feat(registry): Add custom ca certificate override

sebimarkgraf · sebimarkgraf · commit 6cf78b3a76b0 · 2025-11-14T11:01:09.000+01:00
diff --git a/Package.resolved b/Package.resolved
diff --git a/Package.swift b/Package.swift
@@ -46,6 +46,7 @@ let package = Package(
         .package(url: "https://github.com/swift-server/async-http-client.git", from: "1.20.1"),
         .package(url: "https://github.com/apple/swift-system.git", from: "1.4.0"),
         .package(url: "https://github.com/swiftlang/swift-docc-plugin", from: "1.1.0"),
+        .package(url: "https://github.com/apple/swift-nio-ssl.git", from: "2.36.0"),
     ],
     targets: [
         .target(
@@ -228,6 +229,8 @@ let package = Package(
                 "ContainerizationError",
                 .product(name: "Collections", package: "swift-collections"),
                 .product(name: "Logging", package: "swift-log"),
+                 .product(name: "NIOSSL", package: "swift-nio-ssl"),
+
             ]
         ),
         .testTarget(
diff --git a/Sources/Containerization/Image/ImageStore/ImageStore.swift b/Sources/Containerization/Image/ImageStore/ImageStore.swift
@@ -196,7 +196,7 @@ extension ImageStore {
     ) async throws -> Image {
 
         let matcher = createPlatformMatcher(for: platform)
-        let client = try RegistryClient(reference: reference, insecure: insecure, auth: auth)
+        let client = try RegistryClient(reference: reference, insecure: insecure, auth: auth, tlsConfiguration: TLSUtils.makeEnvironmentAwareTLSConfiguration())
 
         let ref = try Reference.parse(reference)
         let name = ref.path
@@ -248,7 +248,7 @@ extension ImageStore {
         guard let tag = ref.tag ?? ref.digest else {
             throw ContainerizationError(.invalidArgument, message: "Invalid tag/digest for image reference \(reference)")
         }
-        let client = try RegistryClient(reference: reference, insecure: insecure, auth: auth)
+        let client = try RegistryClient(reference: reference, insecure: insecure, auth: auth, tlsConfiguration: TLSUtils.makeEnvironmentAwareTLSConfiguration())
         let operation = ExportOperation(name: name, tag: tag, contentStore: self.contentStore, client: client, progress: progress)
         try await operation.export(index: img.descriptor, platforms: matcher)
     }
diff --git a/Sources/ContainerizationExtras/TLSUtils.swift b/Sources/ContainerizationExtras/TLSUtils.swift
@@ -0,0 +1,25 @@
+
+import NIO
+import NIOSSL
+import Foundation
+
+
+public enum TLSUtils {
+
+public static func makeEnvironmentAwareTLSConfiguration() -> TLSConfiguration {
+    var tlsConfig = TLSConfiguration.makeClientConfiguration()
+
+    // Check standard SSL environment variables in priority order
+    let customCAPath =
+        ProcessInfo.processInfo.environment["SSL_CERT_FILE"]
+        ?? ProcessInfo.processInfo.environment["CURL_CA_BUNDLE"]
+        ?? ProcessInfo.processInfo.environment["REQUESTS_CA_BUNDLE"]
+
+    if let caPath = customCAPath {
+        tlsConfig.trustRoots = .file(caPath)
+    }
+    // else: use .default
+
+    return tlsConfig
+}
+}
diff --git a/Sources/ContainerizationOCI/Client/RegistryClient.swift b/Sources/ContainerizationOCI/Client/RegistryClient.swift
@@ -22,6 +22,7 @@ import Foundation
 import Logging
 import NIO
 import NIOHTTP1
+import NIOSSL
 
 #if os(macOS)
 import Network
@@ -66,7 +67,8 @@ public final class RegistryClient: ContentClient {
         reference: String,
         insecure: Bool = false,
         auth: Authentication? = nil,
-        logger: Logger? = nil
+        logger: Logger? = nil,
+        tlsConfiguration: TLSConfiguration? = nil,
     ) throws {
         let ref = try Reference.parse(reference)
         guard let domain = ref.resolvedDomain else {
@@ -86,7 +88,8 @@ public final class RegistryClient: ContentClient {
             scheme: scheme,
             port: port,
             authentication: auth,
-            retryOptions: Self.defaultRetryOptions
+            retryOptions: Self.defaultRetryOptions,
+            tlsConfiguration: tlsConfiguration,
         )
     }
 
@@ -98,7 +101,8 @@ public final class RegistryClient: ContentClient {
         clientID: String? = nil,
         retryOptions: RetryOptions? = nil,
         bufferSize: Int = Int(4.mib()),
-        logger: Logger? = nil
+        logger: Logger? = nil,
+        tlsConfiguration: TLSConfiguration? = nil,
     ) {
         var components = URLComponents()
         components.scheme = scheme
@@ -118,6 +122,9 @@ public final class RegistryClient: ContentClient {
             let proxyPort = proxyURL.port ?? (proxyURL.scheme == "https" ? 443 : 80)
             httpConfiguration.proxy = HTTPClient.Configuration.Proxy.server(host: proxyHost, port: proxyPort)
         }
+        if tlsConfiguration != nil {
+            httpConfiguration.tlsConfiguration = tlsConfiguration
+        }
 
         if let logger {
             self.client = HTTPClient(eventLoopGroupProvider: .singleton, configuration: httpConfiguration, backgroundActivityLogger: logger)
diff --git a/Sources/cctl/LoginCommand.swift b/Sources/cctl/LoginCommand.swift
@@ -18,6 +18,7 @@ import ArgumentParser
 import Containerization
 import ContainerizationError
 import ContainerizationOCI
+import ContainerizationExtras
 import Foundation
 
 extension Application {
@@ -74,7 +75,8 @@ extension Application {
                     shouldRetry: ({ response in
                         response.status.code >= 500
                     })
-                )
+                ),
+                tlsConfiguration: TLSUtils.makeEnvironmentAwareTLSConfiguration(),
             )
             try await client.ping()
             try keychain.save(domain: server, username: username, password: password)
diff --git a/vminitd/Package.resolved b/vminitd/Package.resolved
