So far, the best solution I’ve found:
- manually store the CA bundle in a vault, such as Azure Vault or HashiCorp Vault
- configure the External Secrets add-on to use the vault
- configure the CA bundle as a volume mount, using the secret provided by External Secrets, in each pod that needs it
Now, when the CA expires, you only have to update the CA bundle in a single location in the vault; Argo CD will take care of restarting the pods when the secret updates.
If anyone has a better idea, feel free to share.
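The three steps above as Kubernetes manifests, added here as an illustration and not taken from the original post. It assumes the External Secrets Operator (external-secrets.io) with a HashiCorp Vault KV v2 backend reached through Vault's Kubernetes auth method; the server address, Vault role, KV path, image and namespaces are placeholders.

```yaml
# Step 2: point External Secrets at the vault (placeholder server/role/path).
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata: {name: vault-kv}
spec:
  provider:
    vault:
      server: "https://vault.example.internal:8200"   # placeholder address
      path: "secret"                                   # KV v2 mount point
      version: "v2"
      auth:
        kubernetes:                                    # Vault Kubernetes auth method
          mountPath: "kubernetes"
          role: "external-secrets"                     # placeholder Vault role
          serviceAccountRef: {name: external-secrets, namespace: external-secrets}
---
# Step 1 (read side): the CA bundle lives at one KV path; this materialises it
# as a Kubernetes Secret in the application namespace.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata: {name: internal-ca-bundle, namespace: app}
spec:
  refreshInterval: 1h                  # ESO re-reads Vault on this interval
  secretStoreRef: {kind: ClusterSecretStore, name: vault-kv}
  target: {name: internal-ca-bundle}   # Secret created in namespace "app"
  data:
    - secretKey: ca-bundle.crt
      remoteRef:
        key: pki/ca-bundle             # placeholder KV path: the single place to rotate
        property: bundle
---
# Step 3: mount the synced Secret read-only and tell TLS clients where it is.
apiVersion: apps/v1
kind: Deployment
metadata: {name: my-app, namespace: app}
spec:
  selector: {matchLabels: {app: my-app}}
  template:
    metadata: {labels: {app: my-app}}
    spec:
      containers:
        - name: app
          image: registry.example.internal/my-app:1.0   # placeholder image
          env:
            # honoured by OpenSSL- and Go-based clients as the trust store
            - {name: SSL_CERT_FILE, value: /etc/ssl/private-ca/ca-bundle.crt}
          volumeMounts:
            - {name: ca-bundle, mountPath: /etc/ssl/private-ca, readOnly: true}
      volumes:
        - name: ca-bundle
          secret: {secretName: internal-ca-bundle}
```

After rotating the bundle at the KV path, `kubectl get externalsecret -n app internal-ca-bundle` shows the sync status, and the Secret's `ca-bundle.crt` key should carry the new bundle within one `refreshInterval`.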