Feature: Easy method to add trusted CA Certificate in containerized installation

[clawoflight]

Describe the problem

Your recommendation for handling private CAs is to trust them system-wide. This is a perfectly normal practice for system-wide installations. However, that would require building custom docker images for many on-prem installations, which brings a lot of maintenance overhead.
IMHO this is something that the weblate docker image should support. We certainly do this for our products :)

Describe the solution you'd like

Proposal: A simple environment variable that we could set with a path to a CA certificate.
The entrypoint of the docker image could then add it to the CA bundle itself.

This makes it easy to mount in a CA cert from a volume, as a Kubernetes secret object, etc.

Describe alternatives you've considered

No response

Screenshots

No response

Additional context

No response

[nijel]

Maybe it could be a fixed location in /app/data/ssl? We already use this for SAML SSL certificates (see https://docs.weblate.org/en/latest/admin/install/docker.html#saml).

[FSeidinger-XI]

The easiest way is to map a certificate bundle (single pem file with all needed certificates) into the container to /etc/ssl/ca-bundle.pem. This part gives Python the right ca bundle for the requests module.

For the certificates used by the system trust store, the ca bundle is exploded into /etc/ssl/certs. At least with helm and kubernetes it is done like that:

extraVolumes:
  - configMap:
      name: ca-bundle
    name: ca-bundle

extraVolumeMounts:
  - mountPath: /etc/ssl/certs
    name: ca-bundle
  - mountPath: /etc/ssl/ca-bundle.pem
    name: ca-bundle
    subPath: ca-certificates.crt

The config map holds a config containing file entries with all needed certificates. Whereas the first mount creates the exploded form, the second mount creates the ca bundle for Python.

Maybe this might work for plain docker or docker compose also or there is a similar way. Either way, this should give you a hint in the right direction.