We have an internal domain name, let's say "mycompany.net", with a private CA which delivers all our internal application HTTPS certificates for this domain, like "myapp.mycompany.net".
Now, I'm writing an application that needs to connect to an internal HTTPS service. This app runs inside a container which by default doesn't know our private CA and refuses to connect to the HTTPS service.
I can add the CA certificate in my app image, but having to do it for every app will be both not DRY and error-prone.
I can provide a base image with the certificate so that all apps use this base image. But then:
- either I also provide a base image for every language we use (Java, Python...) relying on the 1st base image, which feels like reinventing the wheel (though it means we would know for sure the content of the images, which is good from a security perspective)
- or, we reuse standard language base images but add our certificate in each of them, less DRY but easier to maintain?
- or... ?
I'm wondering what's the recommended approach here? I feel like I'm missing something.
And I'm not even mentioning that Python seems to need a specific environment variable to use the CA certificate.