I’ve spent a lot of time looking into your issue this morning and I got some more info for you which I will break down into sections since there is a lot of it:
Most DAP/Conjur tools’ use of system store
When you omit both CONJUR_CERT_FILE, the fallback will be to the system store, so my original answer to your question about summon-conjur here was accurate.
conjur-authn-k8s-client (“authn-k8s client”)
This is the client that validates pod information and gives you a token that other Conjur tools can use to fetch secrets. This particular product usually runs as a sidecar in its own container and has no access to the app container’s system CA store, so it does not natively support use of the system CA store. You might be able to run this product from the app container itself; this is a very unusual deployment scenario, but it should be supported, so I’ve opened an issue for it on GitHub.
Secrets provider uses conjur-authn-k8s-client (“authn-k8s client”) as the base logic to retrieve the authentication token from Conjur and also runs in its own container (or pod, depending on the version you are running), so it has the same limitations. Because of this, use of the app’s system store is not possible at this time, and we recommend using CONJUR_CERT_FILE for it.
Hopefully this helps clear things up!
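The trust-store fallback discussed in this reply (use the file named by CONJUR_CERT_FILE when it is set, otherwise the operating system's CA store) can be checked from the client side with the small Go program below. It is an added example written for this page, not code from conjur-api-go, summon-conjur or conjur-authn-k8s-client; the helper names trustPool and verifyWith, the hostname conjur.example.internal and the throwaway self-signed CA are all constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

// trustPool mirrors the fallback described above (hypothetical helper, not
// the Conjur client's own code): an empty certFile means "use the OS CA
// store", a non-empty certFile means "trust only the PEM CA(s) in that file".
// The second return value names which store was chosen so an operator can
// log it at startup.
func trustPool(certFile string) (*x509.CertPool, string, error) {
	if certFile == "" {
		pool, err := x509.SystemCertPool()
		if err != nil {
			return nil, "", fmt.Errorf("loading system CA store: %w", err)
		}
		return pool, "system", nil
	}
	pemBytes, err := os.ReadFile(certFile)
	if err != nil {
		return nil, "", fmt.Errorf("reading %s: %w", certFile, err)
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemBytes) {
		return nil, "", errors.New("no PEM certificates found in " + certFile)
	}
	return pool, "file", nil
}

// verifyWith performs the same chain and hostname check a TLS client does
// against the Conjur server certificate, but with an explicit root pool, so
// you can see which store would accept a given certificate.
func verifyWith(pool *x509.CertPool, leafPEM []byte) error {
	block, _ := pem.Decode(leafPEM)
	if block == nil {
		return errors.New("no PEM block in certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:   pool,
		DNSName: "conjur.example.internal", // assumed Conjur hostname
	})
	return err
}

// selfSignedCA builds a throwaway self-signed certificate (constructed test
// data only) so the example runs offline; it stands in for the private CA a
// DAP/Conjur deployment would hand to clients through CONJUR_CERT_FILE.
func selfSignedCA() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Conjur CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		DNSNames:              []string{"conjur.example.internal"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Same decision the clients make: honour CONJUR_CERT_FILE if present.
	pool, source, err := trustPool(os.Getenv("CONJUR_CERT_FILE"))
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Println("trust store in use:", source)
	caPEM, _ := selfSignedCA()
	fmt.Println("private CA verifies:", verifyWith(pool, caPEM) == nil)
}
```

Run it once with CONJUR_CERT_FILE unset and once pointing at a PEM file: the private CA verifies only in the second case, which is exactly why the sidecar-based authn-k8s client and secrets provider need the variable set rather than relying on a system store they cannot see.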