When an agent gets upgrade, it overwrites the CA bundle. This is problematic as it's not uncommon for Puppet users to have specific CA content they need included.
It's understandable that Puppet may need to clear out old data by overwriting the old file.
Is it possible to add a feature where perhaps there's a certificates.d situation where customers can add CA information they care about and our installer adds it to the final file?
That would save a lot of time and effort if customers are upgrading their puppet infrastructure regularly and their agents to match.