
change implementation of trusted certs so that cert file location isn't changed #129

@lukebond

Description

The trustedCaCerts feature currently writes the combined bundle to /combined-certs/ca-certificates.crt and points the main container at it via SSL_CERT_FILE. That works for OpenSSL/rustls but not for librdkafka, which doesn't honour SSL_CERT_FILE and reads its compiled-in default path instead. Customers using Kafka therefore have to set ssl.ca.location explicitly to the operator's internal /combined-certs/... path, leaking an implementation detail into customer config (see #126).

Switch the implementation to overlay the combined bundle onto /etc/ssl/certs/ca-certificates.crt via a subPath mount: the init container writes the combined file to a shared emptyDir at /work/ca-certificates.crt, and the main container mounts that file via subPath onto /etc/ssl/certs/ca-certificates.crt. The rest of the /etc/ssl/certs/ dir stays intact (the hashed symlinks and individual .pem files from the base image are preserved), every CA-reading library finds the combined bundle at the standard path with no further config, and SSL_CERT_FILE no longer needs to be changed. For migration safety we should keep writing the bundle to /combined-certs/ for one release so customers with explicit ssl.ca.location settings keep working, then drop /combined-certs/ in a follow-up.

FYI @sevak-mnatsakanyan
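The Pod layout the issue proposes, written out as an added example (this is illustrative config, not the operator's own manifest). Assumptions: the customer CAs arrive via a ConfigMap named trusted-ca-certs with *.crt keys, the init container uses an alpine image because it ships a ca-certificates bundle at the standard path, the workload image name is a placeholder, and the emptyDir is mounted a second time at /combined-certs purely for the one-release migration window.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: app-with-trusted-cas
spec:
  volumes:
    # Customer-supplied CA certs (assumption: ConfigMap "trusted-ca-certs" with keys such as corp-root.crt).
    - name: custom-ca
      configMap:
        name: trusted-ca-certs
    # Shared scratch volume; the init container writes the combined bundle here before the app starts.
    - name: combined-ca
      emptyDir: {}
  initContainers:
    - name: build-ca-bundle
      # Assumption: alpine ships /etc/ssl/certs/ca-certificates.crt, so it can serve as the base bundle.
      image: alpine:3.20
      command: ["/bin/sh", "-c"]
      args:
        - |
          set -eu
          # "awk 1" copies a file line by line and guarantees a trailing newline, so the last
          # PEM block of one file can never run into the first block of the next.
          awk 1 /etc/ssl/certs/ca-certificates.crt > /work/ca-certificates.crt
          for f in /custom-ca/*.crt; do
            [ -f "$f" ] || continue   # glob did not match: no customer CAs supplied
            awk 1 "$f" >> /work/ca-certificates.crt
          done
          n=$(grep -c 'BEGIN CERTIFICATE' /work/ca-certificates.crt)
          echo "combined bundle contains $n certificates"
      volumeMounts:
        - name: custom-ca
          mountPath: /custom-ca
          readOnly: true
        - name: combined-ca
          mountPath: /work
  containers:
    - name: app
      image: example.com/app:1.0   # placeholder for the customer's workload image
      volumeMounts:
        # Overlay only the single bundle file. The rest of /etc/ssl/certs/ (hashed symlinks,
        # individual .pem files) comes from the image untouched.
        - name: combined-ca
          mountPath: /etc/ssl/certs/ca-certificates.crt
          subPath: ca-certificates.crt
          readOnly: true
        # Transitional mount: /combined-certs/ca-certificates.crt keeps existing for one release so
        # customers who set ssl.ca.location to the old internal path keep working.
        - name: combined-ca
          mountPath: /combined-certs
          readOnly: true
      # No SSL_CERT_FILE: OpenSSL-based stacks and librdkafka both default to the standard path.
```

Two things to check when rolling this out. A subPath mount is a bind mount taken when the container starts and is not refreshed afterwards; that is fine here because the init container has finished writing before the app container is created, but it means the bundle cannot be hot-swapped without a restart. And the overlay only works if the base image actually has /etc/ssl/certs/ca-certificates.crt as its bundle path; after deployment, `kubectl exec <pod> -- grep -c 'BEGIN CERTIFICATE' /etc/ssl/certs/ca-certificates.crt` should report the same count the init container logged, which confirms the app sees the combined bundle rather than the image's original one.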
