Feature/28 provision additional certificates #29
Conversation
Adds a routine that picks up custom certificates from a pre-defined directory and provisions them in a bundled form as a ConfigMap. Only certificates in PEM format are taken into account (requires .pem file extension). However, other than the file extension no other check is in place to enforce it. That leaves it to the admin to provide certificates in the correct format. Due to k8s constraints of ConfigMaps the total size of all certificates must not be larger than 1MB. Also, this is not enforced by any checks, yet.
Picks up provisioned custom certificates and makes them available to the message broker component. The component will in return add these certificates to its trust store which is taken into account when running outbound requests.
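The bundling routine described above, as an added example in Python (not the project's own code): it picks up `*.pem` files from a directory, adds the two checks the description says are still missing (that each file really carries a base64/DER certificate block, and that the bundle stays under the 1 MiB ConfigMap limit) and emits the ConfigMap manifest. The function names, the data key `ca-bundle.pem` and the two sample inputs are assumptions constructed for the example.

```python
import base64
import re
from pathlib import Path

CONFIGMAP_MAX_BYTES = 1024 * 1024  # Kubernetes limit on ConfigMap data, as noted in the PR
_PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----")

# Constructed sample: the base64 body is a minimal DER SEQUENCE, not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
# Constructed malformed sample: correctly framed, but the payload is not DER (no leading 0x30).
BAD_PEM = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"


def extract_certificates(text: str) -> list[str]:
    """Return each CERTIFICATE block in text, re-wrapped to 64 columns; raise on a bad payload."""
    certs = []
    for body in _PEM_CERT.findall(text):
        b64 = "".join(body.split())
        der = base64.b64decode(b64, validate=True)  # rejects stray characters
        if not der or der[0] != 0x30:  # every X.509 certificate is a DER SEQUENCE (tag 0x30)
            raise ValueError("PEM block payload is not a DER-encoded certificate")
        lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        certs.append(f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n")
    return certs


def bundle_from_texts(files: dict[str, str], max_bytes: int = CONFIGMAP_MAX_BYTES) -> str:
    """Bundle file name -> contents into one PEM string; only .pem names count, as in the PR."""
    bundle = []
    for name in sorted(files):
        if not name.endswith(".pem"):
            continue
        certs = extract_certificates(files[name])
        if not certs:  # a .pem file with no certificate is an operator mistake, not a no-op
            raise ValueError(f"{name}: no CERTIFICATE block found")
        bundle.extend(certs)
    data = "".join(bundle)
    if len(data.encode()) > max_bytes:
        raise ValueError(f"bundle is {len(data.encode())} bytes, over the {max_bytes}-byte ConfigMap limit")
    return data


def bundle_directory(cert_dir: Path, max_bytes: int = CONFIGMAP_MAX_BYTES) -> str:
    """Read every *.pem file in the pre-defined directory and bundle it."""
    return bundle_from_texts({p.name: p.read_text() for p in cert_dir.glob("*.pem")}, max_bytes)


def build_configmap(name: str, namespace: str, bundle: str) -> dict:
    """ConfigMap manifest carrying the bundle; the key 'ca-bundle.pem' is an assumed name."""
    return {"apiVersion": "v1", "kind": "ConfigMap",
            "metadata": {"name": name, "namespace": namespace},
            "data": {"ca-bundle.pem": bundle}}
```

Serialise the returned dict with a YAML or JSON dumper and apply it to get the ConfigMap the components then mount.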
@brucetony, @mjugl I'll take a look at the
Thanks for the effort! The result service sends requests using the
The way I handled this so far was to create a new Dockerfile which is based on the image of the application that I want to add the certificate to. For Alpine, I extended the Dockerfile like so:

```dockerfile
# update-ca-certificates merges /usr/local/share/ca-certificates/*.crt into the system bundle;
# Alpine's /etc/ssl/cert.pem is a plain copy, so re-point it at the regenerated bundle.
RUN chmod 0644 /usr/local/share/ca-certificates/*.crt && \
    update-ca-certificates && \
    rm /etc/ssl/cert.pem && \
    ln -s /etc/ssl/certs/ca-certificates.crt /etc/ssl/cert.pem
```

If we can't build new images in the deployment process, then I'll have to think of a workaround (e.g. making the above command part of the container's entrypoint script).
If it's not a major task (haven't had a look at the project) we could also try using the

Yes, that's entirely possible and amounts to just a couple new lines of code. The FLAME Hub Python Client library permits custom
I could also add this behavior on the library level but I would honestly leave it up to the application using the library.

That sounds good 👌🏻
Picks up provisioned custom certificates and makes them available to the UI component. The component will in return add these certificates to its trust store which is taken into account when running outbound requests.
@brucetony Since the UI is using a
Just published ghcr.io/privateaim/node-result-service:dev-20250314T080932Z which uses the system CA bundle to verify outbound requests. All that's left is to call
Any better ideas?

Edit: Just wrote up a PoC for the suggested approach. It works, but it requires the container to be run as root. The entrypoint script would drop privileges for the server process if it is run as root, but that would still cause exec'ing into the container to happen as root. This is the entrypoint script:

```sh
#!/bin/sh
_print_info() {
    printf "\033[1m[$0] [-]\033[0m %s\n" "$1"
}
_print_error() {
    printf "\033[31;1m[$0] [!]\033[0m %s\n" "$1"
}
# Install the additional certificates into the system trust store.
# update-ca-certificates writes to /etc/ssl, hence the root requirement.
if [ -n "${FORCE_UPDATE_CA_CERTIFICATES}" ];
then
    if [ "$(id -u)" -ne "0" ];
    then
        _print_error "update-ca-certificates requires to be run as root"
        exit 1
    fi
    _print_info "Provisioning additional certificates"
    update-ca-certificates || { _print_error "update-ca-certificates failed"; exit 1; }
    # Alpine ships /etc/ssl/cert.pem as a plain copy; point it at the regenerated bundle instead
    rm /etc/ssl/cert.pem
    ln -s /etc/ssl/certs/ca-certificates.crt /etc/ssl/cert.pem
fi
_print_info "$(printf "%s " "Running server with arguments:" "${@}")"
# Drop privileges: hand the server arguments to a shell running as nonroot, which execs the server.
# (A bare "su - nonroot" would only open an interactive shell and leave the server running as root.)
# Assumes a su, such as BusyBox's or util-linux's, that passes trailing arguments on to the shell.
if [ "$(id -u)" -eq "0" ];
then
    _print_info "Dropping privileges"
    exec su -s /bin/sh -c 'exec /usr/local/bin/python -m uvicorn project.main:app "$@"' -- nonroot sh "$@"
fi
exec /usr/local/bin/python -m uvicorn project.main:app "${@}"
```
We need to think of a solution that doesn't require running any sort of
Would offer to check if adding the certificate as is will be sufficient already. Could do that throughout the day tomorrow.
Adds a routine to provision custom certificates in PEM format. This is necessary when deploying the node to an environment where requests are being intercepted for inspection causing SSL termination by leveraging custom certificates (e.g. self-signed certificates). The routine bundles all provisioned certificates into a single .pem file and makes that available via a ConfigMap.

Forwards these custom certificates to the message broker component. Without this change the component is not able to connect to the hub when deployed in an environment resembling the one described above.