I don't how an init container would help?

Unless you inject them into your own images I think the most straightforward is to just mount the CA cert or bundle as a read-only volume.