmap myhost-files --from-file=myhost-files --save-config --dry-run=client -o yaml | kubectl apply -f -

Update helm chart values.yaml (the configMap name must match the ConfigMap created above, myhost-files)

    extraVolumeMounts:
      - mountPath: /etc/ssl/certs/ca-certificates.crt
        subPath: ca-certificates.crt
        name: myhost-files
    # extraVolumes: []
    extraVolumes:
      - name: myhost-files
        configMap:
          name: myhost-files

or, for charts that support it,

extraConfigmapMounts:

Note that Fedora/RHEL-based images keep trust under this folder: /etc/pki/ca-trust
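The shell steps above just append whatever is in $internalRootCAs to the downloaded bundle, so a truncated paste or a duplicated root goes straight into the trust store unnoticed. The following is an added example, not code from this wiki page: it merges a base bundle with internal roots, checks that every PEM block decodes to one complete DER SEQUENCE (the outer structure of an X.509 certificate), drops duplicates by SHA-256 fingerprint, and returns the fingerprints so the final trust store can be reviewed. All function names are this example's own; the two "certificates" are constructed 5-byte DER stubs, not real certificates, and a real run would read the downloaded ca-certificates.crt and your internal root PEM files instead.

```python
"""Merge a CA bundle with internal roots and sanity-check the result (added example)."""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def der_outer_length_ok(der: bytes) -> bool:
    """True if `der` is exactly one DER SEQUENCE (tag 0x30) whose length field matches."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: the byte is the length
        return 2 + first == len(der)
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    length = int.from_bytes(der[2:2 + n], "big")
    return 2 + n + length == len(der)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER encoding, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def parse_bundle(pem_text: str) -> list[bytes]:
    """Return the DER bytes of every PEM block; raise ValueError on a bad block.

    Text outside the BEGIN/END markers (comments, a stray "all my root certs" line)
    is ignored, as OpenSSL ignores it.
    """
    ders = []
    for i, match in enumerate(PEM_BLOCK.finditer(pem_text), start=1):
        b64 = re.sub(r"\s+", "", match.group(1))
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError as exc:          # binascii.Error is a ValueError
            raise ValueError(f"block {i}: not valid base64 ({exc})") from None
        if not der_outer_length_ok(der):
            raise ValueError(f"block {i}: truncated or not a DER SEQUENCE")
        ders.append(der)
    return ders


def to_pem(der: bytes) -> str:
    """PEM-encode one certificate, wrapped at 64 columns as PEM expects."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def merge_bundles(base_pem: str, internal_pem: str) -> tuple[str, list[str]]:
    """Concatenate two bundles, dropping duplicates; returns (merged PEM, fingerprints)."""
    unique: dict[str, bytes] = {}
    for der in parse_bundle(base_pem) + parse_bundle(internal_pem):
        unique.setdefault(fingerprint(der), der)
    merged = "".join(to_pem(der) for der in unique.values())
    return merged, list(unique)


def bundle_contains(pem_text: str, sha256_hex: str) -> bool:
    """Check that a specific root (by fingerprint) made it into the bundle."""
    return any(fingerprint(der) == sha256_hex for der in parse_bundle(pem_text))


# --- constructed sample input: DER stubs (SEQUENCE { INTEGER n }), not real certificates ---
CERT_A_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
CERT_B_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x02])
BASE_BUNDLE = to_pem(CERT_A_DER)                                   # stands in for the Mozilla download
INTERNAL_ROOTS = to_pem(CERT_A_DER) + to_pem(CERT_B_DER) + "all my root certs ...\n"   # A is a duplicate
# Length field says 3 bytes follow but only 2 do: a truncated paste
TRUNCATED_BUNDLE = "-----BEGIN CERTIFICATE-----\nMAMCAQ==\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    merged, fps = merge_bundles(BASE_BUNDLE, INTERNAL_ROOTS)
    print(f"{len(fps)} unique certificates in merged bundle")
    for fp in fps:
        print("  sha256:", fp)
    try:
        parse_bundle(TRUNCATED_BUNDLE)
    except ValueError as exc:
        print("rejected:", exc)
```

Run it against the real files by replacing the constructed constants with the contents of myhost-files/ca-certificates.crt and your internal root PEM; the printed fingerprints are what to compare against the roots you meant to trust before the ConfigMap is applied.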

Or update entire trust

The steps in the previous section are adapted from this answer; see the other answers there for a simple Deployment mount:

https://stackoverflow.com/questions/38968414/kubernetes-add-ca-certificate-to-pods-trust-root
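For charts without extraVolumes, the same mount in a plain Deployment. This is an added example, not from the wiki page or the linked answer; the image, Deployment name and container name are placeholders, and it assumes the myhost-files ConfigMap created with kubectl above exists in the same namespace.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp                       # placeholder
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
        - name: myapp
          image: registry.example.com/myapp:1.0.0   # placeholder
          volumeMounts:
            # Debian/Ubuntu-based image: replace only the bundle file, leave the rest of /etc/ssl/certs intact
            - name: myhost-files
              mountPath: /etc/ssl/certs/ca-certificates.crt
              subPath: ca-certificates.crt
              readOnly: true
            # Fedora/RHEL-based image: same ConfigMap, mounted over the generated bundle instead
            # - name: myhost-files
            #   mountPath: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
            #   subPath: ca-certificates.crt
            #   readOnly: true
      volumes:
        - name: myhost-files
          configMap:
            name: myhost-files      # must match the ConfigMap created with kubectl
            defaultMode: 0444
```

Because the file is a subPath mount, a changed ConfigMap is not propagated into running pods; roll the Deployment (kubectl rollout restart deployment/myapp) after republishing the bundle.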

Some functions you can expand as well for Debian/Fedora if you want to update it with additional files. I can't remember if root CA trust gets blown away on apt upgrade, probably on updates but not sure.

# Caller sets root_ca_crt / old_root_ca_crt (PEM text) and cert_file_name / old_cert_file_name before calling.
add_ca_crt_debian(){
  sudo apt-get install -y ca-certificates  # This pkg is usually installed
  echo "debian"
  # update-ca-certificates only picks up files under /usr/local/share/ca-certificates/ whose name ends in .crt
  echo "${old_root_ca_crt}" | sudo tee /usr/local/share/ca-certificates/"${old_cert_file_name}" > /dev/null
  echo "${root_ca_crt}" | sudo tee /usr/local/share/ca-certificates/"${cert_file_name}" > /dev/null
  sudo update-ca-certificates
}

add_ca_crt_fedora(){
  echo "fedora"
  # Anchors dropped here are merged into /etc/pki/ca-trust/extracted/ by update-ca-trust
  echo "${old_root_ca_crt}" | sudo tee /etc/pki/ca-trust/source/anchors/"${old_cert_file_name}" > /dev/null
  echo "${root_ca_crt}" | sudo tee /etc/pki/ca-trust/source/anchors/"${cert_file_name}" > /dev/null
  sudo update-ca-trust
}