Allow certificates config context to access raw arguments and environment before processing (#12995)

* Allow certificates config context to access existing raw arguments and environment

* Update src/Aspire.Hosting/ApplicationModel/ResourceExtensions.cs

Co-authored-by: Copilot <[email protected]>

* Update src/Aspire.Hosting/ApplicationModel/ResourceExtensions.cs

Co-authored-by: Copilot <[email protected]>

* Add xmldoc and update tests

* Update to use new DCP cert APIs

* Don't invalidate lifecycle key for persistent containers when adding pfx

* Fix failing test

* Correct path for executable certs

* Disable developer cert features by default in tests

* Reduce the test cases

* Disable cert trust in tests unless explicitly enabled

* Disable dev cert features by default for mac in template tests

---------

Co-authored-by: Copilot <[email protected]>

Author: danegsta

src/Aspire.Hosting.JavaScript/JavaScriptHostingExtensions.cs

@@ -223,7 +223,20 @@ private static IResourceBuilder<TResource> WithNodeDefaults<TResource>(this IRes
                 }
                 else
                 {
-                    ctx.Arguments.Add("--use-openssl-ca");
+                    if (ctx.EnvironmentVariables.TryGetValue("NODE_OPTIONS", out var existingOptionsObj))
+                    {
+                        ctx.EnvironmentVariables["NODE_OPTIONS"] = existingOptionsObj switch
+                        {
+                            // Attempt to append to existing NODE_OPTIONS if possible, otherwise overwrite
+                            string s when !string.IsNullOrEmpty(s) => $"{s} --use-openssl-ca",
+                            ReferenceExpression re => ReferenceExpression.Create($"{re} --use-openssl-ca"),
+                            _ => "--use-openssl-ca",
+                        };
+                    }
+                    else
+                    {
+                        ctx.EnvironmentVariables["NODE_OPTIONS"] = "--use-openssl-ca";
+                    }
                 }
 
                 return Task.CompletedTask;

src/Aspire.Hosting.Yarp/YarpResourceExtensions.cs

@@ -45,7 +45,10 @@ public static IResourceBuilder<YarpResource> AddYarp(
                       {
                           ctx.EnvironmentVariables["Kestrel__Certificates__Default__Path"] = ctx.CertificatePath;
                           ctx.EnvironmentVariables["Kestrel__Certificates__Default__KeyPath"] = ctx.KeyPath;
-                          ctx.EnvironmentVariables["Kestrel__Certificates__Default__Password"] = ctx.Password;
+                          if (ctx.Password is not null)
+                          {
+                              ctx.EnvironmentVariables["Kestrel__Certificates__Default__Password"] = ctx.Password;
+                          }
 
                           return Task.CompletedTask;
                       });

src/Aspire.Hosting/ApplicationModel/CertificateKeyPairConfigurationCallbackAnnotaion.cs

@@ -73,7 +73,7 @@ public sealed class CertificateKeyPairConfigurationCallbackAnnotationContext
     /// </code>
     /// </example>
     /// </remarks>
-    public required Dictionary<string, object?> EnvironmentVariables { get; init; }
+    public required Dictionary<string, object> EnvironmentVariables { get; init; }
 
     /// <summary>
     /// A value provider that will resolve to a path to the certificate file.

src/Aspire.Hosting/ApplicationModel/ResourceExtensions.cs

@@ -91,6 +91,10 @@ internal sealed class ContainerSpec
 
     [JsonPropertyName("createFiles")]
     public List<ContainerCreateFileSystem>? CreateFiles { get; set; }
+
+    // List of public PEM certificates to be trusted by the container
+    [JsonPropertyName("pemCertificates")]
+    public ContainerPemCertificates? PemCertificates { get; set; }
 }
 
 internal sealed class BuildContext
@@ -439,6 +443,25 @@ internal static class ContainerFileSystemEntryType
     public const string OpenSSL = "openssl";
 }
 
+internal sealed class ContainerPemCertificates
+{
+    // The destination in the container the certificates should be written to
+    [JsonPropertyName("destination")]
+    public string? Destination { get; set; }
+
+    // The list of PEM encoded certificates to write
+    [JsonPropertyName("certificates")]
+    public List<PemCertificate>? Certificates { get; set; }
+
+    // Optional list of bundle paths to overwrite in the container with the generated CA bundle
+    [JsonPropertyName("overwriteBundlePaths")]
+    public List<string>? OverwriteBundlePaths { get; set; }
+
+    // Should resource creation continue if there are errors writing one or more certificates?
+    [JsonPropertyName("continueOnError")]
+    public bool ContinueOnError { get; set; }
+}
+
 internal sealed record ContainerStatus : V1Status
 {
     // Container name displayed in Docker

src/Aspire.Hosting/Dcp/DcpExecutor.cs

@@ -63,6 +63,12 @@ internal sealed class ExecutableSpec
     /// </summary>
     [JsonPropertyName("ambientEnvironment")]
     public AmbientEnvironment? AmbientEnvironment { get; set; }
+
+    /// <summary>
+    /// Public PEM certificates to be configured for the Executable.
+    /// </summary>
+    [JsonPropertyName("pemCertificates")]
+    public ExecutablePemCertificates? PemCertificates { get; set; }
 }
 
 internal sealed class AmbientEnvironment
@@ -101,6 +107,18 @@ internal static class ExecutionType
     public const string IDE = "IDE";
 }
 
+internal sealed class ExecutablePemCertificates
+{
+    // The list of public PEM encoded certificates for the executable.
+    [JsonPropertyName("certificates")]
+    public List<PemCertificate>? Certificates { get; set; }
+
+    // Indicates whether to continue starting the Executable if there are issues setting up any certificates for
+    // the executable.
+    [JsonPropertyName("continueOnError")]
+    public bool ContinueOnError { get; set; }
+}
+
 internal sealed record ExecutableStatus : V1Status
 {
     /// <summary>

src/Aspire.Hosting/Dcp/Model/Container.cs

@@ -0,0 +1,18 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System.Text.Json.Serialization;
+
+namespace Aspire.Hosting.Dcp.Model;
+
+// Represents a public PEM encoded certificate
+internal sealed class PemCertificate
+{
+    // Thumbprint of the certificate
+    [JsonPropertyName("thumbprint")]
+    public string? Thumbprint { get; set; }
+
+    // The PEM encoded contents of the public certificate
+    [JsonPropertyName("contents")]
+    public string? Contents { get; set; }
+}