fix(profiling): skip TLS init for non-HTTPS endpoints

r1viollet · claude · r1viollet · commit 0677e7cb33e8 · 2026-03-25T17:45:19.000+01:00
Since 9a61cae (perf(profiling): cache TLS in ProfileExporter::new, 2026-02-27), TLS configuration is initialized unconditionally in ProfileExporter::new(), even when the endpoint uses plain HTTP (e.g. agent mode at http://<host>:8126), unix sockets, or named pipes. On Linux this eagerly loads the system CA certificate store via rustls-platform-verifier. In minimal container images (e.g. a bare ubuntu:20.04 without the ca-certificates package), there are no certs to load, so the call fails with: failed to initialize TLS configuration: unexpected error: No CA certificates were loaded from the system This surfaced in ddprof after the libdatadog v29 upgrade: the profiler targets the Datadog agent over HTTP and has no reason to touch the cert store at all. Fix: only call cached_tls_config() and apply tls_backend_preconfigured() when the endpoint scheme is "https". All other schemes (http, unix, windows, file) bypass TLS initialization entirely. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
diff --git a/libdd-profiling/src/exporter/profile_exporter.rs b/libdd-profiling/src/exporter/profile_exporter.rs
@@ -78,7 +78,14 @@ impl ProfileExporter {
         mut tags: Vec<Tag>,
         endpoint: Endpoint,
     ) -> anyhow::Result<Self> {
-        let tls_config = super::tls::cached_tls_config()?;
+        // Only initialize TLS for HTTPS endpoints. HTTP, unix, windows, and file
+        // endpoints don't use TLS, and eagerly loading the system cert store can
+        // fail in minimal container environments with no CA certificates installed.
+        let tls_config = if endpoint.url.scheme_str() == Some("https") {
+            Some(super::tls::cached_tls_config()?)
+        } else {
+            None
+        };
         // Pre-build all static headers
         let mut headers = reqwest::header::HeaderMap::new();
 
@@ -123,7 +130,10 @@ impl ProfileExporter {
         let base_tags_string: String = tags.iter().flat_map(|tag| [tag.as_ref(), ","]).collect();
 
         let (builder, request_url) = endpoint.to_reqwest_client_builder()?;
-        let builder = builder.tls_backend_preconfigured(tls_config.0);
+        let builder = match tls_config {
+            Some(tls) => builder.tls_backend_preconfigured(tls.0),
+            None => builder,
+        };
 
         Ok(Self {
             client: builder.build()?,
