Configure HTTP client with system certificate pool for HTTPS requests #6

Draft
wzshiming with Copilot wants to merge 3 commits into main from copilot/add-trusted-certificate-chain
Copilot AI commented Oct 28, 2025

Contributor

The ChunkRunner uses http.DefaultClient for downloading/uploading chunks from source and destination URLs. This PR explicitly configures the HTTP client to use the system's trusted certificate chain.

Changes

  • pkg/runner/chunk_runner.go: Added newHTTPClientWithSystemCerts() that clones http.DefaultTransport and configures TLS with x509.SystemCertPool(). Falls back to http.DefaultClient if system cert pool unavailable.
  • pkg/runner/chunk_runner_test.go: Added tests verifying TLS configuration uses system certificate pool.

Implementation

func newHTTPClientWithSystemCerts() *http.Client {
    certPool, err := x509.SystemCertPool()
    if err != nil {
        klog.Warningf("Failed to load system certificate pool, using default: %v", err)
        return http.DefaultClient
    }

    transport := http.DefaultTransport.(*http.Transport).Clone()
    transport.TLSClientConfig = &tls.Config{
        RootCAs: certPool,
    }

    return &http.Client{Transport: transport}
}

Cloning http.DefaultTransport preserves connection pooling, timeouts, and proxy configuration while ensuring HTTPS requests validate certificates against the system trust store.

Original prompt

This section details on the original issue you should resolve

<issue_title>Supports the system's trusted certificate chain for client</issue_title>
<issue_description></issue_description>

Comments on the Issue (you are @copilot in this section)
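
An added example, not code from this PR or the project: a variant of the helper that returns the load error to the caller and sets RootCAs on the cloned TLS config instead of replacing the config, followed by a check that a server presenting an untrusted self-signed certificate is refused. The names newSystemTrustClient and rejectsUntrusted are hypothetical, and the test server is constructed locally by httptest.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newSystemTrustClient (hypothetical name) clones base and pins RootCAs to the
// system pool. TLS settings already present on base (ServerName, MinVersion,
// client certificates) are kept because the cloned config is edited in place.
func newSystemTrustClient(base *http.Transport) (*http.Client, error) {
	pool, err := x509.SystemCertPool()
	if err != nil {
		return nil, fmt.Errorf("load system certificate pool: %w", err)
	}
	t := base.Clone() // Clone also copies TLSClientConfig, so base is not mutated
	if t.TLSClientConfig == nil {
		t.TLSClientConfig = &tls.Config{}
	}
	t.TLSClientConfig.RootCAs = pool
	return &http.Client{Transport: t}, nil
}

// rejectsUntrusted reports whether c refuses a local httptest TLS server whose
// self-signed certificate is not present in the system trust store.
func rejectsUntrusted(c *http.Client) bool {
	srv := httptest.NewTLSServer(http.NotFoundHandler())
	defer srv.Close()
	resp, err := c.Get(srv.URL)
	if err == nil {
		resp.Body.Close()
		return false
	}
	var unknown x509.UnknownAuthorityError
	return errors.As(err, &unknown)
}

func main() {
	c, err := newSystemTrustClient(http.DefaultTransport.(*http.Transport))
	if err != nil {
		panic(err)
	}
	fmt.Println("untrusted server rejected:", rejectsUntrusted(c))
}
```

In Go, a tls.Config whose RootCAs is nil already verifies against the host's root CA set, so the value of a helper like this is making the trust source explicit and testable.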


Copilot AI and others added 2 commits October 28, 2025 10:03
Co-authored-by: wzshiming <6565744+wzshiming@users.noreply.github.com>
…edundant test

Co-authored-by: wzshiming <6565744+wzshiming@users.noreply.github.com>
Copilot AI changed the title [WIP] Support the system's trusted certificate chain for client Configure HTTP client with system certificate pool for HTTPS requests Oct 28, 2025
Copilot AI requested a review from wzshiming October 28, 2025 10:11
@wzshiming wzshiming force-pushed the main branch 2 times, most recently from 8df29d1 to 1d34e4f Compare November 7, 2025 06:41
@wzshiming wzshiming force-pushed the main branch 3 times, most recently from dbb43f2 to 7fb2eb9 Compare November 18, 2025 11:28
@wzshiming wzshiming force-pushed the main branch 3 times, most recently from 890c265 to 94c6dc6 Compare November 21, 2025 11:33
Development

Successfully merging this pull request may close these issues.

Supports the system's trusted certificate chain for client