Support configuring custom CA certificates#687
Codecov Report

❌ Patch coverage is

Additional details and impacted files

```
@@            Coverage Diff             @@
##               main     #687      +/-   ##
============================================
+ Coverage     86.70%   87.62%   +0.92%
- Complexity      943      962      +19
============================================
  Files            43       43
  Lines          2910     2974      +64
  Branches        364      371       +7
============================================
+ Hits           2523     2606      +83
+ Misses          229      210      -19
  Partials        158      158
```
Thanks for your PR. Looks very good so far. I've added Copilot review to see if it spots anything.
Pull request overview
Adds support for configuring custom CA certificates for TLS connections to OCI registries, and introduces test infrastructure + integration tests to validate TLS behaviors against a Zot registry.
Changes:
- Add `withCaFile()`/`withCaContent()` to `HttpClient.Builder` and `Registry.Builder`, and refactor TLS configuration to be applied consistently at build time.
- Introduce shared Zot Testcontainers utilities (`ZotBaseContainer`, `TestImages`) and a TLS-enabled Zot container (`ZotTlsContainer`).
- Add unit tests for TLS configuration validation and integration tests covering CA file/content and skip-verify behavior.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/main/java/land/oras/auth/HttpClient.java | Implements CA file/content handling and refactors TLS configuration logic in the client builder. |
| src/main/java/land/oras/Registry.java | Plumbs CA configuration through Registry.Builder into the internal HttpClient. |
| src/test/java/land/oras/auth/HttpClientTest.java | Adds unit tests for CA file/content validation and option incompatibilities. |
| src/test/java/land/oras/RegistryTlsTest.java | Adds integration coverage for connecting to a TLS-enabled Zot registry using CA file/content and skip-verify. |
| src/test/java/land/oras/utils/ZotBaseContainer.java | New shared base for Zot containers (image/port/config copy helpers, logging, registry address). |
| src/test/java/land/oras/utils/ZotContainer.java | Refactors existing auth-enabled Zot container to use ZotBaseContainer. |
| src/test/java/land/oras/utils/ZotUnsecureContainer.java | Refactors unsecure Zot container to use ZotBaseContainer and shared config-writing. |
| src/test/java/land/oras/utils/ZotTlsContainer.java | New TLS-enabled Zot container that generates/copies certs and exposes CA to tests. |
| src/test/java/land/oras/utils/TlsUtils.java | New test utility for generating certificates/keys (BouncyCastle-backed). |
| src/test/java/land/oras/utils/TestImages.java | Centralizes container image references used in tests. |
| pom.xml | Adds test dependency on bcpkix-jdk18on (and manages its version). |
b88f914 to e6bd886
I've just noticed the
- Introduce .withCaFile() and .withCaContent() method to Registry and HttpClient to provide custom CA certificates to be used for establishing a TLS connection with an OCI registry.
- Refactor HttpClient.Builder to ensure correct and consistent state when using multiple TLS-related methods like .withSkipTlsVerify, .withCaFile(), and .withCaContent().
- Add integration tests for TLS-related operations with a Zot OCI registry. Introduce a ZotBaseContainer class to consolidate common logic rather than duplicating code in the newly added ZotTlsContainer for TLS-related tests.

Fixes gh-670

Signed-off-by: Thomas Vitale <ThomasVitale@users.noreply.github.com>
Updated
Description
- Introduce `.withCaFile()` and `.withCaContent()` method to `Registry` and `HttpClient` to provide custom CA certificates to be used for establishing a TLS connection with an OCI registry.
- Refactor `HttpClient.Builder` to ensure correct and consistent state when using multiple TLS-related methods like `.withSkipTlsVerify()`, `.withCaFile()`, and `.withCaContent()`.
- Introduce a `ZotBaseContainer` class to consolidate common logic rather than duplicating code in the newly added `ZotTlsContainer` for TLS-related tests.

Fixes gh-670
Testing done
Submitter checklist
- `mvn license:update-file-header`, `mvn spotless:apply`, `pre-commit run -a`, `mvn clean install` before opening the PR
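To illustrate the builder semantics the description talks about (custom CA via file or inline PEM, skip-verify, and consistent state checked once at build time), here is an added example written for this page. It is not oras-java's own `HttpClient.Builder`; the class name `TlsClientBuilder`, the rule that the CA options are mutually exclusive with each other and with skip-verify, and the use of `java.net.http.HttpClient` are assumptions made for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.http.HttpClient;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Hypothetical builder (not the project's code) showing CA-file / CA-content / skip-verify handling. */
public final class TlsClientBuilder {

    private Path caFile;
    private String caContent;
    private boolean skipTlsVerify;

    public TlsClientBuilder withCaFile(Path caFile) {
        this.caFile = caFile;
        return this;
    }

    public TlsClientBuilder withCaContent(String pem) {
        this.caContent = pem;
        return this;
    }

    public TlsClientBuilder withSkipTlsVerify(boolean skip) {
        this.skipTlsVerify = skip;
        return this;
    }

    /** All option combinations are validated here, at build time, so call order cannot leave the builder inconsistent. */
    SSLContext buildSslContext() throws IOException, GeneralSecurityException {
        if (caFile != null && caContent != null) {
            throw new IllegalStateException("withCaFile() and withCaContent() are mutually exclusive (assumed rule)");
        }
        if (skipTlsVerify && (caFile != null || caContent != null)) {
            throw new IllegalStateException("withSkipTlsVerify(true) cannot be combined with a custom CA (assumed rule)");
        }
        if (skipTlsVerify) {
            return insecureContext(); // disables server authentication entirely; only for local test registries
        }
        if (caFile == null && caContent == null) {
            return SSLContext.getDefault(); // fall back to the JVM trust store
        }
        byte[] pem = caFile != null ? Files.readAllBytes(caFile) : caContent.getBytes(StandardCharsets.UTF_8);
        return trustOnly(parsePemCertificates(pem));
    }

    public HttpClient build() throws IOException, GeneralSecurityException {
        return HttpClient.newBuilder().sslContext(buildSslContext()).build();
    }

    /** Parse one or more concatenated PEM certificates (a CA bundle); empty input is an error, not silently "trust nothing". */
    static Collection<? extends Certificate> parsePemCertificates(byte[] pem) throws GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> certs = cf.generateCertificates(new ByteArrayInputStream(pem));
        if (certs.isEmpty()) throw new GeneralSecurityException("no X.509 certificate found in CA input");
        return certs;
    }

    /** SSLContext whose trust store holds only the supplied CA certificates (the JVM defaults are not merged in). */
    static SSLContext trustOnly(Collection<? extends Certificate> cas) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        int i = 0;
        for (Certificate ca : cas) ks.setCertificateEntry("ca-" + i++, ca);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }

    /** Trust-all context backing skip-verify; accepts any server certificate, so never use it outside tests. */
    static SSLContext insecureContext() throws GeneralSecurityException {
        TrustManager trustAll = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) {}
            public void checkServerTrusted(X509Certificate[] c, String a) {}
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] {trustAll}, new SecureRandom());
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Conflicting options fail fast at build time rather than silently winning by call order.
        try {
            new TlsClientBuilder().withCaContent("-----BEGIN CERTIFICATE-----\n...").withSkipTlsVerify(true).build();
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // Optionally pass the path of a PEM CA bundle (e.g. the CA of a local TLS-enabled Zot) to build a real client.
        if (args.length == 1) {
            HttpClient client = new TlsClientBuilder().withCaFile(Path.of(args[0])).build();
            System.out.println("client built with custom CA, protocol " + client.sslContext().getProtocol());
        }
    }
}
```

The point of doing the checks in `buildSslContext()` rather than in each `with*()` setter is the one the description makes: whatever order the caller invokes `withSkipTlsVerify()`, `withCaFile()` and `withCaContent()`, the resulting client state is decided once and an inconsistent combination is rejected instead of the last call quietly overriding the earlier ones. Note also that `trustOnly` replaces the JVM trust store rather than extending it, so a client configured with a private CA will not accept public CAs; whether the real implementation merges or replaces is not stated on this page.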