Skip to content

feat(cli): support inline CA certificates in gRPC connections and config #2721

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
javirln wants to merge 5 commits into
base: main
Choose a base branch
from
Open

feat(cli): support inline CA certificates in gRPC connections and config #2721

javirln wants to merge 5 commits into from
+257 −9

Conversation

@javirln
Copy link
Member

@javirln javirln commented Feb 10, 2026

Store CA certificate content (base64-encoded) in config instead of file paths, enabling portable configurations across environments. The gRPC connection layer now accepts CA content directly via WithCAContent option.

PFM-4423

@javirln
feat(cli): support inline CA certificates in gRPC connections
88b337c 
Store CA certificate content (base64-encoded) in config instead of file
paths, enabling portable configurations across environments. The gRPC
connection layer now accepts CA content directly via WithCAContent option.

Signed-off-by: Javier Rodriguez <javier@chainloop.dev>
@javirln javirln requested review from jiparis and migmartri February 10, 2026 09:11
@javirln javirln self-assigned this Feb 10, 2026
@javirln javirln changed the title feat(cli): support inline CA certificates in gRPC connections feat(cli): support inline CA certificates in gRPC connections and config Feb 10, 2026
migmartri
migmartri reviewed Feb 10, 2026
View reviewed changes
Copy link
Member

@migmartri migmartri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@javirln we need to make sure new clients work with old configuration and the other way around.

In other words, new clients should be compatible with the deprecated path loading

@javirln
test(grpcconn): add comprehensive CA loading tests
0291a3f 
Add unit tests for CA certificate loading functionality including file
path detection, PEM content loading, base64-encoded content, and option
functions. Tests verify backward compatibility with file paths and new
inline content support.

Signed-off-by: Javier Rodriguez <javier@chainloop.dev>
@javirln
fix linter
a1286ae 
Signed-off-by: Javier Rodriguez <javier@chainloop.dev>
@javirln
Copy link
Member Author

javirln commented Feb 10, 2026

@javirln we need to make sure new clients work with old configuration and the other way around.

In other words, new clients should be compatible with the deprecated path loading

Yes, it is. I've added tests for that. It will attempt to load the path, and if successful, store it as base64. Otherwise, It will try to load the base64 directly.

@migmartri
Copy link
Member

migmartri commented Feb 10, 2026

@javirln we need to make sure new clients work with old configuration and the other way around.
In other words, new clients should be compatible with the deprecated path loading

Yes, it is. I've added tests for that. It will attempt to load the path, and if successful, store it as base64. Otherwise, It will try to load the base64 directly.

I don't mean the storing, but the consumption of an already stored path, just to confirm, is that covered?

@javirln
test(grpcconn): add backward compatibility tests
6422b1c 
Add tests verifying that new clients can consume old configurations with
stored file paths, and that the file path detection correctly routes to
the legacy loading method. Addresses PR feedback on backward compatibility.

Signed-off-by: Javier Rodriguez <javier@chainloop.dev>
@javirln
Copy link
Member Author

javirln commented Feb 10, 2026

@javirln we need to make sure new clients work with old configuration and the other way around.
In other words, new clients should be compatible with the deprecated path loading

Yes, it is. I've added tests for that. It will attempt to load the path, and if successful, store it as base64. Otherwise, It will try to load the base64 directly.

I don't mean the storing, but the consumption of an already stored path, just to confirm, is that covered?

Yes, it's backwards compatible with CAs as paths stored in the configuration from all the tests I could ran.

@javirln javirln marked this pull request as ready for review February 10, 2026 10:03
migmartri
migmartri reviewed Feb 10, 2026
View reviewed changes
migmartri
migmartri reviewed Feb 10, 2026
View reviewed changes
@javirln
simplfy logic
739cf62 
Signed-off-by: Javier Rodriguez <javier@chainloop.dev>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@migmartri migmartri migmartri left review comments

@jiparis jiparis Awaiting requested review from jiparis

At least 1 approving review is required to merge this pull request.

Assignees

@javirln javirln

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@javirln @migmartri