Allow certs to be included in an image #97

Merged
merged 3 commits into from
Apr 12, 2022

Conversation

dmikusa
Contributor

@dmikusa dmikusa commented Apr 11, 2022

Summary

Prior to this PR, a helper is added at build time. This helper will execute in the runtime environment and load any ca-certs that are presented through a binding. This is the most flexible, but requires the individual executing the image to specify the binding with the CA certificates. If the CA certificates binding is skipped/forgotten, then the run will likely fail.

Since CA certificates are public certificates and not secret, we can build the CA certificates into the image if the user would prefer. This provides the CA certificates by default, so there is no ca-certificates binding required at runtime. You can add additional CA certs at runtime with a binding, but you cannot remove CA certs baked into the image without rebuilding.

To include in the image, set `BP_EMBED_CERTS=true` and rebuild your image.

CA certificates are copied into the layer. Then the normal symlinking procedure is applied referencing the copies.

This resolves #94.

In addition, this PR deprecates `BP_ENABLE_RUNTIME_CERT_BINDING` because this has a default `true` value and we are moving all config to be default `false`. This env variable is replaced by `BP_RUNTIME_CERT_BINDING_DISABLED` which defaults to `false`. The meaning is basically the same. Going forward, set `BP_RUNTIME_CERT_BINDING_DISABLED=true` to remove the runtime helper from the produced image.

Use Cases

#94

Checklist

  • I have viewed, signed, and submitted the Contributor License Agreement.
  • I have linked issue(s) that this PR should close using keywords or the Github UI (See docs)
  • I have added an integration test, if necessary.
  • I have reviewed the styleguide for guidance on my code quality.
  • I'm happy with the commit history on this PR (I have rebased/squashed as needed).

@dmikusa dmikusa added the type:enhancement A general enhancement label Apr 11, 2022
@dmikusa dmikusa requested a review from a team as a code owner April 11, 2022 20:58
@dmikusa dmikusa added the semver:minor A change requiring a minor version bump label Apr 11, 2022
Daniel Mikusa and others added 3 commits April 12, 2022 10:08
Prior to this PR, a helper is added at build time. This helper will execute in the runtime environment and load any ca-certs that are presented through a binding. This is the most flexible, but requires the individual executing the image to specify the binding with the CA certificates. If the CA certificates binding is skipped/forgotten, then the run will likely fail.

Since CA certificates are public certificates and not secret, we can build the CA certificates into the image if the user would prefer. This provides the CA certificates by default, so there is no ca-certificates binding required at runtime. You can add additional CA certs at runtime with a binding, but you cannot remove CA certs baked into the image without rebuilding.

To include in the image, set `BP_EMBED_CERTS=true` and rebuild your image.

CA certificates are copied into the layer. Then the normal symlinking procedure is applied referencing the copies.

This resolves #94.

In addition, this PR deprecates `BP_ENABLE_RUNTIME_CERT_BINDING` because this has a default `true` value and we are moving all config to be default `false`. This env variable is replaced by `BP_RUNTIME_CERT_BINDING_DISABLED` which defaults to false. The meaning is basically the same. Going forward, set `BP_RUNTIME_CERT_BINDING_DISABLED=true` to remove the runtime helper from the produced image.

Signed-off-by: Daniel Mikusa <[email protected]>
Co-authored-by: David O'Sullivan <[email protected]>
Co-authored-by: David O'Sullivan <[email protected]>
@dmikusa dmikusa merged commit 5ebb697 into main Apr 12, 2022
@dmikusa dmikusa deleted the embed branch April 12, 2022 15:22
Labels
semver:minor A change requiring a minor version bump type:enhancement A general enhancement

Successfully merging this pull request may close these issues.

Enable CA certificates to be baked into an image