refactor: Consolidate CA trust setup into import-additional-cas

Merge trust-root-ca into import-additional-cas to align with how
stackrox/stackrox handles CA trust (single script, single
update-ca-trust call). This eliminates a redundant update-ca-trust
invocation and simplifies the entrypoint.

Changes:
- Add copy_single() to import-additional-cas for the StackRox root CA
  at /run/secrets/stackrox.io/certs/ca.pem
- Remove trust-root-ca script and its references in entrypoint.sh
  and create-bundle.sh
- update-ca-trust extract --output is now called once instead of twice

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: davdhacs

image/scanner/rhel/create-bundle.sh

@@ -41,7 +41,6 @@ cp "${INPUT_ROOT}/scripts/entrypoint.sh"               "${OUTPUT_DIR}/scripts"
 cp "${INPUT_ROOT}/scripts/import-additional-cas"       "${OUTPUT_DIR}/scripts"
 cp "${INPUT_ROOT}/scripts/restore-all-dir-contents"    "${OUTPUT_DIR}/scripts"
 cp "${INPUT_ROOT}/scripts/save-dir-contents"           "${OUTPUT_DIR}/scripts"
-cp "${INPUT_ROOT}/scripts/trust-root-ca"               "${OUTPUT_DIR}/scripts"
 
 # =============================================================================
 # Add binaries and data files to be included in the Dockerfile here. This

image/scanner/scripts/entrypoint.sh

@@ -4,6 +4,5 @@ set -euo pipefail
 
 /restore-all-dir-contents
 /import-additional-cas
-/trust-root-ca
 
 exec /scanner

image/scanner/scripts/import-additional-cas

@@ -22,6 +22,9 @@ copy_existing /usr/local/share/ca-certificates
 # Copy the custom trusted CA bundles injected by the Openshift Network Operator.
 copy_existing /etc/pki/injected-ca-trust
 
+# Copy the StackRox root CA if available (mounted by the operator).
+copy_existing /run/secrets/stackrox.io/certs
+
 echo "Updating CA trust"
 # Though /etc/pki/ca-trust/extracted is the default output, update-ca-trust
 # will create the necessary directories with the required permissions if the `--output` flag is used.