
Fix custom certificate authorities not working on UBI containers

Stan Hu requested to merge sh-fix-ubi8-custom-cas into master

What does this MR do?

This commit mounts the /etc/pki/ca-trust/extracted/pem directory from the certificates init container.

UBI containers have a symlink from /etc/pki/tls/cert.pem to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:

$ docker run -it registry.access.redhat.com/ubi8/ubi:8.5 ls -al /etc/pki/tls/cert.pem
lrwxrwxrwx 1 root root 49 Jun 16  2021 /etc/pki/tls/cert.pem -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

On RedHat-based Linux systems, custom certificates are copied into /usr/share/pki/ca-trust-source/anchors/, and the update-ca-trust tool updates the bundle file.

While the bundle-certificates-ubi script in Cloud Native GitLab's certificates container copies /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem into /etc/ssl/certs/ca-bundle.crt, the default X509 store used by OpenSSL (and therefore Ruby) points to /etc/pki/tls/cert.pem. Because the symlink's target is only updated inside the certificates init container, the Webservice container always ends up reading the stale copy of tls-ca-bundle.pem shipped with its UBI image.

Note that update-ca-trust creates a number of files:

/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
/etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
/etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
/etc/pki/ca-trust/extracted/java/cacerts
/etc/pki/ca-trust/extracted/edk2/cacerts.bin

Most of these files aren't needed by the Webservice container, but if they ever are, we will need to mount those directories as well.

Note that /etc/pki/ca-trust/extracted/pem will be empty unless the UBI-based certificates image is used.

Related issues

Relates to #3032 (closed)

Test plan

  1. First, I created a custom CA:

     kubectl create secret generic my-custom-ca --from-file=my-custom-ca.pem

  2. Then I installed a mix of UBI and standard images:

     helm upgrade --install gitlab . \
       --set gitlab.sidekiq.image.pullPolicy=Always \
       --set gitlab.webservice.image.pullPolicy=Always \
       --set gitlab.webservice.image.tag=master-fips \
       --set gitlab.webservice.workhorse.pullPolicy=Always \
       --set gitlab.webservice.workhorse.tag=master-fips \
       --set global.certificates.image.tag=20211220-r0-fips \
       --set global.certificates.customCAs[0].secret=my-custom-ca

  3. With this change, I can immediately see that /etc/ssl/certs/ca-bundle.crt and /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem now match and contain my custom cert:

     [git@gitlab-webservice-default-569bd75847-rtw9f /]$ ls -al /etc/ssl/certs/ca-bundle.crt
     -r--r--r-- 1 git git 202327 Jun 27 22:27 /etc/ssl/certs/ca-bundle.crt
     [git@gitlab-webservice-default-569bd75847-rtw9f /]$ ls -al /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
     -r--r--r-- 1 git git 202327 Jun 27 22:27 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
     [git@gitlab-webservice-default-569bd75847-rtw9f /]$ grep mkcert /etc/ssl/certs/ca-bundle.crt
     # mkcert stanhu@jet-arm.local (Stan Hu)
     [git@gitlab-webservice-default-569bd75847-rtw9f /]$ grep mkcert /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
     # mkcert stanhu@jet-arm.local (Stan Hu)
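The manual checks in step 3 as a scripted check, added here as an example and not part of this MR or the chart: it resolves the OpenSSL default cert file through its symlink, confirms it is byte-identical to the bundle the certificates container writes, and confirms the custom CA is present. The fixture (`make_fixture`) is constructed and uses a relative symlink so it works under a temp directory; on a real UBI image the symlink is absolute, as shown above.

```shell
#!/bin/sh
# check_ca_bundle CERT_PEM SSL_BUNDLE MARKER
#   CERT_PEM   - OpenSSL's default cert file (UBI: /etc/pki/tls/cert.pem, a symlink
#                into /etc/pki/ca-trust/extracted/pem/)
#   SSL_BUNDLE - bundle written by the certificates container (/etc/ssl/certs/ca-bundle.crt)
#   MARKER     - a string found only in the custom CA (e.g. its "# mkcert" comment line)
# Returns 0 when the resolved default store matches SSL_BUNDLE and contains MARKER,
# 1 when the container would still be trusting the image's stale copy.
check_ca_bundle() {
  cert_pem=$1; ssl_bundle=$2; marker=$3
  target=$(readlink -f "$cert_pem") || return 1
  [ -s "$target" ] || { echo "missing or empty: $target"; return 1; }
  if ! cmp -s "$target" "$ssl_bundle"; then
    echo "mismatch: $cert_pem -> $target differs from $ssl_bundle (stale bundle?)"
    return 1
  fi
  grep -q -- "$marker" "$target" || { echo "custom CA ($marker) not in $target"; return 1; }
  echo "ok: $cert_pem -> $target contains the custom CA"
}

# Constructed fixture with both layouts the MR describes, printed as a root path:
#   stale - only /etc/ssl/certs/ca-bundle.crt was updated; extracted/pem is the image copy
#   fixed - extracted/pem is mounted from the init container, so both files match
make_fixture() {
  root=$(mktemp -d)
  for layout in stale fixed; do
    d=$root/$layout
    mkdir -p "$d/etc/pki/tls" "$d/etc/pki/ca-trust/extracted/pem" "$d/etc/ssl/certs"
    # Image-shipped bundle: system CAs only (placeholder PEM body, constructed)
    printf '# system CA\n-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n' \
      > "$d/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
    # UBI symlink: /etc/pki/tls/cert.pem -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
    ln -s ../ca-trust/extracted/pem/tls-ca-bundle.pem "$d/etc/pki/tls/cert.pem"
    # bundle-certificates-ubi output: system CAs plus the custom CA
    { cat "$d/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
      printf '# mkcert example CA (constructed)\n-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n'
    } > "$d/etc/ssl/certs/ca-bundle.crt"
  done
  # With the directory mounted, the symlink target carries the updated bundle as well
  cp "$root/fixed/etc/ssl/certs/ca-bundle.crt" \
     "$root/fixed/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
  echo "$root"
}
```

Inside a running Webservice pod the call is `check_ca_bundle /etc/pki/tls/cert.pem /etc/ssl/certs/ca-bundle.crt mkcert`, with the marker replaced by something unique to your own CA.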

Checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion.

Required

  • Merge Request Title and Description are up to date, accurate, and descriptive
  • MR targeting the appropriate branch
  • MR has a green pipeline on GitLab.com

Expected (please provide an explanation if not completing)

  • Test plan indicating conditions for success has been posted and passes
  • Documentation created/updated
  • Tests added
  • Integration tests added to GitLab QA
  • Equivalent MR/issue for omnibus-gitlab opened
Edited by Stan Hu
