# Add corporate CA certificates to the CA trust chain

Some components like Zuul and Nodepool may need to communicate with corporate services via HTTPS.
When such corporate services expose a certificate signed by a corporate Certificate Authority, the CA certificate must be part of the CA trust chain of the component's container.

sf-operator eases the installation of additional CA certificates into Zuul and Nodepool containers via a dedicated ConfigMap resource.

The dedicated ConfigMap resource must be named `corporate-ca-certs`.
The ConfigMap's content will be mounted into `/usr/share/pki/ca-trust-source/` and processed by the `update-ca-trust` command at container startup.

When the ConfigMap is changed, the controller automatically recognizes it and restarts the corresponding pods.