Nativelink Logo
Trust Root Support in Nativelink
Trust Root Support in Nativelink
Date: May 15, 2025
Est. read time: 5 minutes

Native Root Certificate Support in Nativelink

Section titled “Native Root Certificate Support in Nativelink”

Open source thrives on community contributions, and today’s story is a perfect example of why. External engineer Sam Eskandar identified a pain point in Nativelink’s TLS configuration and delivered a clean solution that eliminates deployment friction for teams using managed certificates.

Problem: Manual Certificate Management

Section titled “Problem: Manual Certificate Management”

Before this change, connecting to gRPC endpoints using TLS required specifying ClientTlsConfig like this:

{
ca_file: "path/to/ca.pem",
cert_file: "path/to/client.pem",
key_file: "path/to/client-key.pem"
}

Teams had to distribute CA certificates, client certificates, and key files across workers - creating friction for cloud deployments and potential security concerns when secrets need to be managed manually.

Solution: Native Root Certificate Support

Section titled “Solution: Native Root Certificate Support”

The new implementation adds a use_native_roots option that leverages the system’s native root certificate store, eliminating manual certificate file management for most deployment scenarios.

The core change is:

if config.use_native_roots == Some(true) {
if config.ca_file.is_some() {
warn!("Native root certificates are being used, all certificate files will be ignored");
}
return Ok(Some(
tonic::transport::ClientTlsConfig::new().with_native_roots(),
));
}

This implementation provides three distinct behaviors:

Configuration Examples

Section titled “Configuration Examples”

Here are the main ways to configure TLS in Nativelink. For complete configuration options, see the configuration reference.

Native Root Certificates

Section titled “Native Root Certificates”

For the majority of modern deployments, you can now enable native roots with one parameter:

{
"tls_config": {
"use_native_roots": true
}
}

This configuration automatically trusts certificates signed by any certificate authority in your system’s trust store - perfect for cloud environments with managed certificates.

Manual Certificate Path

Section titled “Manual Certificate Path”

Since use_native_roots defaults to false, you can still use the previous configuration:

{
"tls_config": {
"ca_file": "/path/to/ca.pem",
"cert_file": "/path/to/client.pem",
"key_file": "/path/to/client-key.pem"
}
}

GRPC Store and Local Worker Configuration

Section titled “GRPC Store and Local Worker Configuration”

The tls_config field can be used in GRPC store endpoints:

"stores": [
{
"grpc": {
"endpoints": [
{
"address": "grpcs://example.com:443",
"tls_config": {
"use_native_roots": true
}
}
],
"instance_name": "main",
"store_type": "cas"
},
"name": "CAS_STORE"
}
]

And in worker API endpoints:

"workers": [{
"local": {
"worker_api_endpoint": {
"uri": "grpcs://127.0.0.1:50061",
"tls_config": {
"use_native_roots": true
}
},
// ...
}
}]

Community Contributions

Section titled “Community Contributions”

The PR discussion shows how the review process strengthened the implementation. The contributor included comprehensive unit tests covering all configuration scenarios. Reviewers suggested UX improvements like warning users when certificate files are ignored, identified documentation needs, and planned future enhancements. One reviewer opened a follow-up PR to extend native roots to S3 stores.

This collaborative refinement process caught edge cases, improved error handling, and identified future improvements - resulting in a more robust implementation than any single contributor could have produced alone.

Looking forward

Section titled “Looking forward”

With native root certificate support, Nativelink becomes more accessible to teams across diverse infrastructure environments. Whether you’re running containerized workloads in Kubernetes, deploying on traditional virtual machines with corporate PKI, or prototyping locally, TLS configuration no longer presents a barrier to adoption.

This is the power of open source in action - community-driven improvements that make technology more accessible, secure, and flexible for everyone building the future. We’re grateful for contributions like this that strengthen Nativelink’s position as the premier open source remote execution platform.


Interested in contributing? Check out our GitHub repository.