From eab9db8d32d9cea43ffea66c86885457a3b87c08 Mon Sep 17 00:00:00 2001
From: Alexander Twrdik <6052859+DiCanio@users.noreply.github.com>
Date: Thu, 13 Mar 2025 13:49:58 +0100
Subject: [PATCH 1/3] Provision Custom Certificates
Adds a routine that picks up custom certificates from a pre-defined directory and provisions them in a bundled form as a ConfigMap. Only certificates in PEM format are taken into account (requires .pem file extension). However, other than the file extension no other check is in place to enforce it. That leaves it to the admin to provide certificates in the correct format. Due to k8s constraints of ConfigMaps the total size of all certificates must not be larger than 1MB. Also, this is not enforced by any checks, yet.
---
README.md | 13 ++++++++++++-
flame/certs/.gitkeep | 0
flame/templates/additional-certs-configmap.yaml | 9 +++++++++
3 files changed, 21 insertions(+), 1 deletion(-)
create mode 100644 flame/certs/.gitkeep
create mode 100644 flame/templates/additional-certs-configmap.yaml
diff --git a/README.md b/README.md
index 84f7567..026e5dd 100644
--- a/README.md
+++ b/README.md
@@ -76,7 +76,18 @@ If you have a hostname that you'd like to use for your instance, change all inst
 file to your hostname. Be sure to leave the text (e.g. "https://") before and after "localhost" the same. Be sure this hostname is properly configured in your DNS settings and your reverse proxy to point to your kubernetes cluster.
-### 3. Deploy the Flame Node
+### 3. Add Custom Certificates (optional)
+
+If the `node` is going to be deployed to an environment where outbound requests are intercepted for inspection by
+leveraging custom certificates then these certificates have to be provisioned for `node` components to pick them up for
+use.
+
+To do so, add any related certificate in `PEM` format to `flame/certs/` using `.pem` as the file extension.
+
+> [!IMPORTANT]
+> Make sure that all certificates together are not larger than 1MB (due to k8s constraints)!
+
+### 4. Deploy the Flame Node
 Initial deployment will take some time (minutes) to pull of the images, execute the jobs, and to populate the containers. Please be patient during the installation process.
 Once you have your configured values YAML file, you can perform installation using helm:
diff --git a/flame/certs/.gitkeep b/flame/certs/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/flame/templates/additional-certs-configmap.yaml b/flame/templates/additional-certs-configmap.yaml
new file mode 100644
index 0000000..18d3e38
--- /dev/null
+++ b/flame/templates/additional-certs-configmap.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: flame-additional-certs
+data:
+ certs.pem: |
+{{- range $path, $_ := .Files.Glob "certs/**.pem" }}
+{{ $.Files.Get $path | toString | trim | indent 4 -}}
+{{- end }}
From 2929e954dcd288505c639a250c01898dfb3476c8 Mon Sep 17 00:00:00 2001
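Review bot: The `range` over `certs/**.pem` on the seventh added line of the ConfigMap template bundles whatever the files contain, and the commit message itself says that neither PEM format nor the 1MB ConfigMap limit is enforced; as far as I recall Node logs a warning and ignores the NODE_EXTRA_CA_CERTS bundle when it cannot load it, so one stray or malformed file would silently leave every custom CA untrusted in the consuming pods rather than failing loudly. A render-time guard placed directly after the `range` line turns that into an install error: `{{- if not (hasPrefix "-----BEGIN CERTIFICATE-----" ($.Files.Get $path | toString | trim)) }}{{ fail (printf "%s is not a PEM certificate" $path) }}{{- end }}`, and a similar `fail` on the accumulated length would cover the size limit the README only warns about. The ConfigMap name `flame-additional-certs` is also fixed rather than prefixed with `.Release.Name` as the deployments in the later patches do for their own resources, so two releases in one namespace would overwrite each other's bundle; if the broker and UI charts are subcharts of `flame`, the reference in their `volumes` entries would need the same prefix.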
From: Alexander Twrdik <6052859+DiCanio@users.noreply.github.com>
Date: Thu, 13 Mar 2025 13:54:53 +0100
Subject: [PATCH 2/3] Forward Custom Certs to Message Broker
Picks up provisioned custom certificates and makes them available to the message broker component. The component will in return add these certificates to its trust store which is taken into account when running outbound requests.
---
.../templates/node-message-broker-deployment.yml | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/node-message-broker/helm/templates/node-message-broker-deployment.yml b/node-message-broker/helm/templates/node-message-broker-deployment.yml
index c2629ff..68d6965 100644
--- a/node-message-broker/helm/templates/node-message-broker-deployment.yml
+++ b/node-message-broker/helm/templates/node-message-broker-deployment.yml
@@ -26,7 +26,7 @@ spec:
 restartPolicy: "Always"
 containers:
 - name: {{ .Release.Name }}-node-message-broker
- image: ghcr.io/privateaim/node-message-broker:{{ .Chart.AppVersion }}
+ image: "ghcr.io/privateaim/node-message-broker:{{ .Chart.AppVersion }}"
 imagePullPolicy: "Always"
 securityContext:
 runAsNonRoot: true
@@ -50,7 +50,7 @@ spec:
 - name: HUB_AUTH_BASE_URL
 value: {{ required "A valid HUB Auth base URL is required." (include "broker.hub.authApi" .) | default "https://auth.privateaim.net/" | quote }}
 - name: HUB_MESSENGER_BASE_URL
- value: {{ required "A valid HUB Messenger base URL is required." (include "broker.hub.messengerApi" .) | default "https://messenger.privateaim.net/" | quote }}
+ value: {{ required "A valid HUB Messenger base URL is required." (include "broker.hub.messengerApi" .) | default "https://messenger.privateaim.net/" | quote }}
 - name: HUB_AUTH_ROBOT_ID
 value: {{ required "A robot ID for the Hub is required." (include "broker.hub.robotUser" .) | quote }}
 - name: HUB_AUTH_ROBOT_SECRET
@@ -58,9 +58,15 @@ spec:
 secretKeyRef:
 name: {{ .Release.Name }}-node-message-broker-hub-auth
 key: robot-secret
+ - name: NODE_EXTRA_CA_CERTS
+ value: "/mnt/certs/certs.pem"
 # DO NOT USE THIS IN PRODUCTION!!! This is just for internal testing purposes.
 - name: NODE_TLS_REJECT_UNAUTHORIZED
 value: "0"
+ volumeMounts:
+ - mountPath: "/mnt/certs/certs.pem"
+ name: additional-certs
+ subPath: "certs.pem"
 resources:
 requests:
 memory: "256Mi"
@@ -81,3 +87,7 @@ spec:
 initialDelaySeconds: 90
 periodSeconds: 10
 timeoutSeconds: 10
+ volumes:
+ - name: additional-certs
+ configMap:
+ name: flame-additional-certs
From f8760abc0b29bcaeb638da6466a3e547b9351124 Mon Sep 17 00:00:00 2001
From: Alexander Twrdik <6052859+DiCanio@users.noreply.github.com>
Date: Fri, 14 Mar 2025 07:40:05 +0100
Subject: [PATCH 3/3] Forward Custom Certs to UI
Picks up provisioned custom certificates and makes them available to the UI component. The component will in return add these certificates to its trust store which is taken into account when running outbound requests.
---
node-ui/templates/node-ui-deployment.yaml | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/node-ui/templates/node-ui-deployment.yaml b/node-ui/templates/node-ui-deployment.yaml
index d3ed5a4..435a593 100644
--- a/node-ui/templates/node-ui-deployment.yaml
+++ b/node-ui/templates/node-ui-deployment.yaml
@@ -47,3 +47,13 @@ spec:
 key: {{ include "ui.keycloak.secretKey" . }}
 - name: NUXT_AUTH_SECRET
 value: {{ randAlphaNum 32 | b64enc }}
+ - name: NODE_EXTRA_CA_CERTS
+ value: "/mnt/certs/certs.pem"
+ volumeMounts:
+ - mountPath: "/mnt/certs/certs.pem"
+ name: additional-certs
+ subPath: "certs.pem"
+ volumes:
+ - name: additional-certs
+ configMap:
+ name: flame-additional-certs
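Review bot: The new `NODE_EXTRA_CA_CERTS` entry is inserted directly above the existing `NODE_TLS_REJECT_UNAUTHORIZED: "0"` pair, and while that setting remains the custom trust bundle changes nothing about which peers are accepted, because verification is switched off for every outbound TLS connection regardless of the CA set. Provisioning the intercepting proxy's CA is exactly the supported replacement for that workaround, so this hunk is the place to drop the `# DO NOT USE THIS IN PRODUCTION!!! ...`, `- name: NODE_TLS_REJECT_UNAUTHORIZED` and `value: "0"` lines, or to gate them behind a values flag that defaults to verification on. Separately, mounting the key through `subPath` means the kubelet will not propagate later ConfigMap updates into the running container, so a rotated or added certificate only takes effect after a pod restart; mounting the directory (`mountPath: "/mnt/certs"` without `subPath`, with `NODE_EXTRA_CA_CERTS` still pointing at `/mnt/certs/certs.pem`) avoids that, and the same applies to the node-ui hunk in patch 3. The containers list and the enclosing Deployment spec start before this hunk.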
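Review bot: The `configMap` volume added at the end of the broker spec refers to `flame-additional-certs` by fixed name, and a ConfigMap volume that cannot be resolved keeps the pod in ContainerCreating, so a broker release installed without the parent `flame` chart, or in a namespace where that ConfigMap is absent, will no longer start at all even though certificates are an optional feature per the README. Adding `optional: true` under `configMap:` lets the pod start without the bundle; if the file is then missing Node only logs a load warning for `NODE_EXTRA_CA_CERTS`, which is the benign failure mode here (worth confirming on the Node version in the image). The same `volumes` entry in the node-ui hunk of patch 3 needs the identical change. The probe block that the three context lines belong to starts outside the hunk.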