
feat(build): add system CA root mode #2051

Draft
maxamillion wants to merge 1 commit into NVIDIA:main from maxamillion:openshell-unbundle-certs

Conversation

@maxamillion

Collaborator

Summary

Add feature-controlled TLS root selection so upstream builds keep bundled Mozilla roots while Linux distro builds can use system/native trust stores only.

Related Issue

N/A

Changes

  • Add mutually exclusive bundled-ca-roots and system-ca-roots Cargo features.
  • Wire root selection through rustls clients and TLS-dependent dependencies.
  • Gate supervisor upstream root-store construction on the selected CA source.
  • Patch z3-sys locally to avoid pulling webpki-roots in system-root builds.
  • Document the build modes in architecture/build.md.

Testing

  • mise run pre-commit passes
  • cargo check --workspace --all-targets passes
  • cargo check --workspace --all-targets --no-default-features --features system-ca-roots passes
  • cargo test --workspace passes
  • cargo test --workspace --no-default-features --features system-ca-roots passes
  • cargo tree -i webpki-roots --no-default-features --features system-ca-roots shows no package
  • cargo tree -i webpki-root-certs --no-default-features --features system-ca-roots shows no package
  • E2E tests added/updated (if applicable)

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
  • Architecture docs updated (if applicable)
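The "Changes" list above describes two mutually exclusive Cargo features that pick the TLS root source at compile time, plus a `cargo tree -i` check that the bundled-root crates are absent from a system-root build. The block below is an added illustration of that pattern and is not code from this PR or from the OpenShell project: the feature names match the description, but the `RootSource` enum, `selected_root_source`, and `bundled_crate_absent` helper are assumptions, and the actual rustls root-store construction is left out.

```rust
// Added illustration of feature-gated CA root selection (not the PR's code).
// Assumed Cargo features, mirroring the names in the PR description:
//   [features]
//   default = ["bundled-ca-roots"]
//   bundled-ca-roots = []
//   system-ca-roots = []

// Refuse to build if both root sources are enabled at once. This is the check
// that makes the features mutually exclusive instead of letting one silently win.
#[cfg(all(feature = "bundled-ca-roots", feature = "system-ca-roots"))]
compile_error!("features `bundled-ca-roots` and `system-ca-roots` are mutually exclusive");

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum RootSource {
    /// Mozilla roots compiled into the binary (e.g. from the webpki-roots crate).
    Bundled,
    /// Roots loaded from the platform trust store at runtime.
    System,
}

/// Which CA source this build was compiled with. Resolved at compile time, so a
/// system-ca-roots build never links bundled roots; bundled is the default.
pub const fn selected_root_source() -> RootSource {
    if cfg!(feature = "system-ca-roots") {
        RootSource::System
    } else {
        RootSource::Bundled
    }
}

/// Crates a system-root build must not depend on. `cargo tree -i <crate>`
/// reporting no package for each is the build-time check listed in the PR.
pub const BUNDLED_ROOT_CRATES: &[&str] = &["webpki-roots", "webpki-root-certs"];

/// Given the text of `cargo tree -i <crate>` (tree glyphs, crate name, version),
/// return true when `crate_name` does not appear as a package on any line.
pub fn bundled_crate_absent(cargo_tree_output: &str, crate_name: &str) -> bool {
    !cargo_tree_output
        .lines()
        .any(|line| line.split_whitespace().any(|tok| tok == crate_name))
}

fn main() {
    // Constructed sample of `cargo tree -i webpki-roots` output, not a real run.
    let sample = "reqwest v0.12.0\n├── webpki-roots v0.26.8\n└── rustls v0.23.0\n";
    println!("build uses {:?} roots", selected_root_source());
    for krate in BUNDLED_ROOT_CRATES {
        println!("{krate} absent: {}", bundled_crate_absent(sample, krate));
    }
}
```

The point of the `compile_error!` guard is that a packaging mistake such as `--features bundled-ca-roots,system-ca-roots` fails the build rather than producing a binary whose trust anchors differ from what the distro intended.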

@maxamillion maxamillion requested review from a team, derekwaynecarr and mrunalp as code owners June 29, 2026 19:55
@copy-pr-bot

copy-pr-bot Bot commented Jun 29, 2026


This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@maxamillion maxamillion marked this pull request as draft June 29, 2026 20:08
@maxamillion maxamillion force-pushed the openshell-unbundle-certs branch from 97dd40d to 94bb1af Compare June 30, 2026 18:56
Allow distro builds to use native trust stores for supervisor upstream TLS while keeping bundled Mozilla roots as the default. Avoid bundled root crates in system-ca-roots builds by using native-root TLS features and z3 0.20.

Signed-off-by: Adam Miller <admiller@redhat.com>
@maxamillion maxamillion force-pushed the openshell-unbundle-certs branch from 94bb1af to 60d7644 Compare June 30, 2026 22:09