From e1b62bf70543eb4a14da784410c70a2d9ccbe543 Mon Sep 17 00:00:00 2001 From: Yiming Luo Date: Wed, 7 Jan 2026 17:14:37 -0500 Subject: [PATCH 1/2] [SVLS-7945] feat: Support custom CA cert file for logs and proxy flusher --- bottlecap/src/http.rs | 46 +++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 44 insertions(+), 2 deletions(-) diff --git a/bottlecap/src/http.rs b/bottlecap/src/http.rs index e7dae2623..e98092c61 100644 --- a/bottlecap/src/http.rs +++ b/bottlecap/src/http.rs @@ -8,8 +8,8 @@ use bytes::Bytes; use core::time::Duration; use datadog_fips::reqwest_adapter::create_reqwest_client_builder; use std::sync::Arc; -use std::{collections::HashMap, error::Error}; -use tracing::error; +use std::{collections::HashMap, error::Error, fs::File, io::BufReader}; +use tracing::{debug, error}; #[must_use] pub fn get_client(config: &Arc) -> reqwest::Client { @@ -47,6 +47,28 @@ fn build_client(config: &Arc) -> Result { + let cert_count = certs.len(); + for cert in certs { + client = client.add_root_certificate(cert); + } + debug!( + "HTTP | Added {} root certificate(s) from {}", + cert_count, cert_path + ); + } + Err(e) => { + error!( + "Failed to load TLS certificate from {}: {}, continuing without custom cert", + cert_path, e + ); + } + } + } + // This covers DD_PROXY_HTTPS and HTTPS_PROXY if let Some(https_uri) = &config.proxy_https { let proxy = reqwest::Proxy::https(https_uri.clone())?; 
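Review bot: The `Err(e)` arm added to `build_client` logs the failure and builds the client without the configured CA, while the proxy setup just below it propagates its error with `?`, so two similar misconfigurations are handled differently. The fallback does not widen trust, because only the default roots remain. But an operator who set the cert file to get through a TLS-inspecting proxy will see certificate verification fail on later requests, with the cause logged only where the client was built. If continuing is intended, say so at the arm, e.g. `// Deliberate: keep default roots only; requests via an intercepting proxy will fail TLS verification`, or propagate with `Err(e) => return Err(e),` (assuming the error types match; the signature and the opening `if let`/`match` lines are cut off in this view). The success path reports the added trust anchors only at `debug!`, and a change to what the client trusts may deserve a level that is visible by default.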
@@ -56,6 +78,26 @@ fn build_client(config: &Arc) -> Result Result, Box> { + let file = File::open(cert_path)?; + let mut reader = BufReader::new(file); + + // Parse PEM certificates + let certs = rustls_pemfile::certs(&mut reader).collect::, _>>()?; + + if certs.is_empty() { + return Err("No certificates found in file".into()); + } + + // Convert all certificates found in the file + let mut reqwest_certs = Vec::new(); + for cert in certs { + reqwest_certs.push(reqwest::Certificate::from_der(&cert)?); + } + + Ok(reqwest_certs) +} + pub async fn handler_not_found() -> Response { (StatusCode::NOT_FOUND, "Not Found").into_response() } From 00bfa8499292c520b5d8059b6d0e2666c778369e Mon Sep 17 00:00:00 2001 From: Yiming Luo Date: Wed, 7 Jan 2026 17:39:00 -0500 Subject: [PATCH 2/2] Make loop code idiomatic --- bottlecap/src/http.rs | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/bottlecap/src/http.rs b/bottlecap/src/http.rs index e98092c61..c969ed6f7 100644 --- a/bottlecap/src/http.rs +++ b/bottlecap/src/http.rs @@ -90,12 +90,10 @@ fn load_custom_cert(cert_path: &str) -> Result, Box Response {
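Review bot: `load_custom_cert` has no doc comment, and its trust effect is worth stating: every certificate found in the file is returned and then added in `build_client` as a root for the whole client, so the bundle should hold CA certificates only. Suggested: `/// Reads all PEM certificates from cert_path; each becomes a trust anchor for every request this client makes. Errors if the file is unreadable, malformed, or holds no certificate.` The empty-file error `"No certificates found in file"` omits the path; the caller adds it today, but including it here keeps the message useful if the function gains other callers. Whether `reqwest::Certificate::from_der` rejects malformed DER at this point depends on the TLS backend, which this hunk does not show. If it does not, a bad entry would surface only when the client is built, not in the "continuing without custom cert" path.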