import { appendFileSync, existsSync, readFileSync, statSync } from 'node:fs';
import { createLogger } from '@repo/shared';
// How long to wait for the injected CA file to appear, and how often to look.
const CERT_WAIT_TIMEOUT_MS = 5000;
const CERT_WAIT_POLL_MS = 100;
// Bundle that the non-Node tools (curl, git, Python requests, OpenSSL) read.
// NOTE(review): this is the Debian/Ubuntu layout — confirm it matches the
// container image.
const SYSTEM_CA_BUNDLE = '/etc/ssl/certs/ca-certificates.crt';
const logger = createLogger({ component: 'container' });
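/**
 * Poll until `certPath` exists and is non-empty, or the wait budget runs out.
 *
 * The injected CA file may be created before its contents are fully written;
 * treating a zero-byte file as "ready" would let the caller read and install
 * an empty (or truncated) certificate. A file that appears and disappears
 * between polls is tolerated via `throwIfNoEntry: false`.
 *
 * @param certPath - Absolute path of the PEM file to wait for.
 * @returns `true` once the file exists with size > 0, `false` on timeout.
 */
async function waitForCertFile(certPath: string): Promise<boolean> {
  const deadline = Date.now() + CERT_WAIT_TIMEOUT_MS;
  while (Date.now() < deadline) {
    if (existsSync(certPath)) {
      // statSync may still fail to find the file (deleted between checks);
      // `throwIfNoEntry: false` returns undefined instead of throwing.
      const size = statSync(certPath, { throwIfNoEntry: false })?.size ?? 0;
      if (size > 0) return true;
    }
    await Bun.sleep(CERT_WAIT_POLL_MS);
  }
  return false;
}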
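/**
 * Install the sandbox's HTTPS-intercept CA as a trusted root for every TLS
 * client in this container.
 *
 * SECURITY: whatever file `SANDBOX_CA_CERT` (or the Cloudflare default path)
 * resolves to becomes a trust anchor for Node/Bun, curl, Python requests,
 * git and anything else reading the system bundle. That is the purpose
 * (transparent HTTPS interception), but it means the env var and the file
 * location must be treated as privileged configuration — anyone who can set
 * one or write the other can MITM all outbound TLS from the sandbox.
 *
 * Behaviour:
 *  - waits up to CERT_WAIT_TIMEOUT_MS for the file; warns and returns if it
 *    never appears (intercept simply stays disabled);
 *  - refuses to touch the system bundle unless the file looks like PEM;
 *  - appends the cert to SYSTEM_CA_BUNDLE only if it is not already there,
 *    so calling this more than once does not keep growing the bundle;
 *  - then points the common CA env vars at the bundle for child processes.
 *
 * @throws Propagates filesystem errors from reading the cert or writing the
 *   bundle (e.g. bundle not writable) — those indicate a broken container
 *   rather than "no intercept available".
 */
export async function trustRuntimeCert(): Promise<void> {
  // Default to the Cloudflare containers injected CA certificate
  const certPath =
    process.env.SANDBOX_CA_CERT ||
    '/etc/cloudflare/certs/cloudflare-containers-ca.crt';
  if (!(await waitForCertFile(certPath))) {
    logger.warn(
      'Certificate not found, could not enable HTTPS intercept support'
    );
    return;
  }
  const certContent = readFileSync(certPath, 'utf8');

  // Guard the system bundle: splicing a non-PEM (empty, truncated, wrong)
  // file into it can make OpenSSL reject the whole bundle and break TLS for
  // every tool in the container, which is worse than no intercept.
  if (!certContent.includes('-----BEGIN CERTIFICATE-----')) {
    logger.warn(
      'Certificate file is not PEM, could not enable HTTPS intercept support'
    );
    return;
  }

  // Idempotence: skip the append when this exact cert is already present
  // (e.g. a previous invocation in the same container lifetime).
  const alreadyInBundle =
    existsSync(SYSTEM_CA_BUNDLE) &&
    readFileSync(SYSTEM_CA_BUNDLE, 'utf8').includes(certContent.trim());
  if (!alreadyInBundle) {
    appendFileSync(SYSTEM_CA_BUNDLE, `\n${certContent}`);
  }

  // NODE_EXTRA_CA_CERTS is additive in Node/Bun; the rest replace the default
  // store entirely, so they must point to the full bundle.
  // NOTE(review): Node reads NODE_EXTRA_CA_CERTS at process start, so setting
  // it here is for child processes — the current runtime is not affected.
  process.env.NODE_EXTRA_CA_CERTS = certPath;
  process.env.SSL_CERT_FILE = SYSTEM_CA_BUNDLE;
  process.env.CURL_CA_BUNDLE = SYSTEM_CA_BUNDLE;
  process.env.REQUESTS_CA_BUNDLE = SYSTEM_CA_BUNDLE;
  process.env.GIT_SSL_CAINFO = SYSTEM_CA_BUNDLE;
}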