I've seen another similar question here: https://stackoverflow.com/questions/52636213/docker-distroless-image-how-to-add-customize-certificate-to-trust-store but the answer relied on having the certificate available at image build time, which I do not have.
I am looking for a way to copy a CA certificate into a distroless based container image at Kubernetes pod deployment time and have the CA store get updated so that the certificate is considered valid by openssl.
I have seen that using kubernetes volumes I can share the certificate.crt into the container when it is deployed (it will be present at /usr/local/share/ca-certificates/cert.crt inside the container) but there is no update-ca-certificates or update-ca-trust command available inside of distroless - so how can I ensure that the CA store/bundle is properly updated to make the cert be considered valid? Note that editing/appending to the cert bundle manually is not recommended. We are looking for the proper way to execute update-ca-certificates inside of distroless.
I have seen examples with alpine base images where people have used apk to add the missing packages such as ca-certificates so that the update-ca-certificates command will be available. Is there a similar way to achieve this when building distroless images?
This is a community wiki answer. Feel free to expand on it.
The solution for your issue was proposed in this feature request:
Add option in cacerts rules to include additional ca certs #272
However, the request is still not merged and thus not available yet.
There is a workaround however which was explained here. Bear in mind that the workaround assumes that the initContainer is based on an image other than distroless.
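The initContainer workaround the answer points to, written out as an added example (not part of the original post or the distroless project): a Pod manifest in which a non-distroless init container runs `update-ca-certificates` against the deploy-time certificate and hands the regenerated bundle to the distroless container through a shared `emptyDir`. The Pod name, the Secret name, the init image and the application image are assumptions; the init image only needs to ship the `ca-certificates` package.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: app-with-custom-ca            # assumed name
spec:
  volumes:
    # The CA certificate supplied at deployment time (Secret name assumed).
    - name: custom-ca
      secret:
        secretName: custom-ca
    # Scratch volume that carries the regenerated bundle to the app container.
    - name: ca-bundle
      emptyDir: {}
  initContainers:
    # Not distroless: any Debian-family image with the ca-certificates
    # package installed works here (image name is a placeholder).
    - name: update-ca-trust
      image: your-registry/debian-with-ca-certificates:latest
      command: ["/bin/sh", "-c"]
      args:
        - |
          set -eu
          # Place the deploy-time cert where update-ca-certificates looks for local CAs.
          cp /custom-ca/cert.crt /usr/local/share/ca-certificates/cert.crt
          # Rebuild the bundle the proper way instead of appending to it by hand.
          update-ca-certificates
          # Export only the resulting bundle file for the distroless container.
          cp /etc/ssl/certs/ca-certificates.crt /ca-bundle/ca-certificates.crt
      volumeMounts:
        - name: custom-ca
          mountPath: /custom-ca
          readOnly: true
        - name: ca-bundle
          mountPath: /ca-bundle
  containers:
    - name: app
      image: gcr.io/distroless/base-debian12   # assumed: your distroless image
      volumeMounts:
        # Overlay just the bundle file; subPath leaves the rest of
        # /etc/ssl/certs untouched, and readOnly keeps the app from altering it.
        - name: ca-bundle
          mountPath: /etc/ssl/certs/ca-certificates.crt
          subPath: ca-certificates.crt
          readOnly: true
```

Because the Secret is read-only and the init container runs to completion before the app starts, the distroless container never needs a shell or `update-ca-certificates` of its own; it simply sees a bundle that already contains the extra CA.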