fix: Add update-ca-trust workaround for unprivileged containers

In UBI9, update-ca-trust fails when running as an unprivileged user
(nobody:nobody) because it attempts to write to system-wide paths.
Use the -o flag to specify a user-writable output directory.

Also switch restore-all-dir-contents to use --no-clobber to avoid
overwriting CA trust files that were already updated at runtime.

See: https://bugzilla.redhat.com/show_bug.cgi?id=2241240

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: davdhacs

image/scanner/scripts/import-additional-cas

@@ -19,4 +19,6 @@ copy_existing /usr/local/share/ca-certificates
 # Copy the custom trusted CA bundles injected by the Openshift Network Operator.
 copy_existing /etc/pki/injected-ca-trust
 
-update-ca-trust extract
+# The -o flag is required for running as an unprivileged user in containers.
+# See: https://bugzilla.redhat.com/show_bug.cgi?id=2241240
+update-ca-trust extract -o /etc/pki/ca-trust/extracted

image/scanner/scripts/restore-all-dir-contents

@@ -4,4 +4,4 @@ set -euo pipefail
 
 [ -d /.init-dirs ] || exit 0
 
-cp -rfP /.init-dirs/* /
+cp --recursive --no-dereference --no-clobber /.init-dirs/* /

image/scanner/scripts/trust-root-ca

@@ -6,4 +6,7 @@ CA_PATH="/run/secrets/stackrox.io/certs/ca.pem"
 
 # For RHEL
 cp "${CA_PATH}" /etc/pki/ca-trust/source/anchors/root-ca.pem
-update-ca-trust
+
+# The -o flag is required for running as an unprivileged user in containers.
+# See: https://bugzilla.redhat.com/show_bug.cgi?id=2241240
+update-ca-trust extract -o /etc/pki/ca-trust/extracted