Temporarily vendor ngrok intermediate CA for bindings (#487)

<!-- Thank you for contributing! Please make sure that your code changes
are covered with tests. In case of new features or big changes remember
to adjust the documentation.

In case of an existing issue, reference it using one of the following:

closes: #ISSUE
related: #ISSUE

How to write a good git commit message:
http://chris.beams.io/posts/git-commit/
-->

## What
*Describe what the change is solving*

Vendor the ngrok intermediate CA for `prod` into the Helm chart for bindings pod forwarders.

## How
*Describe the solution*

## Breaking Changes
*Are there any breaking changes in this PR?*
No.

Author: hjkatz

helm/ngrok-operator/README.md

@@ -0,0 +1,13 @@
+{{- if .Values.bindings.enabled }}
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  labels:
+    {{- include "ngrok-operator.labels" . | nindent 4 }}
+  name: ngrok-intermediate-ca
+  namespace: {{ .Release.Namespace }}
+data:
+  root.crt: |
+    {{- .Values.bindings.ngrokCA | nindent 4 }}
+{{- end }}

helm/ngrok-operator/templates/bindings-forwarder/configmap.ngrok-prod-ca.yaml

@@ -86,13 +86,23 @@ spec:
               fieldPath: metadata.namespace
         - name: HELM_RELEASE_NAME
           value: {{ .Release.Name | quote }}
+        - name: SSL_CERT_DIR
+          value: /etc/ssl/certs/ngrok
         {{- range $key, $value := .Values.extraEnv }}
         - name: {{ $key }}
           value: {{- toYaml $value | nindent 12 }}
         {{- end }}
         {{- if .Values.extraVolumeMounts  }}
         volumeMounts:
         {{ toYaml .Values.extraVolumeMounts | nindent 10 }}
+        - name: ngrok-ca
+          mountPath: /etc/ssl/certs/ngrok
+          readOnly: true
+        {{- else }}
+        volumeMounts:
+        - name: ngrok-ca
+          mountPath: /etc/ssl/certs/ngrok
+          readOnly: true
         {{- end }}
         {{- if .Values.lifecycle }}
         lifecycle:
@@ -115,5 +125,13 @@ spec:
       {{- if .Values.extraVolumes }}
       volumes:
         {{ toYaml .Values.extraVolumes | nindent 6 }}
+        - name: ngrok-ca
+          configMap:
+            name: ngrok-intermediate-ca
+      {{- else }}
+      volumes:
+        - name: ngrok-ca
+          configMap:
+            name: ngrok-intermediate-ca
       {{- end }}
 {{- end }}

helm/ngrok-operator/templates/bindings-forwarder/deployment.yaml

@@ -300,3 +300,30 @@ bindings:
       create: true
       name: ""
       annotations: {}
+
+  ## @param bindings.ngrokCA The ngrok intermediate CA certificate to use for verifyng self-signed TLS certs from ngrok
+  ## Note: This is temporarily vendored and will be removed in a future release.
+  ngrokCA: | # ngrok intermediate CA
+    -----BEGIN CERTIFICATE-----
+    MIIDwjCCAqqgAwIBAgIUZqF2AkB17pISojTndgc2U5BDt7wwDQYJKoZIhvcNAQEL
+    BQAwbzEQMA4GA1UEAwwHUm9vdCBDQTENMAsGA1UECwwEcHJvZDESMBAGA1UECgwJ
+    bmdyb2sgSW5jMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRMwEQYDVQQIDApDYWxp
+    Zm9ybmlhMQswCQYDVQQGEwJVUzAeFw0yMjA4MzExNDU5NDhaFw0zMjA4MjgxNDU5
+    NDhaMF8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQK
+    DAluZ3JvayBJbmMxDTALBgNVBAsMBHByb2QxGDAWBgNVBAMMD0ludGVybWVkaWF0
+    ZSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK+t8q9Ost9BxCWX
+    fyGG0mVQOpIiyrzzZWyqT6CZpMY2fpOadLuZeBP7ti2Iw4FgCpfLntL0RldvMMNY
+    4qq61dVrCwhL/v2ldsaHUdzjtFj1i+ZNGUtV4E9korHxm2YdsD91w6WIjF/J0lvo
+    X2koLwFlGc/CkhT8z2VWebY8a6mYNyz5S7yPTQh2/mQ14lx/QPJgZSFEE/EEkMDC
+    bs4BoMuqKMhCpqEP8m4+CxPQ5/V6POSqUIxT4A7eWWj2MRpnmirmVbXOc24Aznqk
+    bdQUP4qagiR/i7qPsRx+f4mFfDninPsXp/djjByo0xzdh+i1HFyOR/7nyNDKlJ+e
+    rymRgnUCAwEAAaNmMGQwHQYDVR0OBBYEFJ47nRzHaOT+vY44N3TCMYtGlBjIMB8G
+    A1UdIwQYMBaAFNxeUxPIM8G7cX0DhFc81pLD4W+HMBIGA1UdEwEB/wQIMAYBAf8C
+    AQAwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IBAQBRmnMoOtQbYL7P
+    Co1B5Chslb86HP2WI1jGRXhbfwAF2ySDFnX2ZbRPVtoQ+IuqXWxyXAeicYjXR6kz
+    xX8hLWfD14kWUIz6ZgT3uZrDSIzmQ+tz8ztbT6mTI1ECWdjLV/i58f6vKzgLD8Vp
+    3VdVns8NA9ee6a65QNjZEnwBVeccysoWkOwM/KzuazhSGcGu44y/S4ny9pAg7Pol
+    2kV4NicDKD6tSAdXmPmjFalYUfnMmyhurZIPrS2dgYgpOrGVMwronTOZ3BUf4DL4
+    zkkmcLXss1KztQnLd23nuNiIscwMcGM58a3O5zUp7aorfrm7cdRgkFmcYVNO/6uG
+    Q5iJ+Ppk
+    -----END CERTIFICATE-----