[SVLS-7945] feat: Support TLS certificate for logs/proxy flusher (#979)

lym953 · web-flow · commit 8439fdaa4a04 · 2026-01-08T14:50:27.000-05:00
## Problem A customer reported that their Lambda is behind a proxy, and the Rust-based extension encounters an error when sending logs and metrics to Datadog via the proxy. A previous PR #961 fixed this for traces and stats, but not for other things because the customer and I didn't see any error with them at that time. ## This PR Applies the env var `DD_TLS_CERT_FILE` to logs flusher and proxy flusher as well. Example: `DD_TLS_CERT_FILE=/opt/ca-cert.pem`, so the when the extension flushes logs or proxied data to Datadog, the HTTP client created can load and use this cert, and connect the proxy properly. ## Testing 1. Create a Lambda in a VPC with a proxy EC2 instance. 2. Connect to the proxy instance. With the help of ChatGPT, set up a custom-build nginx with `ngx_http_proxy_connect_module` 3. Save the CA certificate from the proxy server to local machine 4. In the CDK stack, add a layer to the Lambda, which includes the CA certificate `ca-cert.pem` 5. Set env vars: - `DD_TLS_CERT_FILE=/opt/ca-cert.pem` - `DD_PROXY_HTTPS=http://10.0.0.30:3128`, where `10.0.0.30` is the private IP of the proxy EC2 instance - `DD_LOG_LEVEL=debug` 6. Invoke the Lambda ## Result **Before:** Log flushing failed: > DD_EXTENSION | ERROR | LOGS | Failed to send request after 97 ms and 3 attempts: reqwest::Error { kind: Request, url: "https://http-intake.logs.datadoghq.com/api/v2/logs", source: hyper_util::client::legacy::Error(Connect, ConnectFailed(Custom { kind: Other, error: Custom { kind: InvalidData, error: InvalidCertificate(UnknownIssuer) } })) } **After:** No such error ## Next steps Do the same thing for dogstatsd metric flusher. Metric flusher is in a separate repo https://github.com/DataDog/serverless-components, so let's create separate PRs for that change. ## Notes Customer report issue: #919
diff --git a/bottlecap/src/http.rs b/bottlecap/src/http.rs
@@ -8,8 +8,8 @@ use bytes::Bytes;
 use core::time::Duration;
 use datadog_fips::reqwest_adapter::create_reqwest_client_builder;
 use std::sync::Arc;
-use std::{collections::HashMap, error::Error};
-use tracing::error;
+use std::{collections::HashMap, error::Error, fs::File, io::BufReader};
+use tracing::{debug, error};
 
 #[must_use]
 pub fn get_client(config: &Arc<config::Config>) -> reqwest::Client {
@@ -47,6 +47,28 @@ fn build_client(config: &Arc<config::Config>) -> Result<reqwest::Client, Box<dyn
             .http2_keep_alive_timeout(Duration::from_secs(1000));
     }
 
+    // Load custom TLS certificate if configured
+    if let Some(cert_path) = &config.tls_cert_file {
+        match load_custom_cert(cert_path) {
+            Ok(certs) => {
+                let cert_count = certs.len();
+                for cert in certs {
+                    client = client.add_root_certificate(cert);
+                }
+                debug!(
+                    "HTTP | Added {} root certificate(s) from {}",
+                    cert_count, cert_path
+                );
+            }
+            Err(e) => {
+                error!(
+                    "Failed to load TLS certificate from {}: {}, continuing without custom cert",
+                    cert_path, e
+                );
+            }
+        }
+    }
+
     // This covers DD_PROXY_HTTPS and HTTPS_PROXY
     if let Some(https_uri) = &config.proxy_https {
         let proxy = reqwest::Proxy::https(https_uri.clone())?;
@@ -56,6 +78,24 @@ fn build_client(config: &Arc<config::Config>) -> Result<reqwest::Client, Box<dyn
     }
 }
 
+fn load_custom_cert(cert_path: &str) -> Result<Vec<reqwest::Certificate>, Box<dyn Error>> {
+    let file = File::open(cert_path)?;
+    let mut reader = BufReader::new(file);
+
+    // Parse PEM certificates
+    let certs = rustls_pemfile::certs(&mut reader).collect::<Result<Vec<_>, _>>()?;
+
+    if certs.is_empty() {
+        return Err("No certificates found in file".into());
+    }
+
+    // Convert all certificates found in the file
+    certs
+        .into_iter()
+        .map(|cert| reqwest::Certificate::from_der(&cert).map_err(Into::into))
+        .collect()
+}
+
 pub async fn handler_not_found() -> Response {
     (StatusCode::NOT_FOUND, "Not Found").into_response()
 }
