spring-projects
diff --git a/‎spring-boot-project/spring-boot-docker-compose/src/main/java/org/springframework/boot/docker/compose/core/DefaultRunningService.java
+9-1 b/‎spring-boot-project/spring-boot-docker-compose/src/main/java/org/springframework/boot/docker/compose/core/DefaultRunningService.java
+9-1
diff --git a/‎spring-boot-project/spring-boot-docker-compose/src/main/java/org/springframework/boot/docker/compose/core/RunningService.java
+10-1 b/‎spring-boot-project/spring-boot-docker-compose/src/main/java/org/springframework/boot/docker/compose/core/RunningService.java
+10-1
diff --git a/‎spring-boot-project/spring-boot-docker-compose/src/main/java/org/springframework/boot/docker/compose/service/connection/DockerComposeConnectionDetailsFactory.java
+125 b/‎spring-boot-project/spring-boot-docker-compose/src/main/java/org/springframework/boot/docker/compose/service/connection/DockerComposeConnectionDetailsFactory.java
+125
diff --git a/‎spring-boot-project/spring-boot-testcontainers/src/main/java/org/springframework/boot/testcontainers/service/connection/ContainerConnectionDetailsFactory.java
+31 b/‎spring-boot-project/spring-boot-testcontainers/src/main/java/org/springframework/boot/testcontainers/service/connection/ContainerConnectionDetailsFactory.java
+31
diff --git a/‎spring-boot-project/spring-boot-testcontainers/src/main/java/org/springframework/boot/testcontainers/service/connection/ContainerConnectionSource.java
+26-3 b/‎spring-boot-project/spring-boot-testcontainers/src/main/java/org/springframework/boot/testcontainers/service/connection/ContainerConnectionSource.java
+26-3
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2023 the original author or authors.
+ * Copyright 2012-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -45,6 +45,8 @@ class DefaultRunningService implements RunningService, OriginProvider {
 
 	private final DockerEnv env;
 
+	private final DockerComposeFile composeFile;
+
 	DefaultRunningService(DockerHost host, DockerComposeFile composeFile, DockerCliComposePsResponse composePsResponse,
 			DockerCliInspectResponse inspectResponse) {
 		this.origin = new DockerComposeOrigin(composeFile, composePsResponse.name());
@@ -55,6 +57,7 @@ class DefaultRunningService implements RunningService, OriginProvider {
 		this.ports = new DefaultConnectionPorts(inspectResponse);
 		this.env = new DockerEnv(inspectResponse.config().env());
 		this.labels = Collections.unmodifiableMap(inspectResponse.config().labels());
+		this.composeFile = composeFile;
 	}
 
 	@Override
@@ -97,4 +100,9 @@ public String toString() {
 		return this.name;
 	}
 
+	@Override
+	public DockerComposeFile composeFile() {
+		return this.composeFile;
+	}
+
 }
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2024 the original author or authors.
+ * Copyright 2012-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -64,4 +64,13 @@ public interface RunningService {
 	 */
 	Map<String, String> labels();
 
+	/**
+	 * Return the Docker Compose file for the service.
+	 * @return the Docker Compose file
+	 * @since 3.5.0
+	 */
+	default DockerComposeFile composeFile() {
+		return null;
+	}
+
 }
@@ -16,17 +16,33 @@
 
 package org.springframework.boot.docker.compose.service.connection;
 
+import java.nio.file.Path;
 import java.util.Arrays;
+import java.util.Set;
 import java.util.function.Predicate;
 
 import org.springframework.boot.autoconfigure.service.connection.ConnectionDetails;
 import org.springframework.boot.autoconfigure.service.connection.ConnectionDetailsFactory;
+import org.springframework.boot.docker.compose.core.DockerComposeFile;
 import org.springframework.boot.docker.compose.core.RunningService;
+import org.springframework.boot.io.ApplicationResourceLoader;
 import org.springframework.boot.origin.Origin;
 import org.springframework.boot.origin.OriginProvider;
+import org.springframework.boot.ssl.SslBundle;
+import org.springframework.boot.ssl.SslBundleKey;
+import org.springframework.boot.ssl.SslOptions;
+import org.springframework.boot.ssl.jks.JksSslStoreBundle;
+import org.springframework.boot.ssl.jks.JksSslStoreDetails;
+import org.springframework.boot.ssl.pem.PemSslStore;
+import org.springframework.boot.ssl.pem.PemSslStoreBundle;
+import org.springframework.boot.ssl.pem.PemSslStoreDetails;
+import org.springframework.core.io.ResourceLoader;
+import org.springframework.core.io.support.SpringFactoriesLoader;
 import org.springframework.util.Assert;
 import org.springframework.util.ClassUtils;
+import org.springframework.util.CollectionUtils;
 import org.springframework.util.ObjectUtils;
+import org.springframework.util.StringUtils;
 
 /**
  * Base class for {@link ConnectionDetailsFactory} implementations that provide
@@ -106,6 +122,8 @@ protected static class DockerComposeConnectionDetails implements ConnectionDetai
 
 		private final Origin origin;
 
+		private volatile SslBundle sslBundle;
+
 		/**
 		 * Create a new {@link DockerComposeConnectionDetails} instance.
 		 * @param runningService the source {@link RunningService}
@@ -120,6 +138,113 @@ public Origin getOrigin() {
 			return this.origin;
 		}
 
+		protected SslBundle getSslBundle(RunningService service) {
+			if (this.sslBundle != null) {
+				return this.sslBundle;
+			}
+			SslBundle jksSslBundle = getJksSslBundle(service);
+			SslBundle pemSslBundle = getPemSslBundle(service);
+			if (jksSslBundle == null && pemSslBundle == null) {
+				return null;
+			}
+			if (jksSslBundle != null && pemSslBundle != null) {
+				throw new IllegalStateException("Mutually exclusive JKS and PEM ssl bundles have been configured");
+			}
+			SslBundle sslBundle = (jksSslBundle != null) ? jksSslBundle : pemSslBundle;
+			this.sslBundle = sslBundle;
+			return sslBundle;
+		}
+
+		private SslBundle getJksSslBundle(RunningService service) {
+			JksSslStoreDetails keyStoreDetails = getJksSslStoreDetails(service, "keystore");
+			JksSslStoreDetails trustStoreDetails = getJksSslStoreDetails(service, "truststore");
+			if (keyStoreDetails == null && trustStoreDetails == null) {
+				return null;
+			}
+			SslBundleKey key = SslBundleKey.of(service.labels().get("org.springframework.boot.sslbundle.jks.key.alias"),
+					service.labels().get("org.springframework.boot.sslbundle.jks.key.password"));
+			SslOptions options = createSslOptions(
+					service.labels().get("org.springframework.boot.sslbundle.jks.options.ciphers"),
+					service.labels().get("org.springframework.boot.sslbundle.jks.options.enabled-protocols"));
+			String protocol = service.labels().get("org.springframework.boot.sslbundle.jks.protocol");
+			Path workingDirectory = getWorkingDirectory(service);
+			return SslBundle.of(
+					new JksSslStoreBundle(keyStoreDetails, trustStoreDetails, getResourceLoader(workingDirectory)), key,
+					options, protocol);
+		}
+
+		private ResourceLoader getResourceLoader(Path workingDirectory) {
+			ClassLoader classLoader = ApplicationResourceLoader.get().getClassLoader();
+			return ApplicationResourceLoader.get(classLoader,
+					SpringFactoriesLoader.forDefaultResourceLocation(classLoader), workingDirectory);
+		}
+
+		private JksSslStoreDetails getJksSslStoreDetails(RunningService service, String storeType) {
+			String type = service.labels().get("org.springframework.boot.sslbundle.jks.%s.type".formatted(storeType));
+			String provider = service.labels()
+				.get("org.springframework.boot.sslbundle.jks.%s.provider".formatted(storeType));
+			String location = service.labels()
+				.get("org.springframework.boot.sslbundle.jks.%s.location".formatted(storeType));
+			String password = service.labels()
+				.get("org.springframework.boot.sslbundle.jks.%s.password".formatted(storeType));
+			if (location == null) {
+				return null;
+			}
+			return new JksSslStoreDetails(type, provider, location, password);
+		}
+
+		private Path getWorkingDirectory(RunningService runningService) {
+			DockerComposeFile composeFile = runningService.composeFile();
+			if (composeFile == null || CollectionUtils.isEmpty(composeFile.getFiles())) {
+				return Path.of(".");
+			}
+			return composeFile.getFiles().get(0).toPath().getParent();
+		}
+
+		private SslOptions createSslOptions(String ciphers, String enabledProtocols) {
+			Set<String> ciphersSet = null;
+			if (StringUtils.hasLength(ciphers)) {
+				ciphersSet = StringUtils.commaDelimitedListToSet(ciphers);
+			}
+			Set<String> enabledProtocolsSet = null;
+			if (StringUtils.hasLength(enabledProtocols)) {
+				enabledProtocolsSet = StringUtils.commaDelimitedListToSet(enabledProtocols);
+			}
+			return SslOptions.of(ciphersSet, enabledProtocolsSet);
+		}
+
+		private SslBundle getPemSslBundle(RunningService service) {
+			PemSslStoreDetails keyStoreDetails = getPemSslStoreDetails(service, "keystore");
+			PemSslStoreDetails trustStoreDetails = getPemSslStoreDetails(service, "truststore");
+			if (keyStoreDetails == null && trustStoreDetails == null) {
+				return null;
+			}
+			SslBundleKey key = SslBundleKey.of(service.labels().get("org.springframework.boot.sslbundle.pem.key.alias"),
+					service.labels().get("org.springframework.boot.sslbundle.pem.key.password"));
+			SslOptions options = createSslOptions(
+					service.labels().get("org.springframework.boot.sslbundle.pem.options.ciphers"),
+					service.labels().get("org.springframework.boot.sslbundle.pem.options.enabled-protocols"));
+			String protocol = service.labels().get("org.springframework.boot.sslbundle.pem.protocol");
+			Path workingDirectory = getWorkingDirectory(service);
+			ResourceLoader resourceLoader = getResourceLoader(workingDirectory);
+			return SslBundle.of(new PemSslStoreBundle(PemSslStore.load(keyStoreDetails, resourceLoader),
+					PemSslStore.load(trustStoreDetails, resourceLoader)), key, options, protocol);
+		}
+
+		private PemSslStoreDetails getPemSslStoreDetails(RunningService service, String storeType) {
+			String type = service.labels().get("org.springframework.boot.sslbundle.pem.%s.type".formatted(storeType));
+			String certificate = service.labels()
+				.get("org.springframework.boot.sslbundle.pem.%s.certificate".formatted(storeType));
+			String privateKey = service.labels()
+				.get("org.springframework.boot.sslbundle.pem.%s.private-key".formatted(storeType));
+			String privateKeyPassword = service.labels()
+				.get("org.springframework.boot.sslbundle.pem.%s.private-key-password".formatted(storeType));
+			if (certificate == null && privateKey == null) {
+				return null;
+			}
+			return new PemSslStoreDetails(type, certificate, privateKey, privateKeyPassword);
+		}
+
 	}
 
 }
@@ -16,6 +16,7 @@
 
 package org.springframework.boot.testcontainers.service.connection;
 
+import java.lang.annotation.Annotation;
 import java.util.Arrays;
 import java.util.List;
 import java.util.stream.Stream;
@@ -33,6 +34,7 @@
 import org.springframework.boot.autoconfigure.service.connection.ConnectionDetailsFactory;
 import org.springframework.boot.origin.Origin;
 import org.springframework.boot.origin.OriginProvider;
+import org.springframework.boot.ssl.SslBundle;
 import org.springframework.boot.testcontainers.lifecycle.TestcontainersStartup;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.ApplicationContextAware;
@@ -166,6 +168,8 @@ protected static class ContainerConnectionDetails<C extends Container<?>>
 
 		private volatile C container;
 
+		private volatile SslBundle sslBundle;
+
 		/**
 		 * Create a new {@link ContainerConnectionDetails} instance.
 		 * @param source the source {@link ContainerConnectionSource}
@@ -194,6 +198,33 @@ protected final C getContainer() {
 			return this.container;
 		}
 
+		/**
+		 * Return the {@link SslBundle} to use with this connection or {@code null}.
+		 * @return the ssl bundle or {@code null}
+		 * @since 3.5.0
+		 */
+		protected SslBundle getSslBundle() {
+			if (this.source.getSslBundleSource() == null) {
+				return null;
+			}
+			SslBundle sslBundle = this.sslBundle;
+			if (sslBundle == null) {
+				sslBundle = this.source.getSslBundleSource().getSslBundle();
+				this.sslBundle = sslBundle;
+			}
+			return sslBundle;
+		}
+
+		/**
+		 * Whether the field or bean is annotated with the given annotation.
+		 * @param annotationType the annotation to check
+		 * @return whether the field or bean is annotated with the annotation
+		 * @since 3.5.0
+		 */
+		protected boolean hasAnnotation(Class<? extends Annotation> annotationType) {
+			return this.source.hasAnnotation(annotationType);
+		}
+
 		@Override
 		public Origin getOrigin() {
 			return this.source.getOrigin();
 
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2024 the original author or authors.
+ * Copyright 2012-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,7 @@
 
 package org.springframework.boot.testcontainers.service.connection;
 
+import java.lang.annotation.Annotation;
 import java.util.Set;
 import java.util.function.Supplier;
 
@@ -27,6 +28,7 @@
 import org.springframework.boot.origin.Origin;
 import org.springframework.boot.origin.OriginProvider;
 import org.springframework.core.annotation.MergedAnnotation;
+import org.springframework.core.annotation.MergedAnnotations;
 import org.springframework.core.log.LogMessage;
 import org.springframework.util.StringUtils;
 
@@ -60,26 +62,36 @@ public final class ContainerConnectionSource<C extends Container<?>> implements
 
 	private final Supplier<C> containerSupplier;
 
+	private final SslBundleSource sslBundleSource;
+
+	private final MergedAnnotations annotations;
+
 	ContainerConnectionSource(String beanNameSuffix, Origin origin, Class<C> containerType, String containerImageName,
-			MergedAnnotation<ServiceConnection> annotation, Supplier<C> containerSupplier) {
+			MergedAnnotation<ServiceConnection> annotation, Supplier<C> containerSupplier,
+			SslBundleSource sslBundleSource, MergedAnnotations annotations) {
 		this.beanNameSuffix = beanNameSuffix;
 		this.origin = origin;
 		this.containerType = containerType;
 		this.containerImageName = containerImageName;
 		this.connectionName = getOrDeduceConnectionName(annotation.getString("name"), containerImageName);
 		this.connectionDetailsTypes = Set.of(annotation.getClassArray("type"));
 		this.containerSupplier = containerSupplier;
+		this.sslBundleSource = sslBundleSource;
+		this.annotations = annotations;
 	}
 
 	ContainerConnectionSource(String beanNameSuffix, Origin origin, Class<C> containerType, String containerImageName,
-			ServiceConnection annotation, Supplier<C> containerSupplier) {
+			ServiceConnection annotation, Supplier<C> containerSupplier, SslBundleSource sslBundleSource,
+			MergedAnnotations annotations) {
 		this.beanNameSuffix = beanNameSuffix;
 		this.origin = origin;
 		this.containerType = containerType;
 		this.containerImageName = containerImageName;
 		this.connectionName = getOrDeduceConnectionName(annotation.name(), containerImageName);
 		this.connectionDetailsTypes = Set.of(annotation.type());
 		this.containerSupplier = containerSupplier;
+		this.sslBundleSource = sslBundleSource;
+		this.annotations = annotations;
 	}
 
 	private static String getOrDeduceConnectionName(String connectionName, String containerImageName) {
@@ -156,6 +168,17 @@ Set<Class<?>> getConnectionDetailsTypes() {
 		return this.connectionDetailsTypes;
 	}
 
+	SslBundleSource getSslBundleSource() {
+		return this.sslBundleSource;
+	}
+
+	boolean hasAnnotation(Class<? extends Annotation> annotationType) {
+		if (this.annotations == null) {
+			return false;
+		}
+		return this.annotations.isPresent(annotationType);
+	}
+
 	@Override
 	public String toString() {
 		return "@ServiceConnection source for %s".formatted(this.origin);