chore: support running Make tasks while on Zscaler on macOS

.gitignore

@@ -6,3 +6,4 @@ equinix-metal.swagger.json.orig
 git_push.sh
 services/*/api/
 pkg
+.certs

Makefile

@@ -11,10 +11,10 @@ USER_AGENT=${GIT_REPO}/${PACKAGE_VERSION}
 OPENAPI_IMAGE_TAG=v7.3.0
 OPENAPI_IMAGE=openapitools/openapi-generator-cli:${OPENAPI_IMAGE_TAG}
 CRI=docker # nerdctl
-OPENAPI_GENERATOR=${CRI} run --rm -u ${CURRENT_UID}:${CURRENT_GID} -v $(CURDIR):/local ${OPENAPI_IMAGE}
-SPEC_FETCHER=${CRI} run --rm -u ${CURRENT_UID}:${CURRENT_GID} -v $(CURDIR):/workdir --entrypoint sh mikefarah/yq:4.30.8 script/download_spec.sh
+OPENAPI_GENERATOR=${CRI} run --rm -u ${CURRENT_UID}:${CURRENT_GID} $(CUSTOM_CERT_VOLUME) -v $(CURDIR):/local ${OPENAPI_IMAGE}
+SPEC_FETCHER=${CRI} run --rm -u ${CURRENT_UID}:${CURRENT_GID} $(CUSTOM_CERT_VOLUME) -v $(CURDIR):/workdir --entrypoint sh mikefarah/yq:4.30.8 script/download_spec.sh
 MIN_GO_VERSION=1.19
-GO_CMD=${CRI} run --rm -u ${CURRENT_UID}:${CURRENT_GID} -v $(CURDIR):/workdir -w /workdir -e GOCACHE=/tmp/.cache golang:${MIN_GO_VERSION}
+GO_CMD=${CRI} run --rm -u ${CURRENT_UID}:${CURRENT_GID} $(CUSTOM_CERT_VOLUME) -v $(CURDIR):/workdir -w /workdir -e GOCACHE=/tmp/.cache golang:${MIN_GO_VERSION}
 GOLANGCI_LINT=golangci-lint
 
 SPEC_BASE_DIR=spec/services

script/setup_local_certs.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# TODO what about non-Mac on Zscaler?
+mkdir -p .certs
+
+# Eject the usual CA certificates for the local host
+security export -t certs -f pemseq -k /System/Library/Keychains/SystemRootCertificates.keychain -o .certs/ca-certificates.crt
+
+# Append the Zscaler CA certificate to the bundle
+security find-certificate -p -c "Zscaler" /Library/Keychains/System.keychain >> .certs/ca-certificates.crt
+
+# Set the magic env var so that Make tasks that run Docker commands
+# will overwrite the image's built-in CA cert bundle with our own
+export CUSTOM_CERT_VOLUME="-v `pwd`/.certs:/etc/ssl/certs"