Ensure CA certificates are updated prior to extraction from Debian
Currently cacerts appear to be extracted from a relevant Debian package but they are not updated, or consolidated using update-ca-certificates prior to their being included/parsed/extracted for use in the various distroless base variants.
There is a TODO noting this; however, I couldn't find an open issue that seeks to note the consequences of this.
While it's possible this is just the nature of the beast and I misunderstand the process here, currently there are a number of more recent root CAs not trusted by default when used with dependent tools, e.g. changes such as this one that add new CAs, but also remove ones that should no longer be trusted. I am guessing that this is because the base Debian package at time of writing is 20200601~deb10u2, which predates CA root changes over the last year; however, it seems there might be a role here to allow for more regular updates.
Ubuntu focal/LTS, for example, has 20210119~20.04.1 available to it, since it is based off the bullseye package version.
Putting aside for now whether the root of trust should be baked into an image or not (perhaps init-containered/mounted over the top at runtime), the CA certificates are currently baked in, so I wonder what the position is on keeping them up-to-date.
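
One way to measure the drift described in this issue, as an added example that is not part of the original issue or the distroless project's code: compare the bundle baked into an image with a newer reference bundle by SHA-256 fingerprint of each certificate's DER bytes. The function names and sample bundles are assumptions, and the sample "certificates" are constructed placeholder bytes, not real roots.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def fingerprints(bundle_text):
    """Return the set of SHA-256 fingerprints (hex) of every cert in a PEM bundle."""
    fps = set()
    for match in PEM_RE.finditer(bundle_text):
        # Strip line wrapping before decoding the base64 body to DER bytes.
        der = base64.b64decode("".join(match.group(1).split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps


def diff_bundles(image_bundle, reference_bundle):
    """Compare the bundle baked into an image with a newer reference bundle."""
    img, ref = fingerprints(image_bundle), fingerprints(reference_bundle)
    return {
        "missing_from_image": sorted(ref - img),  # newer roots not yet trusted
        "only_in_image": sorted(img - ref),       # roots since dropped upstream
        "shared": len(img & ref),
    }


def make_pem(der_bytes):
    """Wrap raw bytes in PEM armour (helper for the constructed sample only)."""
    body = base64.encodebytes(der_bytes).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed sample input: placeholder byte strings standing in for DER
# certificates, so the example runs offline. These are not real roots.
IMAGE_BUNDLE = "".join(make_pem(b) for b in (b"root-A", b"root-B", b"root-C"))
REFERENCE_BUNDLE = "".join(make_pem(b) for b in (b"root-B", b"root-C", b"root-D"))

if __name__ == "__main__":
    result = diff_bundles(IMAGE_BUNDLE, REFERENCE_BUNDLE)
    print("roots missing from image:", result["missing_from_image"])
    print("roots only in image:     ", result["only_in_image"])
    print("roots in both:           ", result["shared"])
```

For a real comparison, pass in the text of the consolidated bundle extracted from the image and the one produced by a newer ca-certificates package (on Debian, `/etc/ssl/certs/ca-certificates.crt`).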