the primary concern that I have with that model is that while traffic to the proxy is encrypted, ~everything behind the scenes is not (or, at least not in a trusted way).
this isn't so much an issue when it's in front of a Docker network, but it is when it's connecting to actual devices/servers on the physical network, as a compromise of a user account on one machine could allow for MITM and lateral movement/PE/domain takeover.
yeah, I had not really played much with racadm and so I didn't even consider the possibility of being able to update certs using it... as soon as I made that discovery, my life changed. lol