this repo has no description
feat: hardcode Netdata CA certificate for mutual TLS
- Add hardcoded Netdata CA certificate from official documentation
- Remove client_ca_path configuration parameter
- Update server to use built-in certificate for MTLS validation
- Simplify configuration by eliminating need for external CA file
- Update all documentation and config examples
The Netdata CA certificate is now embedded directly in the code,
eliminating the need for users to configure and manage the CA file
separately. This improves security and simplifies deployment.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
+53
-35
-13
.env.sample
-13
.env.sample
···
1
-
# Zulip Configuration
2
-
ZULIP_SITE=https://yourorg.zulipchat.com
3
-
ZULIP_EMAIL=netdata-bot@yourorg.zulipchat.com
4
-
ZULIP_API_KEY=your-api-key-here
5
-
ZULIP_STREAM=netdata-alerts
6
-
7
-
# Server Configuration
8
-
SERVER_HOST=0.0.0.0
9
-
SERVER_PORT=8443
10
-
SERVER_DOMAIN=your-domain.com
11
-
SERVER_CERT_PATH=/etc/letsencrypt/live
12
-
SERVER_ENABLE_MTLS=true
13
-
SERVER_CLIENT_CA_PATH=/path/to/netdata-client-ca.pem
-1
CLAUDE.md
-1
CLAUDE.md
+1
-2
README.md
+1
-2
README.md
···
109
109
- `SERVER_PORT`: HTTPS port (default: `8443`)
110
110
- `SERVER_CERT_PATH`: Certificate path (default: `/etc/letsencrypt/live`)
111
111
- `SERVER_ENABLE_MTLS`: Enable mutual TLS (default: `true`)
112
-
- `SERVER_CLIENT_CA_PATH`: Client CA certificate for mTLS validation
113
112
114
113
## Message Format
115
114
···
204
203
205
204
1. **Server Certificate**: Automatically managed by Let's Encrypt
206
205
2. **Client Verification**: Validates Netdata's client certificate
207
-
3. **CA Certificate**: Configure `SERVER_CLIENT_CA_PATH` to validate client certs
206
+
3. **CA Certificate**: Built-in Netdata CA certificate for client validation
208
207
209
208
### Webhook Endpoint Security
210
209
-3
docker-compose.yml
-3
docker-compose.yml
···
12
12
- SERVER_HOST=0.0.0.0
13
13
- SERVER_CERT_PATH=/etc/letsencrypt/live
14
14
- SERVER_ENABLE_MTLS=true
15
-
- SERVER_CLIENT_CA_PATH=/etc/ssl/certs/netdata-ca.pem
16
15
17
16
# Zulip configuration
18
17
- ZULIP_SITE=https://yourorg.zulipchat.com
···
23
22
# Mount Let's Encrypt certificates
24
23
- /etc/letsencrypt/live:/etc/letsencrypt/live:ro
25
24
- /etc/letsencrypt/archive:/etc/letsencrypt/archive:ro
26
-
# Mount CA certificate for mutual TLS (optional)
27
-
- /path/to/netdata-ca.pem:/etc/ssl/certs/netdata-ca.pem:ro
28
25
restart: unless-stopped
29
26
healthcheck:
30
27
test: ["CMD", "curl", "-k", "-f", "https://localhost:8443/health"]
-1
examples/netdata-zulip-bot.service
-1
examples/netdata-zulip-bot.service
···
16
16
Environment=SERVER_PORT=8443
17
17
Environment=SERVER_CERT_PATH=/etc/letsencrypt/live
18
18
Environment=SERVER_ENABLE_MTLS=true
19
-
Environment=SERVER_CLIENT_CA_PATH=/etc/ssl/certs/netdata-ca.pem
20
19
21
20
# Zulip configuration (if using environment variables instead of zuliprc)
22
21
# Environment=ZULIP_SITE=https://yourorg.zulipchat.com
-1
netdata_zulip_bot/config.py
-1
netdata_zulip_bot/config.py
···
43
43
domain=os.getenv("SERVER_DOMAIN", ""),
44
44
cert_path=os.getenv("SERVER_CERT_PATH", "/etc/letsencrypt/live"),
45
45
enable_mtls=os.getenv("SERVER_ENABLE_MTLS", "true").lower() == "true",
46
-
client_ca_path=os.getenv("SERVER_CLIENT_CA_PATH"),
47
46
)
48
47
49
48
# Validate required server settings
-1
netdata_zulip_bot/main.py
-1
netdata_zulip_bot/main.py
-1
netdata_zulip_bot/models.py
-1
netdata_zulip_bot/models.py
+38
netdata_zulip_bot/netdata_ca.py
+38
netdata_zulip_bot/netdata_ca.py
···
1
+
"""Netdata Cloud CA certificate for mutual TLS authentication."""
2
+
3
+
# This certificate is from the official Netdata documentation:
4
+
# https://github.com/netdata/netdata/blob/master/integrations/cloud-notifications/metadata.yaml
5
+
NETDATA_CA_CERT = """-----BEGIN CERTIFICATE-----
6
+
MIIF0jCCA7qgAwIBAgIUDV0rS5jXsyNX33evHEQOwn9fPo0wDQYJKoZIhvcNAQEN
7
+
BQAwgYAxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH
8
+
Ew1TYW4gRnJhbmNpc2NvMRYwFAYDVQQKEw1OZXRkYXRhLCBJbmMuMRIwEAYDVQQL
9
+
EwlDbG91ZCBTUkUxGDAWBgNVBAMTD05ldGRhdGEgUm9vdCBDQTAeFw0yMzAyMjIx
10
+
MjQzMDBaFw0zMzAyMTkxMjQzMDBaMIGAMQswCQYDVQQGEwJVUzETMBEGA1UECBMK
11
+
Q2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEWMBQGA1UEChMNTmV0
12
+
ZGF0YSwgSW5jLjESMBAGA1UECxMJQ2xvdWQgU1JFMRgwFgYDVQQDEw9OZXRkYXRh
13
+
IFJvb3QgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCwIg7z3R++
14
+
ppQYYVVoMIDlhWO3qVTMsAQoJYEvVa6fqaImUBLW/k19LUaXgUJPohB7gBp1pkjs
15
+
QfY5dBo8iFr7MDHtyiAFjcQV181sITTMBEJwp77R4slOXCvrreizhTt1gvf4S1zL
16
+
qeHBYWEgH0RLrOAqD0jkOHwewVouO0k3Wf2lEbCq3qRk2HeDvkv0LR7sFC+dDms8
17
+
fDHqb/htqhk+FAJELGRqLeaFq1Z5Eq1/9dk4SIeHgK5pdYqsjpBzOTmocgriw6he
18
+
s7F3dOec1ZZdcBEAxOjbYt4e58JwuR81cWAVMmyot5JNCzYVL9e5Vc5n22qt2dmc
19
+
Tzw2rLOPt9pT5bzbmyhcDuNg2Qj/5DySAQ+VQysx91BJRXyUimqE7DwQyLhpQU72
20
+
jw29lf2RHdCPNmk8J1TNropmpz/aI7rkperPugdOmxzP55i48ECbvDF4Wtazi+l+
21
+
4kx7ieeLfEQgixy4lRUUkrgJlIDOGbw+d2Ag6LtOgwBiBYnDgYpvLucnx5cFupPY
22
+
Cy3VlJ4EKUeQQSsz5kVmvotk9MED4sLx1As8V4e5ViwI5dCsRfKny7BeJ6XNPLnw
23
+
PtMh1hbiqCcDmB1urCqXcMle4sRhKccReYOwkLjLLZ80A+MuJuIEAUUuEPCwywzU
24
+
R7pagYsmvNgmwIIuJtB6mIJBShC7TpJG+wIDAQABo0IwQDAOBgNVHQ8BAf8EBAMC
25
+
AQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU9IbvOsPSUrpr8H2zSafYVQ9e
26
+
Ft8wDQYJKoZIhvcNAQENBQADggIBABQ08aI31VKZs8jzg+y/QM5cvzXlVhcpkZsY
27
+
1VVBr0roSBw9Pld9SERrEHto8PVXbadRxeEs4sKivJBKubWAooQ6NTvEB9MHuGnZ
28
+
VCU+N035Gq/mhBZgtIs/Zz33jTB2ju3G4Gm9VTZbVqd0OUxFs41Iqvi0HStC3/Io
29
+
rKi7crubmp5f2cNW1HrS++ScbTM+VaKVgQ2Tg5jOjou8wtA+204iYXlFpw9Q0qnP
30
+
qq6ix7TfLLeRVp6mauwPsAJUgHZluz7yuv3r7TBdukU4ZKUmfAGIPSebtB3EzXfH
31
+
7Y326xzv0hEpjvDHLy6+yFfTdBSrKPsMHgc9bsf88dnypNYL8TUiEHlcTgCGU8ts
32
+
ud8sWN2M5FEWbHPNYRVfH3xgY2iOYZzn0i+PVyGryOPuzkRHTxDLPIGEWE5susM4
33
+
X4bnNJyKH1AMkBCErR34CLXtAe2ngJlV/V3D4I8CQFJdQkn9tuznohUU/j80xvPH
34
+
FOcDGQYmh4m2aIJtlNVP6+/92Siugb5y7HfslyRK94+bZBg2D86TcCJWaaZOFUrR
35
+
Y3WniYXsqM5/JI4OOzu7dpjtkJUYvwtg7Qb5jmm8Ilf5rQZJhuvsygzX6+WM079y
36
+
nsjoQAm6OwpTN5362vE9SYu1twz7KdzBlUkDhePEOgQkWfLHBJWwB+PvB1j/cUA3
37
+
5zrbwvQf
38
+
-----END CERTIFICATE-----"""
+14
-12
netdata_zulip_bot/server.py
+14
-12
netdata_zulip_bot/server.py
···
1
1
"""FastAPI webhook server for receiving Netdata notifications."""
2
2
3
3
import ssl
4
+
import tempfile
4
5
from pathlib import Path
5
6
from typing import Dict, Any
6
7
···
11
12
12
13
from .formatter import ZulipMessageFormatter
13
14
from .models import WebhookPayload, ZulipConfig, ServerConfig
15
+
from .netdata_ca import NETDATA_CA_CERT
14
16
from .zulip_client import ZulipNotifier
15
17
16
18
logger = structlog.get_logger()
···
141
143
142
144
# Configure mutual TLS if enabled
143
145
if self.server_config.enable_mtls:
144
-
if self.server_config.client_ca_path:
145
-
ca_path = Path(self.server_config.client_ca_path)
146
-
if ca_path.exists():
147
-
context.load_verify_locations(str(ca_path))
148
-
context.verify_mode = ssl.CERT_REQUIRED
149
-
logger.info("Mutual TLS enabled", ca_path=str(ca_path))
150
-
else:
151
-
logger.warning("Client CA file not found, disabling mutual TLS", ca_path=str(ca_path))
152
-
context.verify_mode = ssl.CERT_NONE
153
-
else:
154
-
logger.warning("No client CA path configured, disabling mutual TLS")
155
-
context.verify_mode = ssl.CERT_NONE
146
+
# Use the hardcoded Netdata CA certificate
147
+
with tempfile.NamedTemporaryFile(mode='w', suffix='.pem', delete=False) as ca_file:
148
+
ca_file.write(NETDATA_CA_CERT)
149
+
ca_file_path = ca_file.name
150
+
151
+
try:
152
+
context.load_verify_locations(ca_file_path)
153
+
context.verify_mode = ssl.CERT_REQUIRED
154
+
logger.info("Mutual TLS enabled with hardcoded Netdata CA certificate")
155
+
finally:
156
+
# Clean up the temporary file
157
+
Path(ca_file_path).unlink(missing_ok=True)
156
158
else:
157
159
context.verify_mode = ssl.CERT_NONE
158
160
logger.info("Mutual TLS disabled")