This repository has been archived by the owner on Jan 24, 2018. It is now read-only.

[RFC] Handling of private CA in other templates #188

Open
1 task
lasley opened this issue Dec 19, 2016 · 0 comments

lasley commented Dec 19, 2016

After we create the private CA, we need to do some other setup to the containers to allow it to actually be useful:

  • Add option to proxy for X.509 authentication
    • It would be nice if we could select the CA (or CAs) to trust, then have Clouder deploy & update the proxy config ssl_client_certificate directive (or just put all certs in one file & trigger nginx reload to refresh)
  • Deploy CA cert to ca-certificates of relevant containers and run update-ca-certificates (or whatever the Alpine equivalent is)
  • What are the relevant containers?

Another thing we should really think about is securing our communication between proxy and applications using certs from the internal CA. All network communication should be encrypted by default IMO, but at least having the option is a blocker for me.

Depends:
