Jenkins Kubernetes plugin SSL errors when launching JNLP

4/12/2019

My system is OKD 3.11, Jenkins latest running in its own project.

My company uses an internal CA authority, and everything is signed by it, which is a pain in itself, but I am trying to get my OKD cluster to build projects with Jenkins. I have it creating pods and such, but when the JNLP container starts, it fails with the oh-so-frustrating:

java.io.IOException: Failed to connect to https://jenkins.apps.lab.mycompany.com/tcpSlaveAgentListener/:  sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at org.jenkinsci.remoting.engine.JnlpAgentEndpointResolver.resolve(JnlpAgentEndpointResolver.java:197)
    at hudson.remoting.Engine.innerRun(Engine.java:523)
    at hudson.remoting.Engine.run(Engine.java:474)

My question is, how do I inject the root CA into the JVM keystore that the pod is using? I really hope you don't tell me that I have to build a custom Docker image. I really hope there's a way to just import the stupid thing into the existing one to keep maintenance down.

My Jenkinsfile:

pipeline {
  agent {
    kubernetes {
      label 'sample-app'
      yamlFile 'KubernetesBuildPod.yaml'
    }
  }
  options {
    skipDefaultCheckout(true)   // to avoid force checkouts on every node in a first stage
    disableConcurrentBuilds()   // to avoid concurrent builds on same nodes
  }
  stages {
    stage('Build') {
      steps {
        checkout scm
        sh 'ls -alh'
      }
    }
  }
}

And the pod YAML:

apiVersion: v1
kind: Pod
metadata:
  labels:
    component: ci
spec:
  # Use service account that can deploy to all namespaces
  serviceAccountName: jenkins
  containers:
    - name: gcc-cmake
      image: rikorose/gcc-cmake:latest
      command:
        - cat
      tty: true

And the pod template in the Jenkins config.


-- scphantm
jenkins
jenkins-pipeline
kubernetes
ssl

0 Answers