If an App defines
HostCertificateAccess=True in its meta data, exactly one thing happens: The DockerVolumes include
/etc/univention/ssl/$fqdn:/etc/univention/ssl/$fqdn:ro. So, the certificates are mapped into the container read-only. This includes:
The purpose of this option is to enable Apps to answer with the certificate of the Docker Host when a connection is established. The Docker Container is “hidden” behind the actual host and only App specific ports are exposed. When a client tries to communicate with the App, it does so by connecting to the Docker Host. Therefore the App may need to identify as the host.
Currently, the App gets no notification if any file changes. We are working on an update to that Apps will be able to add hooks when the certificate changes.