Merge pull request #420 from janlauber/trusted-certificates

feat: trusted certificates

.pre-commit-config.yaml

@@ -6,4 +6,4 @@ repos:
         entry: ./scripts/frontend-check.sh
         language: script
         pass_filenames: false
-        stages: [commit]
+        stages: [pre-commit]

Dockerfile

@@ -9,7 +9,7 @@ RUN apk --no-cache add upx make git gcc libtool musl-dev ca-certificates dumb-in
   && upx one-click
 
 # Stage 2: Build frontend
-FROM node:lts-slim as ui-builder
+FROM node:lts-slim AS ui-builder
 WORKDIR /build
 COPY ./frontend/package*.json ./
 RUN rm -rf ./node_modules ./build
@@ -20,10 +20,32 @@ RUN npm install --legacy-peer-deps
 RUN npm run build
 
 # Stage 3: Runtime
-FROM alpine as runtime
+FROM alpine AS runtime
 WORKDIR /app/one-click
+
+# Install ca-certificates package and create directory for custom certificates
+RUN apk --no-cache add ca-certificates \
+    && mkdir -p /usr/local/share/ca-certificates
+
+# Copy application files
 COPY --from=backend-builder /build/one-click /app/one-click/one-click
 COPY ./pocketbase/pb_migrations ./pb_migrations
 COPY --from=ui-builder /build/build /app/one-click/pb_public
+
+# Create entrypoint script to handle certificates
+COPY <<EOF /entrypoint.sh
+#!/bin/sh
+# If CUSTOM_CA_CERT environment variable is set, add the certificate
+if [ -n "\${CUSTOM_CA_CERT}" ]; then
+    echo "\${CUSTOM_CA_CERT}" > /usr/local/share/ca-certificates/custom-ca.crt
+    update-ca-certificates
+fi
+
+# Execute the main application
+exec /app/one-click/one-click serve --http "0.0.0.0:8090"
+EOF
+
+RUN chmod +x /entrypoint.sh
+
 EXPOSE 8090
-CMD ["/app/one-click/one-click", "serve", "--http", "0.0.0.0:8090"]
+ENTRYPOINT ["/entrypoint.sh"]

README.md

@@ -88,3 +88,53 @@ Contributions are what make the open-source community such an amazing place to b
 2. Create your feature branch (`git checkout -b feature/AmazingFeature`)
 3. Commit your changes (`git commit -m 'Add some AmazingFeature'`)
 4. Submit your PR
+
+### Custom CA Certificates
+
+If you need to connect to services with custom/self-signed SSL certificates (like private S3 storage for Pocketbase backups), you can add your CA certificates in two ways:
+
+1. **Using Environment Variable:**
+   ```bash
+   # Add your CA certificate through environment variable
+   docker run -e CUSTOM_CA_CERT="$(cat your-ca-cert.pem)" -p 8090:8090 one-click
+   ```
+
+   For Kubernetes deployment, add this to your deployment manifest:
+   ```yaml
+   spec:
+     template:
+       spec:
+         containers:
+         - name: one-click
+           env:
+           - name: CUSTOM_CA_CERT
+             valueFrom:
+               secretKeyRef:
+                 name: ca-cert-secret
+                 key: ca.crt
+   ```
+
+2. **Using Volume Mount:**
+   ```bash
+   # Mount your certificates directory
+   docker run -v /path/to/your/certs:/usr/local/share/ca-certificates:ro -p 8090:8090 one-click
+   ```
+
+   For Kubernetes deployment, use a volume mount:
+   ```yaml
+   spec:
+     template:
+       spec:
+         volumes:
+         - name: ca-certs
+           secret:
+             secretName: ca-cert-secret
+         containers:
+         - name: one-click
+           volumeMounts:
+           - name: ca-certs
+             mountPath: /usr/local/share/ca-certificates
+             readOnly: true
+   ```
+
+This is particularly useful when setting up Pocketbase backups to an S3 storage with self-signed or private CA certificates. The certificates will be automatically added to the system's certificate store when the container starts.

docker-compose.yaml

@@ -5,11 +5,11 @@ services:
       - "8090:8090"
     environment:
       - LOCAL=true
-      - LOCAL_KUBECONFIG_FILE=/home/natroot/one-click/config-unbr.yaml
+      - LOCAL_KUBECONFIG_FILE=~/.kube/config
       # Note: Replace the values from the actual configMap `one-click-config` or provide the env variables directly here
     volumes:
-      - one-click-unbr-data:/app/one-click/pb_data
+      - one-click-data:/app/one-click/pb_data
     restart: always
 
 volumes:
-  one-click-unbr-data:
+  one-click-data: