fix(profiling): skip system cert loading for non-HTTPS endpoints

Since 9a61cae (perf(profiling): cache TLS in ProfileExporter::new,
2026-02-27), TLS configuration is initialized unconditionally in
ProfileExporter::new(), even when the endpoint uses plain HTTP (e.g.
agent mode at http://<host>:8126), unix sockets, or named pipes.

There are two layers to the problem:
1. Our cached_tls_config() calls rustls-platform-verifier which eagerly
   loads the system CA store on Linux.
2. Even without our call, reqwest::ClientBuilder::build() also attempts
   to initialize its own TLS backend (loading system certs) unless a
   preconfigured TLS config is provided.

Both fail with the same error in minimal container images (e.g. bare
ubuntu:20.04 without the ca-certificates package):

  failed to initialize TLS configuration: unexpected error:
  No CA certificates were loaded from the system

This surfaced in ddprof after the libdatadog v29 upgrade: the profiler
targets the Datadog agent over HTTP and has no reason to touch the cert
store at all.

Fix:
- For HTTPS endpoints, use the existing cached platform TLS config
  (loads system CA certs via rustls-platform-verifier).
- For all other schemes (http, unix, windows, file), provide reqwest
  with a minimal TLS config that has an empty root store. This prevents
  reqwest from loading system certs itself, while still giving it a
  valid TLS backend. TLS is never negotiated on these transports anyway.

Verified with a Docker repro: ubuntu:22.04 after
`dpkg --force-depends --purge ca-certificates`, all 5 exporter_e2e
tests pass with the fix and fail without it.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: r1viollet

libdd-profiling/src/exporter/profile_exporter.rs

@@ -78,7 +78,16 @@ impl ProfileExporter {
         mut tags: Vec<Tag>,
         endpoint: Endpoint,
     ) -> anyhow::Result<Self> {
-        let tls_config = super::tls::cached_tls_config()?;
+        // For HTTPS, use the cached platform TLS config (loads system CA certs).
+        // For all other schemes (http, unix, windows, file), provide a minimal
+        // config with an empty root store so reqwest doesn't attempt to load
+        // system CA certificates itself — which fails in minimal container
+        // environments. TLS will never be negotiated on those transports anyway.
+        let tls_config = if endpoint.url.scheme_str() == Some("https") {
+            super::tls::cached_tls_config()?
+        } else {
+            super::tls::empty_tls_config()?
+        };
         // Pre-build all static headers
         let mut headers = reqwest::header::HeaderMap::new();
 

libdd-profiling/src/exporter/tls.rs

@@ -69,6 +69,26 @@ impl TlsConfig {
     }
 }
 
+impl TlsConfig {
+    /// Create a minimal TLS configuration with an empty root store.
+    ///
+    /// Used for non-HTTPS endpoints (HTTP, unix sockets, named pipes) where TLS
+    /// will never actually be negotiated. Providing this to reqwest prevents it
+    /// from attempting to load system CA certificates on its own, which fails in
+    /// minimal container environments that have no CA certificates installed.
+    pub fn new_empty() -> Result<Self, rustls::Error> {
+        let provider = rustls::crypto::CryptoProvider::get_default()
+            .cloned()
+            .unwrap_or_else(|| std::sync::Arc::new(Self::default_crypto_provider()));
+
+        let config = rustls::ClientConfig::builder_with_provider(provider)
+            .with_safe_default_protocol_versions()?
+            .with_root_certificates(rustls::RootCertStore::empty())
+            .with_no_client_auth();
+        Ok(Self(config))
+    }
+}
+
 static TLS_CONFIG: std::sync::LazyLock<Result<TlsConfig, String>> =
     std::sync::LazyLock::new(|| {
         TlsConfig::new().map_err(|err| format!("failed to initialize TLS configuration: {err}"))
@@ -80,3 +100,9 @@ pub(crate) fn cached_tls_config() -> anyhow::Result<TlsConfig> {
         .map(Clone::clone)
         .map_err(|err| anyhow::anyhow!("{err}"))
 }
+
+/// Returns a TLS config with an empty root store, for use with non-HTTPS endpoints.
+/// Never fails — no system cert loading is attempted.
+pub(crate) fn empty_tls_config() -> anyhow::Result<TlsConfig> {
+    TlsConfig::new_empty().map_err(|err| anyhow::anyhow!("failed to build TLS config: {err}"))
+}