Azure / azure-functions-host

The host/runtime that powers Azure Functions
https://functions.azure.com
MIT License

Support TLS termination at application/container #7838

Open mattchenderson opened 3 years ago

mattchenderson commented 3 years ago

What problem would the feature you're requesting solve? Please describe.

The functions host and base images don't do anything to support TLS themselves, instead relying on the platform running the container. This can create issues in certain networking topologies where the Functions container exists across a trust boundary from upstream gateway components, and TLS is still desired between them. The inciting example I was asked about was a Kubernetes cluster (non-Arc) which had an ingress controller, but they didn't want termination to occur at that layer due to other aspects of the cluster configuration. I imagine that using NodePort service types could lead to a similar need, although that might be a much more fringe scenario.

Describe the solution you'd like

The ability to include a cert reference similar to how you can do it in ASP.NET Core: https://docs.microsoft.com/en-us/aspnet/core/security/docker-https?view=aspnetcore-5.0

Describe alternatives you've considered

There are solutions that are a bit more unwieldy. For example, adding a proxy to each podspec in Kubernetes which does just this, or trying to add layers to the Functions image which do the same.

Additional context

Possibly related to https://github.com/Azure/azure-functions-host/issues/5755
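The per-pod proxy alternative mentioned above, as an added example that is not part of this issue or of the azure-functions-host project: an nginx sidecar terminates TLS with a certificate from a `kubernetes.io/tls` Secret and forwards plaintext only over the pod's loopback to the Functions container. The image name, the ConfigMap and Secret names, and the assumption that the Functions container listens on port 80 are placeholders or assumptions.

```yaml
# Constructed example: TLS-terminating nginx sidecar in front of a Functions container.
apiVersion: v1
kind: ConfigMap
metadata:
  name: tls-sidecar-nginx            # assumed name
data:
  nginx.conf: |
    events {}
    http {
      server {
        listen 8443 ssl;
        ssl_certificate     /etc/tls/tls.crt;   # tls.crt/tls.key come from the Secret
        ssl_certificate_key /etc/tls/tls.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        location / {
          # Plaintext hop stays on the pod's loopback; it never crosses the node network.
          proxy_pass http://127.0.0.1:80;       # assumes the Functions container listens on 80
          proxy_set_header X-Forwarded-Proto https;
        }
      }
    }
---
apiVersion: v1
kind: Pod
metadata:
  name: functions-app
spec:
  containers:
  - name: functions
    image: <your-functions-image>     # placeholder
  - name: tls-sidecar
    image: nginx:stable
    ports:
    - containerPort: 8443             # expose this port (not 80) through the Service/ingress
    volumeMounts:
    - name: nginx-conf
      mountPath: /etc/nginx/nginx.conf
      subPath: nginx.conf
    - name: tls
      mountPath: /etc/tls
      readOnly: true
  volumes:
  - name: nginx-conf
    configMap:
      name: tls-sidecar-nginx
  - name: tls
    secret:
      secretName: functions-tls       # kubernetes.io/tls Secret created separately
```

Point the Service at port 8443 so upstream components only ever reach the TLS listener; the Functions container's port 80 is not published outside the pod.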

esimkowitz commented 3 years ago

To clarify: The ASP.NET environment also does not have its own TLS implementation. They use the underlying web server to handle these calls (the default is the cross-platform Kestrel, which is built specifically to integrate with ASP.NET). What is being asked for here is a similar in-process approach for handling the web server TLS termination for traffic destined for the HTTP-triggered Azure Functions. A feature like this will make Azure Functions a more attractive choice for use in workloads where the hosted model is not permitted.

I'm adding here a link to how ASP.NET configures Kestrel across development and production environments for reference: https://devblogs.microsoft.com/dotnet/configuring-https-in-asp-net-core-across-different-platforms/