From 846c0349013e950237bce5c77b2f2c693e99f966 Mon Sep 17 00:00:00 2001
From: Pablo Rodriguez Nava
Date: Fri, 16 Jan 2026 18:00:14 +0100
Subject: [PATCH] Add DockerAdditionalTrustedBundle for custom CAs

Introduces a new SystemContext field DockerAdditionalTrustedBundle to allow callers to provide additional PEM-encoded certificates that should be trusted when connecting to Docker registries. This is useful for environments with custom or internal certificate authorities, particularly when host-specific certificates are provided but a common CA is required across all hosts.

Signed-off-by: Pablo Rodriguez Nava
---
 image/docker/docker_client.go | 5 +++++
 image/types/types.go | 2 ++
 2 files changed, 7 insertions(+)
diff --git a/image/docker/docker_client.go b/image/docker/docker_client.go
index 2f257076f5..e953bd68b2 100644
--- a/image/docker/docker_client.go
+++ b/image/docker/docker_client.go
@@ -262,6 +262,11 @@ func newDockerClient(sys *types.SystemContext, registry, reference string) (*doc
 return nil, err
 }
 
+ // If the non-host-specific trust bundle is given add it to the RootCAs pool
+ if sys.DockerAdditionalTrustedBundle != "" {
+ tlsClientConfig.RootCAs.AppendCertsFromPEM([]byte(sys.DockerAdditionalTrustedBundle))
+ }
+
 // Check if TLS verification shall be skipped (default=false) which can
 // be specified in the sysregistriesv2 configuration.
 skipVerify := false
diff --git a/image/types/types.go b/image/types/types.go
index de25dabcdc..5d7168f4e0 100644
--- a/image/types/types.go
+++ b/image/types/types.go
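Review bot: The added `tlsClientConfig.RootCAs.AppendCertsFromPEM(...)` is called without checking that `RootCAs` is non-nil; nothing in the hunk initialises the pool, and if the preceding per-host certificate setup (outside the hunk) leaves `RootCAs` nil when no host-specific certificate exists, this is a nil-pointer dereference on exactly the configuration the commit message targets. Assigning a fresh empty pool would not be correct either, since a nil `RootCAs` means "use the system roots", so the fallback should start from `x509.SystemCertPool()` (importing `crypto/x509` if this file does not already). The boolean result of `AppendCertsFromPEM` is also discarded, so a bundle with no parseable PEM certificate is silently ignored and the operator only learns of the misconfiguration later as an unrelated TLS verification failure; returning an error here makes the misconfiguration visible at the point it is made. `newDockerClient` begins and ends outside the hunk.
```go
	// If the non-host-specific trust bundle is given add it to the RootCAs pool
	if sys.DockerAdditionalTrustedBundle != "" {
		if tlsClientConfig.RootCAs == nil {
			// nil RootCAs means "system roots"; keep them rather than replacing them with an empty pool
			systemPool, err := x509.SystemCertPool()
			if err != nil {
				return nil, fmt.Errorf("unable to get system cert pool: %w", err)
			}
			tlsClientConfig.RootCAs = systemPool
		}
		if !tlsClientConfig.RootCAs.AppendCertsFromPEM([]byte(sys.DockerAdditionalTrustedBundle)) {
			return nil, errors.New("DockerAdditionalTrustedBundle contains no valid PEM-encoded certificates")
		}
	}
	// … unchanged: skipVerify handling …
```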
@@ -640,6 +640,8 @@ type SystemContext struct {
 // If not "", overrides the system’s default path for a directory containing host[:port] subdirectories with the same structure as DockerCertPath above.
 // Ignored if DockerCertPath is non-empty.
 DockerPerHostCertDirPath string
+ // If not "", a string containing PEM-encoded certificates to add to the trusted root CAs.
+ DockerAdditionalTrustedBundle string
 // Allow contacting container registries over HTTP, or HTTPS with failed TLS verification. Note that this does not affect other TLS connections.
 DockerInsecureSkipTLSVerify OptionalBool
 // if nil, the library tries to parse ~/.docker/config.json to retrieve credentials
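Review bot: The doc comment on the new `DockerAdditionalTrustedBundle` field does not say how it relates to the neighbouring `DockerCertPath`/`DockerPerHostCertDirPath` options, which is the first thing a reader deciding between them needs; the docker_client.go hunk appends the bundle to the existing pool, so it is additive rather than a replacement, and it applies regardless of registry host. Suggest `// If not "", PEM-encoded certificates to add to the trusted root CAs for all registry hosts, in addition to any host-specific certificates from DockerCertPath or DockerPerHostCertDirPath.` and, if the implementation is changed to reject an unparseable bundle, a second line stating that such a value is an error rather than silently ignored. The `SystemContext` struct begins and ends outside the hunk.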