Add the possibility to import CA Certificate

[guillaumejparis]

Context

For customers with on-premise installations using their own CA-signed certificates, such as in lab development environments or smaller organizations that may not have a root CA.

Use case

The customer have a Tanium lab that use their own CA signed certificates.

Current Workaround

Add cert manually into the running container

Proposed Solution

At startup, our container will mount the certificates folder (if provided) and update the CA certificates accordingly.

Additional Information

For inspiration : (to test)

Copy SSL certificates to the container

COPY your_certificate.crt /usr/local/share/ca-certificates/

Update SSL certificates in the container

RUN update-ca-certificates

[antoinemzs]

To note, the proposed solution is debian (and derivatives) specific. We use the eclipse-temurin:21.0.6_7-jre base image for OpenBAS, which itself is based on a variant of ubuntu:24.04. There's close to 0 chance the proposed commands will break in the future (this has been a core feature of debian for many years), but this should be kept in mind if we ever consider changing the base image for the OpenBAS container.

ca-certificates (providing the filesystem location and the update command) is a package explicitly installed during the build for the eclipse-temurin base image (but not installed by default in the base ubuntu:24.04 image), so we also depend on the build process of eclipse-temurin. Again, it's unlikely this will change as this is probably a core feature of the image, but again, if we switch for another base image provider (even ubuntu-based), we should keep this in mind.