
update certificates docs, service file and fix several issues #270

Open
RedTanny wants to merge 9 commits into RHEcosystemAppEng:main from RedTanny:deployment_demo

Conversation


@RedTanny RedTanny commented Jun 28, 2026

Collaborator

PR Description: Fix SSL Certificate Configuration for Cluster Deployment

Problem

The exploit-iq pod was entering a CrashLoopBackOff state with a misleading Pydantic validation error claiming it couldn't find function types like cve_agent and cve_clone_and_deps.

Root Cause

The actual issue was an SSL certificate verification failure during Python module import. When the NAT framework starts, it loads the vuln_analysis plugin via entry points. During this import, token_utils.py calls tiktoken.get_encoding("cl100k_base") at module load time, which attempts to download BPE encoding data from a public endpoint (openaipublic.blob.core.windows.net).

The existing git-ca-bundle ConfigMap only contained Red Hat internal CA certificates, which are needed for services like OSIDB and internal Git repositories, but did not include the public CA certificates required for external HTTPS connections. This caused the tiktoken download to fail with an SSL verification error, which prevented the vuln_analysis module from importing, which in turn meant the custom function types were never registered with the NAT framework.

Solution

Updated the CA bundle configuration to include both system CA certificates (for public endpoints) and Red Hat internal CA certificates (for internal services). Added explicit REQUESTS_CA_BUNDLE and SSL_CERT_FILE environment variables to the exploit-iq deployment pointing to the merged CA bundle.

Changes

  • kustomize/base/exploit_iq_service.yaml: Added REQUESTS_CA_BUNDLE and SSL_CERT_FILE environment variables pointing to /app/git-ca-bundle/ca-bundle.crt
  • kustomize/base/ca-certs/ca-bundle.crt: Merged system CA certificates with Red Hat internal CA certificates (now contains 151 certificates)
  • kustomize/README.md: Updated "Configure a Custom Git Server CA" section to document that the CA bundle must include system CAs for public endpoint connectivity
  • kustomize/base/ca-certs/README.md: Added documentation explaining the dual requirement for system and custom CA certificates, including the correct bundle creation command
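The merge-and-verify step this PR describes, as an added example that is not code from the PR or the exploit-iq project: it merges a system CA bundle with an internal one without duplicating certificates, and a startup preflight reports the misconfiguration behind the CrashLoopBackOff (variables unset, pointing at different files, or at an internal-only bundle) before any import-time download can fail. The PEM blocks are constructed stand-ins, and preflight, its reader callback and the minimum-count threshold are assumptions, not project code; only the REQUESTS_CA_BUNDLE and SSL_CERT_FILE names come from the PR.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def parse_pem_bundle(text):
    """DER bytes of each PEM block; invalid base64 raises ValueError here
    rather than surfacing later as an unrelated import-time failure."""
    return [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_BLOCK.findall(text)]

def der_to_pem(der):
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"

def merge_bundles(*bundle_texts):
    """Merge bundles, keeping the first copy of any repeated certificate."""
    seen, merged = set(), []
    for text in bundle_texts:
        for der in parse_pem_bundle(text):
            if der not in seen:
                seen.add(der)
                merged.append(der_to_pem(der))
    return "\n".join(merged) + "\n"

def preflight(env, read_file, min_certs):
    """Hypothetical startup check for this PR's misconfiguration: both env
    variables set, pointing at one readable bundle with >= min_certs entries
    (an internal-only bundle is far smaller than one with public roots)."""
    paths = {k: env.get(k) for k in ("REQUESTS_CA_BUNDLE", "SSL_CERT_FILE")}
    problems = [f"{k} is not set" for k, v in paths.items() if not v]
    if problems:
        return problems
    if len(set(paths.values())) != 1:
        problems.append("REQUESTS_CA_BUNDLE and SSL_CERT_FILE differ")
    try:
        count = len(parse_pem_bundle(read_file(paths["SSL_CERT_FILE"])))
    except (OSError, ValueError) as exc:
        return problems + [f"cannot parse bundle: {exc}"]
    if count < min_certs:
        problems.append(f"bundle holds {count} certs, expected >= {min_certs}")
    return problems

# Constructed stand-ins (arbitrary bytes, not real certificates); the
# internal bundle repeats the public root, as internal bundles often do.
SYSTEM_BUNDLE = der_to_pem(b"public-root-1" * 4) + "\n"
INTERNAL_BUNDLE = der_to_pem(b"internal-ca-1" * 4) + "\n" + SYSTEM_BUNDLE
```

In a real deployment read_file would be Path(path).read_text and min_certs a number well above the internal CA count, so that a bundle missing the public roots is rejected at startup with a clear message.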

@RedTanny RedTanny requested review from vbelouso and zvigrinberg June 28, 2026 13:56

vbelouso commented Jun 28, 2026

Collaborator

Snyk checks have passed. No issues have been found so far.

Status  Scan Engine    Critical  High  Medium  Low  Total (0)
        Code Security  0         0     0       0    0 issues


@RedTanny

Collaborator Author

/test vulnerability-analysis-on-pr

@RedTanny

Collaborator Author

/test vulnerability-analysis-on-pr

zvigrinberg and others added 3 commits June 29, 2026 11:09
@zvigrinberg zvigrinberg changed the title from "update certificates docs and service file" to "update certificates docs , service file and fix several issues" Jun 29, 2026

Collaborator

@zvigrinberg @RedTanny please don't merge. We discuss it privately.

Signed-off-by: Zvi Grinberg <zgrinber@redhat.com>

Collaborator

@RedTanny @vbelouso Found another deployment error that had better get fixed here too. The "Configure a Custom Git Server CA" section should be relocated to before we deploy to the cluster, because the base deployment has the auto-generated ConfigMap git-ca-bundle, and it should be executed in all cases:

  - name: git-ca-bundle
    files:
      - ca-certs/ca-bundle.crt
    options:
      disableNameSuffixHash: true

We need to do it anyway, because without that the deployment fails since it cannot find the ConfigMap.
We can consider whether we want to make it mandatory (as it is now) or optional by offloading it to a new reusable component that is incorporated into the deployment variants when needed using the kustomize edit add component subcommand; in any case, the documentation should be updated accordingly.

@RedTanny

Collaborator Author

/test vulnerability-analysis-on-pr
