Fix default CA to be based on system certs instead of none

[jackyalbo]

Describe the Problem

When, for some reason, OCP failed to inject the CA list to our pods, noobaa-core/endpoint would start with an empty list of CAs instead of the system defaults - this fix is supposed to fix this.

Explain the Changes

1. base ca list on the system default instead of empty list

Issues: Fixed #xxx / Gap #xxx

Testing Instructions:

• Doc added/updated
• Tests added

Summary by CodeRabbit

• Bug Fixes
  • Enhanced HTTPS certificate validation and SSL/TLS connection reliability. The system now combines Node's built-in root certificates with custom CA bundles to ensure comprehensive certificate trust verification across different deployment environments and certificate authorities. Additionally, unreadable or missing CA files are handled gracefully.

[coderabbitai]

Warning

Rate limit exceeded

@jackyalbo has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 1 minutes and 2 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 1 minutes and 2 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 3a64c359-8929-4723-bb36-eed9bf5c3e7e

📥 Commits

Reviewing files that changed from the base of the PR and between cc0ef49 and 5495f48.

📒 Files selected for processing (2)

• src/test/unit_tests/util_functions_tests/test_http_utils.cert.test.js
• src/util/http_utils.js

📝 Walkthrough

Walkthrough

Updated HTTPS agent CA certificate configuration to prepend Node's built-in root certificates (tls.rootCertificates) before loading custom CA bundles from disk, with the new tls module dependency enabling access to root certificates while preserving the filter for missing files.

Changes

Cohort / File(s)	Summary
HTTPS Agent Configuration src/util/http_utils.js	Added tls module import and modified CA array construction to prepend Node's built-in root certificates before loading custom internal/external CA bundles, maintaining the filter for unreadable files.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• Fixing CA certs to use defaults in case they exist #9395 — Also modifies CA handling and HTTPS agent construction in src/util/http_utils.js for certificate management.

Suggested labels

size/L

Suggested reviewers

• nimrod-becker
• liranmauda

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: switching from an empty/no CA list to using system certificates as defaults.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/util/http_utils.js`:
- Line 10: The code currently uses tls.rootCertificates which only contains
Node's bundled Mozilla CAs and will override system/OpenSSL stores when passed
as the 'ca' option; change usage in src/util/http_utils.js to call
tls.getCACertificates('default') to obtain the effective default CA set
(including system certs) and only set the request/agent 'ca' option when custom
CA files are provided—if no custom CA files exist, leave 'ca' undefined so
Node's implicit default trust handling is preserved; update any references to
tls.rootCertificates in functions that build TLS options (e.g., the agent or
request TLS option construction) to use tls.getCACertificates('default') and
conditional assignment.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 1cd951d7-8993-453d-8e5b-896b428c6d51

📥 Commits

Reviewing files that changed from the base of the PR and between cfce853 and cc0ef49.

📒 Files selected for processing (1)

• src/util/http_utils.js

[liranmauda]

As far as I can tell, it was added in Node.js v22.15.0
Here is the list of nodes we are using (based on the .nvmrc)

5.16 -> 20.11.0
5.17 -> 20.17.0
5.18 -> 22.11.0
5.19 -> 22.11.0
5.20 -> 22.11.0
5.21 -> 24.4.1

For the older versions, we will have to bump nodeJS