Support custom system-provided TLS truststores #350

@sbernauer

Reported in Discord:

I am encountering a problem using stackablectl at a customer site. Their firewall uses deep packet inspection, which is interfering with SSL certificate verification. This process results in certificates presented to clients not having the original issuer.

The customer's root CA certificate is installed on their Ubuntu systems and is generally working for other applications. However, stackablectl appears not to be using the system's installed CA certificates. The error message:

An unrecoverable error occured: failed to execute operator (sub)command

Caused by these errors (recent errors listed first):
 1: Helm error
 2: failed to retrieve remote content
 3: error sending request for url (https://repo.stackable.tech/repository/helm-stable/index.yaml)
 4: client error (Connect)
 5: invalid peer certificate: UnknownIssuer

Is there a way to configure stackablectl to recognize and use the system's trusted CA certificates? Any insights or suggestions would be greatly appreciated.

As of 2025-01-28 the call is done using reqwest and rustls.
We probably need something like rustls_platform_verifier for this to work.
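The failure reported above can be reproduced offline with openssl, as an added example that is not part of the issue or of stackablectl: a leaf certificate re-signed by a constructed "inspection" root verifies only when that root is in the trust bundle the client actually loads. All subjects, hostnames and file names are constructed, and `openssl verify` stands in here for the rustls verifier.

```shell
#!/usr/bin/env bash
# Added example: constructed, offline PKI. Nothing here contacts a real host.

# Create in directory $1 a "public" root, an "inspection" root (stand-in for
# the firewall's CA) and a leaf for one hostname signed by the inspection root.
make_pki() {
  local d=$1 ca
  for ca in public inspection; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=Constructed $ca root" \
      -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null || return 1
  done
  openssl req -newkey rsa:2048 -nodes -subj "/CN=repo.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -days 1 \
    -CA "$d/inspection.pem" -CAkey "$d/inspection.key" -CAcreateserial \
    -out "$d/leaf.pem" 2>/dev/null
}

# Verify leaf $2 against the roots in bundle $1. OpenSSL may also consult its
# default store, which cannot contain these throwaway roots.
# Prints "trusted", or "unknown-issuer" when verification fails (with this
# constructed chain the only possible cause is the missing root).
check_leaf() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo unknown-issuer
  fi
}

demo() {
  local d
  d=$(mktemp -d) || return 1
  make_pki "$d" || { rm -rf "$d"; return 1; }
  # Client that trusts only its bundled public roots: the intercepted chain fails.
  echo "bundled roots only:     $(check_leaf "$d/public.pem" "$d/leaf.pem")"
  # Client that also loads the system store where the inspection root is installed.
  cat "$d/public.pem" "$d/inspection.pem" > "$d/system.pem"
  echo "bundled + system roots: $(check_leaf "$d/system.pem" "$d/leaf.pem")"
  rm -rf "$d"
}

demo
```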
