fix: embed CA certificates for environments without system certs by TimPietruskyRunPod · Pull Request #238 · runpod/runpodctl

TimPietruskyRunPod · 2026-02-25T16:23:33Z

Summary

Import golang.org/x/crypto/x509roots/fallback to embed Mozilla's CA certificate bundle in the binary
This allows runpodctl to make HTTPS calls in environments without ca-certificates installed (e.g. minimal Docker images like ubuntu:22.04)
When system certs are available, they are used as normal — the embedded bundle is only a fallback
Binary size increase: ~200KB

Running runpodctl from inside a container based on a minimal image (without ca-certificates) fails:

Error: Post "https://api.runpod.io/graphql": tls: failed to verify certificate: x509: certificate signed by unknown authority

Tested on a live Runpod pod:

Removed ca-certificates from a running pod to simulate bare ubuntu:22.04
Old binary → x509: certificate signed by unknown authority
New binary (with embedded certs) → TLS succeeds, gets 401 (expected with fake API key)

Fixes #149

fix: embed CA certificates for environments without system certs

ca08053

justinwlin self-requested a review February 26, 2026 16:05

justinwlin approved these changes Feb 26, 2026

View reviewed changes

TimPietruskyRunPod merged commit eb63246 into main Mar 3, 2026
1 check passed

TimPietruskyRunPod deleted the fix/embed-ca-certs branch March 3, 2026 10:14