Add clarification

Signed-off-by: Ben <[email protected]>

Author: Neon-White

pkg/system/reconciler.go

@@ -409,10 +409,30 @@ func (r *Reconciler) Reconcile() (reconcile.Result, error) {
 		}
 	}
 
+	/*
+	This code is problematic due to the way other parts of the product work.
+	On the core side, get_unsecured_agent() relies on the presence of the NODE_EXTRA_CA_CERTS
+	environment variable to determine whether an HTTP or HTTPS client should be used.
+
+	At the time of writing this comment, if the environment variable is not set, an HTTP agent
+	will be used for *all* S3-compatible domains that aren't under amazonaws.com - including
+	domains that are already present by default in the system's certificate store.
+
+	Forcing the environment variable to always be set leads to a different problem where
+	some things might fail - e.g. the admission tests that rely on creating a namespacestore
+	that points towards NooBaa's (self-signed) S3 service. In that case, the HTTPS agent fails
+	due to the self-signed certificate.	
+
+	Also, note that the code that combines certificates only applies to the operator.
+	Based on whether the certificate bundling was successful, the operator will set the value of
+	NODE_EXTRA_CA_CERTS in endpoints and core pods to point to *the system generated service-serving certs*.
+
+	At the time of writing, user certs are not included at any point.
+	*/
+	
 	err = util.CombineCaBundle(util.ServiceServingCertCAFile)
 	if err == nil {
-		// r.ApplyCAsToPods = util.InjectedBundleCertCAFile
-		r.ApplyCAsToPods = util.ServiceServingCertCAFile // back as it was
+		r.ApplyCAsToPods = util.ServiceServingCertCAFile
 	} else if !os.IsNotExist(err) {
 		log.Errorf("❌ NooBaa %q failed to add root CAs to system default", r.NooBaa.Name)
 		res.RequeueAfter = 3 * time.Second