
feat(podman): add system CA certificate support and pre-install nftables#556

Status: Open

wherka-ama wants to merge 1 commit into openkaiden:main from wherka-ama:fix/podman-ca-certificates-nftables

Conversation

@wherka-ama


Add system CA certificate detection and copying to build context for enterprise proxy support.
Pre-install nftables in workspace image to avoid runtime installation failures in deny-mode networking.

Changes:

  • Detect and copy system CA certificates from common Linux paths
  • Conditionally add COPY instructions to Containerfile when certs exist
  • Pre-install nftables in workspace image during build
  • Use workspace image for network-guard container instead of base image

Fixes: #555

Please note: this is just a first draft/proposal to plug this gap. Feel free to replace it with an entirely different implementation if the conventions or standards used in this PR are not aligned with the project.

Since I've not found any contribution guidelines, I made some assumptions. There is a good chance they were wrong :-)

BTW: Openkaiden rocks 🚀 I hope you guys will make it to the level where folks like us will be able to use it to run our agentic workloads safely in the enterprise setup one day!

@coderabbitai

coderabbitai Bot commented May 25, 2026


📝 Walkthrough

This PR detects and stages system CA certificates into the Podman build context, threads a certsCopied flag into Containerfile generation to conditionally install those certs, ensures nftables is included in workspace images, and wires the workspace image into pod templates for network-guard usage.

Changes

Enterprise Proxy CA Support and Workspace Image Integration

| Layer | File(s) | Summary |
|---|---|---|
| System CA Certificate Detection and Staging | pkg/runtime/podman/create.go, pkg/runtime/podman/create_test.go, .gitignore | New helpers locate system CA bundles and copy the first readable bundle into instanceDir/certs/system-ca.crt; tests validate discovery and copying; .gitignore adds a .kaiden/ entry. |
| Containerfile Generation with CA Certificate Installation | pkg/runtime/podman/containerfile.go, pkg/runtime/podman/containerfile_test.go | generateContainerfile accepts certsCopied bool and conditionally emits COPY certs/system-ca.crt ... and RUN update-ca-trust; the merged package list always includes nftables. Tests updated and include subtests for certsCopied true/false. |
| Create Function Wiring of CA Certificates | pkg/runtime/podman/create.go, pkg/runtime/podman/create_test.go | Create() calls copySystemCACertificates before generating the Containerfile, captures certsCopied, and passes it to createContainerfile/generateContainerfile; function signatures and test call sites updated accordingly. |
| Pod Template Data Model and Workspace Image Wiring | pkg/runtime/podman/create.go, pkg/runtime/podman/pods/onecli-pod.yaml, pkg/runtime/podman/create_test.go, pkg/runtime/podman/podman_test.go, pkg/runtime/podman/dashboard_test.go, pkg/runtime/podman/start_test.go, pkg/runtime/podman/steplogger_test.go | podTemplateData gains WorkspaceImage; Create() sets it to the built image name; the pod template uses {{.WorkspaceImage}} for network-guard; test fixtures updated to set workspace-specific WorkspaceImage values and one assertion updated to check the rendered image. |
| Network Guard Script Improvement | pkg/runtime/podman/network.go | buildNftScript now checks for nft, attempts dnf install -y nftables if missing, and verifies success before proceeding. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • openkaiden/kdn#323: Modifies generateContainerfile signature and Containerfile generation logic to add devcontainer feature support, overlapping containerfile-generation code paths.
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 31.25%, which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately summarizes the main changes: adding system CA certificate support and pre-installing nftables for Podman. |
| Description check | ✅ Passed | The description is directly related to the changeset, explaining the rationale for CA certificate support and nftables pre-installation in enterprise proxy environments. |
| Linked Issues check | ✅ Passed | The PR fully addresses all coding objectives from issue #555: detects and copies CA certificates, conditionally adds Containerfile instructions, pre-installs nftables, and uses the workspace image for network-guard. |
| Out of Scope Changes check | ✅ Passed | All changes are scoped to issue #555 requirements: CA certificate support, nftables pre-installation, and workspace image updates for the network-guard container. |


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (4)
pkg/runtime/podman/network.go (2)

334-335: 💤 Low value

Consider improving the error message to aid debugging.

The error message "nftables installation failed" is generic and doesn't provide context about potential causes. Given that this PR specifically addresses SSL/certificate issues in enterprise proxy environments, mentioning this potential cause could save debugging time if the fallback installation fails.

💡 Suggested error message improvement
-	// Verify nft is available after installation attempt
-	parts = append(parts, "command -v nft >/dev/null 2>&1 || { echo 'nftables installation failed'; exit 1; }")
+	// Verify nft is available after installation attempt
+	parts = append(parts, "command -v nft >/dev/null 2>&1 || { echo 'nftables installation failed (this should not happen if workspace image was built correctly; check for SSL/certificate issues if dnf install failed)'; exit 1; }")
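Review bot: the replacement `echo` on the `+` line still writes the diagnostic to stdout even though the branch then exits 1; redirect it to stderr (`echo '...' >&2`) so it lands in the guard container's error stream where the failure is looked for. The added text is also a 150+ character sentence inside a single-quoted shell string that itself sits in a Go string literal, which is hard to maintain and easy to break with a stray quote; a shorter message that points at the preceding dnf output (which already carries the SSL/proxy detail when the install fails) would serve the same purpose.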
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/runtime/podman/network.go` around lines 334 - 335, Update the appended
shell check string (the one added to the parts slice that currently reads
"command -v nft >/dev/null 2>&1 || { echo 'nftables installation failed'; exit
1; }") to print a more descriptive error that mentions possible enterprise
proxy/SSL/certificate issues and diagnostic hints (for example suggest checking
proxy settings, certificate trust, or include the command's stderr/exit code).
Locate the code that appends to the parts variable in the function handling
network setup (the parts = append(parts, "...nft...") line) and replace the
simple echo with a message that includes context about proxy/cert causes and a
note to include the captured error/exit status for debugging.

330-332: ⚡ Quick win

Clarify that nftables is pre-installed and this is a defensive fallback.

The comment suggests that the caller should ensure CA certificates are available, but this doesn't accurately reflect the PR's design:

  1. According to the PR's architecture, nftables is pre-installed in the workspace image during build (Containerfile always includes nftables in the package list).
  2. The network-guard container uses the workspace image, so nftables should already be present.
  3. CA certificates are also installed in the workspace image during build.
  4. This dnf install command should never execute under normal operation—it's a defensive fallback.

The current comment implies this is a primary installation mechanism that might fail, when it's actually a safety net for edge cases (e.g., if someone manually removes nftables or uses a non-standard image).

📝 Suggested comment revision
-	// Ensure nftables is installed before applying rules.
-	// Note: This may fail due to SSL certificate issues with enterprise proxies.
-	// The caller should ensure CA certificates are available in the container.
+	// Verify nftables is available (should already be pre-installed in workspace image).
+	// This fallback installation exists for robustness but should rarely execute.
 	parts = append(parts, "command -v nft >/dev/null 2>&1 || dnf install -y nftables")
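Review bot: the revised comment says the fallback "should rarely execute", but the context line `command -v nft >/dev/null 2>&1 || dnf install -y nftables` discards dnf's exit status through the `||` chain, and in the deny-mode networking this PR targets the guard container is unlikely to have egress to a package mirror, so the fallback cannot succeed in exactly the situation it would be needed. State those preconditions in the comment (the install only works with network egress and root inside the container, and the following `command -v nft` check is what actually reports failure) rather than only that it rarely runs, so readers rely on the pre-installed workspace image and not on this line.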
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/runtime/podman/network.go` around lines 330 - 332, Update the inline
comment above the code that appends the fallback install command (the parts
variable entry: "command -v nft >/dev/null 2>&1 || dnf install -y nftables") to
state that nftables and CA certificates are pre-installed in the workspace image
during build and that the network-guard container uses that image, so this dnf
install is a defensive fallback for edge cases (e.g., manual removal or
non-standard images) and should never run during normal operation; reference the
parts variable and the exact command string in the comment so reviewers can see
this is a safety-net rather than the primary installation mechanism.
pkg/runtime/podman/create_test.go (1)

181-240: ⚡ Quick win

CA copy test is non-deterministic and can miss regressions.

This test depends on host machine cert state, so it may pass without validating the intended behavior. Please make copySystemCACertificates testable with injected cert path candidates (or an fs abstraction) so both “copied” and “not copied” branches are asserted deterministically.

As per coding guidelines, “Tests use the standard testing package and should cover command initialization, execution, and error cases.”

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/runtime/podman/create_test.go` around lines 181 - 240, The test for
copySystemCACertificates is non-deterministic because it reads real host system
paths; refactor podmanRuntime.copySystemCACertificates to accept either an
injected list of candidate cert paths or a filesystem abstraction (e.g., an
io/fs or interface) so tests can control presence/absence of cert files, then
update create_test.go to create temporary fake cert files and assert
certsCopied==true and file contents, and a separate case with no files asserting
certsCopied==false; keep the existing function name copySystemCACertificates and
the podmanRuntime receiver so callers are easy to update.
pkg/runtime/podman/podman_test.go (1)

331-333: ⚡ Quick win

Tighten the workspace image assertion to avoid false positives.

Checking only for "kdn-" is too broad. Assert the exact expected image from the fixture (e.g. image: kdn-my-project) so template regressions are caught.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/runtime/podman/podman_test.go` around lines 331 - 333, The assertion in
the test that checks yamlStr for "kdn-" is too permissive; update the test to
assert the exact expected workspace image string from the fixture (e.g. check
yamlStr contains "image: kdn-my-project" or assert a full line match) instead of
just "kdn-". Locate the failing check that references yamlStr in the
podman_test.go test block and replace the contains("kdn-") assertion with a
contains("image: kdn-my-project") (or equivalent exact match) to prevent false
positives and catch template regressions.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/runtime/podman/create.go`:
- Around line 159-166: The loop that builds certContent iterates certPaths and
calls os.ReadFile(path), which fails for directory entries (e.g.,
"/etc/pki/ca-trust/source/anchors") and silently skips their contents; update
the logic that populates certContent (the certPaths loop in create.go) to detect
whether path is a directory (using os.Stat or os.ReadDir) and if so iterate the
directory entries (filtering for certificate file extensions like .crt/.pem or
all regular files), read each file's bytes and append them to certContent,
otherwise read the single file as before; keep the same certPaths and
certContent variables and replace the direct os.ReadFile(path) call with this
directory-aware reading flow.

---

Nitpick comments:
In `@pkg/runtime/podman/create_test.go`:
- Around line 181-240: The test for copySystemCACertificates is
non-deterministic because it reads real host system paths; refactor
podmanRuntime.copySystemCACertificates to accept either an injected list of
candidate cert paths or a filesystem abstraction (e.g., an io/fs or interface)
so tests can control presence/absence of cert files, then update create_test.go
to create temporary fake cert files and assert certsCopied==true and file
contents, and a separate case with no files asserting certsCopied==false; keep
the existing function name copySystemCACertificates and the podmanRuntime
receiver so callers are easy to update.

In `@pkg/runtime/podman/network.go`:
- Around line 334-335: Update the appended shell check string (the one added to
the parts slice that currently reads "command -v nft >/dev/null 2>&1 || { echo
'nftables installation failed'; exit 1; }") to print a more descriptive error
that mentions possible enterprise proxy/SSL/certificate issues and diagnostic
hints (for example suggest checking proxy settings, certificate trust, or
include the command's stderr/exit code). Locate the code that appends to the
parts variable in the function handling network setup (the parts = append(parts,
"...nft...") line) and replace the simple echo with a message that includes
context about proxy/cert causes and a note to include the captured error/exit
status for debugging.
- Around line 330-332: Update the inline comment above the code that appends the
fallback install command (the parts variable entry: "command -v nft >/dev/null
2>&1 || dnf install -y nftables") to state that nftables and CA certificates are
pre-installed in the workspace image during build and that the network-guard
container uses that image, so this dnf install is a defensive fallback for edge
cases (e.g., manual removal or non-standard images) and should never run during
normal operation; reference the parts variable and the exact command string in
the comment so reviewers can see this is a safety-net rather than the primary
installation mechanism.

In `@pkg/runtime/podman/podman_test.go`:
- Around line 331-333: The assertion in the test that checks yamlStr for "kdn-"
is too permissive; update the test to assert the exact expected workspace image
string from the fixture (e.g. check yamlStr contains "image: kdn-my-project" or
assert a full line match) instead of just "kdn-". Locate the failing check that
references yamlStr in the podman_test.go test block and replace the
contains("kdn-") assertion with a contains("image: kdn-my-project") (or
equivalent exact match) to prevent false positives and catch template
regressions.


📥 Commits

Reviewing files that changed from the base of the PR and between 7fb2187 and e9e5893.

📒 Files selected for processing (11)
  • .gitignore
  • pkg/runtime/podman/containerfile.go
  • pkg/runtime/podman/containerfile_test.go
  • pkg/runtime/podman/create.go
  • pkg/runtime/podman/create_test.go
  • pkg/runtime/podman/dashboard_test.go
  • pkg/runtime/podman/network.go
  • pkg/runtime/podman/podman_test.go
  • pkg/runtime/podman/pods/onecli-pod.yaml
  • pkg/runtime/podman/start_test.go
  • pkg/runtime/podman/steplogger_test.go

@wherka-ama wherka-ama force-pushed the fix/podman-ca-certificates-nftables branch from e9e5893 to 0f260bf Compare May 26, 2026 10:17

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/runtime/podman/create_test.go`:
- Around line 253-291: The test TestFindSystemCACertificates is coupled to the
SSL_CERT_FILE env var; update the test to isolate env state by calling
t.Setenv("SSL_CERT_FILE", "") at the start of TestFindSystemCACertificates
(before creating subtests) and stop running the subtests in parallel (remove or
move t.Parallel() out of the individual t.Run closures) so
findSystemCACertificates is not affected by external SSL_CERT_FILE values; keep
references to the same test name TestFindSystemCACertificates and the function
findSystemCACertificates when locating the code to change.

In `@pkg/runtime/podman/create.go`:
- Around line 142-155: The code reads CA bundle paths (caBundlePath from env and
entries in certPaths) using os.Stat/os.ReadFile without normalizing—call
filepath.Abs on caBundlePath and on each path iterated from certPaths (handle
filepath.Abs errors by skipping that candidate) and then use the resulting
absolute path for os.Stat and os.ReadFile so relative-path ambiguity is
eliminated; update the blocks around caBundlePath, certPaths and certContent to
use the absolute path variable before checking/reading.


📥 Commits

Reviewing files that changed from the base of the PR and between e9e5893 and 0f260bf.

📒 Files selected for processing (11)
  • .gitignore
  • pkg/runtime/podman/containerfile.go
  • pkg/runtime/podman/containerfile_test.go
  • pkg/runtime/podman/create.go
  • pkg/runtime/podman/create_test.go
  • pkg/runtime/podman/dashboard_test.go
  • pkg/runtime/podman/network.go
  • pkg/runtime/podman/podman_test.go
  • pkg/runtime/podman/pods/onecli-pod.yaml
  • pkg/runtime/podman/start_test.go
  • pkg/runtime/podman/steplogger_test.go
✅ Files skipped from review due to trivial changes (4)
  • pkg/runtime/podman/steplogger_test.go
  • .gitignore
  • pkg/runtime/podman/pods/onecli-pod.yaml
  • pkg/runtime/podman/start_test.go
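The CA bundle discovery and staging this PR describes, together with the two review findings on create.go above (directory entries in certPaths, and SSL_CERT_FILE precedence with filepath.Abs normalization), written out as an added Go example that is not the project's code. The candidate path list is constructed, the functions take injected candidates instead of being podmanRuntime methods so both the copied and not-copied branches can be tested deterministically, and the function names reuse the PR's but the signatures are assumptions:

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Constructed candidate list (not the project's): common Linux bundle files and
// anchor directories, probed in order after the SSL_CERT_FILE override.
var defaultCACandidates = []string{
	"/etc/pki/tls/certs/ca-bundle.crt",   // Fedora/RHEL bundle
	"/etc/ssl/certs/ca-certificates.crt", // Debian/Ubuntu bundle
	"/etc/pki/ca-trust/source/anchors",   // RHEL anchors directory
	"/usr/local/share/ca-certificates",   // Debian local anchors directory
}

// readCertSource returns the bytes of a single bundle file, or the concatenation
// of every .crt/.pem file directly inside a directory (the case the review
// flagged for /etc/pki/ca-trust/source/anchors). The path is made absolute first.
func readCertSource(path string) ([]byte, error) {
	abs, err := filepath.Abs(path)
	if err != nil {
		return nil, err
	}
	entries, err := os.ReadDir(abs) // fails with ENOTDIR when abs is a plain file
	if err != nil {
		return os.ReadFile(abs) // single file, or the real error for a missing path
	}
	var out []byte
	for _, e := range entries { // ReadDir sorts by name, so output is deterministic
		ext := strings.ToLower(filepath.Ext(e.Name()))
		if e.IsDir() || (ext != ".crt" && ext != ".pem") {
			continue
		}
		b, err := os.ReadFile(filepath.Join(abs, e.Name()))
		if err != nil {
			continue // an unreadable anchor is skipped, not fatal
		}
		out = append(out, b...)
		if len(b) > 0 && b[len(b)-1] != '\n' {
			out = append(out, '\n') // keep PEM blocks separated
		}
	}
	return out, nil
}

// findSystemCACertificates probes envBundle (the SSL_CERT_FILE override; "" means
// unset, which t.Setenv("SSL_CERT_FILE", "") in the review relies on) before the
// candidates and returns the first source holding a PEM certificate, plus its path.
func findSystemCACertificates(envBundle string, candidates []string) ([]byte, string, bool) {
	paths := candidates
	if envBundle != "" {
		paths = append([]string{envBundle}, candidates...)
	}
	for _, p := range paths {
		data, err := readCertSource(p)
		if err != nil || !bytes.Contains(data, []byte("-----BEGIN CERTIFICATE-----")) {
			continue
		}
		return data, p, true
	}
	return nil, "", false
}

// copySystemCACertificates stages the bundle as <instanceDir>/certs/system-ca.crt
// for the Containerfile COPY step and returns the certsCopied flag.
func copySystemCACertificates(instanceDir, envBundle string, candidates []string) (bool, error) {
	data, _, ok := findSystemCACertificates(envBundle, candidates)
	if !ok {
		return false, nil // nothing staged, so no COPY/update-ca-trust lines are emitted
	}
	dir := filepath.Join(instanceDir, "certs")
	if err := os.MkdirAll(dir, 0o755); err != nil {
		return false, err
	}
	// 0o644: a CA bundle is public trust material, not a secret.
	if err := os.WriteFile(filepath.Join(dir, "system-ca.crt"), data, 0o644); err != nil {
		return false, err
	}
	return true, nil
}

func main() {
	copied, err := copySystemCACertificates(".kaiden", os.Getenv("SSL_CERT_FILE"), defaultCACandidates)
	fmt.Println("certsCopied =", copied, "err =", err)
}
```

Because the candidates are injected, a test can point the function at temporary directories and assert both branches without touching the host's trust store.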

@wherka-ama wherka-ama force-pushed the fix/podman-ca-certificates-nftables branch from 0f260bf to dfbc63c Compare May 26, 2026 10:32
Add system CA certificate detection and copying to build context for enterprise
proxy support. Pre-install nftables in workspace image to avoid runtime installation
failures in deny-mode networking.

Changes:
- Detect and copy system CA certificates from common Linux paths
- Conditionally add COPY instructions to Containerfile when certs exist
- Pre-install nftables in workspace image during build
- Use workspace image for network-guard container instead of base image

Signed-off-by: Waldek Herka <87032474+wherka-ama@users.noreply.github.com>
Signed-off-by: Waldek Herka <wherka-ama@users.noreply.github.com>
@wherka-ama wherka-ama force-pushed the fix/podman-ca-certificates-nftables branch from dfbc63c to ae70184 Compare May 26, 2026 13:42
@wherka-ama (Author)

@coderabbitai help

@coderabbitai

coderabbitai Bot commented May 26, 2026


Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

CodeRabbit commands

These commands are invoked using PR/Issue comments.

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai rate limit to show your current review rate limit status.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai evaluate custom pre-merge check --instructions <custom-checks-instructions> --name <custom-checks-title> [--mode <error|warning>] to validate the custom pre-merge checks instructions. Defaults to error when --mode is omitted.
  • @coderabbitai ignore pre-merge checks to override pre-merge checks and get an approval on PR.
  • @coderabbitai run pre-merge checks to run pre-merge checks on the pull request.
  • @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
  • @coderabbitai emit path instructions to emit generated path-specific review instructions for this repository.
  • @coderabbitai resolve merge conflict to automatically resolve merge conflicts.
  • @coderabbitai autofix to automatically fix issues identified in unresolved review comments.
  • @coderabbitai resolve to resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai generate configuration to create a PR that adds the current resolved configuration as .coderabbit.yaml (or show it if already present).
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore or @coderabbit ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit configuration file (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • You can also validate your configuration using the online YAML validator.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, support, documentation and community

  • Visit our status page to check the current availability of CodeRabbit.
  • Create a ticket on our support page for assistance with any issues or questions.
  • Visit our documentation site for detailed information on how to use CodeRabbit.
  • Join our Discord community to connect with other users and get help from the community.
  • Follow us on X/Twitter for updates and announcements.

@wherka-ama (Author)

@coderabbitai full review

@coderabbitai

coderabbitai Bot commented May 26, 2026

✅ Actions performed

Full review triggered.

@coderabbitai coderabbitai Bot left a comment


♻️ Duplicate comments (1)
pkg/runtime/podman/create_test.go (1)

182-251: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Isolate SSL_CERT_FILE in TestCopySystemCACertificates to prevent env-coupled flakiness.

copySystemCACertificates() calls findSystemCACertificates(), which checks SSL_CERT_FILE before certPaths. With t.Parallel() here, host/CI env can override fixture selection and make assertions nondeterministic.

Proposed fix
 func TestCopySystemCACertificates(t *testing.T) {
-	t.Parallel()
+	// Not parallel: isolate process env for deterministic cert selection.
+	t.Setenv("SSL_CERT_FILE", "")

 	t.Run("copies certificates when cert file found", func(t *testing.T) {
-		t.Parallel()
-
 		instanceDir := t.TempDir()
 		p := &podmanRuntime{}
@@
 	t.Run("returns false when no certificates found", func(t *testing.T) {
-		t.Parallel()
-
 		instanceDir := t.TempDir()
 		p := &podmanRuntime{}
@@
 	t.Run("skips directories in cert paths", func(t *testing.T) {
-		t.Parallel()
-
 		instanceDir := t.TempDir()
 		p := &podmanRuntime{}
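Review bot: the hunk is right to drop the subtests' t.Parallel() calls as well, not only the parent's: Go panics when a subtest calls t.Parallel() after an ancestor has called t.Setenv(), so the agent prompt's advice below to "keep the inner t.Parallel() calls in each subtest" would make the test fail at runtime rather than restore parallelism. One caveat on `t.Setenv("SSL_CERT_FILE", "")`: it sets the variable to an empty string rather than unsetting it, so the isolation only works if findSystemCACertificates treats an empty value as absent (an os.Getenv-style `!= ""` check) instead of treating a set-but-empty variable as a path to stat.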

As per coding guidelines: “All tests MUST call t.Parallel() as the first line of the test function, except tests using t.Setenv() on the parent test function.”

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/runtime/podman/create_test.go` around lines 182 - 251, Remove the
top-level t.Parallel() from TestCopySystemCACertificates and instead call
t.Setenv("SSL_CERT_FILE", "") at the start of that parent test to isolate
environment from findSystemCACertificates(); keep the inner t.Parallel() calls
in each subtest so they remain parallel, and ensure references to
podmanRuntime.copySystemCACertificates and findSystemCACertificates still
operate against the controlled env.


📥 Commits

Reviewing files that changed from the base of the PR and between 7fb2187 and ae70184.

📒 Files selected for processing (11)
  • .gitignore
  • pkg/runtime/podman/containerfile.go
  • pkg/runtime/podman/containerfile_test.go
  • pkg/runtime/podman/create.go
  • pkg/runtime/podman/create_test.go
  • pkg/runtime/podman/dashboard_test.go
  • pkg/runtime/podman/network.go
  • pkg/runtime/podman/podman_test.go
  • pkg/runtime/podman/pods/onecli-pod.yaml
  • pkg/runtime/podman/start_test.go
  • pkg/runtime/podman/steplogger_test.go

@feloy

feloy commented May 29, 2026

Contributor

Thanks for this contribution. The development of this CLI is for the moment in pause, as we are focusing on another architecture.

@wherka-ama (Author)

Fair enough. Thanks for your comment @feloy 👍

As I mentioned in the issue this PR originated from, I'm not insisting on implementing this feature in any particular way. Just to be sure folks like us can use the Kaiden behind such solutions.

Feel free to close it. I've been heard. That's what matters to me :)

Development

Successfully merging this pull request may close these issues.

fix(podman): image build fails behind enterprise proxy due to missing CA certificates

2 participants