Add tls client certs to docker from scratch image

Dockerfile

@@ -49,4 +49,5 @@ COPY --chown=app:app --from=compile-stage /app/static /static
 # copy the data folder with the correct permissions for the volume mount
 COPY --chown=app:app --from=compile-stage /app/data /data
 VOLUME /data
+COPY --chown=app:app --from=compile-stage /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 ENTRYPOINT ["/beacon"]

auth/heimdall/heimdall.go

@@ -3,11 +3,14 @@ package heimdall
 import (
 	"bufio"
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/json"
 	"errors"
 	"io"
 	"log"
 	"net/http"
+	"os"
 	"slices"
 	"time"
 
@@ -43,8 +46,21 @@ var (
 )
 
 func New(dir directory.Directory[resource.Resource[resource.Content]]) *HeimdallAuth {
+	pool := x509.NewCertPool()
+	certFile, err := os.ReadFile(config.CaCertificatesFilePath)
+	if err != nil {
+		panic("Could not open " + config.CaCertificatesFilePath + ": " + err.Error())
+	}
+	ok := pool.AppendCertsFromPEM(certFile)
+	if !ok {
+		panic("Certificates were not parsed correctly from: " + config.CaCertificatesFilePath)
+	}
 	auth := HeimdallAuth{
-		client: http.DefaultClient,
+		client: &http.Client{
+			Transport: &http.Transport{
+				TLSClientConfig: &tls.Config{RootCAs: pool},
+			},
+		},
 	}
 	go func() {
 		for {

config/config.go

@@ -39,8 +39,9 @@ var (
 	LegacyDatabasePassword string        = GetString("DB_PASSWORD", "postgres")
 	LegacyDatabaseName     string        = GetString("DB_NAME", "LHP")
 	DatabaseQueryInterval  time.Duration = GetDuration("DB_QUERY_PERIOD", 1*time.Second)
-	// jwt (unfinished test)
-	JWTPrivateKey []byte = []byte(GetString("JWT_PRIVATE_KEY", "")) // generates a new random key if empty
+
+	// TLS certificates (for https client)
+	CaCertificatesFilePath string = GetString("CA_CERTIFICATES_FILE_PATH", "/etc/ssl/certs/ca-certificates.crt")
 
 	// logging
 	VerboseLogging bool = GetBool("VERBOSE_LOGGING", false)