Skip to content

Add DockerAdditionalTrustedBundle for custom CAs #595

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
pablintino wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add DockerAdditionalTrustedBundle for custom CAs #595

pablintino wants to merge 1 commit into from

Conversation

@pablintino
Copy link
Contributor

@pablintino pablintino commented Jan 16, 2026

Summary

Adds DockerAdditionalTrustedBundle field to SystemContext for providing additional PEM-encoded CA certificates when connecting to Docker registries.

Use case

Useful when host-specific certificates are configured but a common CA is needed across all registry connections.

Changes

  • Added DockerAdditionalTrustedBundle field to SystemContext
  • Appends provided certificates to TLS RootCAs pool in newDockerClient()

@pablintino
Add DockerAdditionalTrustedBundle for custom CAs
846c034 
Introduces a new SystemContext field DockerAdditionalTrustedBundle to allow
callers to provide additional PEM-encoded certificates that should be trusted
when connecting to Docker registries. This is useful for environments with
custom or internal certificate authorities, particularly when host-specific
certificates are provided but a common CA is required across all hosts.

Signed-off-by: Pablo Rodriguez Nava <git@amail.pablintino.com>
@github-actions github-actions bot added the image Related to "image" package label Jan 16, 2026
podmanbot pushed a commit to podmanbot/buildah that referenced this pull request Jan 16, 2026
@github-actions
dnm: Vendor changes from containers/container-libs#595
931c823
@podmanbot
Copy link

podmanbot commented Jan 16, 2026

✅ A new PR has been created in buildah to vendor these changes: containers/buildah#6642

@podmanbot podmanbot mentioned this pull request Jan 16, 2026
Draft
mtrmac
mtrmac reviewed Jan 21, 2026
View reviewed changes
Copy link
Contributor

@mtrmac mtrmac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

There is a parallel TLS setting discussion motivated by OpenShift needs, so this needs to be coordinated with that — probably land afterwards or at the very least it needs to not prevent the other work.

image/docker/docker_client.go
}

// If the non-host-specific trust bundle is given add it to the RootCAs pool
if sys.DockerAdditionalTrustedBundle != "" {
Copy link
Contributor

@mtrmac mtrmac Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sys can be nil.

image/docker/docker_client.go

// If the non-host-specific trust bundle is given add it to the RootCAs pool
if sys.DockerAdditionalTrustedBundle != "" {
tlsClientConfig.RootCAs.AppendCertsFromPEM([]byte(sys.DockerAdditionalTrustedBundle))
Copy link
Contributor

@mtrmac mtrmac Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder whether the input wouldn’t be better as native Go Certificate, not forcing the client to serialize to text if the input is not originally text.

I don’t have a strong opinion at this point.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mtrmac mtrmac mtrmac left review comments

Assignees

No one assigned

Labels

image Related to "image" package

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@pablintino @podmanbot @mtrmac